Terraform: Security Groups do not allow ICMP

Created on 26 Mar 2015 · 6Comments · Source: hashicorp/terraform

I was trying to create a security group with the following configuration:

ingress {
  protocol = "icmp"
  security_groups = ["${aws_security_group.sgr_test_nodes.id}"]
}

and I get the following error:

Errors:

  * 'aws_security_group.sgr_test_nodes' error: ingress.2.from_port: required field is not set
  * 'aws_security_group.sgr_test_nodes' error: ingress.2.to_port: required field is not set

While I understand why this error is happening, ICMP doesn't really have a port and if you try to specify one you get this error from amazon:

Error applying plan:

1 error(s) occurred:

* Error revoking security group ingress rules: ICMP code (65535) out of range (InvalidParameterValue)

Is there a specific way to configure ICMP? From looking at resource_aws_security_group.go it didn't look that way so this may be a feature request, maybe a rule type or something so that way we could accomplish the ability to do "all tcp" or whatever without having to specify ports.

documentation enhancement provideaws

Source

wazoo

Most helpful comment

For those out there who want to allow incoming ICMP echo ("ping") from any source via a security group, this does the trick:

  ingress {
    from_port = 8
    to_port = 0
    protocol = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }

seanknox on 8 Mar 2016

👍37

All 6 comments

I think I just sorted this out. As it happens, Amazon uses the same interface for CloudFormation and there is some documentation on how to use ICMP. The from_port is the ICMP type number and the to_port is the ICMP code (which does not exist for many types and should be either 0 or -1 in that case). See the Amazon CloudFormation Documentation for details. And here are the ICMP types/codes.

Here's an example of how to allow inbound echo requests:

ingress {
  protocol = 200
  cidr_block = "10.0.1.0/24"
  protocol = "icmp"
  from_port = 8
  to_port = 0
}

ltcdnunez on 1 Jun 2015

👍31 🎉1 😄1

The from_port is the ICMP type number and the to_port is the ICMP code

That's... disappointing to hear... Network ACLs have an explicit icmp_type and icmp_type code parameter. I came here expecting I needed to add those here, but sadness...

Sounds like the solution for this issue then is to document this on the Security Group and Security Group Rules docs, agreed?

catsby on 2 Jun 2015

@catsby I discovered after this that the Network ACL rules break when attempting to use this because of exactly what you're saying about the icmp_type and icmp_code parameters. It looks like you submitted a pull request to fix this for issue #2148, however.

To be clear, ICMP works fine when creating Security Group Rules if you do what I described before, but not in Network ACL in terraform v0.51.0 (and presumably lower). This does appear to mirror the AWS API for Security Group Rules.

ltcdnunez on 3 Jun 2015

For those out there who want to allow incoming ICMP echo ("ping") from any source via a security group, this does the trick:

  ingress {
    from_port = 8
    to_port = 0
    protocol = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }

seanknox on 8 Mar 2016

👍37

The documentation has been updated to reflect ICMP. I am going to close this issue. If you feel that the documentation is not as clear as it can be, please let us know

Thanks

Paul

stack72 on 22 Mar 2016

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.