Creating self-references in new security group rule resource types

Context - I want to move my aws_security_group_rule resources to aws_vpc_security_group_ingress_rule/ aws_vpc_security_group_egress_rule so I can start tagging my rules.

The older resource type has a handy property for creating a self-reference (the SG accepts from its own SG ID): Terraform Registry

However, I don't see such a thing for the new resource types: Terraform Registry

My first thought was to supply

referenced_security_group_id = resource.aws_vpc_security_group_ingress_rule.ec2_self_1.id

However, as I expected, Terraform did not like me referencing something in itself.

My question is, how can I achieve a self referential rule using the new resource types?

It helps when you don't try to put a rule ID where a security group ID ought to be. It's what I meant but not what I wrote. Disregard.

Hi there,

I know this is an old post, but I was in the exact same situation today. If I’m understanding the last comment correctly, it sounds like you ended up figuring it out.

I went through the motions myself, wanting to migrate off of in-line ingress/egress blocks in my aws_security_group resource. Found that self = true isn’t an accepted argument for aws_vpc_security_group_ingress_rule or aws_vpc_security_group_egress_rule, so I went to Google for the solution and found this post.

So to be clear, in the end, this is the solution:

resource "aws_security_group" "main" {
  vpc_id = "vpc-xxxx"
  name   = "foo"
}

resource "aws_vpc_security_group_ingress_rule" "ingress_self" {
  security_group_id            = aws_security_group.main.id
  ip_protocol                  = "-1"
  referenced_security_group_id = aws_security_group.main.id
  description                  = "blah"
}

Which is equivalent to:

resource "aws_security_group" "main" {
  vpc_id = "vpc-xxxx"
  name   = "foo"

  ingress {
    self        = true
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    description = "blah"
  }
}
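As an added example that is not part of either post above: the same self-reference expressed with the new resource type, but migrated from a legacy aws_security_group_rule without deleting and recreating the rule in AWS, and scoped to a single port rather than all protocols (a self-referencing "-1" rule lets every member of the group reach every other member on everything, which is rarely what a least-privilege design wants). The resource names, the vpc-xxxx placeholder, the sgr-xxxx rule ID, the port and the tag values are assumptions. The import block needs Terraform 1.5 or later and the removed block needs 1.7 or later; on older versions the equivalent steps are terraform import and terraform state rm.

```hcl
# Added example, not from the original thread. Placeholders: vpc-xxxx, sgr-xxxx,
# the resource names, port 8080 and the tag values.

resource "aws_security_group" "app" {
  name        = "app"
  description = "app tier"
  vpc_id      = "vpc-xxxx"

  # No inline ingress/egress blocks here. Mixing inline blocks with the
  # standalone rule resources makes the two fight over the same rules.
  tags = { Name = "app" }
}

# Before: the legacy resource expressed the self-reference with self = true.
# resource "aws_security_group_rule" "app_self" {
#   type              = "ingress"
#   security_group_id = aws_security_group.app.id
#   self              = true
#   from_port         = 8080
#   to_port           = 8080
#   protocol          = "tcp"
# }

# After: the new resource has no self argument, so point
# referenced_security_group_id at the same group the rule belongs to.
# Unlike the "-1" rule, this only opens 8080/tcp between members.
resource "aws_vpc_security_group_ingress_rule" "app_self" {
  security_group_id            = aws_security_group.app.id
  referenced_security_group_id = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
  description                  = "app members may reach each other on 8080/tcp"

  # Tagging the rule is the original motivation for the migration.
  tags = {
    Name  = "app-self-8080"
    Owner = "platform"
  }
}

# Adopt the rule AWS already has instead of deleting and recreating it.
# The import ID is the existing security group rule ID (sgr-...), which
# `aws ec2 describe-security-group-rules` lists for the group.
import {
  to = aws_vpc_security_group_ingress_rule.app_self
  id = "sgr-xxxx"
}

# Forget the legacy resource in state without destroying the rule in AWS.
# Without this, dropping aws_security_group_rule.app_self from configuration
# would make Terraform delete the very rule the import block just adopted.
removed {
  from = aws_security_group_rule.app_self

  lifecycle {
    destroy = false
  }
}
```

Run terraform plan before applying and check that the plan reads as one import and one "removed from state" with no destroy actions; a plan that shows the rule being destroyed and created again means the import ID or the removed block is wrong, and the group would briefly lose the rule during apply. Once the migration has applied, delete the import and removed blocks from the configuration.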