How are you? I'm having an issue. Take a look at the code below. I created two security groups:
```hcl
resource "aws_security_group" "ec2_sg" {
  name        = "${var.project_name}-${var.environment}-ec2-sg"
  vpc_id      = var.vpc_id
  description = "Security Group for EC2 instance"

  # Inline ingress rule defined inside the security group resource
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["172.15.0.0/16", "172.18.0.0/16", "172.19.0.0/16"]
  }

  tags = {
    Name         = "${var.project_name}-${var.environment}-ec2-sg"
    Environment  = var.environment
    Project      = var.project_name
    ResourceType = "security-group"
  }
}

resource "aws_security_group" "rds_sg" {
  name        = "${var.project_name}-${var.environment}-rds-sg"
  vpc_id      = var.vpc_id
  description = "Security Group for RDS"

  # Inline ingress rule defined inside the security group resource
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["172.15.0.0/16", "172.18.0.0/16", "172.19.0.0/16"]
  }

  # Inline egress rule defined inside the security group resource
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name         = "${var.project_name}-${var.environment}-rds-sg"
    Environment  = var.environment
    Project      = var.project_name
    ResourceType = "security-group"
  }
}
```
After that, I created two rules allowing cross-traffic between them:
```hcl
# Standalone rule: EC2 SG accepts all traffic from the RDS SG
resource "aws_security_group_rule" "ec2_rule" {
  depends_on               = [aws_security_group.ec2_sg, aws_security_group.rds_sg]
  type                     = "ingress"
  from_port                = 0
  to_port                  = 0
  protocol                 = "-1"
  source_security_group_id = aws_security_group.rds_sg.id
  security_group_id        = aws_security_group.ec2_sg.id
}

# Standalone rule: RDS SG accepts all traffic from the EC2 SG
resource "aws_security_group_rule" "rds_rule" {
  depends_on               = [aws_security_group.ec2_sg, aws_security_group.rds_sg]
  type                     = "ingress"
  from_port                = 0
  to_port                  = 0
  protocol                 = "-1"
  source_security_group_id = aws_security_group.ec2_sg.id
  security_group_id        = aws_security_group.rds_sg.id
}
```
Everything was fine so far; I applied the code, and it worked. However, I noticed that every time I make a change with Terraform, even if it's to other resources, no matter what they are, these rules allowing cross-traffic disappear — only these rules.
I have to comment out this specific part of the code and apply it; the terraform plan shows that the rules will be deleted (even though they are not visible in the SG). Then, I uncomment the rules and apply them again.
This is okay for now, but it will be a problem in production. Any idea why this is happening and how to fix it?
This is a common issue if you define rules both inside and outside your SG, and it is documented here:
In your case, define all rules outside of your SGs and reference the IDs of the SGs in them; that should work as expected.
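One way to apply that advice to the configuration in the question, as an added example that is not the poster's or the answerer's code: the two security groups carry no inline `ingress`/`egress` blocks, and every rule, including the CIDR ingress and the egress that used to be inline, becomes an `aws_security_group_rule` resource, so Terraform has a single source of truth for each group's rules. It assumes the same variables, CIDR ranges and all-protocol rules as the question (tags omitted for brevity); an explicit egress rule is added for the EC2 group as well, because Terraform removes the AWS default allow-all egress from groups it creates and the original `ec2_sg` declared none.

```hcl
resource "aws_security_group" "ec2_sg" {
  name        = "${var.project_name}-${var.environment}-ec2-sg"
  vpc_id      = var.vpc_id
  description = "Security Group for EC2 instance"
}
resource "aws_security_group" "rds_sg" {
  name        = "${var.project_name}-${var.environment}-rds-sg"
  vpc_id      = var.vpc_id
  description = "Security Group for RDS"
}
locals {
  sg_ids = {
    ec2 = aws_security_group.ec2_sg.id
    rds = aws_security_group.rds_sg.id
  }
  # Each group admits traffic from its peer: ec2 <- rds, rds <- ec2
  peer           = { ec2 = "rds", rds = "ec2" }
  internal_cidrs = ["172.15.0.0/16", "172.18.0.0/16", "172.19.0.0/16"]
}
# Cross-traffic rules, one per group, referencing the other group's id
resource "aws_security_group_rule" "cross_traffic" {
  for_each                 = local.peer
  type                     = "ingress"
  from_port                = 0
  to_port                  = 0
  protocol                 = "-1"
  source_security_group_id = local.sg_ids[each.value]
  security_group_id        = local.sg_ids[each.key]
}
# CIDR ingress that was previously an inline block in each group
resource "aws_security_group_rule" "internal_ingress" {
  for_each          = local.sg_ids
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = local.internal_cidrs
  security_group_id = each.value
}
# Egress declared explicitly (assumption: both groups need outbound access)
resource "aws_security_group_rule" "all_egress" {
  for_each          = local.sg_ids
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = each.value
}
```

After `terraform apply`, a second `terraform plan` with no changes should report nothing to destroy; if it still wants to delete the rules, some other resource is still declaring inline rules for the same group.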