Terraform-provider-aws: AWS Security Group Rule protocol/port error.

Created on 10 Jul 2017 · 3Comments · Source: hashicorp/terraform-provider-aws

Hi,

Terraform Version

Terraform v0.9.11

Affected Resource(s)

aws_security_group_rule

Terraform Configuration Files

variable "ports_logstash" {
  description = "Ports used by logstash and graphite"
  default     = ["40000", "40001", "40002", "40003", "40004", "40005", "40006", "40007", "40008", "40009", "40010", "2003", "2005", "8125", "80", "443"]
}

resource "aws_security_group_rule" "Logstash" {
  count       = "${length(var.ports_logstash)}"
  depends_on  = ["aws_security_group.SG-Logstash"]
  type        = "ingress"
  from_port   = "${var.ports_logstash[count.index]}"
  to_port     = "${var.ports_logstash[count.index]}"
  protocol    = -1
  cidr_blocks = ["10.0.1.0/8"]

  security_group_id = "${aws_security_group.SG-Logstash.id}"
}

resource "aws_security_group" "SG-Logstash" {
  name        = "SG-Logstash"
  description = "Access to all ports required for Logstash communication"
  vpc_id      = "${aws_vpc.default.id}"

  tags {
    Name = "SG-Logstash"
  }
}

Expected Behavior

Terraform should throw an error that defining protocol as -1 and setting from_port and to_port, is not supported OR create the rule for both tcp and udp.

Actual Behavior

Throws an error that the requested rule is already added, because it's adding an allow all rule for the specified CIDR.

Steps to Reproduce

Define a new SG rule resource, for specific ports with the same CIDR and different ports.
Run terraform apply.
Get the below error:
```* aws_security_group_rule.Logstash[3]: 1 error(s) occurred:

aws_security_group_rule.Logstash.3: [WARN] A duplicate Security Group rule was found on (sg-xxxxxxxx). This may be
a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each
other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
information and instructions for recovery. Error message: the specified rule "peer: 10.0.1.0/8, ALL, ALLOW" already exists```

bug servicec2 stale

Source

gothrek22

Most helpful comment

Turns out it's the default behaviour of AWS API, if you provide protocol=-1 for a aws_security_group_rule you will get an ALL ALLOW rule. This should be mentioned in terraform docs.

the proper way to go about it is to create two aws_security_group_rule both for tcp and udp f.e.

resource "aws_security_group_rule" "tcpLogstash" {
  count       = "${length(var.ports_logstash)}"
  depends_on  = ["aws_security_group.SG-Logstash"]
  type        = "ingress"
  from_port   = "${var.ports_logstash[count.index]}"
  to_port     = "${var.ports_logstash[count.index]}"
  protocol    = "tcp"
  cidr_blocks = ["10.0.1.0/8"]

  security_group_id = "${aws_security_group.SG-Logstash.id}"
}

resource "aws_security_group_rule" "udpLogstash" {
  count       = "${length(var.ports_logstash)}"
  depends_on  = ["aws_security_group.SG-Logstash"]
  type        = "ingress"
  from_port   = "${var.ports_logstash[count.index]}"
  to_port     = "${var.ports_logstash[count.index]}"
  protocol    = "udp"
  cidr_blocks = ["10.0.1.0/8"]

  security_group_id = "${aws_security_group.SG-Logstash.id}"
}

gothrek22 on 19 Aug 2017

👍2

All 3 comments

Turns out it's the default behaviour of AWS API, if you provide protocol=-1 for a aws_security_group_rule you will get an ALL ALLOW rule. This should be mentioned in terraform docs.

the proper way to go about it is to create two aws_security_group_rule both for tcp and udp f.e.

resource "aws_security_group_rule" "tcpLogstash" {
  count       = "${length(var.ports_logstash)}"
  depends_on  = ["aws_security_group.SG-Logstash"]
  type        = "ingress"
  from_port   = "${var.ports_logstash[count.index]}"
  to_port     = "${var.ports_logstash[count.index]}"
  protocol    = "tcp"
  cidr_blocks = ["10.0.1.0/8"]

  security_group_id = "${aws_security_group.SG-Logstash.id}"
}

resource "aws_security_group_rule" "udpLogstash" {
  count       = "${length(var.ports_logstash)}"
  depends_on  = ["aws_security_group.SG-Logstash"]
  type        = "ingress"
  from_port   = "${var.ports_logstash[count.index]}"
  to_port     = "${var.ports_logstash[count.index]}"
  protocol    = "udp"
  cidr_blocks = ["10.0.1.0/8"]

  security_group_id = "${aws_security_group.SG-Logstash.id}"
}

gothrek22 on 19 Aug 2017

👍2

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

github-actions[bot] on 31 Mar 2020

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

hashibot[bot] on 2 Jun 2020

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Plans to support more custom endpoints in provider AWS (lambda, apigateway, ...)

hashibot · 3Comments

Using security_groups instead of the correct vpc_security_group_ids on an instance within VPC results in instance recreation on each apply

andywirv · 3Comments

AWS Lambda function invocation as data source (like CloudFormation custom resource)

aidansteele · 3Comments

Feature request: S3 Cross-Region Replication with KMS

modax · 3Comments

On plan, redrive_policy is always marked as modified

hashibot · 3Comments