
get an aws_security_group_rules to delete unwanted stuffs #3095

Closed
ze42 opened this issue Jan 22, 2018 · 5 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
Comments

@ze42

ze42 commented Jan 22, 2018

Hi there,

Affected Resource(s)

  • aws_security_group
  • aws_security_group_rule
  • aws_security_group_rules (non-existent, suggested here)

Actual Behavior

Currently, if we have SGs referencing each other, we have to split at least one of them into an aws_security_group_rule and multiple aws_security_group_rule.

That works nicely, BUT, if we use aws_security_group_rule, it fails to notice if any rogue rule is added outside Terraform, and would leave it there...

Expected Behavior

A way to apply cyclic-rules, and still have the nice Terraform that would help and be able to remove hand-placed rules, like if we had them directly in aws_security_group.

Suggested new resource

Creating an aws_security_group_rules would allow moving from:

  • 1 aws_security_group SG1 with no security-rule
  • 1 aws_security_group SG2 with inline security-rules, referencing SG1
  • N aws_security_group_rule for each rule wanted for SG1

and any extra rule for SG1 not detected/handled by TF (as they could be in any aws_security_group_rule not handled by our current module), to:

  • 1 aws_security_group SG1 with no security-rule
  • 1 aws_security_group SG2 with inline security-rules, referencing SG1
  • 1 aws_security_group_rules for all the rules wanted for SG1

and the rules managed by aws_security_group_rules would be able to work like rules in SG2, and detect any manual addition, and remove them properly.

References

The original aws_security_group_rule seems to be from the following issue, that already suggested it, but was not implemented that way:

Couldn't find any further discussion about such a resource, or a reason to reject it.
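As an added illustration of the layout described in the post (not configuration from the issue or from the provider's own docs): SG1 carries no inline rules and gets its rules from standalone aws_security_group_rule resources, SG2 keeps inline rules that reference SG1, and the cycle is broken because SG1 itself never depends on SG2. The names, ports, CIDRs and the `var.vpc_id` variable are constructed for the example.

```hcl
# Added example (not from the issue). Names, ports and var.vpc_id are
# constructed for illustration.

resource "aws_security_group" "sg1" {
  name   = "sg1-app"
  vpc_id = var.vpc_id # assumed input variable

  # No inline ingress/egress: SG1's rules live in the standalone
  # aws_security_group_rule resources below, so SG1 has no dependency
  # on SG2 and the reference cycle disappears.
}

resource "aws_security_group" "sg2" {
  name   = "sg2-db"
  vpc_id = var.vpc_id

  # Inline rules: Terraform owns SG2's complete rule set, so a rule
  # added by hand shows up as a diff and is removed on the next apply.
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.sg1.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Standalone rules for SG1, referencing SG2. Each resource tracks only
# its own rule; a rule added to SG1 outside Terraform is neither in
# state nor in the plan, which is the gap the issue is about.
resource "aws_security_group_rule" "sg1_from_sg2" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  security_group_id        = aws_security_group.sg1.id
  source_security_group_id = aws_security_group.sg2.id
}

resource "aws_security_group_rule" "sg1_egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  security_group_id = aws_security_group.sg1.id
  cidr_blocks       = ["0.0.0.0/0"]
}
```

With this layout, `terraform plan` reports drift for SG2 (inline rules) but stays silent about extra rules on SG1, so a periodic comparison of SG1's live rules against the rules declared in state is what catches hand-placed additions until a resource that owns the whole rule set exists.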

@jen20 jen20 added bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. labels Jan 25, 2018
@radeksimko
Member

Hi folks,
thanks for reporting this issue. I'm just going to consolidate this debate into a single thread, specifically #3234, which also contains an explanation of the current state and a suggestion for a workaround.

@radeksimko radeksimko added this to the v1.25.0 milestone Jun 21, 2018
@ze42
Author

ze42 commented Jun 21, 2018

How is this a duplicate of #3234?

#3234 is about a single aws_security_group_rule that loses tracking after OOB changes.

Here, I am asking for an object that allows, when used, managing the whole set of security group rules, just like it would be done when defined within the security group's egress/ingress options...

@cytopia

cytopia commented Oct 24, 2018

How is this a duplicate of #3234?

@ze42 @radeksimko I agree, and this issue should not have been closed. The above-stated issue is different from this one. Please re-open.

@riwiki

riwiki commented Mar 1, 2020

Is there any workaround/solution by now? Interested as well; aws_security_group_rule is required in our use case to avoid cyclic dependencies.

@ghost

ghost commented Mar 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 2, 2020