Terraform: aws_security_group: Can not add IPv6 address. InvalidParameterValue: CIDR block ::/0 is malformed

Created on 11 May 2017 · 5 Comments · Source: hashicorp/terraform

Hi!

I'm trying to add an IPv6 address in an aws_security_group. But Terraform fails with "Error authorizing security group egress rules: InvalidParameterValue: CIDR block ::/0 is malformed"

Terraform Version

Terraform v0.9.4

Affected Resource(s)

  • aws_security_group

Terraform Configuration Files

resource "aws_security_group" "test" {
  vpc_id = "${var.vpc}"
  name        = "Test"
  description = "Test"

  # Allow all outgoing:
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
  }
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["::/0"]
  }
}

Debug Output

terraform apply

1 error(s) occurred:

* module.uptime_probes.aws_security_group.uptime_probe_sg: 1 error(s) occurred:

* aws_security_group.uptime_probe_sg: Error authorizing security group egress rules: InvalidParameterValue: CIDR block ::/0 is malformed
    status code: 400, request id: 9f209ba4-802e-4619-9f5a-38613cc7ebc5

Workaround

  1. Comment out the IPv6 egress-block in the terraform configuration
  2. Run 'terraform apply' to create the security group without the IPv6 block
  3. Open the AWS console, and add the IPv6 block manually.
  4. 'terraform plan' should now report 'Infrastructure is up-to-date.'

All 5 comments

Hi @sandnabba

Thanks for reporting your issue here. The following configuration will work for you in this case:

resource "aws_security_group" "test" {
  vpc_id = "${var.vpc}"
  name        = "Test"
  description = "Test"

  # Allow all outgoing:
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    ipv6_cidr_blocks     = ["0.0.0.0/0"]
  }
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    ipv6_cidr_blocks     = ["::/0"]
  }
}

Notice the use of ipv6_cidr_blocks rather than cidr_blocks

Paul

@stack72 Your proposed configuration doesn't work - it results in InvalidParameterValue: CIDR block 0.0.0.0/0 is malformed (probably as expected). I think you meant:

resource "aws_security_group" "test" {
  vpc_id = "${var.vpc}"
  name        = "Test"
  description = "Test"

  # Allow all outgoing:
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
  }
  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    ipv6_cidr_blocks     = ["::/0"]
  }
}
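
A pre-apply check for the address-family mismatch this thread turns on, as an added example that is not part of the issue thread or of Terraform's own code. It assumes rules are available as dictionaries keyed by the aws_security_group argument names; `check_rule`, `check_group` and the sample inputs are hypothetical and constructed to mirror the three configurations posted above.

```python
import ipaddress

# Argument name -> IP version it may carry, as the errors in this thread show.
EXPECTED_VERSION = {"cidr_blocks": 4, "ipv6_cidr_blocks": 6}


def check_rule(rule):
    """Return a list of findings for one ingress/egress rule dict."""
    findings = []
    for arg, want in EXPECTED_VERSION.items():
        for cidr in rule.get(arg) or []:
            try:
                # strict=False: host bits are not what this check is about.
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"{arg}: {cidr!r} is not a valid CIDR")
                continue
            if net.version != want:
                other = "ipv6_cidr_blocks" if net.version == 6 else "cidr_blocks"
                findings.append(
                    f"{arg}: {cidr} is IPv{net.version}, move it to {other}")
    return findings


def check_group(rules):
    """Check every rule; return {rule_index: findings} for rules with problems."""
    report = {}
    for index, rule in enumerate(rules):
        found = check_rule(rule)
        if found:
            report[index] = found
    return report


# Constructed inputs mirroring the three configurations posted in the thread.
ORIGINAL = [{"cidr_blocks": ["0.0.0.0/0"]}, {"cidr_blocks": ["::/0"]}]
FIRST_REPLY = [{"ipv6_cidr_blocks": ["0.0.0.0/0"]}, {"ipv6_cidr_blocks": ["::/0"]}]
CORRECTED = [{"cidr_blocks": ["0.0.0.0/0"]}, {"ipv6_cidr_blocks": ["::/0"]}]

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("first reply", FIRST_REPLY),
                        ("corrected", CORRECTED)]:
        print(name, check_group(rules) or "ok")
```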

Sorry @realflash, you are correct. This is what happens trying to write a response on my phone :)

@stack72
Hi, I think it's ipv6_cidr_block not ipv6_cidr_blocks. When I try terraform apply

invalid or unknown key: ipv6_cidr_blocks

comes out.

Using ipv6_cidr_block solves it.

Ref: https://www.terraform.io/docs/providers/aws/r/network_acl_rule.html

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
