aws_security_group egress rules are not removed

[thomasbiddle]

When using aws_security_group and removing an egress statement; Terraform does not reflect the change. It works fine when adding it; however removing it is completely ignored.

I am unsure how aws_security_group_rule works in this case. I would assume it works fine as it is an individual resource.

Terraform Version

Terraform v0.10.2

Affected Resource(s)

Please list the resources as a list, for example:

• aws_security_group

Terraform Configuration Files

resource "aws_security_group" "a_security_group" {
  name = "a_security_group"

  vpc_id = "vpc-abcd1234"

  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"

    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags {
    Name = "a_security_group"
  }
}

Expected Behavior

• Create security group with egress rule, and terraform apply
• Group is created
• Remove egress rule and run terraform apply
• Security group exists with all rules; however egress rule is removed

Actual Behavior

• Egress rule is still there; Terraform makes no mention of it.

Steps to Reproduce

• Create security group with any rules you want, add an egress rule as mentioned in the HCL above.
• terraform apply
• Remove the egress statement
• terraform apply

[dmlemos]

I hit the same issue today.

[ksperling]

The same issue also applies to ingress rules which is even more critical from a security point of view. The issue seems to happen specifically when removing all ingress or egress rules from the group; if any rules of the same type remain the change is applied correctly in my testing.

[dlcc]

Same issue today :( 0.10.7

[Gary-Armstrong]

I think I have this same issue. A couple CIDR were manually added while I was out. Today I want to add them to the HCL, but being a well-scarred veteran of TF, I naturally ran a plan first. I expected to see a diff but terraform reported that everything is fine: "No changes."

I did a search in the console, the state list output, and the code. The CIDR only appears in AWS, yet TF does not detect it.

[cmhamill]

I just ran into this, wanted to note the workaround, which is to add the empty list, like so:

resource "aws_security_group" "a_security_group" {
  name = "a_security_group"

  vpc_id = "vpc-abcd1234"

  ingress = []
  egress = []
  
  tags {
    Name = "a_security_group"
  }
}

Modify as needed for your situation.

[Gary-Armstrong]

I do not want to remove all of the rules, just the ones that are not present in TF but present in AWS.

[ncraike]

I think I maybe have the same issue or something similar with ingress rules: in my Terraform config I've specified an aws_security_group which only has an egress rule.

The actual security group created in AWS has the egress rule I specified, and an ingress rule which allows all traffic inbound (all protocols and ports from 0.0.0.0/0).

I think the security group config may have had an ingress block earlier in its life. If it did, Terraform isn't updating the group in AWS to remove the ingress/inbound rule.

So this issue as a whole, "aws_security_group egress rules are not removed", I suspect old ingress rules are also not removed.

Configuring the security group with ingress = [] does remove the old rule.

[dlcc]

@ncraike Are you using individual security group rules or in-line rules? If you are using SGR's, then what you describe is the expected behaviour IMHO.

[Gary-Armstrong]

If I created a SG and specified only egress rules, I would NOT expect my SG to allow any ingress.

[dlcc]

If you created a security group resource then attached egress via security group rule resources, then I believe you could manually add ingress via the AWS GUI that would remain untouched on subsequent terraform apply runs.

[Gary-Armstrong]

I can see how someone might expect that behavior. Are we generally expected to, for example, specify an ingress resource with a empty list to explicitly deny all? Docs are not completely clear on the behavior.

[dlcc]

If you use in an 'in-line' rule and remove it, I would expect the inline rule to be in the statefile so would expect terraform to remove it when the in-line rule was removed. This is what I tried to do and terraform did not remove the rules, unlike what I expected.

Using ingress = [] egress = []

Is all well and good, but then if you mix in security group rules, is there a risk that they are overwritten by the []?

[Gary-Armstrong]

In my case, I'm using separate resources. Docs say you can't mix in-line with separate resources. Have not tested if it is accurate but am assuming it is.

I suppose I want to understand what is expected so I can understand how to approach the problem where I want TF to remove rules and it does not.

If that is not actually the intended behavior, then I'd like a fix so that unwanted rules are removed and my infrastructure is brought into compliance with my written definition.

If it is truly the intended behavior, I would like to ask for some direction on how I am supposed to write my definitions to remove unwanted rules that were not even defined in the first place.

[ncraike]

@dlcc I'm using in-line rules.