[Docs]: It is not clear how to supply a list of cidr_blocks

[EugenKon]

Documentation Link

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#example-usage

Description

What is the docs issue?

It is not clear how to provide cidr_blocks.

should it be ["0.0.0.0/0, 192.168.0.0/16"] or ["0.0.0.0/0", "192.168.0.0/16"]

Proposal

Provide example how it should look like.

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[michal-zubac-auriga]

What adds to confusion is my experience, that cidr_blocks can only contain only 1 entry in the list. For multiple items apply operation fails. AWS API does not seem to really support multiple CIDR entries in security group rule object. You must create multiple security group rule resources.

I have these thoughts related to this:

• Why is the parameter of the type list in the first place?
• If the parameter must be list (backward-compat?), it would be great to reflect the limitation with validation of the input already in TF module.
• The need for 1:1 mapping between source/destination & sg rule should be mentioned in docs.

References:

• https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-rule-components
• https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_SecurityGroupRuleRequest.html

[EugenKon]

For my project I did this and it works fine:

cidr_blocks     = split(",", var.allowlist_ip)

Where allowlist_ip = "1.1.1.1/32,2.2.2.2/32"

[michal-zubac-auriga]

@EugenKon, thanks for your angle.

I looked at sources and it seems TF module supports multiple items to be passed as list. It seems that AWS API accepts comma separated string as input, but internally it creates multiple SG rules from this input.

Where I hit the issue was subsequent change of codebase, where I added more items to the list. From TF data model it seemed like multiple CIDRS are attribute of 1 SG rule object, but in reality multiple SG rules were created. TF does not seem to handle this situation.

@EugenKon I believe if you changed the allowlist_ip your apply would fail. What is your experience?

[EugenKon]

@michal-zubac-auriga I'll check that when possible.