Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resource aws_default_security_group won't remove existing rules #20697

Open
LuigiClemente-Awin opened this issue Aug 26, 2021 · 6 comments
Open

Resource aws_default_security_group won't remove existing rules #20697

LuigiClemente-Awin opened this issue Aug 26, 2021 · 6 comments
Labels
question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@LuigiClemente-Awin
Copy link

Hi all

I do not know if this is a bug or just a mistake or misunderstanding from my part.
I am using AWS provider 3.55.0 and the Gruntwork modules to manage the default security group in a new vpc:

https://github.com/gruntwork-io/terraform-aws-vpc/blob/v0.15.5/modules/vpc-app/main.tf

I managed to update the existing rules (ingress and egress) but then I noticed that for compliance with the CIS Benchmark checks the default security group must be empty.
I tried to pass an empty list or array to the rules parameter but existing rules are not removed. I manually removed the rules and after applying, the security group stays empty.

This is not the expected behavior for the resource aws_default_security_group (used by the vpc module):

_When Terraform first adopts the default security group, it immediately removes all ingress and egress rules in the Security Group. It then creates any rules specified in the configuration. This way only the rules specified in the configuration are created.

This resource treats its inline rules as absolute; only the rules defined inline are created, and any additions/removals external to this resource will result in diff shown. For these reasons, this resource is incompatible with the aws_security_group_rule resource._

Reading this I was expecting to see a diff and removal of the existing rules once I pass an empty array of rules.

Best regards,

Luigi
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/ec2 Issues and PRs that pertain to the ec2 service. labels Aug 26, 2021
@breathingdust breathingdust added question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 26, 2021
@m4t22
Copy link

m4t22 commented Dec 3, 2021

Also run into this issue

@leynebe
Copy link

leynebe commented Dec 23, 2021

Have you tried adding an empty map within a list?

  manage_default_security_group = true
  // Neuter default security group
  default_security_group_ingress = [{}]
  default_security_group_egress  = [{}]

This works for me but now I have perpetual changes for some reason.

@bryantbiggs bryantbiggs mentioned this issue Mar 2, 2022
Closed
@SerhiiKorolik
Copy link

SerhiiKorolik commented Oct 4, 2022
edited
Loading

For some reason it is worked for me with the setup:

resource "aws_default_security_group" "default" {
  vpc_id      = var.vpc_id
  
  ingress = []
  egress  = []
}

After the terraform apply - all inbound and outbound rules were deleted

Kudos to @geoffreywiseman
terraform-aws-modules/terraform-aws-vpc#759 (comment)

@benkeil
Copy link

benkeil commented Sep 11, 2023

does not work

@rwlodarczyk-xealth
Copy link

For some reason it is worked for me with the setup:

resource "aws_default_security_group" "default" {
  vpc_id      = var.vpc_id
  
  ingress = []
  egress  = []
}

After the terraform apply - all inbound and outbound rules were deleted

Kudos to @geoffreywiseman terraform-aws-modules/terraform-aws-vpc#759 (comment)

Confirmed that this approach works.

@ElvenSpellmaker
Copy link

ElvenSpellmaker commented Jul 15, 2024
edited
Loading

Using the https://github.com/terraform-aws-modules/terraform-aws-vpc module it seems it removes the rules on first apply, but if you manually go and add a rule it doesn't actually end up removing the added rules... It does appear to be bugged for managing this after first apply after the adoption of the resource.

The documentation seems to imply that it will manage anything you pass inline, the module uses dynamic to pass a list of rules, the rules should be an empty list if left default and so I'd expect it to remove the rules going forwards, not just on adoption.

Module variables:
https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/2e417ad0ce830893127476436179ef483485ae84/variables.tf#L1351-L1360

Module use: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/2e417ad0ce830893127476436179ef483485ae84/main.tf#L1231-L1271

@britthouser britthouser mentioned this issue Sep 30, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. service/ec2 Issues and PRs that pertain to the ec2 service.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@breathingdust @ElvenSpellmaker @LuigiClemente-Awin @benkeil @SerhiiKorolik @leynebe @m4t22 @rwlodarczyk-xealth