Question on adding to cidr_blocks in aws_security_group_rule and ordering relative to EC2 instance create

hi all,
I have a few questions on the aws_security_group_rule
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule

Objective: my objective is to add the public ip addresses of the instances that are created to the cidr_block. I need to have the source=public ip addresses (/32) as allow all rules in the security group

I am wondering if this would work because the public ip addresses are not known until after the apply is complete and the security group is created before the EC2 instances are created.

I am running ansible and jenkins as well, could this be done as a new stage in jenkins after the main apply terraform stage? At the end of the terraform apply stage I have an output of the public ip addresses of the instances called instance_ips that I can terraform output.

I am thinking in a new stage in jenkins of running this command in shell

https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html

This is an example from the link above

aws ec2 authorize-security-group-ingress \
  --group-id sg-1234567890abcdef0 \
  --protocol tcp \
  --port 22 \
  --cidr 203.0.113.0/24

==========

The syntax below is incorrect, but it is what I am trying to achieve. The var.access_ip and var.cloud9_ip are working fine and I just need to add the public ip addresses to the cidr_blocks list.

I inserted what I want to achieve (even though the syntax is wrong).

aws_instance.mtc_main is shown below the aws_security_group_rule

warm regards
Dave

resource "aws_security_group_rule" "ingress_all" {
  type      = "ingress"
  from_port = 0
  to_port   = 65535
  protocol  = "-1"
  # this means all protocols: icmp, tcp, udp, etc.....
  
  #cidr_blocks = [var.access_ip, var.cloud9_ip]
  cidr_blocks = [var.access_ip, var.cloud9_ip, [for i in aws_instance.mtc_main[*]: i.public_ip]]
  
  security_group_id = aws_security_group.mtc_sg.id
}

======

resource "aws_instance" "mtc_main" {
  count = var.main_instance_count

  instance_type = var.main_instance_type

  ami      = data.aws_ami.server_ami.id
  key_name = aws_key_pair.mtc_auth.id

  vpc_security_group_ids = [aws_security_group.mtc_sg.id]

  subnet_id = aws_subnet.mtc_public_subnet[count.index].id

  root_block_device {
    volume_size = var.main_vol_size
  }

  tags = {
    Name = "mtc_main-${random_id.mtc_compute_node_id[count.index].dec}"
  }
}
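The intended rule written in valid HCL, as an added example that is not part of the original post; it assumes the resources and variables shown above (aws_security_group.mtc_sg, aws_instance.mtc_main, var.access_ip, var.cloud9_ip), and the local name instance_cidrs is hypothetical:

```hcl
# Added example, not from the original post. It assumes the resources the post
# shows: aws_security_group.mtc_sg, aws_instance.mtc_main (count-based),
# var.access_ip and var.cloud9_ip. The local name instance_cidrs is hypothetical.

locals {
  # cidr_blocks wants CIDR strings, so each bare public IP gets a "/32" suffix.
  # Referencing aws_instance.mtc_main here is what makes Terraform create the
  # instances before this rule: the instance only references the security
  # group itself (vpc_security_group_ids), not this rule, so there is no cycle
  # and no separate Jenkins stage is needed to learn the addresses.
  instance_cidrs = [for i in aws_instance.mtc_main : "${i.public_ip}/32"]
}

resource "aws_security_group_rule" "ingress_all" {
  type     = "ingress"
  protocol = "-1" # all protocols: icmp, tcp, udp, ...
  # The AWS provider requires from_port and to_port to both be 0 when
  # protocol is "-1"; the 0..65535 range in the post is rejected by the provider.
  from_port = 0
  to_port   = 0

  # concat() produces one flat list; a list nested inside a list, as in the
  # original line, is not a valid value for cidr_blocks.
  cidr_blocks = concat([var.access_ip, var.cloud9_ip], local.instance_cidrs)

  security_group_id = aws_security_group.mtc_sg.id
}

# Caveats for the /32 approach: a public IP that is not an Elastic IP changes
# whenever the instance is stopped and started, so the rule drifts until the
# next apply, and "all protocols, all ports" from a public address is far
# broader than the instances usually need. If the goal is only to let the
# instances in mtc_sg reach each other, a self-referencing rule keyed on
# group membership (private addressing) is the tighter alternative:
resource "aws_security_group_rule" "ingress_self" {
  type              = "ingress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  self              = true
  security_group_id = aws_security_group.mtc_sg.id
}
```

Because the rule resource is separate from aws_security_group, `terraform apply` orders it after the instances on its own, so the `terraform output instance_ips` step and the `aws ec2 authorize-security-group-ingress` call in Jenkins become unnecessary.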