0
votes

It looks like you can now set security group rule descriptions. This is super useful for maintaining whitelists for administrative access.

I can set the description in the AWS console but can't figure out how to set it with Terraform.

My assumption was that if the AWS API allows for it, Terraform can just do it without explicit support for it in the Terraform code. Perhaps that's wishful thinking and we'll have to wait for Terraform to support the new feature, or perhaps I'm just doing it wrong.

I tried simply declaring the description property in the rule declaration (like you would for the description of the security group itself):

    ingress {
        from_port   = 22
        to_port     = 22
        protocol    = "tcp"
        cidr_blocks = ["123.456.789.123"]
        description = "some rule description"
    }

Terraform bails in the plan stage with:

aws_security_group.somegroup: ingress.0: invalid or unknown key: description

I also tried setting tags within the rule declaration (like you would for setting the name of the security group):

    ingress {
        from_port = 22
        ...
        tags {
            "Description" = "some rule description"
        }
    }

Terraform bails in the plan stage with:

aws_security_group.somegroup: ingress.0: invalid or unknown key: tags

2
Unfortunately changes like this do require updates to Terraform to support them, since Terraform must translate its own configuration language to AWS API calls behind the scenes. There is a feature request open for this which you can, if you wish, watch for updates. - Martin Atkins
It looks like there is a pull request out to support this. github.com/terraform-providers/terraform-provider-aws/pull/1587 Apparently Terraform uses the AWS Go API and there is some ongoing discussion about the best way to handle supporting rule descriptions. It looks like one CIDR block per rule is probably the way to go so descriptions map properly. I'll keep an eye on the PR and post my own answer once the change is merged. - jorfus
I've added a description inside the ingress block and it works now. - Jordan

2 Answers

1
votes

As of now, it is possible and your code should be valid.

1
votes

It seems that you are not using the Terraform API correctly.

You cannot set a description on the aws_security_group_rule resource.

aws_security_group_rule on Terraform.io

    resource "aws_security_group_rule" "allow_all" {
      type            = "ingress"
      from_port       = 0
      to_port         = 65535
      protocol        = "tcp"
      cidr_blocks     = ["0.0.0.0/0"]
      prefix_list_ids = ["pl-12c4e678"]

      security_group_id = "sg-123456"
    }

You can set a description on the aws_security_group resource.

aws_security_group on Terraform.io

From their Docs:

    resource "aws_security_group" "allow_all" {
      name        = "allow_all"
      description = "Allow all inbound traffic"

      ingress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }

      egress {
        from_port       = 0
        to_port         = 0
        protocol        = "-1"
        cidr_blocks     = ["0.0.0.0/0"]
        prefix_list_ids = ["pl-12c4e678"]
      }
    }

The description property of aws_security_group should be declared outside of the ingress and egress declarations, in the resource's root scope.
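Putting the question and the comment thread together, here is an added example (not part of the question or either answer) of the administrative SSH allow-list the asker describes, written with one aws_security_group_rule per CIDR so that each entry carries its own description, which is the one-CIDR-per-rule approach the linked PR discussion settled on. It assumes Terraform 0.12.6 or later (for `for_each` on resources) and an AWS provider release that accepts `description` on rules; the VPC id, CIDRs and names are constructed placeholders.

```hcl
# Added example: administrative SSH allow-list with a description on every rule.
# Assumes Terraform >= 0.12.6 and an AWS provider that supports `description`
# on aws_security_group_rule. All ids, CIDRs and names are constructed placeholders.

variable "admin_ssh_allowlist" {
  description = "Map of CIDR block => who/why it is allowed (constructed sample values)"
  type        = map(string)
  default = {
    "198.51.100.10/32" = "Jump host, ops team"
    "203.0.113.0/28"   = "Office VPN egress range"
  }
}

# The group itself carries only its own description. No inline ingress/egress
# blocks are used here: the AWS provider documents that inline rules must not be
# mixed with standalone aws_security_group_rule resources on the same group,
# because the two will overwrite each other's rules.
resource "aws_security_group" "admin_ssh" {
  name        = "admin-ssh"
  description = "Administrative SSH access (one rule per allowed CIDR)"
  vpc_id      = "vpc-0123456789abcdef0" # placeholder
}

# One rule per CIDR: the description attaches to exactly that CIDR, so the
# console shows who each allow-list entry belongs to.
resource "aws_security_group_rule" "admin_ssh_in" {
  for_each = var.admin_ssh_allowlist

  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [each.key]
  description       = each.value
  security_group_id = aws_security_group.admin_ssh.id
}

# Egress declared as a standalone rule too, for the reason given above.
resource "aws_security_group_rule" "admin_ssh_out" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "Allow all outbound"
  security_group_id = aws_security_group.admin_ssh.id
}
```

Adding or removing an allow-list entry then changes exactly one rule in `terraform plan`, with its description visible in the diff, instead of rewriting a shared `cidr_blocks` list.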