Make the default security group idempotent

Measurabl · Oct 25, 2019 · 6ad596d · 6ad596d
1 parent 9c36107
commit 6ad596d
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/main.tf b/main.tf
@@ -129,13 +129,6 @@ resource "aws_security_group" "default" {
   description = "Allow inbound traffic from the security groups"
   vpc_id      = var.vpc_id
 
-  ingress {
-    from_port       = var.database_port
-    to_port         = var.database_port
-    protocol        = "tcp"
-    security_groups = var.security_group_ids
-  }
-
   egress {
     from_port   = 0
     to_port     = 0
@@ -146,6 +139,19 @@ resource "aws_security_group" "default" {
   tags = module.label.tags
 }
 
+resource "aws_security_group_rule" "default_ingress" {
+  for_each = toset(var.security_group_ids)
+
+  description              = "default security group ingress"
+  type                     = "ingress"
+  from_port                = var.database_port
+  to_port                  = var.database_port
+  protocol                 = "tcp"
+  source_security_group_id = each.value
+
+  security_group_id = aws_security_group.default.*.id
+}
+
 module "dns_host_name" {
   source  = "git::https://github.com/cloudposse/terraform-aws-route53-cluster-hostname.git?ref=tags/0.3.0"
   enabled = length(var.dns_zone_id) > 0 && var.enabled ? true : false