I would recommend that you create the two groups without any in-line rules.
Then, create two security group rules:
```hcl
# Compute nodes accept SSH only from members of the head node group.
resource "aws_security_group_rule" "inbound_ssh" {
  type                     = "ingress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.head_node_sg.id
  security_group_id        = aws_security_group.compute_node_sg.id
}

# Head node may open SSH only towards members of the compute node group.
# For an egress rule, source_security_group_id names the destination group.
resource "aws_security_group_rule" "outbound_ssh" {
  type                     = "egress"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.compute_node_sg.id
  security_group_id        = aws_security_group.head_node_sg.id
}
```
It’s a lot easier to use security groups in this fashion, sort of as labels which are used by the rules. You don’t need to worry about IP addresses that change or wrong machines in a subnet.
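The full layout the answer sketches, as an added example rather than the poster's own code: both groups are declared with no inline `ingress`/`egress` blocks, so the standalone rules are the only thing managing them (mixing inline blocks and `aws_security_group_rule` on the same group produces a perpetual diff), and the rules point at group ids instead of CIDRs. `var.vpc_id` is an assumed input.

```hcl
variable "vpc_id" {
  type        = string
  description = "VPC the cluster lives in (assumed input for this example)"
}

# No inline rule blocks here: the group acts purely as a label that the
# standalone aws_security_group_rule resources below attach rules to.
resource "aws_security_group" "head_node_sg" {
  name        = "head-node"
  description = "Head node of the cluster"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "compute_node_sg" {
  name        = "compute-node"
  description = "Compute nodes of the cluster"
  vpc_id      = var.vpc_id
}

# Compute nodes accept SSH only from instances carrying head_node_sg.
# Instances join or leave the cluster without any rule change, because the
# rule matches on group membership, not on an IP address or subnet.
resource "aws_security_group_rule" "inbound_ssh" {
  type                     = "ingress"
  description              = "SSH from head node"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.head_node_sg.id
  security_group_id        = aws_security_group.compute_node_sg.id
}

# Head node may initiate SSH only towards instances carrying compute_node_sg.
# Declaring the two groups without inline blocks avoids the dependency cycle
# that mutual references inside inline blocks would create.
resource "aws_security_group_rule" "outbound_ssh" {
  type                     = "egress"
  description              = "SSH to compute nodes"
  from_port                = 22
  to_port                  = 22
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.compute_node_sg.id
  security_group_id        = aws_security_group.head_node_sg.id
}
```

Because neither group declares an inline `egress` block, the head node ends up with SSH to the compute group as its only outbound rule; add further `aws_security_group_rule` resources rather than inline blocks if it needs more.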