Terraform-provider-aws: AWS Security Group Rule protocol/port error.

Created on 10 Jul 2017  ·  3 comments  ·  Source: hashicorp/terraform-provider-aws

Hi,

Terraform Version

Terraform v0.9.11

Affected Resource(s)

  • aws_security_group_rule

Terraform Configuration Files

```hcl
variable "ports_logstash" {
  description = "Ports used by logstash and graphite"
  default     = ["40000", "40001", "40002", "40003", "40004", "40005", "40006", "40007", "40008", "40009", "40010", "2003", "2005", "8125", "80", "443"]
}

resource "aws_security_group_rule" "Logstash" {
  count       = "${length(var.ports_logstash)}"
  depends_on  = ["aws_security_group.SG-Logstash"]
  type        = "ingress"
  from_port   = "${var.ports_logstash[count.index]}"
  to_port     = "${var.ports_logstash[count.index]}"
  protocol    = -1
  cidr_blocks = ["10.0.1.0/8"]

  security_group_id = "${aws_security_group.SG-Logstash.id}"
}

resource "aws_security_group" "SG-Logstash" {
  name        = "SG-Logstash"
  description = "Access to all ports required for Logstash communication"
  vpc_id      = "${aws_vpc.default.id}"

  tags {
    Name = "SG-Logstash"
  }
}
```

Expected Behavior

Terraform should throw an error that defining protocol as -1 and setting from_port and to_port is not supported, OR create the rule for both tcp and udp.

Actual Behavior

Throws an error that the requested rule is already added, because it's adding an allow-all rule for the specified CIDR.

Steps to Reproduce

  1. Define a new SG rule resource for specific ports, with the same CIDR and different ports.
  2. Run `terraform apply`.
  3. Get the below error:

```
* aws_security_group_rule.Logstash[3]: 1 error(s) occurred:

* aws_security_group_rule.Logstash.3: [WARN] A duplicate Security Group rule was found on (sg-xxxxxxxx). This may be
  a side effect of a now-fixed Terraform issue causing two security groups with
  identical attributes but different source_security_group_ids to overwrite each
  other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
  information and instructions for recovery. Error message: the specified rule "peer: 10.0.1.0/8, ALL, ALLOW" already exists
```

Labels: bug, service/ec2, stale

Most helpful comment

Turns out it's the default behaviour of the AWS API: if you provide protocol=-1 for an aws_security_group_rule you will get an ALL ALLOW rule. This should be mentioned in the terraform docs.

The proper way to go about it is to create two aws_security_group_rule resources, one for tcp and one for udp, e.g.:

```hcl
resource "aws_security_group_rule" "tcpLogstash" {
  count       = "${length(var.ports_logstash)}"
  depends_on  = ["aws_security_group.SG-Logstash"]
  type        = "ingress"
  from_port   = "${var.ports_logstash[count.index]}"
  to_port     = "${var.ports_logstash[count.index]}"
  protocol    = "tcp"
  cidr_blocks = ["10.0.1.0/8"]

  security_group_id = "${aws_security_group.SG-Logstash.id}"
}

resource "aws_security_group_rule" "udpLogstash" {
  count       = "${length(var.ports_logstash)}"
  depends_on  = ["aws_security_group.SG-Logstash"]
  type        = "ingress"
  from_port   = "${var.ports_logstash[count.index]}"
  to_port     = "${var.ports_logstash[count.index]}"
  protocol    = "udp"
  cidr_blocks = ["10.0.1.0/8"]

  security_group_id = "${aws_security_group.SG-Logstash.id}"
}
```
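
The following is an added example, not code from the issue or from terraform-provider-aws, that models the EC2 behaviour described in the issue and in the comment above: a rule with protocol -1 has its from_port/to_port discarded, so all sixteen port-specific "-1" rules in the reporter's config collapse to one "peer: 10.0.1.0/8, ALL, ALLOW" entry (hence the duplicate-rule error), while the tcp/udp split produces 32 distinct rules. It is a pre-apply lint you can run over rules extracted from a config; the dict layout, the `PORTS_LOGSTASH` copy of the reporter's variable and the `lint` findings format are assumptions of this example.

```python
"""Emulate EC2 security-group rule normalization to lint Terraform rules before apply.

Added example; not part of the issue or of terraform-provider-aws. Assumptions:
rules are plain dicts with the same keys as aws_security_group_rule, and the
modelled AWS behaviour is the one described in the issue: protocol -1 ("all")
ignores from_port/to_port and yields a single allow-all rule for the CIDR.
"""

# Constructed copy of the reporter's ports_logstash variable.
PORTS_LOGSTASH = ["40000", "40001", "40002", "40003", "40004", "40005", "40006",
                  "40007", "40008", "40009", "40010", "2003", "2005", "8125", "80", "443"]

# Spellings EC2 treats as "all traffic".
ALL_PROTOCOLS = {"-1", "all"}


def expand_rules(ports, protocols, cidr, rule_type="ingress"):
    """Build one rule dict per (protocol, port), mirroring the count-based
    resources in the issue (protocols=["-1"]) and in the fix (["tcp", "udp"])."""
    return [
        {"type": rule_type, "protocol": str(proto), "from_port": int(p),
         "to_port": int(p), "cidr": cidr}
        for proto in protocols for p in ports
    ]


def effective_rule(rule):
    """Return the rule as EC2 stores it: for an all-protocol rule the port
    fields are dropped, so every port-specific '-1' rule becomes the same
    (type, '-1', None, None, cidr) entry."""
    proto = rule["protocol"].lower()
    if proto in ALL_PROTOCOLS:
        return (rule["type"], "-1", None, None, rule["cidr"])
    return (rule["type"], proto, rule["from_port"], rule["to_port"], rule["cidr"])


def find_duplicates(rules):
    """Map each effective rule that several config rules collapse to onto the
    indices of those rules. A non-empty result predicts the
    'the specified rule ... already exists' error from the issue."""
    buckets = {}
    for i, rule in enumerate(rules):
        buckets.setdefault(effective_rule(rule), []).append(i)
    return {eff: idxs for eff, idxs in buckets.items() if len(idxs) > 1}


def lint(rules):
    """Return findings: ports given on an all-protocol rule (silently widened
    to all traffic from that CIDR) and rule sets that would collide in EC2."""
    findings = []
    for i, rule in enumerate(rules):
        if (rule["protocol"].lower() in ALL_PROTOCOLS
                and (rule["from_port"], rule["to_port"]) != (0, 0)):
            findings.append(
                f"rule {i}: protocol -1 ignores ports {rule['from_port']}-{rule['to_port']}; "
                f"this allows ALL traffic from {rule['cidr']}")
    for eff, idxs in find_duplicates(rules).items():
        findings.append(f"rules {idxs} all map to {eff}; only the first can be created")
    return findings


if __name__ == "__main__":
    # The reporter's config: 16 rules, protocol -1, one port each.
    broken = expand_rules(PORTS_LOGSTASH, ["-1"], "10.0.1.0/8")
    for line in lint(broken):
        print(line)
    # The fix from the comment: separate tcp and udp rules per port.
    fixed = expand_rules(PORTS_LOGSTASH, ["tcp", "udp"], "10.0.1.0/8")
    print(f"fixed config: {len(fixed)} rules, findings: {lint(fixed)}")
```

Because every "-1" rule maps to the same effective entry, only the first of the sixteen `count` instances can succeed and the others fail with the duplicate-rule error; which index reports the failure depends on the order in which Terraform's parallel creates reach the API. The lint also flags the bigger problem the error hides: the one rule that does get created opens every port and protocol to the CIDR, far wider than the sixteen ports the config lists.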

All 3 comments

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
