When using aws_security_group and removing an egress statement, Terraform does not reflect the change. It works fine when adding it; however, removing it is completely ignored.
I am unsure how aws_security_group_rule works in this case. I would assume it works fine as it is an individual resource.
Terraform v0.10.2
Please list the resources as a list, for example:
resource "aws_security_group" "a_security_group" {
  name   = "a_security_group"
  vpc_id = "vpc-abcd1234"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "a_security_group"
  }
}
terraform apply
I hit the same issue today.
The same issue also applies to ingress rules which is even more critical from a security point of view. The issue seems to happen specifically when removing all ingress or egress rules from the group; if any rules of the same type remain the change is applied correctly in my testing.
Same issue today :( 0.10.7
I think I have this same issue. A couple of CIDRs were manually added while I was out. Today I want to add them to the HCL, but being a well-scarred veteran of TF, I naturally ran a plan first. I expected to see a diff, but Terraform reported that everything is fine: "No changes."
I did a search in the console, the state list output, and the code. The CIDR only appears in AWS, yet TF does not detect it.
I just ran into this, wanted to note the workaround, which is to add the empty list, like so:
resource "aws_security_group" "a_security_group" {
  name   = "a_security_group"
  vpc_id = "vpc-abcd1234"

  ingress = []
  egress  = []

  tags {
    Name = "a_security_group"
  }
}
Modify as needed for your situation.
I do not want to remove all of the rules, just the ones that are not present in TF but present in AWS.
I think I maybe have the same issue or something similar with ingress rules: in my Terraform config I've specified an aws_security_group which only has an egress rule.
The actual security group created in AWS has the egress rule I specified, and an ingress rule which allows all traffic inbound (all protocols and ports from 0.0.0.0/0).
I think the security group config may have had an ingress block earlier in its life. If it did, Terraform isn't updating the group in AWS to remove the ingress/inbound rule.
So for this issue as a whole, "aws_security_group egress rules are not removed", I suspect old ingress rules are also not removed.
Configuring the security group with ingress = [] does remove the old rule.
@ncraike Are you using individual security group rules or in-line rules? If you are using SGRs, then what you describe is the expected behaviour IMHO.
If I created a SG and specified only egress rules, I would NOT expect my SG to allow any ingress.
If you created a security group resource then attached egress via security group rule resources, then I believe you could manually add ingress via the AWS GUI that would remain untouched on subsequent terraform apply runs.
I can see how someone might expect that behavior. Are we generally expected to, for example, specify an ingress resource with an empty list to explicitly deny all? Docs are not completely clear on the behavior.
If you use an 'in-line' rule and remove it, I would expect the inline rule to be in the statefile, so I would expect Terraform to remove it when the in-line rule was removed. This is what I tried to do, and Terraform did not remove the rules, unlike what I expected.
Using
  ingress = []
  egress  = []
is all well and good, but then if you mix in security group rules, is there a risk that they are overwritten by the []?
In my case, I'm using separate resources. Docs say you can't mix in-line with separate resources. Have not tested if it is accurate but am assuming it is.
I suppose I want to understand what is expected so I can understand how to approach the problem where I want TF to remove rules and it does not.
If that is not actually the intended behavior, then I'd like a fix so that unwanted rules are removed and my infrastructure is brought into compliance with my written definition.
If it is truly the intended behavior, I would like to ask for some direction on how I am supposed to write my definitions to remove unwanted rules that were not even defined in the first place.
@dlcc I'm using in-line rules.
For the case of aws_security_group_rule this is a dupe of https://github.com/terraform-providers/terraform-provider-aws/issues/220
This is still an issue and I'm using Terraform v0.12.16. I see other issues talk about it not tracking out-of-band changes, and this thread mentions rules aren't removed. I'd personally summarise the issue as: Terraform is only checking for egress rules if egress rules are specified in your code.
If I have a security group that only specifies ingress rules and tags Terraform isn't checking what exists in the egress rules so it's not detecting if things exist and therefore it's not deleting the egress rules to match that no egress rules are specified in the code.
If I have a security group that specifies ingress, egress and tags then Terraform does detect the egress rules and anything that doesn't match the egress rules in my code are removed.
Does anyone know what's happening with closing this issue down, as it seems to have been around for a long time? I'd definitely say it's a security issue, as I found an egress rule today that was an 'any' rule that wasn't being deleted because my code had no egress rules (because I wanted egress to be locked down).
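As an added example (not code from this thread or from the AWS provider), here is a small offline drift check that compares a describe_security_groups-shaped record with the rules a config declares, and inspects both directions even when the config declares no rule for one of them, which is the case described above that the provider misses. The group id, the AWS rule set and the declared rules are constructed sample data.

```python
"""Flag security-group rules that exist in AWS but are not declared in config.

Added example: mirrors the shape of boto3's ec2.describe_security_groups()
output so it can be tried offline on a constructed response. The check looks
at BOTH ingress and egress regardless of whether the config declares any rule
in that direction.
"""

# Constructed sample of one group as returned by describe_security_groups()
# (only the keys this check needs). Not real account data.
AWS_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # constructed id
    "IpPermissions": [  # ingress: allow-all present in AWS, not in config
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # drift
    ],
}

# Rules the config declares, as (direction, protocol, from_port, to_port, cidr);
# only one egress rule is declared and no ingress at all.
DECLARED = {
    ("egress", "tcp", 443, 443, "10.0.0.0/8"),
}


def flatten(group):
    """Normalise an AWS group record into the same tuple form as DECLARED.
    Protocol "-1" carries no port keys in the API; it is normalised to 0-0,
    matching Terraform's from_port = 0 / to_port = 0 / protocol = "-1"."""
    rules = set()
    for direction, key in (("ingress", "IpPermissions"),
                           ("egress", "IpPermissionsEgress")):
        for perm in group.get(key, []):
            proto = perm["IpProtocol"]
            frm, to = perm.get("FromPort", 0), perm.get("ToPort", 0)
            for rng in perm.get("IpRanges", []):
                rules.add((direction, proto, frm, to, rng["CidrIp"]))
            for rng in perm.get("Ipv6Ranges", []):
                rules.add((direction, proto, frm, to, rng["CidrIpv6"]))
    return rules


def undeclared_rules(group, declared):
    """Rules live in AWS that the config does not declare (the drift)."""
    return sorted(flatten(group) - declared)


def missing_rules(group, declared):
    """Declared rules absent from AWS (the direction already caught by plan)."""
    return sorted(declared - flatten(group))
```

Run the check over the real describe_security_groups() response for each group a Terraform-managed SG covers; any row returned by undeclared_rules is a rule that plan will not report when that direction has no block in the config.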
Issue still present in 13.1