Use separate TF resources for security group ingress/egress rules

[markdboyd]

Changes proposed in this pull request:

Part of https://github.com/cloud-gov/private/issues/1439

We have a problem where Terraform is constantly detecting changes to our aws_security_group resources, when in fact nothing is changing except that Terraform thinks the order of the cidr_blocks values have changed.

After looking for an easy fix in the Terraform AWS provider GitHub, I struck out and then went to the documentation page for the aws_security_group resource which has this note:

Avoid using the ingress and egress arguments of the aws_security_group resource to configure in-line rules, as they struggle with managing multiple CIDR blocks, and, due to the historical lack of unique IDs, tags and descriptions. To avoid these problems, use the current best practice of the aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources with one CIDR block per rule.

In line with those suggestions, I am refactoring the code to use separate aws_vpc_security_group_ingress_rule and aws_vpc_security_group_egress_rule resources to have a separate ingress/egress rule for each CIDR block. I think this refactoring will resolve the issue with Terraform always detecting changes because each IP will effectively create a different resource in Terraform and thus ordering should not matter.

security considerations

There should be no material changes to security group ingress/egress, just refactoring how those resources are declared in Terraform.

[bengerman13]

I'm guessing this might force recreates on some of these resources. Do we have a strategy to validate there's no downtime applying this in dev/stage before applying it to prod?