2
votes

I am using Terraform for AWS resource provisioning. I need to self-reference "mySG". From the Terraform documentation I can use

    ingress {
      from_port = 0
      to_port   = 0
      protocol  = -1
      self      = true
    }

But how about the different protocols? Using the console, there are the following historic inbound rules available:

       Type         Protocol   Port range   Source
    1. All TCP      TCP        0-65535      mySG
    2. All UDP      UDP        0-65535      mySG
    3. Custom TCP   TCP        1856         mySG

(Is the third entry required, considering the first entry covers all ports?) Does the ingress rule described above take care of all 3 entries? If not, what should the Terraform syntax be?

1
setting protocol to -1 covers both TCP and UDP. Security groups are layer 3, so those are the only two protocols it manages. - jordanm
@jordanm stackoverflow.com/a/61192693/154527 is a valid answer to your question and you should accept it. - Alain O'Dea
Kamlendra, did my answer below help you solve it? - Datise
Thanks Datise, it worked for me. Even the modeler approach for different environments (Dev, UAT, PROD) also worked. Thanks! - Kamlendra Sharma

1 Answer

5
votes

You can implement a self-referential group by splitting the security group from its rules, using the resources aws_security_group and aws_security_group_rule respectively. Doing this, combined with your 3 existing rules, would loosely look like this Terraform:

    resource "aws_security_group" "sec_group" {
      name   = "sec_group"
      vpc_id = "${local.vpc_id}"
    }

    // Rule 1: all TCP ports, sourced from the group itself.
    resource "aws_security_group_rule" "sec_group_allow_tcp" {
      type                     = "ingress"
      from_port                = 0     // first part of port range
      to_port                  = 65535 // second part of port range
      protocol                 = "tcp" // protocol, could be "tcp", "udp", etc.
      security_group_id        = "${aws_security_group.sec_group.id}" // which group to attach it to
      source_security_group_id = "${aws_security_group.sec_group.id}" // which group to specify as source (the same group: self-reference)
    }

    // Rule 2: all UDP ports, sourced from the group itself.
    resource "aws_security_group_rule" "sec_group_allow_udp" {
      type                     = "ingress"
      from_port                = 0     // first part of port range
      to_port                  = 65535 // second part of port range
      protocol                 = "udp" // protocol, could be "tcp", "udp", etc.
      security_group_id        = "${aws_security_group.sec_group.id}" // which group to attach it to
      source_security_group_id = "${aws_security_group.sec_group.id}" // which group to specify as source
    }

    // Rule 3: the custom TCP port 1856 from the question, sourced from the group itself.
    resource "aws_security_group_rule" "sec_group_allow_1856" {
      type                     = "ingress"
      from_port                = 1856  // first part of port range
      to_port                  = 1856  // second part of port range (a single port: from == to)
      protocol                 = "tcp" // protocol, could be "tcp", "udp", etc.
      security_group_id        = "${aws_security_group.sec_group.id}" // which group to attach it to
      source_security_group_id = "${aws_security_group.sec_group.id}" // which group to specify as source
    }

Note that the rule takes a protocol type, from port/to port (for the range), and an optional source_security_group_id to specify
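The question's parenthetical (is the narrow TCP 1856 rule needed, and does the single `protocol = -1, self = true` rule replace all three console entries?) can be settled by reasoning about rule coverage rather than by trial in the console. The following Python is an added example written for this page, not code from the question, the answer, or the Terraform AWS provider: it models ingress rules with the fields used above (protocol, port range, source) and checks which rules subsume which. The group id `sg-0123456789abcdef0` is a constructed placeholder standing in for "mySG", and the coverage semantics are my own simplification of AWS behaviour: protocol "-1" means every protocol and port, ICMP type/code are treated like a port range, and sources are compared as opaque strings.

```python
"""Security-group ingress rule coverage checker (added example, not from the page).

Answers two questions a reviewer of the rules above would ask:
  1. Does the single "-1 / self" rule subsume the three TCP/UDP self rules?
  2. Within the three console rules, is any rule redundant (fully covered by another)?

Assumptions (mine, not AWS documentation): ports are ignored for protocol "-1";
ICMP type/code are compared like a port range; a group id and a CIDR never
cover each other because sources are compared literally.
"""
from dataclasses import dataclass

ALL_PROTOCOLS = "-1"


@dataclass(frozen=True)
class IngressRule:
    protocol: str   # "-1", "tcp", "udp", "icmp"
    from_port: int  # start of range; for icmp the type (-1 = all)
    to_port: int    # end of range;   for icmp the code (-1 = all)
    source: str     # security group id or CIDR, compared literally

    def __post_init__(self):
        if self.protocol != ALL_PROTOCOLS and self.from_port > self.to_port:
            raise ValueError(f"bad port range {self.from_port}-{self.to_port}")


def covers(broad: IngressRule, narrow: IngressRule) -> bool:
    """True if every packet allowed by `narrow` is also allowed by `broad`."""
    if broad.source != narrow.source:
        return False
    if broad.protocol == ALL_PROTOCOLS:
        return True  # -1 means all protocols and all ports, whatever from/to say
    if narrow.protocol == ALL_PROTOCOLS or broad.protocol != narrow.protocol:
        return False
    return broad.from_port <= narrow.from_port and narrow.to_port <= broad.to_port


def covered_by_set(rules, candidate: IngressRule) -> bool:
    """True if some single rule in `rules` subsumes `candidate`.

    AWS evaluates rules as a union, but a port range split across two rules is
    deliberately not merged here; that keeps the check conservative and simple.
    """
    return any(covers(r, candidate) for r in rules)


def redundant_rules(rules):
    """Rules that are fully subsumed by a different rule in the same group."""
    return [r for r in rules if any(covers(o, r) for o in rules if o is not r)]


# Constructed placeholder id standing in for the question's "mySG".
SELF = "sg-0123456789abcdef0"

# The three console rules from the question, as self-referencing rules.
CONSOLE_RULES = [
    IngressRule("tcp", 0, 65535, SELF),
    IngressRule("udp", 0, 65535, SELF),
    IngressRule("tcp", 1856, 1856, SELF),
]

# The single rule from the Terraform documentation snippet in the question.
ALL_TRAFFIC_SELF = IngressRule(ALL_PROTOCOLS, 0, 0, SELF)


def single_rule_covers_console_rules() -> bool:
    """Question 1: the -1/self rule subsumes all three console rules."""
    return all(covers(ALL_TRAFFIC_SELF, r) for r in CONSOLE_RULES)


def console_rules_cover_all_traffic() -> bool:
    """The reverse direction: three TCP/UDP rules do not equal 'all traffic'
    (for example ICMP from the group is not allowed by them)."""
    return covered_by_set(CONSOLE_RULES, ALL_TRAFFIC_SELF)


if __name__ == "__main__":
    print("-1/self covers the 3 console rules:", single_rule_covers_console_rules())
    print("3 console rules cover all traffic:  ", console_rules_cover_all_traffic())
    print("redundant console rules:            ", redundant_rules(CONSOLE_RULES))
    icmp_self = IngressRule("icmp", -1, -1, SELF)
    print("ICMP from self allowed by 3 rules:  ", covered_by_set(CONSOLE_RULES, icmp_self))
```

Run stand-alone, the script reports that the single all-protocols self rule does cover the three console entries, that the TCP 1856 rule is redundant next to the TCP 0-65535 rule, and that the three TCP/UDP rules are narrower than "all traffic" because they do not admit ICMP from the group. The last point is the one to weigh before collapsing the three rules into `protocol = -1`: the replacement is broader than what the console currently allows, not equivalent to it.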