We Keep Coding

Referencing Security Group in AWS via Terraform using Dynamic Block

I have a security group resource in the module called "networking":
resource "aws_security_group" "dev_sg" {
for_each = var.security_groups
name = each.value.name
description = each.value.description
vpc_id = aws_vpc.dev_vpc.id
dynamic "ingress" {
for_each = each.value.ingress
#iterator = port
content {
from_port = ingress.value.from
to_port = ingress.value.to
protocol = ingress.value.protocol
cidr_blocks = ingress.value.cidr_blocks
}
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
Also, outside of the module, in the root module i have locals.tf file which is this:
locals {
security_groups = {
public = {
name = "public_sg"
description = "Security Group for Public Access"
ingress = {
ssh = {
from = 22
to = 22
protocol = "tcp"
cidr_blocks = [var.access_ip]
}
http = {
from = 80
to = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
}
}
And here is the module definition:
module "networking" {
source = "./networking"
vpc_cidr = local.vpc_cidr
security_groups = local.security_groups
public_sn_count = 2
private_sn_count = 3
}
Now, my question is, how can I reference a security group ID instead of cidr_block inside locals.tf file? I have no clue how to implement this?
For example:
cidr_blocks = ["192.168.8.0/21", "${var.security_group_id}"]

You need to use security_groups in aws_security_group ingress or egress
resource "aws_security_group" "dev_sg" {
for_each = var.security_groups
name = each.value.name
description = each.value.description
vpc_id = aws_vpc.dev_vpc.id
dynamic "ingress" {
for_each = each.value.ingress
#iterator = port
content {
from_port = ingress.value.from
to_port = ingress.value.to
protocol = ingress.value.protocol
cidr_blocks = ingress.value.cidr_blocks
security_groups = lookup(ingress.value, "security_groups", null)
}
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
locals {
security_groups = {
public = {
name = "public_sg"
description = "Security Group for Public Access"
ingress = {
ssh = {
from = 22
to = 22
protocol = "tcp"
cidr_blocks = [var.access_ip]
security_groups = [var.security_group_id]
}
http = {
from = 80
to = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"],
security_groups = [var.security_group_id]
}
}
}
}
module "networking" {
source = "./networking"
vpc_cidr = local.vpc_cidr
security_groups = local.security_groups
public_sn_count = 2
private_sn_count = 3
}

How to specify list of string within for_each loop?

I'm trying to create a reusable security group and its rules using for_each. While passing the cidr_blocks = list(string), I'm getting the below error. If I remove the cidr_blocks the code works fine
╷
│ Error: Invalid index
│
│ on ../../modules/security/main.tf line 18, in resource "aws_security_group" "app_sg":
│ 18: cidr_blocks = ingress.value["cidr_blocks"]
│ ├────────────────
│ │ ingress.value is object with 3 attributes
│
│ The given key does not identify an element in this collection value.
╵
Root Module
###################################
# Create a security group & rules #
###################################
module "application_sg" {
source = "../../modules/security"
create_sg = var.create_sg
name_suffix = var.name_suffix
sg_name = var.sg_name
environment = local.common-tags.environment
vpc_id = one(module.mgt_vpc.vpc_id)
egress_rules = var.app_egress_rules
ingress_rules = var.app_ingress_rules
cidr_blocks = var.app_cidr_blocks
common-tags = local.common-tags
}
module "database_sg" {
source = "../../modules/security"
create_sg = var.create_sg
vpc_id = one(module.sre_vpc.vpc_id)
sg_name = var.db_sg_name
name_suffix = var.name_suffix
environment = local.common-tags.environment
egress_rules = var.db_egress_rules
ingress_rules = var.db_ingress_rules
ingress_self_sg = true
common-tags = local.common-tags
}
################################
# List of Security Group Rules #
################################
variable "app_ingress_rules" {
type = map(object({
from_port = number
to_port = number
protocol = string
cidr_blocks = list(string)
}))
default = {
SSH = {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
},
HTTP = {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
},
HTTPS = {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
}
variable "app_egress_rules" {
type = map(object({
from_port = number
to_port = number
protocol = string
cidr_blocks = list(string)
}))
default = {
ALLOW_ALL = {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
}
variable "db_ingress_rules" {
type = map(object({
from_port = number
to_port = number
protocol = string
}))
default = {
MYSQL = {
from_port = 3306
to_port = 3306
protocol = "tcp"
},
HTTPS = {
from_port = 443
to_port = 443
protocol = "tcp"
}
}
}
variable "db_egress_rules" {
type = map(object({
from_port = number
to_port = number
protocol = string
cidr_blocks = list(string)
}))
default = {
ALLOW_ALL = {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
}
Child Module
################################
# Create Securiy Group & Rules #
################################
resource "aws_security_group" "app_sg" {
for_each = var.create_sg ? toset(var.sg_name) : []
name = each.key
vpc_id = var.vpc_id
dynamic "ingress" {
for_each = var.ingress_rules != {} ? toset(values(var.ingress_rules)) : []
content {
from_port = ingress.value["from_port"]
to_port = ingress.value["to_port"]
protocol = ingress.value["protocol"]
cidr_blocks = ingress.value["cidr_blocks"]
security_groups = var.security_groups
self = var.ingress_self_sg
}
}
dynamic "egress" {
for_each = var.egress_rules != {} ? toset(values(var.egress_rules)) : []
content {
from_port = egress.value["from_port"]
to_port = egress.value["to_port"]
protocol = egress.value["protocol"]
cidr_blocks = egress.value["cidr_blocks"]
security_groups = var.security_groups
self = var.egress_self_sg
}
}
tags = merge(
var.common-tags,
{
"Name" = "${each.key}-${lower(var.environment)}"
}
)
}
// Variables
variable "create_sg" {
}
variable "vpc_id" {
}
variable "environment" {
}
variable "name_suffix" {
}
variable "sg_name" {
}
variable "common-tags" {
}
variable "ingress_rules" {
type = any
default = {}
}
variable "egress_rules" {
type = any
default = {}
}
variable "security_groups" {
type = list(string)
default = []
}
variable "ingress_self_sg" {
type = bool
default = false
}
variable "egress_self_sg" {
type = bool
default = false
}

Your var.db_ingress_rules does not have cidr_blocks. You have to add it there, e.g.:
variable "db_ingress_rules" {
type = map(object({
from_port = number
to_port = number
protocol = string
cidr_blocks = list(string)
}))
default = {
MYSQL = {
from_port = 3306
to_port = 3306
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
},
HTTPS = {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
}

Terraform aws_security_group: How do you pass ingress and egress blocks from variables?

My main goal is to remove hardcoded ingress and egress configuration blocks from our aws_security_group resources in our terraforms modules. I instead want to pass in one ingress and one egress input variable containing all the ingress and egress rules.
Current aws_security_group creation:
# main.tf
resource "aws_security_group" "sg" {
name = "Example security group"
egress {
from_port = 123
to_port = 123
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 53
to_port = 53
protocol = "tcp"
security_groups = [local.some_sg_id]
}
ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["10.0.0.0/8"]
}
vpc_id = var.vpc_id
}
What i want to do:
# main.tf
resource "aws_security_group" "sg" {
name = "Example security group"
egress = var.sg_egress
ingress = var.sg_ingress
vpc_id = var.vpc_id
}
The issue is that the ingress and egress blocks have optional parameters.
I.E on one ingress statement i have specified "cidr_blocks" and on one "security_groups".
This makes it hard to create a variable statement for these blocks.
I have managed to get it to work using this:
# terragrunt.hcl
# Note: we use terragrunt, but in the example below think of this as terraform.tfvars
locals {
some_sg_id = "sg-123abc456"
sg_defaults = {
"security_groups" = []
"cidr_blocks" = []
"ipv6_cidr_blocks" = []
"prefix_list_ids" = []
"self" = false
"description" = ""
}
}
inputs = {
sg_egress [
merge(local.sg_defaults, {
from_port = 123
to_port = 123
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}),
merge(local.sg_defaults, {
from_port = 53
to_port = 53
protocol = "tcp"
security_groups = [local.some_sg_id]
})
]
sg_ingress [
merge(local.sg_defaults, {
from_port = 123
to_port = 123
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
})
]
}
# variables.tf
variable "sg_ingress" {
type = list(object({
cidr_blocks = list(string)
description = string
from_port = number
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
protocol = string
security_groups = list(string)
self = bool
to_port = number
}))
default = []
}
variable "sg_egress" {
type = list(object({
cidr_blocks = list(string)
description = string
from_port = number
ipv6_cidr_blocks = list(string)
prefix_list_ids = list(string)
protocol = string
security_groups = list(string)
self = bool
to_port = number
}))
default = []
}
Here i create default (empty) values for the optional attributes and then merge them with the values in the input variable. This creates input variables that have all attributes filled in, with empty values if none were specified. This way i can just create a variable statement with all values specified, but it's not a very pretty solution...
Dynamic blocks can probobly be used to accomplish this but so far my smooth brain have not been able to make it work with those..
I have seen this similar StackOverflow question, but it does not go over using optional attributes.

Creating AWS Security Groups in a Terraform Nested Loop

Using Terraform version 12, I am attempting to create some AWS security group rules.
I need to create x number of rules which may have different from and to ports.
These rules need to be create for each security group returned from the sg_groups data lookup.
So I have a nested list/map.
I think this is doable using Terraform's for_each and for loop function but I struggling to get my head around how to make this work.
Can anybody help me getting looping syntax correct.
Note: The format of the sg_rules map is not set in stone and can be formatted in any way that works best.
variable "sg_rules" = {
type = map
default = {
80 = {
protocol = "tcp"
from_port = 80
to_port = 80
},
443 = {
protocol = "tcp"
from_port = 443
to_port = 443
},
service_ports = {
protocol = "tcp"
from_port = 60000
to_port = 60500
}
}
}
data "aws_security_groups" "sg_groups" {
filter {
name = "group-name"
values = var.sg_names
}
}

Here is an example in which I have created the list of AWS Security Groups using nested for_each.
One for_each for creating a list of AWS Security Groups and another for creating dynamic Ingress and Egress Rules.
main.tf
resource "aws_security_group" "security-groups" {
# Dynamic number of Security Groups
for_each = var.security_group_configurations.security_groups
name = each.value.name
description = each.value.description
vpc_id = var.vpc_id
# Dynamic number of Ingress Rules
dynamic ingress {
for_each = var.security_group_configurations.security_groups[each.key].ingress_rules
content {
description = ingress.value.description
from_port = ingress.value.from_port
to_port = ingress.value.to_port
protocol = ingress.value.protocol
cidr_blocks = lookup(ingress.value, "cidr_blocks", [])
ipv6_cidr_blocks = lookup(ingress.value, "ipv6_cidr_blocks", [])
security_group_id = lookup(ingress.value, "security_group_id", "")
}
}
# Dynamic number of Egress Rules
dynamic egress {
for_each = var.security_group_configurations.security_groups[each.key].egress_rules
content {
description = egress.value.description #Here the 'egress' is the dynamic egress block
from_port = egress.value.from_port
to_port = egress.value.to_port
protocol = egress.value.protocol
cidr_blocks = lookup(ingress.value, "cidr_blocks", [])
ipv6_cidr_blocks = lookup(ingress.value, "ipv6_cidr_blocks", [])
security_group_id = lookup(ingress.value, "security_group_id", "")
}
}
tags = each.value.tags
}
variables.tf
variable "security_group_configurations" {
description = "All Security_Groups related configuration"
}
variable "vpc_id" {
description = "Vpc Id for security_groups"
}
example.tfvars
vpc_id = "vpc-0be6071d37dsd985b"
security_group_configurations = {
security_groups = {
#--------------------->> Security Group 0 <-------------------------------------------
"0" = {
name = "security_group_0"
description = "security_group_0"
# Ingress Rules
ingress_rules = {
# Ingress Rule 0
0 = {
description = "TLS from Public Internet"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
},
# Ingress Rule 1
1 = {
description = "SSH from Public Internet"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
},
}
# Egress Rules
egress_rules = {
# Egress Rule 0
0 = {
description = "Allow all traffic to outside"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
},
# Egress Rule 1
##############
}
# Tags for Security Group 0
tags = {
Name = "security_group_0"
}
},
#--------------------->> Security Group 1 <-------------------------------------------
"1" = {
name = "security_group_1"
description = "security_group_1"
# Ingress Rules
ingress_rules = {
# Ingress Rule 0
0 = {
description = "TLS from Public Internet"
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
},
# Ingress Rule 1
1 = {
description = "SSH from Public Internet"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
},
}
# Egress Rules
egress_rules = {
# Egress Rule 0
0 = {
description = "Allow all traffic to outside"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
},
# Egress Rule 1
####
####
}
# Tags for Security Group 1
tags = {
Name = "security_group_1"
}
}
#--------------------->> Security Group 2 <-------------------------------------------
#######
#######
}
}

In typical fashion as soon as I ask for help I end up figuring it out myself, or at least one way of doing it. Here is what I came up with, if anyone has any better ideas please feel free to say
variable "sg_rules" = {
type = map
default = [
{
protocol = "tcp"
from_port = 80
to_port = 80
},
{
protocol = "tcp"
from_port = 443
to_port = 443
},
{
protocol = "tcp"
from_port = 60000
to_port = 60500
}
}
}
locals {
gw_to_mx_rules = [
for pair in setproduct(data.aws_security_groups.sg_groups.ids, var.sg_rules) : {
sg = pair[0]
type = pair[1].type
protocol = pair[1].protocol
from_port = pair[1].from_port
to_port = pair[1].to_port
}
]
}
data "aws_security_groups" "sg_groups" {
filter {
name = "group-name"
values = var.sg_names
}
}
resource "aws_security_group_rule" "gw_to_mx" {
for_each = { for rule in local.gw_to_mx_rules : "${rule.type}.${rule.from_port}.${rule.to_port}.${rule.protocol}.${rule.sg}" => rule }
description = "MX Communication"
type = each.value.type
from_port = each.value.from_port
to_port = each.value.to_port
protocol = each.value.protocol
source_security_group_id = each.value.sg
security_group_id = aws_security_group.waf_instance_sg.id
}

Create multiple rules in AWS security Group

I tried to create an AWS security group with multiple inbound rules, Normally we need to multiple ingresses in the sg for multiple inbound rules. Instead of creating multiple ingress rules separately, I tried to create a list of ingress and so that I can easily reuse the module for different applications.
PFB,
module/sg/sg.tf >>
resource "aws_security_group" "ec2_security_groups" {
name = var.name_security_groups
vpc_id = var.vpc_id
}
module/sg/rules.tf >>
resource "aws_security_group_rule" "ingress_rules" {
count = lenght(var.ingress_rules)
type = "ingress"
from_port = var.ingress_rules[count.index][0]
to_port = var.ingress_rules[count.index][1]
protocol = var.ingress_rules[count.index][2]
cidr_blocks = var.ingress_rules[count.index][3]
description = var.ingress_rules[count.index][4]
security_group_id = aws_security_group.ec2_security_groups.id
}
module/sg/variable.tf >>
variable "vpc_id" {
}
variable "name_security_groups" {
}
variable "ingress_rules" {
type = list(string)
}
In the application folder,
application/dev/sg.tf >>
module "sg_test" {
source = "../modules/sg"
vpc_id = "vpc-xxxxxxxxx"
name_security_groups = "sg_test"
ingress_rules = var.sg_ingress_rules
}
application/dev/variable.tf >>
variable "sg_ingress_rules" {
type = list(string)
default = {
[22, 22, "tcp", "1.2.3.4/32", "test"]
[23, 23, "tcp", "1.2.3.4/32", "test"]
}
}
Error:
Error: Missing attribute value
on test-sgs.tf line 21, in variable "sg_ingress_rules":
20:
21:
22:
Expected an attribute value, introduced by an equals sign ("=").
Please help to correct this or if there is any other method please suggest.
Regards,

Thanks#apparentlymart, who helped to solve this in Terraform discussion
The Security rule:-
resource "aws_security_group_rule" "ingress_rules" {
count = length(var.ingress_rules)
type = "ingress"
from_port = var.ingress_rules[count.index].from_port
to_port = var.ingress_rules[count.index].to_port
protocol = var.ingress_rules[count.index].protocol
cidr_blocks = [var.ingress_rules[count.index].cidr_block]
description = var.ingress_rules[count.index].description
security_group_id = aws_security_group.ec2_security_groups.id
}
And the variable:
variable "sg_ingress_rules" {
type = list(object({
from_port = number
to_port = number
protocol = string
cidr_block = string
description = string
}))
default = [
{
from_port = 22
to_port = 22
protocol = "tcp"
cidr_block = "1.2.3.4/32"
description = "test"
},
{
from_port = 23
to_port = 23
protocol = "tcp"
cidr_block = "1.2.3.4/32"
description = "test"
},
]
}

We can do this in a simple way:-
locals {
ports_in = [
443,
80
]
ports_out = [
0
]
}
resource "aws_security_group" "internet_facing_alb" {
name = "internetfacing-loadbalancer-sg"
description = "Security group attached to internet facing loadbalancer"
vpc_id = var.vpc_id
dynamic "ingress" {
for_each = toset(local.ports_in)
content {
description = "Web Traffic from internet"
from_port = ingress.value
to_port = ingress.value
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}
dynamic "egress" {
for_each = toset(local.ports_out)
content {
description = "Web Traffic to internet"
from_port = egress.value
to_port = egress.value
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
}
tags = {
Name = "internetfacing-loadbalancer-sg"
}
}

If you want this to work literally with indexed fields, make it a list(list(string)) and change the default oyter syntax from braces (used for maps) to brackets (used for lists):
variable "sg_ingress_rules" {
type = list(list(string))
default = [
[22, 22, "tcp", "1.2.3.4/32", "test"]
[23, 23, "tcp", "1.2.3.4/32", "test"]
]
}
That is a confusing data structure and will be difficult to work with, so I recommend this instead:
variable "sg_ingress_rules" {
type = map(map(any))
default = {
thing1 = {from=22, to=22, proto="tcp", cidr="1.2.3.4/32", desc=test"]
thing2 = {from=23, to=23, proto="tcp", cidr="1.2.3.4/32", desc="test"}
}
}
You can use better names than the terrible ones I've chosen and then refer to them in your resource:
resource "aws_security_group_rule" "ingress_rules" {
for_each = var.ingress_rules
type = "ingress"
from_port = each.value.from
to_port = each.value.to
protocol = each.value.proto
cidr_blocks = each.value.cidr
description = each.value.desc
security_group_id = aws_security_group.ec2_security_groups.id
}
You'll get multiple named copies of the aws_security_group_rule which better survives insertions and deletions from the ingress_rules variable and will save you headaches. Otherwise you'll get superfluous destroys and creates of rules and sometimes conflicts due to the indexed resources a count creates.
If you are feeling like having some better guardrails on people setting the ingress_rules value you can use object to require and restrict to a particular set of fields with certain types as follows:
variable "sg_ingress_rules" {
type = map(object(
{
from = number
to = number
proto = string
cidr = string
desc = string
}
))
default = {
thing1 = {from=22, to=22, proto="tcp", cidr="1.2.3.4/32", desc=test"]
thing2 = {from=23, to=23, proto="tcp", cidr="1.2.3.4/32", desc="test"}
}
}

There is a new way to manage multiple ingress rules, with a new terraform resource, named aws_security_group_rule
it is better than the other ways, using Attributes as Blocks
Sample for reference
resource "aws_security_group_rule" "example" {
type = "ingress"
from_port = 0
to_port = 65535
protocol = "tcp"
cidr_blocks = [aws_vpc.example.cidr_block]
ipv6_cidr_blocks = [aws_vpc.example.ipv6_cidr_block]
security_group_id = "sg-123456"
}
Ref: aws_security_group_rule

The easiest way to implement multiple rules in a security group looks a bit like the following example:
resource "aws_security_group" "sg_my_security_group" {
name = "sg_my_security_group"
description = "Implements some security"
vpc_id = var.your_vpc_id
ingress {
from_port = 3889
to_port = 3889
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
ingress {
from_port = 3889
to_port = 3889
protocol = "udp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "does_something_important"
}
}