Terraform: Security group rules cannot have both source_security_group_id and cidr directives

Created on 28 May 2016  ·  4 Comments  ·  Source: hashicorp/terraform

Terraform Version

Terraform v0.6.16

Affected Resource(s)

  • security groups

Terraform Configuration Files

resource "aws_security_group_rule" "allow_all" {
    type = "ingress"
    from_port = 0
    to_port = 65535
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]

    security_group_id = "sg-123456"
    source_security_group_id = "sg-654321"
}

Using this example from the documentation, I created this config:

/* create security group without rules */

resource "aws_security_group" "cachet-db" {
  name = "cachet-db"
  description = "cachet db security group"

  tags {
    Name = "cachet-db-secgroup"
  }
}

resource "aws_security_group" "cachet-web" {
  name = "cachet-web"
  description = "cachet web security group"

  tags {
    Name = "cachet-web-secgroup"
  }
}


resource "aws_security_group" "cachet-elb" {
  name = "cachet-elb"
  description = "cachet elb security group"

  tags {
    Name = "cachet-elb-secgroup"
  }
}
/* create security rules and attach to security groups */

resource "aws_security_group_rule" "cachet-db-rule-ingress" {
    type = "ingress"
    from_port = 3306
    to_port = 3306
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    security_group_id = "${aws_security_group.cachet-db.id}"
    source_security_group_id = "${aws_security_group.cachet-web.id}"
}

resource "aws_security_group_rule" "cachet-db-rule-egress" {
    type = "egress"
    from_port = 3306
    to_port = 3306
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    security_group_id = "${aws_security_group.cachet-web.id}"
    source_security_group_id = "${aws_security_group.cachet-db.id}"
}

resource "aws_security_group_rule" "cachet-db-rule" {
    type = "ingress"
    from_port = 3306
    to_port = 3306
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    security_group_id = "${aws_security_group.cachet-db.id}"
    source_security_group_id = "${aws_security_group.cachet-web.id}"
}

Debug Output

Errors:

  * aws_security_group_rule.cachet-db-rule-egress: "source_security_group_id": conflicts with cidr_blocks ([]interface {}{"0.0.0.0/0"})
  * aws_security_group_rule.cachet-db-rule-ingress: "source_security_group_id": conflicts with cidr_blocks ([]interface {}{"0.0.0.0/0"})
  * aws_security_group_rule.cachet-db-rule: "source_security_group_id": conflicts with cidr_blocks ([]interface {}{"0.0.0.0/0"})

Panic Output

n/a

Expected Behavior

As per the documentation, I was expecting no conflicts.

Actual Behavior

An error is thrown that security_group_id is in conflict with the cidr directive.

Steps to Reproduce

  1. terraform plan

Important Factoids

I was able to resolve this by removing the cidr directive, as it seems to be redundant when using a source security group. The documentation should update the example, as it is confusing.
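As an added example (not from the issue or from the Terraform docs), here are the two rules from the config above rewritten the way the resolution describes: cidr_blocks is dropped so each rule is scoped to the peer security group instead of 0.0.0.0/0. It assumes the cachet-db and cachet-web groups defined above and leaves out the duplicate cachet-db-rule.

```hcl
/* db security group accepts MySQL only from the web tier's security group;
   no cidr_blocks, so the rule is no longer open to 0.0.0.0/0 and no longer
   conflicts with source_security_group_id */
resource "aws_security_group_rule" "cachet-db-rule-ingress" {
    type = "ingress"
    from_port = 3306
    to_port = 3306
    protocol = "tcp"
    security_group_id = "${aws_security_group.cachet-db.id}"
    source_security_group_id = "${aws_security_group.cachet-web.id}"
}

/* web security group may open MySQL connections only towards the db
   security group (for an egress rule, source_security_group_id names
   the destination group) */
resource "aws_security_group_rule" "cachet-db-rule-egress" {
    type = "egress"
    from_port = 3306
    to_port = 3306
    protocol = "tcp"
    security_group_id = "${aws_security_group.cachet-web.id}"
    source_security_group_id = "${aws_security_group.cachet-db.id}"
}
```

The argument is omitted entirely rather than set to an empty list; a later comment in this thread reports that cidr_blocks = [] still triggers the conflict.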

References

couldn't find

Labels: bug, documentation, provider/aws

All 4 comments

Hey @kangman – terribly sorry for the trouble here. This is actually by design, but was not sufficiently documented as you point out. I did just merge #6917 to address this. I apologize again for the hassle here.

Thanks, appreciate the quick response. I know when you have to choose between features and documentation features usually wins out, but onboarding new users like myself then gets dicey. Appreciate yours and team hashicorp's work.

On Jun 1, 2016 4:40 PM, "Clint" wrote:

> Hey @kangman https://github.com/kangman – terribly sorry for the trouble here. This is actually by design, but was not sufficiently documented as you point out. I did just merge #6917 https://github.com/hashicorp/terraform/pull/6917 to address this. I apologize again for the hassle here.


I'd like to re-open this bug. If you assign an empty list to cidr_blocks, the resource still throws an error if you then assign to source_security_group_id. Is there some conceptual thing I'm missing where cidr_blocks cannot be referenced and de-activated by assigning it an empty set?

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
