Self-referential Resource (this)

[buth]

In AWS it is possible to create a security group that has ingress rules for itself. For instance you may want to do something like this to setup an etcd cluster:

resource "aws_security_group" "etcd" {
    name = "etcd"
    description = "Allow in-group etcd communication."
    vpc_id = "${var.aws_vpc_id}"
    ingress {
        from_port = 7001
        to_port = 7001
        protocol = "tcp"
        security_groups = ["${aws_security_group.etcd.id}"]
    }
}

However, this causes a dependency cycle error.

Errors:

  * Error creating graph: The dependency graph is not valid:

* Cycle: aws_security_group.etcd

Is there some other way to accomplish this?

[gibsop1]

Bit convoluted but a work around.

Create two SG's, sg1 & sg2.

Assign an ingress rule of cidr_block = ["0.0.0.0/32"] to sg1 (this is required as you can't not assign an ingress rule and will not allow any traffic in)

Assign an ingress rule of security_group = ["aws_security_group.sg1.id"] to sg2.

Assign both sg1 & sg2 to your instances.

You can obviously add any more specific ingress rules to either sg1 or sg2

gist of the plan I used here:
https://gist.github.com/gibsop1/459bcc22ff3074996fb3

[mitchellh]

This might be a dup, but I can't find it right now. I think the solution we discussed that is the lowest touch for now is to introduce a 2nd resource aws_security_group_ingress.

In the future, I've discussed ways of allowing self references that work, but it would be a pretty large change we don't want to pursue right now. @gibsop1's workaround works, too.

[buth]

The second resource makes sense to me, and seems to follow the API more closely in that ingress rules are separate things that depend on one or more security groups.

For now the workaround should be fine; thanks all!

[alekstorm]

Dupe of #167.

[errordeveloper]

I think someone should change the title of this ticket to reflect the fact that it's more general then what the title states right now.

[pearkes]

@errordeveloper I changed this to reflect us being aware of this use case for future searchers, but we don't have immediate plans to add it. (see also #167 (comment)).

#28 now has a "break-out security group ingress rules into it's own resource" as a task, as suggested here: #28 (comment).

[flozano]

This is unfortunately a big blocker for some infrastructure designs in which it's assumed that instances within the same security group can freely connect to themselves.

I understand self-referential variables maybe too challenging to implement at this stage, but maybe having another parameter like:

    ingress {
        from_port = 7001
        to_port = 7001
        protocol = "tcp"
        self_source = true
    }

or something similar could make this pretty extended use-case solved for now, not in the most elegant way (but way better than creating dummy security groups when AWS is perfectly capable of doing it).

[mitchellh]

@flozano That sounds like the best approach. We're doing this now.

[flozano]

👍 thanks!

[mitchellh]

Done!