Tags: terraform, aws-security-group, aws-elasticsearch

ElasticSearch: Use terraform to provision security groups


In the AWS console, I manually provisioned the security rules below for ElasticSearch. There are three VPCs, connected by a transit gateway. ElasticSearch is installed in VPC-A.

Inbound rules:
   Type      Protocol   Port range      Source
All traffic     All        All       40.10.0.0/16  (VPC-A)
All traffic     All        All       20.10.0.0/16  (VPC-B)
All traffic     All        All       30.10.0.0/16  (VPC-C)

Outbound rules:
   Type      Protocol   Port range    Destination
All traffic     All        All        0.0.0.0/0

But the Terraform code below is not able to provision the above security groups.

# Security group in VPC-A with CIDR-based ingress from all three VPCs
resource "aws_security_group" "shared-elasticsearch-sg" {
  name   = var.name_sg
  vpc_id = data.terraform_remote_state.vpc-A.outputs.vpc_id

  # All traffic (protocol -1, ports 0-0) from the CIDR of each VPC
  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    cidr_blocks = [data.terraform_remote_state.vpc-A.outputs.vpc_cidr_block,
                   data.terraform_remote_state.vpc-B.outputs.vpc_cidr_block,
                   data.terraform_remote_state.vpc-C.outputs.vpc_cidr_block]
  }

  # All outbound traffic to anywhere
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = var.name_sg
  }
}

# Elasticsearch domain from the cloudposse module; the security groups above
# are passed in through the module's security_groups input
module "elasticsearch" {
  source                = "git::https://github.com/cloudposse/terraform-aws-elasticsearch.git?ref=tags/0.24.1"
  security_groups       = [aws_security_group.shared-elasticsearch-sg.id,
                           data.terraform_remote_state.vpc-A.outputs.default_security_group_id]
  vpc_id                = data.terraform_remote_state.vpc-A.outputs.vpc_id
  ......
}

The above code provisions the security rules below:

Inbound rules:
  Type      Protocol   Port range         Source
All TCP       TCP       0 - 65535   sg-0288988f38d2007be / shared-elasticSearch-sg
All TCP       TCP       0 - 65535   sg-0893dfcdc1be34c63 / default
Outbound rules:
  Type      Protocol   Port range    Destination
All TCP       TCP      0 - 65535      0.0.0.0/0

Security rules of sg-0288988f38d2007be / shared-elasticSearch-sg

Inbound rules:
   Type      Protocol   Port range      Source
All traffic     All        All       40.10.0.0/16  (VPC-A)
All traffic     All        All       20.10.0.0/16  (VPC-B)
All traffic     All        All       30.10.0.0/16  (VPC-C)

Outbound rules:
   Type      Protocol   Port range    Destination
All traffic     All        All        0.0.0.0/0

The security groups provisioned by the Terraform code do not work. From VPC-B and VPC-C, I cannot reach Elasticsearch in VPC-A. How do I write the Terraform code properly so that it provisions the security groups I created manually?


Solution

  • I solved the problem myself. There is a limitation / bug in the ElasticSearch module. I downloaded the module and made changes to the security group. Problem solved. There is no way to use the security groups provided by the Elasticsearch module to provision the security group I described in the problem.
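The two tables in the question show the mechanism behind the answer. The group the module creates for the domain admits "All TCP" with sg-0288988f38d2007be (shared-elasticsearch-sg) as the *source*, not the VPC CIDRs. A source-security-group rule matches only packets sent from network interfaces that carry that group, which means interfaces in VPC-A; packets from VPC-B and VPC-C arriving through the transit gateway carry no such membership and are dropped by the domain's group before the CIDR rules on shared-elasticsearch-sg are ever consulted. The CIDR-based group therefore has to be attached to the domain's own interfaces. The following is an added example (not the original poster's configuration and not the cloudposse module's code) that does this with the plain aws_elasticsearch_domain resource, whose vpc_options block takes the security groups to attach directly. It also narrows ingress from "All traffic" to TCP 443, which is all the domain serves once enforce_https is on. The variable names, the CIDR map keys, the subnet IDs and the domain name are assumptions; the CIDR values are the ones from the question.

```hcl
# Added example, not the original poster's code and not the cloudposse module.
# Assumptions: the AWS provider is configured elsewhere; vpc_id, subnet_ids and
# client_vpc_cidrs are supplied as variables (defaults below are illustrative).

variable "vpc_id" {
  description = "VPC-A, where the domain lives"
  type        = string
}

variable "subnet_ids" {
  description = "Private subnets in VPC-A for the domain's network interfaces"
  type        = list(string)
}

# Client networks allowed to reach the domain. Values mirror the rules in the
# question; the map keys are assumed names used only for rule descriptions.
variable "client_vpc_cidrs" {
  type = map(string)
  default = {
    vpc-a = "40.10.0.0/16"
    vpc-b = "20.10.0.0/16"
    vpc-c = "30.10.0.0/16"
  }
}

resource "aws_security_group" "shared_elasticsearch" {
  name        = "shared-elasticsearch-sg"
  description = "Clients in VPC-A/B/C to the shared Elasticsearch domain"
  vpc_id      = var.vpc_id

  tags = { Name = "shared-elasticsearch-sg" }
}

# One ingress rule per client VPC, matched by CIDR rather than by source
# security group, so packets arriving through the transit gateway match.
# Scoped to HTTPS instead of "All traffic".
resource "aws_security_group_rule" "clients_https" {
  for_each = var.client_vpc_cidrs

  type              = "ingress"
  security_group_id = aws_security_group.shared_elasticsearch.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = [each.value]
  description       = "HTTPS from ${each.key}"
}

# Egress kept as in the question; tighten it if the domain does not need it.
resource "aws_security_group_rule" "egress_all" {
  type              = "egress"
  security_group_id = aws_security_group.shared_elasticsearch.id
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
}

# A VPC-deployed domain requires the Elasticsearch service-linked role.
resource "aws_iam_service_linked_role" "es" {
  aws_service_name = "es.amazonaws.com"
}

resource "aws_elasticsearch_domain" "shared" {
  domain_name           = "shared-elasticsearch" # assumed name
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type  = "t3.small.elasticsearch"
    instance_count = 1
  }

  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  # The group attached here is the one evaluated on the domain's interfaces;
  # no intermediate group referencing it by ID sits in front.
  vpc_options {
    subnet_ids         = var.subnet_ids
    security_group_ids = [aws_security_group.shared_elasticsearch.id]
  }

  encrypt_at_rest {
    enabled = true
  }

  node_to_node_encryption {
    enabled = true
  }

  domain_endpoint_options {
    enforce_https       = true
    tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
  }

  depends_on = [aws_iam_service_linked_role.es]
}
```

After `terraform apply`, `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<id of shared-elasticsearch-sg>` should list three ingress entries, each with a CidrIpv4 and none with a ReferencedGroupInfo, and the domain's `VPCOptions.SecurityGroupIds` from `aws es describe-elasticsearch-domain` should name that same group. If you stay with the cloudposse module, the same check tells you whether the group actually attached to the domain admits traffic by CIDR or only by source security group.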