aws_security_group egress rules are not removed #1555

Closed
thomasbiddle opened this issue Aug 31, 2017 · 22 comments · Fixed by #32424
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
Comments

@thomasbiddle (Contributor) commented Aug 31, 2017

When using aws_security_group and removing an egress statement; Terraform does not reflect the change. It works fine when adding it; however removing it is completely ignored.

I am unsure how aws_security_group_rule works in this case. I would assume it works fine as it is an individual resource.

Terraform Version

Terraform v0.10.2

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_security_group

Terraform Configuration Files

resource "aws_security_group" "a_security_group" {
  name = "a_security_group"

  vpc_id = "vpc-abcd1234"

  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"

    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags {
    Name = "a_security_group"
  }
}

Expected Behavior

  • Create security group with egress rule, and terraform apply
  • Group is created
  • Remove egress rule and run terraform apply
  • Security group exists with all rules; however egress rule is removed

Actual Behavior

  • Egress rule is still there; Terraform makes no mention of it.

Steps to Reproduce

  • Create security group with any rules you want, add an egress rule as mentioned in the HCL above.
  • terraform apply
  • Remove the egress statement
  • terraform apply
@dmlemos commented Sep 1, 2017

I hit the same issue today.

@ksperling commented
The same issue also applies to ingress rules which is even more critical from a security point of view. The issue seems to happen specifically when removing all ingress or egress rules from the group; if any rules of the same type remain the change is applied correctly in my testing.

@Ninir Ninir added the bug Addresses a defect in current functionality. label Sep 18, 2017
@dlcc commented Oct 17, 2017

Same issue today :( 0.10.7

@Gary-Armstrong commented
I think I have this same issue. A couple CIDR were manually added while I was out. Today I want to add them to the HCL, but being a well-scarred veteran of TF, I naturally ran a plan first. I expected to see a diff but terraform reported that everything is fine: "No changes."

I did a search in the console, the state list output, and the code. The CIDR only appears in AWS, yet TF does not detect it.

@cmhamill commented
I just ran into this, wanted to note the workaround, which is to add the empty list, like so:

resource "aws_security_group" "a_security_group" {
  name = "a_security_group"

  vpc_id = "vpc-abcd1234"

  ingress = []
  egress = []
  
  tags {
    Name = "a_security_group"
  }
}

Modify as needed for your situation.

@Gary-Armstrong commented
I do not want to remove all of the rules, just the ones that are not present in TF but present in AWS.

@ncraike commented Oct 30, 2017

I think I maybe have the same issue or something similar with ingress rules: in my Terraform config I've specified an aws_security_group which only has an egress rule.

The actual security group created in AWS has the egress rule I specified, and an ingress rule which allows all traffic inbound (all protocols and ports from 0.0.0.0/0).

I think the security group config may have had an ingress block earlier in its life. If it did, Terraform isn't updating the group in AWS to remove the ingress/inbound rule.

So this issue as a whole, "aws_security_group egress rules are not removed", I suspect old ingress rules are also not removed.

Configuring the security group with ingress = [] does remove the old rule.

@dlcc commented Oct 30, 2017

@ncraike Are you using individual security group rules or in-line rules? If you are using SGRs, then what you describe is the expected behaviour IMHO.

@Gary-Armstrong commented
If I created a SG and specified only egress rules, I would NOT expect my SG to allow any ingress.

@dlcc commented Oct 30, 2017

If you created a security group resource then attached egress via security group rule resources, then I believe you could manually add ingress via the AWS GUI that would remain untouched on subsequent terraform apply runs.

@Gary-Armstrong commented
I can see how someone might expect that behavior. Are we generally expected to, for example, specify an ingress resource with an empty list to explicitly deny all? Docs are not completely clear on the behavior.

@dlcc commented Oct 30, 2017

If you use an 'in-line' rule and remove it, I would expect the inline rule to be in the statefile, so I would expect terraform to remove it when the in-line rule was removed. This is what I tried to do, and terraform did not remove the rules, unlike what I expected.

Using ingress = [] and egress = [] is all well and good, but then if you mix in security group rules, is there a risk that they are overwritten by the []?

@Gary-Armstrong commented
In my case, I'm using separate resources. Docs say you can't mix in-line with separate resources. Have not tested if it is accurate but am assuming it is.

I suppose I want to understand what is expected so I can understand how to approach the problem where I want TF to remove rules and it does not.

If that is not actually the intended behavior, then I'd like a fix so that unwanted rules are removed and my infrastructure is brought into compliance with my written definition.

If it is truly the intended behavior, I would like to ask for some direction on how I am supposed to write my definitions to remove unwanted rules that were not even defined in the first place.

@ncraike commented Nov 2, 2017

@dlcc I'm using in-line rules.

@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 28, 2018
@pmoust (Contributor) commented Apr 13, 2018

For the case of aws_security_group_rule this is a dupe of #220

@MarkRoss-Eviden commented
This is still an issue and I'm using Terraform v0.12.16. I see other issues talk about it not tracking out-of-band changes, and this thread mentions rules aren't removed. I'd personally summarise the issue as: Terraform is only checking for egress rules if egress rules are specified in your code.

If I have a security group that only specifies ingress rules and tags Terraform isn't checking what exists in the egress rules so it's not detecting if things exist and therefore it's not deleting the egress rules to match that no egress rules are specified in the code.

If I have a security group that specifies ingress, egress and tags then Terraform does detect the egress rules and anything that doesn't match the egress rules in my code are removed.

Does anyone know what's happening with closing this issue down? It seems to have been around for a long time, and I'd definitely say it's a security issue: I found an egress rule today that was an 'any' rule that wasn't being deleted because my code had no egress rules (because I wanted egress to be locked down).
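
The behaviour summarised above (a direction with no block in the config is never compared against what AWS actually has) can be caught independently of Terraform. The following is an added example written for this page, not code from the issue or from the Terraform AWS provider. It flattens the inline rules a config declares and the rules EC2 reports for the group, then lists rules that exist only in AWS; a direction with no block at all is treated as "no rules allowed", which is what the config author means. The `config` dict shape is a hypothetical stand-in for parsed HCL, and `GROUP_IN_AWS` is a constructed dict in the shape of one `DescribeSecurityGroups` entry (the 443 ingress from the issue plus the default allow-all egress rule the reporter found). For a live check, replace it with `boto3.client("ec2").describe_security_groups(GroupIds=[gid])["SecurityGroups"][0]`.

```python
"""Independent drift check for inline aws_security_group rules.

Added example, not from the issue or the Terraform AWS provider. It compares
the inline rules a config declares with the rules EC2 reports for the group
and returns the rules that exist only in AWS (the case the provider did not
enforce before v5.8.0 when a direction had no block at all).
"""
from typing import Dict, FrozenSet, List, Tuple

# Normalised rule: (direction, protocol, from_port, to_port, source)
Rule = Tuple[str, str, int, int, str]


def declared_rules(config: Dict[str, List[dict]]) -> FrozenSet[Rule]:
    """Flatten inline ingress/egress blocks from a parsed config.

    `config` is a hypothetical dict mirroring the HCL blocks, e.g.
    {"ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                  "cidr_blocks": ["0.0.0.0/0"]}]}.
    A missing or empty direction contributes no rules, so "no egress block"
    and "egress = []" are treated identically here.
    """
    rules = set()
    for direction in ("ingress", "egress"):
        for block in config.get(direction) or []:
            head = (direction, block["protocol"], block["from_port"], block["to_port"])
            for src in block.get("cidr_blocks", []) + block.get("security_groups", []):
                rules.add(head + (src,))
    return frozenset(rules)


def live_rules(group: dict) -> FrozenSet[Rule]:
    """Flatten one EC2 DescribeSecurityGroups group entry.

    EC2 reports the all-traffic rule as IpProtocol "-1" with no FromPort/ToPort;
    map that to 0/0 so it compares equal to Terraform's inline form.
    """
    rules = set()
    for direction, key in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for perm in group.get(key, []):
            head = (direction, perm["IpProtocol"], perm.get("FromPort", 0), perm.get("ToPort", 0))
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [r["GroupId"] for r in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                rules.add(head + (src,))
    return frozenset(rules)


def drift(config: Dict[str, List[dict]], group: dict) -> Tuple[List[Rule], List[Rule]]:
    """Return (unmanaged, missing): rules only in AWS, rules only in the config."""
    want, have = declared_rules(config), live_rules(group)
    return sorted(have - want), sorted(want - have)


# Constructed inputs mirroring the issue: the config declares only the 443
# ingress, while the group in AWS still carries an allow-all egress rule.
CONFIG_INGRESS_ONLY = {
    "ingress": [
        {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}
    ],
}
CONFIG_EXPLICIT_EMPTY_EGRESS = dict(CONFIG_INGRESS_ONLY, egress=[])

GROUP_IN_AWS = {  # constructed sample, not from a real account
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []}
    ],
}

if __name__ == "__main__":
    for name, cfg in (("no egress block", CONFIG_INGRESS_ONLY),
                      ("egress = []", CONFIG_EXPLICIT_EMPTY_EGRESS)):
        unmanaged, missing = drift(cfg, GROUP_IN_AWS)
        print(f"{name}: unmanaged={unmanaged} missing={missing}")
```

Both configs report the same unmanaged `("egress", "-1", 0, 0, "0.0.0.0/0")` rule, which is the point: from the operator's side an absent block and an empty one mean the same thing, so a check like this will flag the out-of-band rule whether or not the provider version in use diffs that direction.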

@teng1 commented Sep 15, 2020

Issue still present in 13.1

@lijok commented Nov 23, 2021

We just wasted hours on this
Fix please?

@asiosio commented Dec 29, 2021

Same issue here:
I have a terraform file which defines a Security Group with only ingress block.
If I manually add an egress rule on the AWS side, the next terraform apply won't detect the "drift" nor revert the change.
I guess this is because there is no "egress" block in the original terraform file.
Could lead to some security issues...

@igor-borisoglebski commented
Bump.

Issue is still present.

Terraform v1.2.6

  • provider registry.terraform.io/hashicorp/aws v4.25.0

@github-actions commented
This functionality has been released in v5.8.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions commented
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 13, 2023