[Enhancement]: Undetectable rule drift with security groups referencing each other #32743
Labels
enhancement
Requests to existing resources that expand the functionality or scope.
service/vpc
Issues and PRs that pertain to the vpc service.
Description
Let's say you want to create two security groups referencing each other, for example :
As you might expect, this results in a dependency loop error :
Since you can't reference security groups by anything else than their ids, we can't work around this by referring to them by name, or any other already known value.
Here come
aws_security_group_rule
,aws_vpc_security_group_egress_rule
,aws_vpc_security_group_ingress_rule
. We can then build something like that :This breaks the dependency loop, and works as expected.
The problem is that if an ingress rule is manually added to
dest
, terraform is unable to detect (and remove) it, which is not the case for egress rules ondest
, and all rules onsource
.Fix ideas
I can only think of one clean strategy to solve this problem : Adding a new type of resource, that is authoritative on the rules of a given security group.
We could for example add
aws_vpc_security_group_egress_rules
andaws_vpc_security_group_ingress_rules
resources, that we could configure similarly to inline rules inaws_security_group
. For example, something like :Affected Resource(s) and/or Data Source(s)
Would you like to implement a fix?
No
The text was updated successfully, but these errors were encountered: