The aim here is to create new security groups with Terraform code and also to update security group resources that were previously created by Terraform.
While trying to update an existing security group that was created by Terraform, running terraform plan shows:
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  - destroy

Terraform will perform the following actions:

  # module.securitygroups.aws_security_group.this[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_security_group" "this" {
      - arn                    = "arn:aws:ec2:us-east-1:XXX:security-group/<sg-id>" -> null
      - description            = "Security group for the entire VPC." -> null
      - egress                 = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = "All IPv4 Traffic"
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
            },
        ] -> null
      - id                     = "<sg-id>" -> null
      - ingress                = [
          - {
              - cidr_blocks      = [
                  - "<ipv4_cidr>",
                ]
              - description      = "Local Inbound Traffic"
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
            },
          - {
              - cidr_blocks      = [
                  - "<vpn_cidr>",
                ]
              - description      = "VPN Traffic"
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
            },
          - {
              - cidr_blocks      = []
              - description      = "Traffic with Self "
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = true
              - to_port          = 0
            },
        ] -> null
      - name                   = "main-sg" -> null
      - owner_id               = "owner_id" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {
          - "CreatedBy" = "Terraform"
        } -> null
      - tags_all               = {
          - "CreatedBy" = "Terraform"
        } -> null
      - vpc_id                 = "<vpc-id>" -> null
    }

  # module.securitygroups.aws_security_group_rule.egress_with_ipv6_cidr_blocks[0] will be created
  + resource "aws_security_group_rule" "egress_with_ipv6_cidr_blocks" {
      + description              = "All IPv6 Traffic"
      + from_port                = -1
      + id                       = (known after apply)
      + ipv6_cidr_blocks         = [
          + "::/0",
        ]
      + prefix_list_ids          = []
      + protocol                 = "-1"
      + security_group_id        = "<sg-id>"
      + security_group_rule_id   = (known after apply)
      + self                     = false
      + source_security_group_id = (known after apply)
      + to_port                  = -1
      + type                     = "egress"
    }

Plan: 1 to add, 0 to change, 1 to destroy.
I have a single module in which I create the security group as well as the associated rules; the code looks something like this:
# The group is only managed when local.create_sg is true; when it is false
# the count becomes 0 and an existing instance at index [0] is planned for destroy.
resource "aws_security_group" "this" {
  count       = local.create_sg ? 1 : 0
  name        = "${var.name_prefix}-${var.sg_name}"
  description = var.description
  vpc_id      = var.vpc_id
  #revoke_rules_on_delete = var.revoke_rules_on_delete

  ingress = []
  egress  = []

  tags = merge(
    {
      "Name" = "${var.name_prefix}-${var.sg_name}"
    },
    var.predefined_tags,
  )

  # timeouts {
  #   create = var.create_timeout
  #   delete = var.delete_timeout
  # }

  lifecycle {
    create_before_destroy = true
  }
}

// Takes an input of a list of rules; each entry is a key into var.rules,
// whose value is a list of [from_port, to_port, protocol, description].
resource "aws_security_group_rule" "ingress_rules" {
  count             = length(var.ingress_rules) > 0 ? length(var.ingress_rules) : 0
  # Attach to the group created here, or to an externally supplied group id.
  security_group_id = local.create_sg ? aws_security_group.this[0].id : var.sg_id
  type              = "ingress"
  cidr_blocks       = var.ingress_cidr_blocks
  ipv6_cidr_blocks  = var.ingress_ipv6_cidr_blocks
  prefix_list_ids   = var.ingress_prefix_list_ids
  description       = var.rules[var.ingress_rules[count.index]][3]
  from_port         = var.rules[var.ingress_rules[count.index]][0]
  to_port           = var.rules[var.ingress_rules[count.index]][1]
  protocol          = var.rules[var.ingress_rules[count.index]][2]
}
One solution I can see is to create the security group and its associated rules in different modules, but is there a way to fix the code to make it work?
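Whatever the fix in the module turns out to be, the plan above shows the operational risk in this pattern: a count that flips to 0 makes Terraform delete a live security group, and an apply that runs unattended would carry that out. The following added example (not part of the question or of any Terraform project) is a small pre-apply gate that reads the machine-readable plan (`terraform show -json tfplan`) and refuses to proceed when any security-group resource is deleted or replaced. The `SENSITIVE_TYPES` set and the `SAMPLE_PLAN` document are constructed for the example; the sample mirrors the plan text in the question and the `action_reason` value is an assumption about how Terraform reports the "index out of range for count" case.

```python
import json

# Resource types whose deletion or replacement should stop an unattended apply.
# Constructed for this example; extend to match your own estate.
SENSITIVE_TYPES = {"aws_security_group", "aws_security_group_rule"}


def destructive_changes(plan_json, sensitive_types=SENSITIVE_TYPES):
    """Return (address, actions, reason) for each sensitive resource the plan deletes or replaces.

    plan_json is the JSON string (or already-parsed dict) produced by
    `terraform show -json <planfile>`. A replace shows up as a change whose
    actions list contains both "delete" and "create", so checking for "delete"
    catches plain destroys and replacements alike.
    """
    plan = json.loads(plan_json) if isinstance(plan_json, str) else plan_json
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in sensitive_types:
            continue
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:
            findings.append((rc["address"], tuple(actions), rc.get("action_reason")))
    return findings


def gate(plan_json):
    """True when the plan contains no destructive change to a sensitive resource."""
    return not destructive_changes(plan_json)


# Constructed sample mirroring the plan shown in the question (not real Terraform output).
# The action_reason string is assumed; Terraform's plan JSON carries the count/index
# explanation in that field.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {
            "address": "module.securitygroups.aws_security_group.this[0]",
            "type": "aws_security_group",
            "name": "this",
            "index": 0,
            "action_reason": "delete_because_count_index",
            "change": {"actions": ["delete"]},
        },
        {
            "address": "module.securitygroups.aws_security_group_rule.egress_with_ipv6_cidr_blocks[0]",
            "type": "aws_security_group_rule",
            "name": "egress_with_ipv6_cidr_blocks",
            "index": 0,
            "change": {"actions": ["create"]},
        },
    ],
})


if __name__ == "__main__":
    # In a pipeline: terraform plan -out tfplan && terraform show -json tfplan | python gate.py
    for address, actions, reason in destructive_changes(SAMPLE_PLAN):
        print(f"BLOCK: {address} {'/'.join(actions)} ({reason})")
    raise SystemExit(0 if gate(SAMPLE_PLAN) else 1)
```

Run against the constructed sample, the gate reports the `aws_security_group.this[0]` destroy and exits non-zero, while the rule creation passes. Wiring this between `terraform plan -out` and `terraform apply tfplan` turns a surprising destroy into a required manual review rather than an outage.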