I was trying to create AWS rules by defining a data structure for my desired security groups, and also a data structure for my rules.
Example:
locals {
  security_groups = {
    sg1 = ["sg_name", "sg_description"]
    sg2 = ["sg_name2", "sg_description"]
  }
  security_groups_rules = [
    { type = "ingress", from_port = 10, to_port = 10, protocol = "TCP",
      cidr_blocks = ["0.0.0.0/0"], description = "rule description",
      sg_name = local.security_groups.sg1[0], sg_id = null },
    # … more rules
  ]
}

resource "aws_security_group" "sg" {
  for_each    = local.security_groups
  name        = each.value[0]
  description = each.value[1]
  vpc_id      = var.vpc_id
}

locals {
  sg_name_to_id = { for sg in aws_security_group.sg : sg.name => sg.id }
}

resource "aws_security_group_rule" "rule" {
  count             = length(local.security_groups_rules)
  type              = lookup(local.security_groups_rules[count.index], "type")
  from_port         = lookup(local.security_groups_rules[count.index], "from_port")
  to_port           = lookup(local.security_groups_rules[count.index], "to_port")
  protocol          = lookup(local.security_groups_rules[count.index], "protocol")
  cidr_blocks       = lookup(local.security_groups_rules[count.index], "cidr_blocks")
  description       = lookup(local.security_groups_rules[count.index], "description")
  security_group_id = lookup(local.sg_name_to_id,
    lookup(local.security_groups_rules[count.index], "sg_name"))
}
In this example, if I add more security groups, all my current rules need to be recreated.
In this example, if I add a rule in between existing rules, all the rules beneath it will need to be recreated.
- Is it happening because, with the changes described, local.sg_name_to_id needs to be recomputed and thus aws_security_group_rule.rule needs to be re-evaluated, resulting in re-creation of the rules?
- My goal is to have my rules well organised and maintained from Terraform, and to have the ability to make changes without requiring recreation with every change.
- Are there any best practices for doing that?
Thanks
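The following is an added example, not part of the original post, showing the same two groups and their rules written with for_each keyed by stable strings instead of count. With count, each rule's address is its list position, so inserting a rule in the middle shifts every later rule to a new index and Terraform plans to destroy and recreate them; with a map key, adding or removing an entry touches only that one instance. The group and rule names, the second rule, the VPC CIDR and the moved-block index are assumptions for illustration; var.vpc_id is the same variable the post uses.

```hcl
# Added example, not code from the original post. Assumes the hashicorp/aws
# provider and a VPC id supplied in var.vpc_id; all names below are illustrative.

variable "vpc_id" {
  type = string
}

locals {
  security_groups = {
    sg1 = { name = "sg_name",  description = "sg_description" }
    sg2 = { name = "sg_name2", description = "sg_description2" }
  }

  # Rules keyed by a stable, human-chosen string. Keys describe the rule's
  # purpose rather than its values, so editing a port or CIDR changes the
  # instance in place instead of renaming (and therefore recreating) it.
  security_group_rules = {
    sg1_tcp10_from_anywhere = {
      sg          = "sg1"
      type        = "ingress"
      from_port   = 10
      to_port     = 10
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "rule description"
    }
    sg2_https_from_vpc = {               # assumed second rule
      sg          = "sg2"
      type        = "ingress"
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["10.0.0.0/16"]      # assumed VPC CIDR
      description = "HTTPS from inside the VPC"
    }
  }
}

resource "aws_security_group" "sg" {
  for_each    = local.security_groups
  name        = each.value.name
  description = each.value.description
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "rule" {
  for_each          = local.security_group_rules
  type              = each.value.type
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  protocol          = each.value.protocol
  cidr_blocks       = each.value.cidr_blocks
  description       = each.value.description
  # Index the group resource directly by its map key: no name-to-id lookup
  # table is needed and the dependency on the group is explicit.
  security_group_id = aws_security_group.sg[each.value.sg].id
}

# Migrating an instance that already exists under the count-based address to
# its new key, so the switch itself does not destroy it (Terraform 1.1+).
# The index 0 and the target key are assumed to match the existing state.
moved {
  from = aws_security_group_rule.rule[0]
  to   = aws_security_group_rule.rule["sg1_tcp10_from_anywhere"]
}
```

Two practical notes on this pattern: the value referenced by the map key (here `each.value.sg`) must be known at plan time, which is why the key is a literal string and not an attribute read back from the API; and because the key is the instance's identity, renaming a key is a recreate unless you add a matching `moved` block, so choose keys you will not need to rename. Removing a group from `local.security_groups` while a rule still references it fails at plan time rather than silently orphaning the rule.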