39 | > Watch demo of using Atmos with Terraform
40 | > 
41 | > Example of running atmos to manage infrastructure from our Quick Start tutorial.
42 | >
43 |
44 |
45 |
46 |
47 |
48 | ## Usage
49 |
50 | This module is primarily for setting security group rules on a security group. You can provide the
51 | ID of an existing security group to modify, or, by default, this module will create a new security
52 | group and apply the given rules to it.
53 |
54 | This module can be used very simply, but it is actually quite complex because it is attempting to handle
55 | numerous interrelationships, restrictions, and a few bugs in ways that offer a choice between zero
56 | service interruption for updates to a security group not referenced by other security groups
57 | (by replacing the security group with a new one) versus brief service interruptions for security groups that must be preserved.
58 |
59 | ### Avoiding Service Interruptions
60 |
61 | It is desirable to avoid having service interruptions when updating a security group. This is not always
62 | possible due to the way Terraform organizes its activities and the fact that AWS will reject an attempt
63 | to create a duplicate of an existing security group rule. There is also the issue that while most AWS
64 | resources can be associated with and disassociated from security groups at any time, there remain some
65 | that may not have their security group association changed, and an attempt to change their security group
66 | will cause Terraform to delete and recreate the resource.
67 |
68 | #### The 2 Ways Security Group Changes Cause Service Interruptions
69 |
70 | Changes to a security group can cause service interruptions in 2 ways:
71 |
72 | 1. Changing rules may be implemented as deleting existing rules and creating new ones. During the
73 | period between deleting the old rules and creating the new rules, the security group will block
74 | traffic intended to be allowed by the new rules.
75 | 2. Changing rules may alternately be implemented as creating a new security group with the new rules
76 | and replacing the existing security group with the new one (then deleting the old one).
77 | This usually works with no service interruption in the case where all resources that reference the
78 | security group are part of the same Terraform plan.
79 | However, if, for example, the security group ID is referenced in a security group
80 | rule in a security group that is not part of the same Terraform plan, then AWS will not allow the
81 | existing (referenced) security group to be deleted, and even if it did, Terraform would not know
82 | to update the rule to reference the new security group.
83 |
84 | The key question you need to answer to decide which configuration to use is "will anything break
85 | if the security group ID changes". If not, then use the defaults `create_before_destroy = true` and
86 | `preserve_security_group_id = false` and do not worry about providing "keys" for
87 | security group rules. This is the default because it is the easiest and safest solution when
88 | the way the security group is being used allows it.
89 |
90 | If things will break when the security group ID changes, then set `preserve_security_group_id`
91 | to `true`. Also read and follow the guidance below about [keys](#the-importance-of-keys) and
92 | [limiting Terraform security group rules to a single AWS security group rule](#terraform-rules-vs-aws-rules)
93 | if you want to mitigate against service interruptions caused by rule changes.
94 | Note that even in this case, you probably want to keep `create_before_destroy = true` because otherwise,
95 | if some change requires the security group to be replaced, Terraform will likely succeed
96 | in deleting all the security group rules but fail to delete the security group itself,
97 | leaving the associated resources completely inaccessible. At least with `create_before_destroy = true`,
98 | the new security group will be created and used where Terraform can make the changes,
99 | even though the old security group will still fail to be deleted.
100 |
101 | #### The 3 Ways to Mitigate Against Service Interruptions
102 |
103 | ##### Security Group `create_before_destroy = true`
104 |
105 | The most important option is `create_before_destroy` which, when set to `true` (the default),
106 | ensures that a new replacement security group is created before an existing one is destroyed.
107 | This is particularly important because a security group cannot be destroyed while it is associated with
108 | a resource (e.g. a load balancer), but "destroy before create" behavior causes Terraform
109 | to try to destroy the security group before disassociating it from associated resources,
110 | so plans fail to apply with the error
111 |
112 | ```
113 | Error deleting security group: DependencyViolation: resource sg-XXX has a dependent object
114 | ```
115 |
116 | With "create before destroy" and any resources dependent on the security group as part of the
117 | same Terraform plan, replacement happens successfully:
118 |
119 | 1. New security group is created
120 | 2. Resource is associated with the new security group and disassociated from the old one
121 | 3. Old security group is deleted successfully because there is no longer anything associated with it
122 |
123 | (If there is a resource dependent on the security group that is also outside the scope of
124 | the Terraform plan, the old security group will fail to be deleted and you will have to
125 | address the dependency manually.)
126 |
127 | Note that the module's default configuration of `create_before_destroy = true` and
128 | `preserve_security_group_id = false` will force "create before destroy" behavior on the target security
129 | group, even if the module did not create it and instead you provided a `target_security_group_id`.
130 |
131 | Unfortunately, just creating the new security group first is not enough to prevent a service interruption. Keep reading.
132 |
133 | ##### Setting Rule Changes to Force Replacement of the Security Group
134 |
135 | A security group by itself is just a container for rules. It only functions as desired when all the rules are in place.
136 | If using the Terraform default "destroy before create" behavior for rules, even when using `create_before_destroy` for the
137 | security group itself, an outage occurs when updating the rules or security group, because the order of operations is:
138 |
139 | 1. Delete existing security group rules (triggering a service interruption)
140 | 2. Create the new security group
141 | 3. Associate the new security group with resources and disassociate the old one (which can take a substantial
142 | amount of time for a resource like a NAT Gateway)
143 | 4. Create the new security group rules (restoring service)
144 | 5. Delete the old security group
145 |
146 | To resolve this issue, the module's default configuration of `create_before_destroy = true` and
147 | `preserve_security_group_id = false` causes any change in the security group rules
148 | to trigger the creation of a new security group. With that, a rule change causes operations to occur in this order:
149 |
150 | 1. Create the new security group
151 | 2. Create the new security group rules
152 | 3. Associate the new security group with resources and disassociate the old one
153 | 4. Delete the old security group rules
154 | 5. Delete the old security group
155 |
156 | ##### Preserving the Security Group
157 |
158 | There can be a downside to creating a new security group with every rule change.
159 | If you want to prevent the security group ID from changing unless absolutely necessary, perhaps because the associated
160 | resource does not allow the security group to be changed or because the ID is referenced somewhere (like in
161 | another security group's rules) outside of this Terraform plan, then you need to set `preserve_security_group_id` to `true`.
162 |
163 | The main drawback of this configuration is that there will normally be
164 | a service outage during an update, because existing rules will be deleted before replacement
165 | rules are created. Using keys to identify rules can help limit the impact, but even with keys, simply adding a
166 | CIDR to the list of allowed CIDRs will cause that entire rule to be deleted and recreated, causing a temporary
167 | access denial for all of the CIDRs in the rule. (For more on this and how to mitigate against it, see [The Importance
168 | of Keys](#the-importance-of-keys) below.)
169 |
170 | Also note that setting `preserve_security_group_id` to `true` does not prevent Terraform from replacing the
171 | security group when modifying it is not an option, such as when its name or description changes.
172 | However, if you can control the configuration adequately, you can maintain the security group ID and eliminate
173 | impact on other security groups by setting `preserve_security_group_id` to `true`. We still recommend
174 | leaving `create_before_destroy` set to `true` for the times when the security group must be replaced,
175 | to avoid the `DependencyViolation` described above.
176 |
177 | ### Defining Security Group Rules
178 |
179 | We provide a number of different ways to define rules for the security group for a few reasons:
180 | - Terraform type constraints make it difficult to create collections of objects with optional members
181 | - Terraform resource addressing can cause resources that did not actually change to nevertheless be replaced
182 | (deleted and recreated), which, in the case of security group rules, then causes a brief service interruption
183 | - Terraform resource addresses must be known at `plan` time, making it challenging to create rules that
184 | depend on resources being created during `apply` and at the same time are not replaced needlessly when something else changes
185 | - When Terraform rules can be successfully created before being destroyed, there is no service interruption for the resources
186 | associated with that security group (unless the security group ID is used in other security group rules outside
187 | of the scope of the Terraform plan)
188 |
189 | #### The Importance of Keys
190 |
191 | If you are using "create before destroy" behavior for the security group and security group rules, then
192 | you can skip this section and much of the discussion about keys in the later sections, because keys do not matter
193 | in this configuration. However, if you are using "destroy before create" behavior, then a full understanding of keys
194 | as applied to security group rules will help you minimize service interruptions due to changing rules.
195 |
196 | When creating a collection of resources, Terraform requires each resource to be identified by a key,
197 | so that each resource has a unique "address", and changes to resources are tracked by that key.
198 | Every security group rule input to this module accepts optional identifying keys (arbitrary strings) for each rule.
199 | If you do not supply keys, then the rules are treated as a list,
200 | and the index of the rule in the list will be used as its key. This has the unwelcome behavior that removing a rule
201 | from the list will cause all the rules later in the list to be destroyed and recreated. For example, changing
202 | `[A, B, C, D]` to `[A, C, D]` causes rules 1(`B`), 2(`C`), and 3(`D`) to be deleted and new rules 1(`C`) and
203 | 2(`D`) to be created.
204 |
205 | To mitigate against this problem, we allow you to specify keys (arbitrary strings) for each rule. (Exactly how you specify
206 | the key is explained in the next sections.) Going back to our example, if the
207 | initial set of rules were specified with keys, e.g. `[{A: A}, {B: B}, {C: C}, {D: D}]`, then removing `B` from the list
208 | would only cause `B` to be deleted, leaving `C` and `D` intact.
209 |
210 | Note, however, two cautions. First, the keys must be known at `terraform plan` time and therefore cannot depend
211 | on resources that will be created during `apply`. Second, in order to be helpful, the keys must remain consistently
212 | attached to the same rules. For example, if you did
213 |
214 | ```hcl
215 | rule_map = { for i, v in rule_list : i => v }
216 | ```
217 |
218 | then you will have merely recreated the initial problem with using a plain list. If you cannot attach
219 | meaningful keys to the rules, there is no advantage to specifying keys at all.
220 |
221 | #### Terraform Rules vs AWS Rules
222 |
223 | A single security group rule input can actually specify multiple AWS security group rules. For example,
224 | `ipv6_cidr_blocks` takes a list of CIDRs. However, AWS security group rules do not allow for a list
225 | of CIDRs, so the AWS Terraform provider converts that list of CIDRs into a list of AWS security group rules,
226 | one for each CIDR. (This is the underlying cause of several AWS Terraform provider bugs,
227 | such as [#25173](https://github.com/hashicorp/terraform-provider-aws/issues/25173).)
228 | As of this writing, any change to any element of such a rule will cause
229 | all the AWS rules specified by the Terraform rule to be deleted and recreated, causing the same kind of
230 | service interruption we sought to avoid by providing keys for the rules, or, when create_before_destroy = true,
231 | causing a complete failure as Terraform tries to create duplicate rules which AWS rejects. To guard against this issue,
232 | when not using the default behavior, you should avoid the convenience of specifying multiple AWS rules
233 | in a single Terraform rule and instead create a separate Terraform rule for each source or destination specification.
234 |
235 | ##### `rules` and `rules_map` inputs
236 | This module provides 3 ways to set security group rules. You can use any or all of them at the same time.
237 |
238 | The easy way to specify rules is via the `rules` input. It takes a list of rules. (We will define
239 | a rule [a bit later](#definition-of-a-rule).) The problem is that a Terraform list must be composed
240 | of elements that are all the exact same type, and rules can be any of several
241 | different Terraform types. So to get around this restriction, the second
242 | way to specify rules is via the `rules_map` input, which is more complex.
243 |
244 | Why the input is so complex (click to reveal)
245 |
246 | - Terraform has 3 basic simple types: bool, number, string
247 | - Terraform then has 3 collections of simple types: list, map, and set
248 | - Terraform then has 2 structural types: object and tuple. However, these are not really single
249 | types. They are catch-all labels for values that are themselves combination of other values.
250 | (This will become a bit clearer after we define `maps` and contrast them with `objects`)
251 |
252 | One [rule of the collection types](https://www.terraform.io/docs/language/expressions/type-constraints.html#collection-types)
253 | is that the values in the collections must all be the exact same type.
254 | For example, you cannot have a list where some values are boolean and some are string. Maps require
255 | that all keys be strings, but the map values can be any type, except again all the values in a map
256 | must be the same type. In other words, the values of a map must form a valid list.
257 |
258 | Objects look just like maps. The difference between an object and a map is that the values in an
259 | object do not all have to be the same type.
260 |
261 | The "type" of an object is itself an object: the keys are the same, and the values are the types of the values in the object.
262 |
263 | So although `{ foo = "bar", baz = {} }` and `{ foo = "bar", baz = [] }` are both objects,
264 | they are not of the same type, and you can get error messages like
265 |
266 | ```
267 | Error: Inconsistent conditional result types
268 | The true and false result expressions must have consistent types. The given
269 | expressions are object and object, respectively.
270 | ```
271 |
272 | This means you cannot put them both in the same list or the same map,
273 | even though you can put them in a single tuple or object.
274 | Similarly, and closer to the problem at hand,
275 |
276 | ```hcl
277 | cidr_rule = {
278 | type = "ingress"
279 | cidr_blocks = ["0.0.0.0/0"]
280 | }
281 | ```
282 | is not the same type as
283 |
284 | ```hcl
285 | self_rule = {
286 | type = "ingress"
287 | self = true
288 | }
289 | ```
290 |
291 | This means you cannot put both of those in the same list.
292 |
293 | ```hcl
294 | rules = tolist([local.cidr_rule, local.self_rule])
295 | ```
296 |
297 | Generates the error
298 |
299 | ```text
300 | Invalid value for "v" parameter: cannot convert tuple to list of any single type.
301 | ```
302 |
303 | You could make them the same type and put them in a list,
304 | like this:
305 |
306 | ```hcl
307 | rules = tolist([{
308 | type = "ingress"
309 | cidr_blocks = ["0.0.0.0/0"]
310 | self = null
311 | },
312 | {
313 | type = "ingress"
314 | cidr_blocks = []
315 | self = true
316 | }])
317 | ```
318 |
319 | That remains an option for you when generating the rules, and is probably better when you have full control over all the rules.
320 | However, what if some of the rules are coming from a source outside of your control? You cannot simply add those rules
321 | to your list. So, what to do? Create an object whose attributes' values can be of different types.
322 |
323 | ```hcl
324 | { mine = local.my_rules, theirs = var.their_rules }
325 | ```
326 |
327 | That is why the `rules_map` input is available. It will accept a structure like that, an object whose
328 | attribute values are lists of rules, where the lists themselves can be different types.
329 |
330 |
635 | > ✅ Your team owns everything.
636 | > ✅ 100% Open Source and backed by fanatical support.
637 | >
638 | > 
639 | > 📚 Learn More
640 | >
641 | >
642 | >
643 | > Cloud Posse is the leading [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-security-group&utm_content=commercial_support) for funded startups and enterprises.
644 | >
645 | > *Your team can operate like a pro today.*
646 | >
647 | > Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.
648 | > #### Day-0: Your Foundation for Success
649 | > - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code.
650 | > - **Deployment Strategy.** Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
651 | > - **Site Reliability Engineering.** Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
652 | > - **Security Baseline.** Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations.
653 | > - **GitOps.** Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions.
654 | >
655 | >
656 | >
657 | > #### Day-2: Your Operational Mastery
658 | > - **Training.** Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
659 | > - **Support.** Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
660 | > - **Troubleshooting.** Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
661 | > - **Code Reviews.** Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration.
662 | > - **Bug Fixes.** Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly.
663 | > - **Migration Assistance.** Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value.
664 | > - **Customer Workshops.** Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate.
665 | >
666 | >
667 | >
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no |
711 | | [allow\_all\_egress](#input\_allow\_all\_egress) | A convenience that adds to the rules specified elsewhere a rule that allows all egress.
If this is false and no egress rules are specified via `rules` or `rule-matrix`, then no egress will be allowed. | `bool` | `true` | no |
712 | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no |
713 | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | {
"additional_tag_map": {},
"attributes": [],
"delimiter": null,
"descriptor_formats": {},
"enabled": true,
"environment": null,
"id_length_limit": null,
"label_key_case": null,
"label_order": [],
"label_value_case": null,
"labels_as_tags": [
"unset"
],
"name": null,
"namespace": null,
"regex_replace_chars": null,
"stage": null,
"tags": {},
"tenant": null
} | no |
714 | | [create\_before\_destroy](#input\_create\_before\_destroy) | Set `true` to enable terraform `create_before_destroy` behavior on the created security group.
We only recommend setting this `false` if you are importing an existing security group
that you do not want replaced and therefore need full control over its name.
Note that changing this value will always cause the security group to be replaced. | `bool` | `true` | no |
715 | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no |
716 | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
717 | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
718 | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
719 | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no |
720 | | [inline\_rules\_enabled](#input\_inline\_rules\_enabled) | NOT RECOMMENDED. Create rules "inline" instead of as separate `aws_security_group_rule` resources.
See [#20046](https://github.com/hashicorp/terraform-provider-aws/issues/20046) for one of several issues with inline rules.
See [this post](https://github.com/hashicorp/terraform-provider-aws/pull/9032#issuecomment-639545250) for details on the difference between inline rules and rule resources. | `bool` | `false` | no |
721 | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no |
722 | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no |
723 | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no |
724 | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | [
"default"
]
| no |
725 | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no |
726 | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no |
727 | | [preserve\_security\_group\_id](#input\_preserve\_security\_group\_id) | When `false` and `create_before_destroy` is `true`, changes to security group rules
cause a new security group to be created with the new rules, and the existing security group is then
replaced with the new one, eliminating any service interruption.
When `true` or when changing the value (from `false` to `true` or from `true` to `false`),
existing security group rules will be deleted before new ones are created, resulting in a service interruption,
but preserving the security group itself.
**NOTE:** Setting this to `true` does not guarantee the security group will never be replaced,
it only keeps changes to the security group rules from triggering a replacement.
See the README for further discussion. | `bool` | `false` | no |
728 | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no |
729 | | [revoke\_rules\_on\_delete](#input\_revoke\_rules\_on\_delete) | Instruct Terraform to revoke all of the Security Group's attached ingress and egress rules before deleting
the security group itself. This is normally not needed. | `bool` | `false` | no |
730 | | [rule\_matrix](#input\_rule\_matrix) | A convenient way to apply the same set of rules to a set of subjects. See README for details. | `any` | `[]` | no |
731 | | [rules](#input\_rules) | A list of Security Group rule objects. All elements of a list must be exactly the same type;
use `rules_map` if you want to supply multiple lists of different types.
The keys and values of the Security Group rule objects are fully compatible with the `aws_security_group_rule` resource,
except for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique
and known at "plan" time.
To get more info see the `security_group_rule` [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule).
\_\_\_Note:\_\_\_ The length of the list must be known at plan time.
This means you cannot use functions like `compact` or `sort` when computing the list. | `list(any)` | `[]` | no |
732 | | [rules\_map](#input\_rules\_map) | A map-like object of lists of Security Group rule objects. All elements of a list must be exactly the same type,
so this input accepts an object with keys (attributes) whose values are lists so you can separate different
types into different lists and still pass them into one input. Keys must be known at "plan" time.
The keys and values of the Security Group rule objects are fully compatible with the `aws_security_group_rule` resource,
except for `security_group_id` which will be ignored, and the optional "key" which, if provided, must be unique
and known at "plan" time.
To get more info see the `security_group_rule` [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule). | `any` | `{}` | no |
733 | | [security\_group\_create\_timeout](#input\_security\_group\_create\_timeout) | How long to wait for the security group to be created. | `string` | `"10m"` | no |
734 | | [security\_group\_delete\_timeout](#input\_security\_group\_delete\_timeout) | How long to retry on `DependencyViolation` errors during security group deletion from
lingering ENIs left by certain AWS services such as Elastic Load Balancing. | `string` | `"15m"` | no |
735 | | [security\_group\_description](#input\_security\_group\_description) | The description to assign to the created Security Group.
Warning: Changing the description causes the security group to be replaced. | `string` | `"Managed by Terraform"` | no |
736 | | [security\_group\_name](#input\_security\_group\_name) | The name to assign to the security group. Must be unique within the VPC.
If not provided, will be derived from the `null-label.context` passed in.
If `create_before_destroy` is true, will be used as a name prefix. | `list(string)` | `[]` | no |
737 | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no |
738 | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no |
739 | | [target\_security\_group\_id](#input\_target\_security\_group\_id) | The ID of an existing Security Group to which Security Group rules will be assigned.
The Security Group's name and description will not be changed.
Not compatible with `inline_rules_enabled` or `revoke_rules_on_delete`.
If not provided (the default), this module will create a security group. | `list(string)` | `[]` | no |
740 | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no |
741 | | [vpc\_id](#input\_vpc\_id) | The ID of the VPC where the Security Group will be created. | `string` | n/a | yes |
742 |
743 | ## Outputs
744 |
745 | | Name | Description |
746 | |------|-------------|
747 | | [arn](#output\_arn) | The created Security Group ARN (null if using existing security group) |
748 | | [id](#output\_id) | The created or target Security Group ID |
749 | | [name](#output\_name) | The created Security Group Name (null if using existing security group) |
750 | | [rules\_terraform\_ids](#output\_rules\_terraform\_ids) | List of Terraform IDs of created `security_group_rule` resources, primarily provided to enable `depends_on` |
751 |
752 |
753 |
754 |
755 |
756 |
757 |
758 |
759 | ## Related Projects
760 |
761 | Check out these related projects.
762 |
763 | - [terraform-null-label](https://github.com/cloudposse/terraform-null-label) - Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention.
764 |
765 |
766 | ## References
767 |
768 | For additional context, refer to some of these links.
769 |
770 | - [terraform-provider-aws](https://registry.terraform.io/providers/hashicorp/aws/latest) - Terraform AWS provider
771 |
772 |
773 |
774 |
775 | ## ✨ Contributing
776 |
777 | This project is under active development, and we encourage contributions from our community.
778 |
779 |
780 |
781 | Many thanks to our outstanding contributors:
782 |
783 |
784 | 
785 |
786 |
787 | For 🐛 bug reports & feature requests, please use the [issue tracker](https://github.com/cloudposse/terraform-aws-security-group/issues).
788 |
789 | In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.
790 | 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-security-group/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md).
791 | 2. **Fork** the repo on GitHub
792 | 3. **Clone** the project to your own machine
793 | 4. **Commit** changes to your own branch
794 | 5. **Push** your work back up to your fork
795 | 6. Submit a **Pull Request** so that we can review your changes
796 |
797 | **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request!
798 |
799 | ### 🌎 Slack Community
800 |
801 | Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-security-group&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure.
802 |
803 | ### 📰 Newsletter
804 |
805 | Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-security-group&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know.
806 | Dropped straight into your Inbox every week — and usually a 5-minute read.
807 |
808 | ### 📆 Office Hours 
809 |
810 | [Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-security-group&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else.
811 | It's **FREE** for everyone!
812 | ## License
813 |
814 | 
815 |
816 |
817 | Preamble to the Apache License, Version 2.0
818 |
819 |
820 |
821 | Complete license is available in the [`LICENSE`](LICENSE) file.
822 |
823 | ```text
824 | Licensed to the Apache Software Foundation (ASF) under one
825 | or more contributor license agreements. See the NOTICE file
826 | distributed with this work for additional information
827 | regarding copyright ownership. The ASF licenses this file
828 | to you under the Apache License, Version 2.0 (the
829 | "License"); you may not use this file except in compliance
830 | with the License. You may obtain a copy of the License at
831 |
832 | https://www.apache.org/licenses/LICENSE-2.0
833 |
834 | Unless required by applicable law or agreed to in writing,
835 | software distributed under the License is distributed on an
836 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
837 | KIND, either express or implied. See the License for the
838 | specific language governing permissions and limitations
839 | under the License.
840 | ```
841 |
842 |
843 | ## Trademarks
844 |
845 | All other trademarks referenced herein are the property of their respective owners.
846 |
847 |
848 | ## Copyrights
849 |
850 | Copyright © 2021-2025 [Cloud Posse, LLC](https://cloudposse.com)
851 |
852 |
853 |
854 | 
855 |
856 | 
857 |
--------------------------------------------------------------------------------
/README.yaml:
--------------------------------------------------------------------------------
1 | #
2 | # This is the canonical configuration for the `README.md`
3 | # Run `make readme` to rebuild the `README.md`
4 | #
5 |
6 | # Name of this project
7 | name: terraform-aws-security-group
8 |
9 | # Tags of this project
10 | tags:
11 | - aws
12 | - security-group
13 | - terraform
14 | - terraform-modules
15 |
16 | # Logo for this project
17 | #logo: docs/logo.png
18 |
19 | # License of this project
20 | license: "APACHE2"
21 |
22 | # Copyrights
23 | copyrights:
24 | - name: "Cloud Posse, LLC"
25 | url: "https://cloudposse.com"
26 | year: "2021"
27 |
28 | # Canonical GitHub repo
29 | github_repo: cloudposse/terraform-aws-security-group
30 |
31 | # Badges to display
32 | badges:
33 | - name: Latest Release
34 | image: https://img.shields.io/github/release/cloudposse/terraform-aws-security-group.svg?style=for-the-badge
35 | url: https://github.com/cloudposse/terraform-aws-security-group/releases/latest
36 | - name: Last Updated
37 | image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-security-group.svg?style=for-the-badge
38 | url: https://github.com/cloudposse/terraform-aws-security-group/commits
39 | - name: Slack Community
40 | image: https://slack.cloudposse.com/for-the-badge.svg
41 | url: https://cloudposse.com/slack
42 |
43 | # List any related terraform modules that this module may be used with or that this module depends on.
44 | related:
45 | - name: "terraform-null-label"
46 | description: "Terraform module designed to generate consistent names and tags for resources. Use terraform-null-label to implement a strict naming convention."
47 | url: "https://github.com/cloudposse/terraform-null-label"
48 |
49 | # List any resources helpful for someone to get started. For example, link to the hashicorp documentation or AWS documentation.
50 | references:
51 | - name: terraform-provider-aws
52 | description: Terraform AWS provider
53 | url: https://registry.terraform.io/providers/hashicorp/aws/latest
54 |
55 | # Short description of this project
56 | description: |-
57 | Terraform module to create AWS Security Group and rules.
58 |
59 | # Introduction to the project
60 | #introduction: |-
61 | # This is an introduction.
62 |
63 | # How to use this module. Should be an easy example to copy and paste.
64 | usage: |-
65 | This module is primarily for setting security group rules on a security group. You can provide the
66 | ID of an existing security group to modify, or, by default, this module will create a new security
67 | group and apply the given rules to it.
68 |
69 | This module can be used very simply, but it is actually quite complex because it is attempting to handle
70 | numerous interrelationships, restrictions, and a few bugs in ways that offer a choice between zero
71 | service interruption for updates to a security group not referenced by other security groups
72 | (by replacing the security group with a new one) versus brief service interruptions for security groups that must be preserved.
73 |
74 | ### Avoiding Service Interruptions
75 |
76 | It is desirable to avoid having service interruptions when updating a security group. This is not always
77 | possible due to the way Terraform organizes its activities and the fact that AWS will reject an attempt
78 | to create a duplicate of an existing security group rule. There is also the issue that while most AWS
79 | resources can be associated with and disassociated from security groups at any time, there remain some
80 | that may not have their security group association changed, and an attempt to change their security group
81 | will cause Terraform to delete and recreate the resource.
82 |
83 | #### The 2 Ways Security Group Changes Cause Service Interruptions
84 |
85 | Changes to a security group can cause service interruptions in 2 ways:
86 |
87 | 1. Changing rules may be implemented as deleting existing rules and creating new ones. During the
88 | period between deleting the old rules and creating the new rules, the security group will block
89 | traffic intended to be allowed by the new rules.
90 | 2. Changing rules may alternately be implemented as creating a new security group with the new rules
91 | and replacing the existing security group with the new one (then deleting the old one).
92 | This usually works with no service interruption in the case where all resources that reference the
93 | security group are part of the same Terraform plan.
94 | However, if, for example, the security group ID is referenced in a security group
95 | rule in a security group that is not part of the same Terraform plan, then AWS will not allow the
96 | existing (referenced) security group to be deleted, and even if it did, Terraform would not know
97 | to update the rule to reference the new security group.
98 |
99 | The key question you need to answer to decide which configuration to use is "will anything break
100 | if the security group ID changes". If not, then use the defaults `create_before_destroy = true` and
101 | `preserve_security_group_id = false` and do not worry about providing "keys" for
102 | security group rules. This is the default because it is the easiest and safest solution when
103 | the way the security group is being used allows it.
104 |
105 | If things will break when the security group ID changes, then set `preserve_security_group_id`
106 | to `true`. Also read and follow the guidance below about [keys](#the-importance-of-keys) and
107 | [limiting Terraform security group rules to a single AWS security group rule](#terraform-rules-vs-aws-rules)
108 | if you want to mitigate against service interruptions caused by rule changes.
109 | Note that even in this case, you probably want to keep `create_before_destroy = true` because otherwise,
110 | if some change requires the security group to be replaced, Terraform will likely succeed
111 | in deleting all the security group rules but fail to delete the security group itself,
112 | leaving the associated resources completely inaccessible. At least with `create_before_destroy = true`,
113 | the new security group will be created and used where Terraform can make the changes,
114 | even though the old security group will still fail to be deleted.
115 |
116 | #### The 3 Ways to Mitigate Against Service Interruptions
117 |
118 | ##### Security Group `create_before_destroy = true`
119 |
120 | The most important option is `create_before_destroy` which, when set to `true` (the default),
121 | ensures that a new replacement security group is created before an existing one is destroyed.
122 | This is particularly important because a security group cannot be destroyed while it is associated with
123 | a resource (e.g. a load balancer), but "destroy before create" behavior causes Terraform
124 | to try to destroy the security group before disassociating it from associated resources,
125 | so plans fail to apply with the error
126 |
127 | ```
128 | Error deleting security group: DependencyViolation: resource sg-XXX has a dependent object
129 | ```
130 |
131 | With "create before destroy" and any resources dependent on the security group as part of the
132 | same Terraform plan, replacement happens successfully:
133 |
134 | 1. New security group is created
135 | 2. Resource is associated with the new security group and disassociated from the old one
136 | 3. Old security group is deleted successfully because there is no longer anything associated with it
137 |
138 | (If there is a resource dependent on the security group that is also outside the scope of
139 | the Terraform plan, the old security group will fail to be deleted and you will have to
140 | address the dependency manually.)
141 |
142 | Note that the module's default configuration of `create_before_destroy = true` and
143 | `preserve_security_group_id = false` will force "create before destroy" behavior on the target security
144 | group, even if the module did not create it and instead you provided a `target_security_group_id`.
145 |
146 | Unfortunately, just creating the new security group first is not enough to prevent a service interruption. Keep reading.
147 |
148 | ##### Setting Rule Changes to Force Replacement of the Security Group
149 |
150 | A security group by itself is just a container for rules. It only functions as desired when all the rules are in place.
151 | If using the Terraform default "destroy before create" behavior for rules, even when using `create_before_destroy` for the
152 | security group itself, an outage occurs when updating the rules or security group, because the order of operations is:
153 |
154 | 1. Delete existing security group rules (triggering a service interruption)
155 | 2. Create the new security group
156 | 3. Associate the new security group with resources and disassociate the old one (which can take a substantial
157 | amount of time for a resource like a NAT Gateway)
158 | 4. Create the new security group rules (restoring service)
159 | 5. Delete the old security group
160 |
161 | To resolve this issue, the module's default configuration of `create_before_destroy = true` and
162 | `preserve_security_group_id = false` causes any change in the security group rules
163 | to trigger the creation of a new security group. With that, a rule change causes operations to occur in this order:
164 |
165 | 1. Create the new security group
166 | 2. Create the new security group rules
167 | 3. Associate the new security group with resources and disassociate the old one
168 | 4. Delete the old security group rules
169 | 5. Delete the old security group
170 |
171 | ##### Preserving the Security Group
172 |
173 | There can be a downside to creating a new security group with every rule change.
174 | If you want to prevent the security group ID from changing unless absolutely necessary, perhaps because the associated
175 | resource does not allow the security group to be changed or because the ID is referenced somewhere (like in
176 | another security group's rules) outside of this Terraform plan, then you need to set `preserve_security_group_id` to `true`.
177 |
178 | The main drawback of this configuration is that there will normally be
179 | a service outage during an update, because existing rules will be deleted before replacement
180 | rules are created. Using keys to identify rules can help limit the impact, but even with keys, simply adding a
181 | CIDR to the list of allowed CIDRs will cause that entire rule to be deleted and recreated, causing a temporary
182 | access denial for all of the CIDRs in the rule. (For more on this and how to mitigate against it, see [The Importance
183 | of Keys](#the-importance-of-keys) below.)
184 |
185 | Also note that setting `preserve_security_group_id` to `true` does not prevent Terraform from replacing the
186 | security group when modifying it is not an option, such as when its name or description changes.
187 | However, if you can control the configuration adequately, you can maintain the security group ID and eliminate
188 | impact on other security groups by setting `preserve_security_group_id` to `true`. We still recommend
189 | leaving `create_before_destroy` set to `true` for the times when the security group must be replaced,
190 | to avoid the `DependencyViolation` described above.
191 |
192 | ### Defining Security Group Rules
193 |
194 | We provide a number of different ways to define rules for the security group for a few reasons:
195 | - Terraform type constraints make it difficult to create collections of objects with optional members
196 | - Terraform resource addressing can cause resources that did not actually change to nevertheless be replaced
197 | (deleted and recreated), which, in the case of security group rules, then causes a brief service interruption
198 | - Terraform resource addresses must be known at `plan` time, making it challenging to create rules that
199 | depend on resources being created during `apply` and at the same time are not replaced needlessly when something else changes
200 | - When Terraform rules can be successfully created before being destroyed, there is no service interruption for the resources
201 | associated with that security group (unless the security group ID is used in other security group rules outside
202 | of the scope of the Terraform plan)
203 |
204 | #### The Importance of Keys
205 |
206 | If you are using "create before destroy" behavior for the security group and security group rules, then
207 | you can skip this section and much of the discussion about keys in the later sections, because keys do not matter
208 | in this configuration. However, if you are using "destroy before create" behavior, then a full understanding of keys
209 | as applied to security group rules will help you minimize service interruptions due to changing rules.
210 |
211 | When creating a collection of resources, Terraform requires each resource to be identified by a key,
212 | so that each resource has a unique "address", and changes to resources are tracked by that key.
213 | Every security group rule input to this module accepts optional identifying keys (arbitrary strings) for each rule.
214 | If you do not supply keys, then the rules are treated as a list,
215 | and the index of the rule in the list will be used as its key. This has the unwelcome behavior that removing a rule
216 | from the list will cause all the rules later in the list to be destroyed and recreated. For example, changing
217 | `[A, B, C, D]` to `[A, C, D]` causes rules 1(`B`), 2(`C`), and 3(`D`) to be deleted and new rules 1(`C`) and
218 | 2(`D`) to be created.
219 |
220 | To mitigate against this problem, we allow you to specify keys (arbitrary strings) for each rule. (Exactly how you specify
221 | the key is explained in the next sections.) Going back to our example, if the
222 | initial set of rules were specified with keys, e.g. `[{A: A}, {B: B}, {C: C}, {D: D}]`, then removing `B` from the list
223 | would only cause `B` to be deleted, leaving `C` and `D` intact.
224 |
225 | Note, however, two cautions. First, the keys must be known at `terraform plan` time and therefore cannot depend
226 | on resources that will be created during `apply`. Second, in order to be helpful, the keys must remain consistently
227 | attached to the same rules. For example, if you did
228 |
229 | ```hcl
230 | rule_map = { for i, v in rule_list : i => v }
231 | ```
232 |
233 | then you will have merely recreated the initial problem with using a plain list. If you cannot attach
234 | meaningful keys to the rules, there is no advantage to specifying keys at all.
235 |
236 | #### Terraform Rules vs AWS Rules
237 |
238 | A single security group rule input can actually specify multiple AWS security group rules. For example,
239 | `ipv6_cidr_blocks` takes a list of CIDRs. However, AWS security group rules do not allow for a list
240 | of CIDRs, so the AWS Terraform provider converts that list of CIDRs into a list of AWS security group rules,
241 | one for each CIDR. (This is the underlying cause of several AWS Terraform provider bugs,
242 | such as [#25173](https://github.com/hashicorp/terraform-provider-aws/issues/25173).)
243 | As of this writing, any change to any element of such a rule will cause
244 | all the AWS rules specified by the Terraform rule to be deleted and recreated, causing the same kind of
245 | service interruption we sought to avoid by providing keys for the rules, or, when create_before_destroy = true,
246 | causing a complete failure as Terraform tries to create duplicate rules which AWS rejects. To guard against this issue,
247 | when not using the default behavior, you should avoid the convenience of specifying multiple AWS rules
248 | in a single Terraform rule and instead create a separate Terraform rule for each source or destination specification.
249 |
250 | ##### `rules` and `rules_map` inputs
251 | This module provides 3 ways to set security group rules. You can use any or all of them at the same time.
252 |
253 | The easy way to specify rules is via the `rules` input. It takes a list of rules. (We will define
254 | a rule [a bit later](#definition-of-a-rule).) The problem is that a Terraform list must be composed
255 | of elements that are all the exact same type, and rules can be any of several
256 | different Terraform types. So to get around this restriction, the second
257 | way to specify rules is via the `rules_map` input, which is more complex.
258 |
259 | Why the input is so complex (click to reveal)
260 |
261 | - Terraform has 3 basic simple types: bool, number, string
262 | - Terraform then has 3 collections of simple types: list, map, and set
263 | - Terraform then has 2 structural types: object and tuple. However, these are not really single
264 | types. They are catch-all labels for values that are themselves combination of other values.
265 | (This will become a bit clearer after we define `maps` and contrast them with `objects`)
266 |
267 | One [rule of the collection types](https://www.terraform.io/docs/language/expressions/type-constraints.html#collection-types)
268 | is that the values in the collections must all be the exact same type.
269 | For example, you cannot have a list where some values are boolean and some are string. Maps require
270 | that all keys be strings, but the map values can be any type, except again all the values in a map
271 | must be the same type. In other words, the values of a map must form a valid list.
272 |
273 | Objects look just like maps. The difference between an object and a map is that the values in an
274 | object do not all have to be the same type.
275 |
276 | The "type" of an object is itself an object: the keys are the same, and the values are the types of the values in the object.
277 |
278 | So although `{ foo = "bar", baz = {} }` and `{ foo = "bar", baz = [] }` are both objects,
279 | they are not of the same type, and you can get error messages like
280 |
281 | ```
282 | Error: Inconsistent conditional result types
283 | The true and false result expressions must have consistent types. The given
284 | expressions are object and object, respectively.
285 | ```
286 |
287 | This means you cannot put them both in the same list or the same map,
288 | even though you can put them in a single tuple or object.
289 | Similarly, and closer to the problem at hand,
290 |
291 | ```hcl
292 | cidr_rule = {
293 | type = "ingress"
294 | cidr_blocks = ["0.0.0.0/0"]
295 | }
296 | ```
297 | is not the same type as
298 |
299 | ```hcl
300 | self_rule = {
301 | type = "ingress"
302 | self = true
303 | }
304 | ```
305 |
306 | This means you cannot put both of those in the same list.
307 |
308 | ```hcl
309 | rules = tolist([local.cidr_rule, local.self_rule])
310 | ```
311 |
312 | Generates the error
313 |
314 | ```text
315 | Invalid value for "v" parameter: cannot convert tuple to list of any single type.
316 | ```
317 |
318 | You could make them the same type and put them in a list,
319 | like this:
320 |
321 | ```hcl
322 | rules = tolist([{
323 | type = "ingress"
324 | cidr_blocks = ["0.0.0.0/0"]
325 | self = null
326 | },
327 | {
328 | type = "ingress"
329 | cidr_blocks = []
330 | self = true
331 | }])
332 | ```
333 |
334 | That remains an option for you when generating the rules, and is probably better when you have full control over all the rules.
335 | However, what if some of the rules are coming from a source outside of your control? You cannot simply add those rules
336 | to your list. So, what to do? Create an object whose attributes' values can be of different types.
337 |
338 | ```hcl
339 | { mine = local.my_rules, theirs = var.their_rules }
340 | ```
341 |
342 | That is why the `rules_map` input is available. It will accept a structure like that, an object whose
343 | attribute values are lists of rules, where the lists themselves can be different types.
344 |
345 | 
