cloudposse / terraform-aws-security-group

Terraform module to provision an AWS Security Group
https://cloudposse.com/accelerate
Apache License 2.0
36 stars 35 forks source link

Migrate to new aws_vpc_security_group_*_rules #46

Open Nuru opened 1 year ago

Nuru commented 1 year ago

Describe the Feature

As explained in the Terraform AWS Provider documentation (emphasis added):

Terraform currently provides a Security Group resource with ingress and egress rules defined in-line and a Security Group Rule resource which manages one or more ingress or egress rules. Both of these resource were added before AWS assigned a security group rule unique ID, and they do not work well in all scenarios using the description and tags attributes, which rely on the unique ID. The aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources have been added to address these limitations and should be used for all new security group rules. You should not use the aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources in conjunction with an aws_security_group resource with in-line rules or with aws_security_group_rule resources defined for the same Security Group, as rule conflicts may occur and rules will be overwritten.

The new resources support tags for rules. Also, I believe the new resources do not suffer from https://github.com/hashicorp/terraform-provider-aws/issues/25173 .

However, the new resources do not support lists of CIDRs or prefix list IDs, so it will be extra work to explode those lists into individual rules.

Expected Behavior

n/a

Use Case

n/a

Describe Ideal Solution

n/a

Alternatives Considered

No response

Additional Context

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule

nitrocode commented 5 months ago

Please keep the inline rules as an option (even if they are technically/informally deprecated) so we can manage security groups exclusively with terraform.

The single rule resources (either old aws_security_group_rule or new aws_vpc_security_group_*gress_rule) will not delete rules outside of terraform.

The inline ruled security group resource will delete ruoes outside of terraform

https://github.com/hashicorp/terraform-provider-aws/issues/37914