Since you can't reference security groups by anything else than their ids, we can't work around this by referring to them by name, or any other already known value.
Here come aws_security_group_rule, aws_vpc_security_group_egress_rule, aws_vpc_security_group_ingress_rule. We can then build something like that :
This breaks the dependency loop, and works as expected.
The problem is that if an ingress rule is manually added to dest, terraform is unable to detect (and remove) it, which is not the case for egress rules on dest, and all rules on source.
Fix ideas
I can only think of one clean strategy to solve this problem : Adding a new type of resource, that is authoritative on the rules of a given security group.
We could for example add aws_vpc_security_group_egress_rules and aws_vpc_security_group_ingress_rules resources, that we could configure similarly to inline rules in aws_security_group. For example, something like :
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.
Description
Let's say you want to create two security groups referencing each other, for example :
As you might expect, this results in a dependency loop error :
Since you can't reference security groups by anything else than their ids, we can't work around this by referring to them by name, or any other already known value.
Here come
aws_security_group_rule
,aws_vpc_security_group_egress_rule
,aws_vpc_security_group_ingress_rule
. We can then build something like that :This breaks the dependency loop, and works as expected.
The problem is that if an ingress rule is manually added to
dest
, terraform is unable to detect (and remove) it, which is not the case for egress rules ondest
, and all rules onsource
.Fix ideas
I can only think of one clean strategy to solve this problem : Adding a new type of resource, that is authoritative on the rules of a given security group.
We could for example add
aws_vpc_security_group_egress_rules
andaws_vpc_security_group_ingress_rules
resources, that we could configure similarly to inline rules inaws_security_group
. For example, something like :Affected Resource(s) and/or Data Source(s)
Would you like to implement a fix?
No