How to add multiple rules to a security group in Terraform

 

(Photo: Tsukemen Shigeta, Kobe Rokkomichi)

Hello!
My name is Hide, the ramen king of Beyond Osaka Office.
This is my 10th post.

Last time, I wrote about how to configure URL redirects with Google Cloud Load Balancing (GCLB)'s global external HTTP(S) load balancer!

The redirect settings differ between the newer and the classic load balancer, which makes it a little tricky, but it's useful to know, so if you're interested please take a look at these:

● Part 1: How to configure URL redirect settings with GCP's global external HTTP(S) load balancer (classic)
● Part 2: How to configure URL redirect settings with GCP's global external HTTP(S) load balancer

Add multiple rules to a security group in Terraform

When you create a security group in the AWS console you normally add several inbound rules by hand, and in Terraform you want the same thing: a security group with multiple inbound rules, attached to an instance.

This post introduces two ways to create those rules.

The goal is the security group in the screenshot below: HTTP (port 80) and HTTPS (port 443) open inbound, with the group attached to an EC2 instance.
Let's get started!

Configuration methods

The first method is to write the ingress (inbound rule) blocks directly inside aws_security_group, one block per rule.
This is very simple and easy to work with.

resource "aws_security_group" "test-sg" {
  name        = "test-sg"
  description = "test-sg"

  # Outbound: allow everything (protocol "-1" means all protocols)
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Inbound: HTTP from anywhere
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Inbound: HTTPS from anywhere
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

A note on the CIDRs: 0.0.0.0/0 on ports 80 and 443 is the normal setting for a public web server, but don't copy that pattern for management ports such as SSH. Scope those to a specific CIDR, or reference the bastion's security group through security_groups instead of cidr_blocks.
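As an added example (not code from the original post): the first method scaled up with a dynamic block, so the inline rules are rendered from one list instead of one hand-written ingress block per port. The variable name web_ingress and the rule descriptions are my own choices here, not something from the post.

```hcl
# Added example, not from the original post. Method 1 generalised with a
# dynamic block: one inline ingress block is rendered per list element.
# "web_ingress" is an assumed variable name for this example.
variable "web_ingress" {
  description = "Inbound rules to open on the web security group"
  type = list(object({
    description = string
    port        = number
    cidr_blocks = list(string)
  }))
  default = [
    { description = "HTTP from anywhere",  port = 80,  cidr_blocks = ["0.0.0.0/0"] },
    { description = "HTTPS from anywhere", port = 443, cidr_blocks = ["0.0.0.0/0"] },
  ]
}

resource "aws_security_group" "test-sg" {
  name        = "test-sg"
  description = "test-sg"

  # All rules stay inline in this resource, so nothing else may manage
  # them through aws_security_group_rule (see the conflict section below).
  dynamic "ingress" {
    for_each = var.web_ingress
    content {
      description = ingress.value.description
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = "tcp"
      cidr_blocks = ingress.value.cidr_blocks
    }
  }

  # Outbound: allow everything (protocol "-1" means all protocols)
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Adding a port is then one more element in var.web_ingress, and because the rules are still inline in aws_security_group, the conflict described in the next section does not arise as long as nothing references the group through aws_security_group_rule.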

The second method is to use aws_security_group_rule.

Instead of writing ingress blocks inside aws_security_group, you declare each rule as its own aws_security_group_rule resource. One aws_security_group_rule holds exactly one rule, so for several rules you create several resources with different names, each pointing at the group through security_group_id, as shown below.

This can be convenient when used properly, but if you go with aws_security_group_rule, be sure to read the next section before you do!

resource "aws_security_group" "test-sg" {
  name        = "test-sg"
  description = "test-sg"

  # Outbound: allow everything, IPv4 and IPv6
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}

# Inbound: HTTP from anywhere, as a standalone rule resource
resource "aws_security_group_rule" "test-sg-inbound-http" {
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.test-sg.id
}

# Inbound: HTTPS from anywhere, as a second standalone rule resource
resource "aws_security_group_rule" "test-sg-inbound-https" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.test-sg.id
}

Strictly speaking, this example still mixes the two styles (egress inline, ingress standalone), which the provider documentation quoted later in this post says not to do. To follow it to the letter, declare egress as an aws_security_group_rule with type = "egress" as well, and leave aws_security_group with no inline rule blocks at all.

Do not set rules in both aws_security_group and aws_security_group_rule


"I set ingress in aws_security_group, but I want to add one more ingress rule, so I'll add it with aws_security_group_rule!"

If you think like this and keep an ingress rule in aws_security_group while adding another one with aws_security_group_rule, the two definitions conflict: every apply creates or deletes the rule again, and the configuration never settles down. It looks just like a bug...

"There's no way that's a bug! What are you talking about?"

I'm sure some people are thinking that, and when I first ran into it I thought exactly the same lol
For those people, here is a log of what I actually verified!

Apply the following main.tf.

resource "aws_security_group" "test-sg" {
  name        = "test-sg"
  description = "test-sg"

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Port 80 is declared inline ...
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# ... while port 443 is declared as a standalone rule on the same group.
resource "aws_security_group_rule" "test-sg-inbound-https" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.test-sg.id
}

After the first apply, the AWS console looks like this.
The inbound rules for ports 80 and 443 have both been created without any problem.

On the second apply, however, Terraform plans an update and deletes the rule defined in aws_security_group_rule, even though nothing in main.tf has changed.

What happens is that the refresh reads the real security group, which now has both 80 and 443 in its ingress set, while the inline ingress block in aws_security_group declares only 80. The aws_security_group resource therefore "corrects" the group back to exactly its inline rules. (Port 80 shows up as removed and re-added only because its description differs, "" as read from AWS versus null in the configuration; the real change is that 443 is removed.)

aws_security_group.test-sg: Refreshing state... [id=sg-063e7c33de8e1dc09]
aws_security_group_rule.test-sg-inbound-https: Refreshing state... [id=sgrule-4193634971]
aws_instance.test: Refreshing state... [id=i-07125d27a59e1b8f5]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_security_group.test-sg will be updated in-place
  ~ resource "aws_security_group" "test-sg" {
        id          = "sg-063e7c33de8e1dc09"
      ~ ingress     = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = ""
              - from_port        = 443
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 443
            },
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = ""
              - from_port        = 80
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 80
            },
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + description      = null
              + from_port        = 80
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 80
            },
        ]
        name        = "test-sg"
        tags        = {}
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

The AWS console after the second apply looks like this. The rule that was set in aws_security_group_rule has disappeared...

The official documentation for the aws_security_group resource says:

Terraform currently provides both standalone security group rule resources (single ingress or egress rules) and security group resources that contain inline-defined ingress and egress rules.

Security groups with inline rules cannot currently be used in conjunction with security group rules resources. Doing this will cause a rule configuration conflict and override the rules.

● Reference: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

In short, anything you add with aws_security_group_rule gets overwritten by what is set inline in aws_security_group. And it doesn't stop there: the aws_security_group_rule resource still has the rule in its state, so the next plan notices the rule is missing from AWS and recreates it, after which the aws_security_group resource removes it again. The two resources fight each other on every apply. That is quite scary if you operate a group without knowing this...
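As an added example (not code from the original post) of the conflict-free way to use the standalone resource: aws_security_group declares no inline blocks at all, and every rule, egress included, is an aws_security_group_rule driven by one map with for_each. The local name sg_rules, the map keys and the rule descriptions are this example's own naming.

```hcl
# Added example, not from the original post. Conflict-free layout:
# no inline ingress/egress in aws_security_group, all rules standalone.
# "sg_rules" and its keys are assumed names for this example.
locals {
  sg_rules = {
    http = {
      type        = "ingress"
      from_port   = 80
      to_port     = 80
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "HTTP from anywhere"
    }
    https = {
      type        = "ingress"
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "HTTPS from anywhere"
    }
    # AWS adds an allow-all egress rule to a new group, but the
    # aws_security_group resource deletes it when no egress is declared,
    # so egress must be declared explicitly in this layout.
    all_egress = {
      type        = "egress"
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
      description = "All outbound"
    }
  }
}

resource "aws_security_group" "test-sg" {
  name        = "test-sg"
  description = "test-sg"
  # Deliberately no ingress {} or egress {} blocks here: mixing inline
  # blocks with aws_security_group_rule is what makes the plan flip-flop.
}

# One aws_security_group_rule instance per map entry, e.g.
# aws_security_group_rule.test-sg["https"].
resource "aws_security_group_rule" "test-sg" {
  for_each = local.sg_rules

  security_group_id = aws_security_group.test-sg.id
  type              = each.value.type
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  protocol          = each.value.protocol
  cidr_blocks       = each.value.cidr_blocks
  description       = each.value.description
}
```

With this layout a second terraform plan after the apply reports no changes, and a new port is just a new entry in local.sg_rules. The egress entry is not optional: leaving it out silently cuts off all outbound traffic from the instance, because the aws_security_group resource removes the default allow-all egress rule that AWS creates.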

Summary

This time I introduced two ways to add multiple rules to a security group with Terraform. What did you think?

You can define multiple rules with either aws_security_group or aws_security_group_rule, but never set rules in both for the same group, or you'll end up with the conflict above!

Which one you use is up to you, but unless there's a special reason, writing the rules inline in aws_security_group is easier to manage and avoids the conflict. Whichever you choose, stick to one style per security group, and run terraform plan once more after the apply: a correct configuration reports "No changes", and a plan that keeps wanting to add or remove the same rule is the sign that the two styles have been mixed. (In CI, terraform plan -detailed-exitcode exits with status 2 whenever there is a diff, which makes this check easy to automate.)

Note also that recent versions of the AWS provider (v5) recommend the newer aws_vpc_security_group_ingress_rule and aws_vpc_security_group_egress_rule resources over aws_security_group_rule. The same caveat applies to them: don't combine them with inline ingress/egress blocks.

Please refer to this when creating a security group!

About the author

Hide@Infrastructure Engineer

It all started with a very interesting interview. I'm a mid-career employee of the System Solutions Department in Osaka. My job is to build and operate servers and clouds! I hold the LPIC-1, AWS SAA, and OCI Architect Associate certifications.

Actually, I love ramen and have investigated over 100 shops in Osaka (。-∀-) I'm striving to become the Ramen King of Nibi Beyond!

I'm also on Twitter, so please follow me (´∇`)