Open LuigiClemente-Awin opened 3 years ago
Also ran into this issue.
Have you tried adding an empty map within a list?
manage_default_security_group = true
// Neuter default security group
default_security_group_ingress = [{}]
default_security_group_egress = [{}]
This works for me but now I have perpetual changes for some reason.
For some reason it worked for me with this setup:
resource "aws_default_security_group" "default" {
  vpc_id  = var.vpc_id
  ingress = []
  egress  = []
}
After the terraform apply, all inbound and outbound rules were deleted.
Kudos to @geoffreywiseman https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/759#issuecomment-1138742761
does not work
For some reason it worked for me with this setup:
resource "aws_default_security_group" "default" {
  vpc_id  = var.vpc_id
  ingress = []
  egress  = []
}
After the terraform apply, all inbound and outbound rules were deleted.
Kudos to @geoffreywiseman terraform-aws-modules/terraform-aws-vpc#759 (comment)
Confirmed that this approach works.
Using the https://github.com/terraform-aws-modules/terraform-aws-vpc module it seems it removes the rules on first apply, but if you manually go and add a rule it doesn't actually end up removing the added rules... It does appear to be bugged for managing this after first apply after the adoption of the resource.
The documentation seems to imply that it will manage anything you pass inline; the module uses dynamic blocks to pass a list of rules. The rules should be an empty list if left at the default, so I'd expect it to remove the rules going forwards, not just on adoption.
Module variables: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/2e417ad0ce830893127476436179ef483485ae84/variables.tf#L1351-L1360
Hi all
I do not know if this is a bug or just a mistake or misunderstanding on my part. I am using AWS provider 3.55.0 and the Gruntwork modules to manage the default security group in a new VPC:
https://github.com/gruntwork-io/terraform-aws-vpc/blob/v0.15.5/modules/vpc-app/main.tf
I managed to update the existing rules (ingress and egress), but then I noticed that for compliance with the CIS Benchmark checks the default security group must be empty. I tried to pass an empty list or array to the rules parameter, but the existing rules are not removed. I manually removed the rules and, after applying, the security group stays empty.
This is not the expected behavior for the resource aws_default_security_group (used by the vpc module):
When Terraform first adopts the default security group, it immediately removes all ingress and egress rules in the Security Group. It then creates any rules specified in the configuration. This way only the rules specified in the configuration are created.
This resource treats its inline rules as absolute; only the rules defined inline are created, and any additions/removals external to this resource will result in diff shown. For these reasons, this resource is incompatible with the aws_security_group_rule resource.
Reading this I was expecting to see a diff and removal of the existing rules once I pass an empty array of rules.
Best regards,
Luigi
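Since the thread reports that rules added to the default security group outside Terraform are not always removed on later applies, a practitioner will want an independent check for the CIS requirement that every VPC's default security group carries no inbound or outbound rules. The script below is an added example and is not from this issue thread, the terraform-aws-vpc module or Gruntwork; it implements that check over the JSON shape returned by `aws ec2 describe-security-groups` (the `SecurityGroups`, `GroupName`, `IpPermissions` and `IpPermissionsEgress` fields). The sample payload, group ids and VPC ids are constructed for the demo; in practice you would feed it the real CLI output. It generalizes beyond the single VPC discussed above to any number of VPCs in one account/region.

```python
"""Flag VPC default security groups that still carry rules.

Added example (not from the issue thread or the Terraform modules it
discusses): implements the CIS AWS Foundations check that the default
security group of every VPC allows no inbound or outbound traffic.
The input mirrors `aws ec2 describe-security-groups` JSON; the sample
below is constructed, as are the group and VPC ids in it.
"""
import json

# Constructed sample: one clean default SG, one default SG to which rules
# were re-added by hand (the case the thread says Terraform misses), and a
# non-default SG that the check must ignore.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-0default000000001", "GroupName": "default", "VpcId": "vpc-0aaa",
         "IpPermissions": [], "IpPermissionsEgress": []},
        {"GroupId": "sg-0default000000002", "GroupName": "default", "VpcId": "vpc-0bbb",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
         "IpPermissionsEgress": [
             {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
              "UserIdGroupPairs": []}]},
        {"GroupId": "sg-0app00000000000003", "GroupName": "app", "VpcId": "vpc-0bbb",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}],
         "IpPermissionsEgress": []},
    ]
})


def describe_rule(perm):
    """Render one IpPermissions entry as a short human-readable string."""
    proto = perm.get("IpProtocol", "-1")
    # "-1" is the EC2 wildcard protocol, which has no port range.
    if proto == "-1":
        ports = "all"
    else:
        ports = f"{perm.get('FromPort', '*')}-{perm.get('ToPort', '*')}"
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return f"{proto}/{ports} from {','.join(sources) or 'unknown'}"


def find_noncompliant_default_sgs(describe_json):
    """Return {group_id: {"vpc": ..., "ingress": [...], "egress": [...]}}
    for every default security group with at least one rule in either
    direction. An empty dict means every VPC passes the check."""
    findings = {}
    for sg in json.loads(describe_json)["SecurityGroups"]:
        # Only the group literally named "default" is the VPC default SG.
        if sg.get("GroupName") != "default":
            continue
        ingress = sg.get("IpPermissions", [])
        egress = sg.get("IpPermissionsEgress", [])
        if not ingress and not egress:
            continue
        findings[sg["GroupId"]] = {
            "vpc": sg.get("VpcId"),
            "ingress": [describe_rule(p) for p in ingress],
            "egress": [describe_rule(p) for p in egress],
        }
    return findings


if __name__ == "__main__":
    report = find_noncompliant_default_sgs(SAMPLE_DESCRIBE_OUTPUT)
    for gid, info in report.items():
        print(f"{gid} (vpc {info['vpc']}): ingress={info['ingress']} "
              f"egress={info['egress']}")
    print("compliant" if not report else f"{len(report)} default SG(s) with rules")
```

Run it periodically (or from CI after each apply) against the live `describe-security-groups` output so that rules added by hand, which the module may not reconcile after the initial adoption, are caught even when `terraform plan` shows no diff.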