Security Groups do not allow ICMP

[wazoo]

I was trying to create a security group with the following configuration:

ingress {
  protocol = "icmp"
  security_groups = ["${aws_security_group.sgr_test_nodes.id}"]
}

and I get the following error:

Errors:

  * 'aws_security_group.sgr_test_nodes' error: ingress.2.from_port: required field is not set
  * 'aws_security_group.sgr_test_nodes' error: ingress.2.to_port: required field is not set

While I understand why this error is happening, ICMP doesn't really have a port and if you try to specify one you get this error from amazon:

Error applying plan:

1 error(s) occurred:

* Error revoking security group ingress rules: ICMP code (65535) out of range (InvalidParameterValue)

Is there a specific way to configure ICMP? From looking at resource_aws_security_group.go it didn't look that way so this may be a feature request, maybe a rule type or something so that way we could accomplish the ability to do "all tcp" or whatever without having to specify ports.

[ltcdnunez]

I think I just sorted this out. As it happens, Amazon uses the same interface for CloudFormation and there is some documentation on how to use ICMP. The from_port is the ICMP type number and the to_port is the ICMP code (which does not exist for many types and should be either 0 or -1 in that case). See the Amazon CloudFormation Documentation for details. And here are the ICMP types/codes.

Here's an example of how to allow inbound echo requests:

ingress {
  protocol = 200
  cidr_block = "10.0.1.0/24"
  protocol = "icmp"
  from_port = 8
  to_port = 0
}

[catsby]

The from_port is the ICMP type number and the to_port is the ICMP code

That's... disappointing to hear... Network ACLs have an explicit icmp_type and icmp_type code parameter. I came here expecting I needed to add those here, but sadness...

Sounds like the solution for this issue then is to document this on the Security Group and Security Group Rules docs, agreed?

[ltcdnunez]

@catsby I discovered after this that the Network ACL rules break when attempting to use this because of exactly what you're saying about the icmp_type and icmp_code parameters. It looks like you submitted a pull request to fix this for issue #2148, however.

To be clear, ICMP works fine when creating Security Group Rules if you do what I described before, but not in Network ACL in terraform v0.51.0 (and presumably lower). This does appear to mirror the AWS API for Security Group Rules.

[seanknox]

For those out there who want to allow incoming ICMP echo ("ping") from any source via a security group, this does the trick:

  ingress {
    from_port = 8
    to_port = 0
    protocol = "icmp"
    cidr_blocks = ["0.0.0.0/0"]
  }

[stack72]

The documentation has been updated to reflect ICMP. I am going to close this issue. If you feel that the documentation is not as clear as it can be, please let us know

Thanks

Paul

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.