Managing the same security group from different root modules

Hi all,

I have an interesting challenge to manage an AWS ASG security group from different root modules.
The security group (controlling the application traffic) is created during creation of the ASG.

In additional Terraform modules I start the services on the ASG (it's a Nomad cluster) and create an AWS Network Load Balancer to access the workload. For the NLB I need to manage the client rules on the same security group. For a single stage this is not an issue.

I struggle with running a multistage setup using the same ASG, as the creation of the same rules (different NLB but same CIDR blocks, same source port) will cause conflicts with existing rules.

I have already looked for a security_group datasource that returns the current firewall list but it seems this does not exist.

I also don’t see a possibility to attach additional security groups in a later step to the ASG without interfering with the root asg module.

Does anyone have an idea how to get similar firewall rules created without causing conflicts?

I think what you can do is add a boolean flag to each NLB module to enable/disable updating the ASG SG with the specific rule. That way you should be able to prevent NLB modules from trying to add similar SG rules.

Yes, that is possible. But I then have a dependency between those modules. If I have an NLB module "dev" that propagates the ruleset and I run an NLB module "test", it will also need the rules from "dev" to work properly.

Yeah, I think it sounds more like a design question now. I think the best we can do is to manage the security group rules from a separate single location that doesn't belong to either the ASG or the NLB modules.

Yes, you are right. For now I will put the overlapping rules directly in the ASG cluster module.
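An added example, not code from this thread, of the approach the last two posts converge on: one root module owns every ingress rule on the ASG security group, and overlapping CIDR/port requests from different stages are collapsed before any rule is created. The variable names, the `dev`/`test` keys and the CIDR ranges are assumptions.

```hcl
# Added example, not from the thread. A dedicated root module owns all
# ingress rules on the ASG's application SG; the ASG and NLB modules only
# pass the SG id around and never touch the rules themselves.
# Hypothetical names: var.asg_security_group_id, var.client_rules.

variable "asg_security_group_id" {
  description = "SG created by the ASG module (consumed here, not re-created)"
  type        = string
}

# Each stage contributes the client access it needs. Two stages may request
# the same CIDR/port pair; that is expected and handled below.
variable "client_rules" {
  type = map(object({
    cidr_block = string
    from_port  = number
    to_port    = number
  }))
  # Constructed sample values: dev and test both need the office range.
  default = {
    "dev-office"  = { cidr_block = "10.10.0.0/16", from_port = 443, to_port = 443 }
    "test-office" = { cidr_block = "10.10.0.0/16", from_port = 443, to_port = 443 }
    "test-vpn"    = { cidr_block = "10.20.0.0/16", from_port = 443, to_port = 443 }
  }
}

# Re-key by rule content so identical requests collapse into one resource.
# Creating the same CIDR/port rule twice on one SG fails in the EC2 API with
# InvalidPermission.Duplicate, which is the conflict described above.
locals {
  unique_rules = {
    for r in values(var.client_rules) :
    "${r.cidr_block}:${r.from_port}-${r.to_port}" => r...
  }
}

# One standalone rule per distinct CIDR/port pair. The SG passed in must not
# declare inline ingress blocks, or inline and standalone rules overwrite
# each other on every apply.
resource "aws_vpc_security_group_ingress_rule" "client" {
  for_each = local.unique_rules

  security_group_id = var.asg_security_group_id
  description       = "NLB client access ${each.key}"
  cidr_ipv4         = each.value[0].cidr_block
  from_port         = each.value[0].from_port
  to_port           = each.value[0].to_port
  ip_protocol       = "tcp"
}
```

With the three sample entries Terraform plans two rules, one per distinct CIDR/port pair, so adding a further stage only creates the pairs no earlier stage already requested.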