Creating self-references in new security group rule resource types

Context - I want to move my aws_security_group_rule resources to aws_vpc_security_group_ingress_rule/ aws_vpc_security_group_egress_rule so I can start tagging my rules.

The older resource type has a handy property for creating a self-reference (the SG accepts from its own SG ID) Terraform Registry

However I don’t see such a thing for Terraform Registry

My first thought was to supply

referenced_security_group_id = resource.aws_vpc_security_group_ingress_rule.ec2_self_1.id

However, as I expected, Terraform did not like me referencing something inside itself.

My question is, how can I achieve a self referential rule using the new resource types?

It helps when you don’t try to put a rule ID where a security group ID ought to be - it’s what I meant but not what I wrote. Disregard :slight_smile:

Hi there,

I know this is an old post, but I was in the exact same situation today. If I’m understanding the last comment correctly, it sounds like you ended up figuring it out.

I went through the motions myself, wanting to migrate off of in-line ingress/egress blocks in my aws_security_group resource. Found that self = true isn’t an accepted argument for aws_vpc_security_group_ingress_rule or aws_vpc_security_group_egress_rule, so I went to Google for the solution and found this post.

So to be clear, in the end, this is the solution:

resource "aws_security_group" "main" {
  vpc_id = "vpc-xxxx"
  name   = "foo"
}

resource "aws_vpc_security_group_ingress_rule" "ingress_self" {
  security_group_id            = aws_security_group.main.id
  ip_protocol                  = "-1"
  referenced_security_group_id = aws_security_group.main.id
  description                  = "blah"
}

Which is equivalent to:

resource "aws_security_group" "main" {
  vpc_id = "vpc-xxxx"
  name   = "foo"

  ingress {
    self        = true
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    description = "blah"
  }
}
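As an added example (not code from the original posters), here is the same self-reference pattern carried a little further: both an ingress and an egress self-rule on the new resource types, with the rules tagged (the reason given for the migration in the first post), an ingress self-rule narrowed to a single TCP port instead of all protocols, and the older aws_security_group_rule form with self = true beside it for comparison. The VPC ID, port number and tag values are placeholders.

```hcl
# Added example: self-referential rules with the newer rule resources.
# "vpc-xxxx", port 5432 and the tag values are assumed placeholders.

resource "aws_security_group" "main" {
  vpc_id = "vpc-xxxx"
  name   = "foo"
  # No inline ingress/egress blocks here: the provider documents that
  # mixing inline rules with standalone rule resources on the same group
  # causes perpetual diffs, so all rules live in separate resources below.
}

# Ingress: allow all traffic from members of this same security group.
# With ip_protocol = "-1" the provider rejects from_port/to_port, so they are omitted.
resource "aws_vpc_security_group_ingress_rule" "ingress_self_all" {
  security_group_id            = aws_security_group.main.id
  referenced_security_group_id = aws_security_group.main.id
  ip_protocol                  = "-1"
  description                  = "all traffic from members of this group"

  tags = {
    Name  = "foo-ingress-self-all"
    Owner = "platform-team"
  }
}

# Tighter alternative: only a single TCP port from members of the group.
# For a named protocol from_port and to_port are required.
resource "aws_vpc_security_group_ingress_rule" "ingress_self_postgres" {
  security_group_id            = aws_security_group.main.id
  referenced_security_group_id = aws_security_group.main.id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
  description                  = "postgres from members of this group"

  tags = {
    Name = "foo-ingress-self-postgres"
  }
}

# Egress: the same self-reference works on the egress rule resource.
resource "aws_vpc_security_group_egress_rule" "egress_self_all" {
  security_group_id            = aws_security_group.main.id
  referenced_security_group_id = aws_security_group.main.id
  ip_protocol                  = "-1"
  description                  = "all traffic to members of this group"

  tags = {
    Name = "foo-egress-self-all"
  }
}

# For comparison, the older standalone rule resource expresses the same
# ingress self-reference with self = true (and does not support tags).
resource "aws_security_group_rule" "legacy_ingress_self" {
  type              = "ingress"
  security_group_id = aws_security_group.main.id
  self              = true
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  description       = "all traffic from members of this group"
}
```

In practice you would keep either the legacy resource or the new ones for a given rule, not both, since both would try to manage the same underlying rule on the group. The port-restricted variant is the one to prefer where the workload only needs a specific service between group members; "-1" grants every protocol and port, which is convenient but wider than most intra-group traffic requires.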

@fabien.delpierre Your solution works if you write the Terraform module yourself.

But there are modules out there that you could reference in your code, and are useful, but have no provision to reflect the security group ID back to the rule itself, to simulate the self argument. Getting those modules to change is not always feasible, as the code is controlled by someone else.

For this reason, having an explicit self argument for the new SG rule resources (both ingress and egress) would be very useful.

I also wish there was a self argument because I don’t find the current implementation all that intuitive. :sweat_smile: