cloudposse / terraform-aws-security-group

Terraform module to provision an AWS Security Group
https://cloudposse.com/accelerate
Apache License 2.0

Migrate to new aws_vpc_security_group_*_rules #46

Open Nuru opened 1 year ago

Nuru commented 1 year ago

Describe the Feature

As explained in the Terraform AWS Provider documentation (emphasis added):

Terraform currently provides a Security Group resource with ingress and egress rules defined in-line and a Security Group Rule resource which manages one or more ingress or egress rules. Both of these resources were added before AWS assigned a security group rule unique ID, and they do not work well in all scenarios using the description and tags attributes, which rely on the unique ID. The aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources have been added to address these limitations and should be used for all new security group rules. You should not use the aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources in conjunction with an aws_security_group resource with in-line rules or with aws_security_group_rule resources defined for the same Security Group, as rule conflicts may occur and rules will be overwritten.

The new resources support tags for rules. Also, I believe the new resources do not suffer from https://github.com/hashicorp/terraform-provider-aws/issues/25173.

However, the new resources do not support lists of CIDRs or prefix list IDs, so it will be extra work to explode those lists into individual rules.

Expected Behavior

n/a

Use Case

n/a

Describe Ideal Solution

n/a

Alternatives Considered

No response

Additional Context

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule
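Exploding a CIDR list into one aws_vpc_security_group_ingress_rule per CIDR, as an added example that is not the module's own code (the variable names, the "example" group name and the var.vpc_id input are assumptions):

```hcl
# Added example, not the module's own code: one
# aws_vpc_security_group_ingress_rule per (rule, CIDR) pair, because the
# new rule resources take a single cidr_ipv4 each. Names are illustrative.
variable "vpc_id" { type = string }
variable "ingress_rules" {
  type = list(object({
    key         = string
    description = string
    from_port   = number
    to_port     = number
    ip_protocol = string
    cidr_ipv4   = list(string)
  }))
  default = [{
    key         = "https"
    description = "HTTPS from internal ranges (constructed sample)"
    from_port   = 443
    to_port     = 443
    ip_protocol = "tcp"
    cidr_ipv4   = ["10.0.0.0/8", "192.168.1.0/24"]
  }]
}
# No in-line ingress/egress blocks here: mixing them with the *_rule
# resources on the same group causes conflicts, as the provider docs warn.
resource "aws_security_group" "this" {
  name   = "example"
  vpc_id = var.vpc_id
}
# Explode each rule into one entry per CIDR, keyed "<rule key>-<cidr>" so
# adding or removing one CIDR does not recreate the other rules.
locals {
  ingress_per_cidr = {
    for pair in flatten([
      for rule in var.ingress_rules : [
        for cidr in rule.cidr_ipv4 : merge(rule, { cidr_ipv4 = cidr })
      ]
    ]) : "${pair.key}-${pair.cidr_ipv4}" => pair
  }
}
resource "aws_vpc_security_group_ingress_rule" "this" {
  for_each          = local.ingress_per_cidr
  security_group_id = aws_security_group.this.id
  description       = each.value.description
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  ip_protocol       = each.value.ip_protocol
  cidr_ipv4         = each.value.cidr_ipv4
  tags              = { Name = each.key } # per-rule tags, new in these resources
}
```

With the sample default, `terraform plan` shows two rule resources, `this["https-10.0.0.0/8"]` and `this["https-192.168.1.0/24"]`, each carrying its own description and tag.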

nitrocode commented 2 months ago

Please keep the inline rules as an option (even if they are technically/informally deprecated) so we can manage security groups exclusively with terraform.

The single rule resources (either old aws_security_group_rule or new aws_vpc_security_group_*gress_rule) will not delete rules outside of terraform.

The inline ruled security group resource will delete rules outside of terraform.

https://github.com/hashicorp/terraform-provider-aws/issues/37914