hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

aws_security_group_rule ignores port range if protocol is -1 #11538

Open alex-herold opened 4 years ago

alex-herold commented 4 years ago

Terraform Version

Terraform v0.12.18
AWS provider 2.43.0

Affected Resource(s)

aws_security_group_rule

Terraform Configuration Files

resource "aws_security_group_rule" "https_ingress_rule" {
  description       = "Allow all inbound on HTTPS"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = -1
  security_group_id = aws_security_group.some_ingress_rule.id
  cidr_blocks       = ["0.0.0.0/0"]
}

Expected Behavior

Expecting Terraform to throw an error or at least a warning stating that a non-zero port number was used, but a port-specific protocol (udp or tcp) was not specified. This allows for the possibility to open up all ports/protocols as opposed to very specific ranges due to a simple typo.

Given the level of impact, a warning or error would enhance the guardrails around TF.

Actual Behavior

A security group rule allowing all ports, all protocols was created.

References

https://www.terraform.io/docs/providers/aws/r/security_group_rule.html

phyber commented 4 years ago

Looks like an error should be returned here for this:

https://github.com/terraform-providers/terraform-provider-aws/blob/master/aws/resource_aws_security_group_rule.go#L629-L633

ktham commented 4 years ago

It would be great if TF can indeed throw an error there rather than continuing with issuing the AWS API call with the port values discarded
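The check phyber and ktham are asking for, written out here as an added example in Go. This is not the provider's own code and does not mirror its schema: the sgRule and plan types are hypothetical subsets of the aws_security_group_rule attributes and of the `terraform show -json` plan format, and the sample plan JSON is constructed for the example. validateSGRule rejects a protocol of "-1" (or "all") combined with a non-zero port range instead of discarding the ports, and findUnsafeRules applies that check to every planned aws_security_group_rule so it can run as a guardrail in CI before `terraform apply`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// sgRule holds the aws_security_group_rule attributes relevant to the check.
// Hypothetical type for this example; JSON tags match the attribute names
// as they appear in `terraform show -json` plan output.
type sgRule struct {
	Type     string `json:"type"`
	Protocol string `json:"protocol"`
	FromPort int    `json:"from_port"`
	ToPort   int    `json:"to_port"`
}

// plan is the subset of the Terraform plan JSON schema this example reads.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			Actions []string        `json:"actions"`
			After   json.RawMessage `json:"after"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// validateSGRule returns an error when the rule would silently become
// "all ports, all protocols" or when its port range is not meaningful.
func validateSGRule(r sgRule) error {
	proto := strings.ToLower(strings.TrimSpace(r.Protocol))
	switch proto {
	case "-1", "all":
		// EC2 ignores from_port/to_port for protocol -1, so a non-zero range here
		// is almost certainly a typo that opens every port and protocol.
		if r.FromPort != 0 || r.ToPort != 0 {
			return fmt.Errorf("protocol %q ignores ports: from_port=%d to_port=%d would allow all ports and all protocols",
				r.Protocol, r.FromPort, r.ToPort)
		}
	case "tcp", "udp":
		if r.FromPort < 0 || r.ToPort > 65535 || r.FromPort > r.ToPort {
			return fmt.Errorf("invalid %s port range %d-%d", proto, r.FromPort, r.ToPort)
		}
	case "icmp", "icmpv6":
		// from_port/to_port carry the ICMP type and code here; -1 means "any".
		for _, v := range []int{r.FromPort, r.ToPort} {
			if v < -1 || v > 255 {
				return fmt.Errorf("invalid %s type/code %d", proto, v)
			}
		}
	}
	return nil
}

// findUnsafeRules scans plan JSON (from `terraform show -json plan.tfplan`) and
// returns one "address: reason" string per planned aws_security_group_rule
// that fails validateSGRule. Rules being destroyed (after == null) are skipped.
func findUnsafeRules(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	var bad []string
	for _, rc := range p.ResourceChanges {
		if rc.Type != "aws_security_group_rule" || len(rc.Change.After) == 0 || string(rc.Change.After) == "null" {
			continue
		}
		var r sgRule
		if err := json.Unmarshal(rc.Change.After, &r); err != nil {
			return nil, fmt.Errorf("%s: %w", rc.Address, err)
		}
		if err := validateSGRule(r); err != nil {
			bad = append(bad, fmt.Sprintf("%s: %v", rc.Address, err))
		}
	}
	return bad, nil
}

// samplePlan is constructed for this example; the first rule reproduces the
// configuration from the issue report.
const samplePlan = `{
  "format_version": "1.0",
  "resource_changes": [
    {"address": "aws_security_group_rule.https_ingress_rule", "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "after": {"type": "ingress", "protocol": "-1", "from_port": 443, "to_port": 443}}},
    {"address": "aws_security_group_rule.ssh", "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "after": {"type": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22}}},
    {"address": "aws_security_group_rule.old", "type": "aws_security_group_rule",
     "change": {"actions": ["delete"], "after": null}}
  ]
}`

func main() {
	bad, err := findUnsafeRules([]byte(samplePlan))
	if err != nil {
		panic(err)
	}
	for _, b := range bad {
		fmt.Println("UNSAFE:", b)
	}
}
```

Run against a real plan with `terraform plan -out=plan.tfplan && terraform show -json plan.tfplan > plan.json` and fail the pipeline when findUnsafeRules returns anything. The check treats "all" the same as "-1" on purpose: the provider documents only "-1" for this resource, but rejecting both costs nothing and avoids a second silent path to an any/any rule.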

sidcarter commented 4 years ago

I just landed on this bug and this is a glaring security issue that is not obvious and can cause security issues and may have already caused security issues.

And when you try to change this, terraform thinks the rule doesn't exist in its state when you try to destroy it.

aramhakobyan commented 3 years ago

+1

justinretzolk commented 2 years ago

Hey y'all 👋 Thank you for taking the time to file this issue, and for the discussion around it. Given that there's been a number of AWS provider releases since the last update, can anyone confirm if you're still experiencing this behavior?