Terraform: aws_security_group: ingress rule + security_groups not working

Created on 27 Jul 2015  ·  9Comments  ·  Source: hashicorp/terraform

Hi :)

I am trying to create an aws_security_group resource but am getting an error when using security_groups in ingress rule:

resource "aws_security_group" "mysql-cluster_haproxy" {
  name = "sg_mysql-cluster_haproxy"
  description = "Allow traffic to mysql-cluster loadbalancer"
  vpc_id = "${var.aws_vpc_id}"
  ingress {
    protocol = "tcp"
    from_port = 22
    to_port = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port = 0
    to_port = 65535
    protocol = "tcp"
    security_groups = ["sg-1234567"]
  }
  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Error:
aws_security_group.mysql-cluster_haproxy: Error: 1 error(s) occurred:

* Error authorizing security group ingress rules: InvalidGroup.NotFound: You have specified two resources that belong to different networks.
        status code: 400, request id: []

Once I change:

security_groups = ["sg-1234567"]

to

cidr_blocks = ["0.0.0.0/0"]

it works as expected.

Can you verify and fix this?

BR,
Rafal.

Labels: bug, provider/aws


All 9 comments

Hello –

I apologize for the delay in getting back to you here. By the error message, it seems you're trying to authorize ingress from a Security Group that is in a different VPC. The AWS documentation indicates that you can't do this, e.g. the security groups must all be in the same source VPC:

Can you confirm for me that the security group you're referencing in sg-1234567 is in the same VPC?

You can do this now as long as you have a peering connection between both VPCs that you have referenced. It has to be set up and accepted before it's accepted via CloudFormation.

You will need to use the DependsOn attribute with your peering config as the value to make cloud formation wait until that has been created before attempting to edit the security group.
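One way to express that ordering in Terraform (Terraform 0.11 syntax, to match the versions in this thread). This is an added example, not code from the issue or from the Terraform project; it assumes two VPCs in the same account and region, `aws_vpc.app` (where the client security group `sg-1234567` lives) and `aws_vpc.db` (where the HAProxy group is created), and the resource names are hypothetical.

```hcl
# Added example (not from the issue or the Terraform project). Assumes two VPCs
# in the same account and region: aws_vpc.app holds the client security group
# sg-1234567 (placeholder id from the report), aws_vpc.db holds the HAProxy
# nodes. Resource names are hypothetical.

# The peering connection must exist and be accepted before any rule can
# reference a security group on the other side of it. auto_accept only works
# when both VPCs belong to the same account; otherwise the peer must accept it.
resource "aws_vpc_peering_connection" "app_to_db" {
  vpc_id      = "${aws_vpc.app.id}"
  peer_vpc_id = "${aws_vpc.db.id}"
  auto_accept = true
}

# Security group for the HAProxy nodes, created in the db VPC with no inline
# ingress blocks so that the cross-VPC rule can be managed separately.
resource "aws_security_group" "mysql-cluster_haproxy" {
  name        = "sg_mysql-cluster_haproxy"
  description = "Allow traffic to mysql-cluster loadbalancer"
  vpc_id      = "${aws_vpc.db.id}"
}

# The cross-VPC ingress is a standalone aws_security_group_rule so that the
# explicit depends_on delays only this rule, not the whole security group.
# The range is narrowed from 0-65535 to the MySQL listener port only.
resource "aws_security_group_rule" "haproxy_from_app_clients" {
  type                     = "ingress"
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.mysql-cluster_haproxy.id}"
  source_security_group_id = "sg-1234567"

  # Explicit dependency: create the rule only after the peering exists.
  depends_on = ["aws_vpc_peering_connection.app_to_db"]
}
```

If the peering connection has not been accepted yet, the EC2 API still rejects the cross-VPC reference, so when the peering is created outside Terraform (as in the CloudFormation case later in this thread) the only option is to run the apply after that peering is active.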

Ran into the same issue and @LouiseMcMahon's comment really helped! Thanks!
More specifically:

https://www.terraform.io/docs/configuration/resources.html#explicit-dependencies

Hi @xxthegonzxx I'm confronted with the same problem even if I'm using the depends_on for explicitly depending on the aws_vpc_peering_connection and/or on additional resources such as aws_routes created exclusively for this VPC peering.

@bs1px What version of Terraform are you using? I was coming across problems creating an aws_nat_gateway. I resolved my issue by adding: depends_on = ["aws_internet_gateway.this"] as a dependency for the aws_nat_gateway method.

@xxthegonzxx thanks for your reply!
I'm using Terraform v0.11.3 and struggling to create an aws_security_group with an ingress from a security group in a peered VPC (using the security_groups argument in the form security_groups = ["sg-1234"]).

Having the same issue :(
My peering is created via cloudformation thus can't set a dependency :(
Terraform v0.11.14

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
