
AWS Security Group: Ingress and Egress define "security groups" as optional but if not mentioned it fails as required #20484

Closed
mtedone opened this issue Aug 8, 2021 · 12 comments · Fixed by #21740
Labels
documentation Introduces or discusses updates to documentation. service/ec2 Issues and PRs that pertain to the ec2 service.
Milestone

Comments

@mtedone

mtedone commented Aug 8, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform: V1.0.4
registry.terraform.io/hashicorp/aws: v3.51.0

Affected Resource(s)

  • aws_security_group

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_vpc" "module_vpc" {
  cidr_block           = "10.0.1.0/16"
  enable_dns_hostnames = true
  tags = {
    "Name" = "Production-VPC"
  }
}

resource "aws_security_group" "ec2-security-group" {
  name   = "EC2-Instance-Security-Group"
  vpc_id = aws_vpc.module_vpc.id

  ingress = [
    {
      cidr_blocks      = ["0.0.0.0/0"]
      description      = "Security Group Ingress"
      from_port        = 0
      ipv6_cidr_blocks = ["::/0"]
      prefix_list_ids  = ["pl-0d79201f4d485a2f5"]
      protocol         = "-1"
      //security_groups = [ "${aws_security_group.ec2-security-group.id}" ]
      self    = true
      to_port = 0
    }
  ]

  egress = [
    {
      cidr_blocks      = ["0.0.0.0/0"]
      description      = "Security Group Egress"
      from_port        = 0
      ipv6_cidr_blocks = ["::/0"]
      prefix_list_ids  = ["pl-0d79201f4d485a2f5"]
      protocol         = "-1"
      //security_groups = [ "${aws_security_group.ec2-security-group.id}" ]
      self    = true
      to_port = 0
    }
  ]
}

Debug Output

Terraform Log

Panic Output

Expected Behavior

I should be able to declare ingress and egress for aws_security_group without security_groups

Actual Behavior

Terraform asked for security_groups to be specified as required

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/ec2 Issues and PRs that pertain to the ec2 service. labels Aug 8, 2021
@v3rv

v3rv commented Aug 11, 2021

terraform validate shows that all fields in the ingress and egress blocks are required.
Terraform v1.0.4
AWS Provider v3.53.0

@mtedone
Author

mtedone commented Aug 12, 2021

That's exactly my point. The documentation, however, indicates them as optional: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

@pgiuliano

I have a similar issue: I am defining a security group ingress rule with the security_group argument, but validation is failing. It does not think security_groups is valid instead of cidr_blocks... when according to the docs it is.

{
  "format_version": "0.1",
  "valid": false,
  "error_count": 2,
  "warning_count": 0,
  "diagnostics": [
    {
      "severity": "error",
      "summary": "Incorrect attribute value type",
      "detail": "Inappropriate value for attribute \"ingress\": element 0: attributes \"cidr_blocks\", \"ipv6_cidr_blocks\", \"prefix_list_ids\", and \"self\" are required.",
      "range": {
        "filename": ".terraform/modules/efsOneZone/aws/efs/module.tf",
        "start": {
          "line": 38,
          "column": 13,
          "byte": 1252
        },
        "end": {
          "line": 46,
          "column": 4,
          "byte": 1479
        }
      },
      "snippet": {
        "context": "resource \"aws_security_group\" \"filesystem-ingress\"",
        "code": "  ingress = [\n    {\n      description     = \"Allow from supplied source security group\"\n      from_port       = 2049\n      to_port         = 2049\n      protocol        = \"tcp\"\n      security_groups = var.source_security_group_ids\n    }\n  ]",
        "start_line": 38,
        "highlight_start_offset": 12,
        "highlight_end_offset": 239,
        "values": [
          {
            "traversal": "var.source_security_group_ids",
            "statement": "is a list of string, known only after apply"
          }
        ]
      }
    },

@ewbankkit ewbankkit added documentation Introduces or discusses updates to documentation. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 12, 2021
@ewbankkit
Contributor

Relates: #20428.

@adamdaniel2993

adamdaniel2993 commented Aug 18, 2021

I reported exactly the same in #20599. These arguments are only required if you use the cidr_block argument in your ingress. What I did to solve it was this: I had to use the resource aws_security_group_rule to add the ingress.

resource "aws_security_group" "rds-sg" {
  name        = "rds-sg"
  description = "Security group for test-sg"
  vpc_id      = module.vpc.vpc_id

  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    cidr_blocks = [
      "0.0.0.0/0"
    ]
  }
  tags = {
    name = "RDS Security Group"
  }
}

resource "aws_security_group_rule" "test-ingres" {
  type              = "ingress"
  from_port         = 5432
  to_port           = 5432
  protocol          = "tcp"
  cidr_blocks       = ["my-ip/32"]
  security_group_id = aws_security_group.rds-sg.id
}

@sirpentagon

Working code.

resource "aws_security_group" "this" {
  name        = "allow_tls"
  vpc_id      = "vpc-abcdefgh"
  description = "test"

  ingress {
    description = "Test 1"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "Test 2"
    from_port   = 442
    to_port     = 442
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

@giom-l

giom-l commented Sep 8, 2021

Also hitting this issue after copy/pasting a snippet from the Terraform docs.

However, it worked for me when I defined ingress or egress like this:

resource "aws_security_group" "sg" {
  provider    = aws.region
  vpc_id      = var.vpc_id
  name        = local.name
  description = "definition"

  // Not working
  //  egress = [
  //    {
  //      description      = "Allow all outbound traffic"
  //      from_port        = 0
  //      to_port          = 0
  //      protocol         = "-1"
  //      cidr_blocks      = ["0.0.0.0/0"]
  //      ipv6_cidr_blocks = ["::/0"]
  //      self             = false
  //      prefix_list_ids  = []
  //      security_groups  = []
  //    }
  //  ]

  // working
  egress {
    description = "Allow all outbound traffic"
    protocol    = "-1"
    from_port   = 0
    to_port     = 0
    cidr_blocks = [
      "0.0.0.0/0",
    ]
  }
}

Is the first one (with `egress = [...]`) the way (as stated in the [docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group)) to be able to use the SG with `aws_security_group_rule`?

I'm a little bit confused about that.

@paulgear

This continues to be a problem on provider 3.58.0. The omission of what should be optional attributes results in:

│ Error: Incorrect attribute value type
│ 
│   on sg.tf line 6, in resource "aws_security_group" "alb_allow_https":
│    6:   ingress = [
│    7:     {
│    8:       description      = "HTTPS from everywhere"
│    9:       from_port        = 443
│   10:       to_port          = 443
│   11:       protocol         = "tcp"
│   12:       cidr_blocks      = ["0.0.0.0/0"]
│   13:       ipv6_cidr_blocks = ["::/0"]
│   14:     }
│   15:   ]
│ 
│ Inappropriate value for attribute "ingress": element 0: attributes "prefix_list_ids", "security_groups", and "self" are required.

and the conversion to a single object mentioned as working above results in:

╷
│ Error: Incorrect attribute value type
│ 
│   on sg.tf line 6, in resource "aws_security_group" "alb_allow_https":
│    6:   ingress = {
│    7:     description      = "HTTPS from everywhere"
│    8:     from_port        = 443
│    9:     to_port          = 443
│   10:     protocol         = "tcp"
│   11:     cidr_blocks      = ["0.0.0.0/0"]
│   12:     ipv6_cidr_blocks = ["::/0"]
│   13:   }
│ 
│ Inappropriate value for attribute "ingress": set of object required.
╵

The only way I could make this rule work was supplying empty/false values for the attributes which should be optional.

@giom-l

giom-l commented Sep 14, 2021

@paulgear
What is mentioned to work above is having

ingress { 
...
}

Instead of

ingress = {
...
}

You need to remove the equal sign to get it to work.

But still it is a bug...
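To make the distinction in this thread concrete, here is an added example (not from the issue or the provider's own docs) showing both forms Terraform accepts for the same rule set: block syntax, where omitted arguments default to null, and attribute syntax, where the full object type must be spelled out with null for anything unused. `var.vpc_id` and `var.alb_sg_id` are assumed inputs; the rules restrict inbound HTTPS to a source security group rather than the whole internet.

```hcl
# Added example, not from the issue thread. var.vpc_id and var.alb_sg_id
# are assumptions standing in for the VPC and the upstream ALB's security group.
variable "vpc_id" { type = string }
variable "alb_sg_id" { type = string }

# 1. Block syntax: list only the arguments you need; the rest default to null.
resource "aws_security_group" "app_block_syntax" {
  name        = "app-block-syntax"
  description = "HTTPS from the ALB only"
  vpc_id      = var.vpc_id

  ingress {
    description     = "HTTPS from ALB security group"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.alb_sg_id]
  }

  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# 2. Attribute syntax (ingress = [...]): the value must match the full object
#    type, so every attribute is present and the unused ones are set to null.
resource "aws_security_group" "app_attribute_syntax" {
  name        = "app-attribute-syntax"
  description = "HTTPS from the ALB only"
  vpc_id      = var.vpc_id

  ingress = [
    {
      description      = "HTTPS from ALB security group"
      from_port        = 443
      to_port          = 443
      protocol         = "tcp"
      cidr_blocks      = null
      ipv6_cidr_blocks = null
      prefix_list_ids  = null
      security_groups  = [var.alb_sg_id]
      self             = null
    }
  ]
}
```

Attribute syntax is only worth the verbosity when the rule set is computed (for example built with a `for` expression); for hand-written rules the block form is simpler and passes `terraform validate` without the "are required" error quoted above.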

@paulgear

@giom-l Thanks - my eyes must need checking! :-)

@github-actions

This functionality has been released in v3.65.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 29, 2022