[aws_security_group] How to manage inline ingress rules via parameters?

[Nuru]

Description

#32424 closed a lot of issues related to inline aws_security_group ingress and egress rules, but I do not see how it is a solution. I think they should be reopened or closed on other grounds with a different explanation. The documentation says

To subsequently remove all managed ingress and egress rules:

resource "aws_security_group" "example" {
  name   = "sg"
  vpc_id = aws_vpc.example.id
  ingress = []
  egress  = []
}

Does this mean that if I have var.ingress_rules = list(object(<rules>)) I can write

resource "aws_security_group" "example" {
  name   = "sg"
  vpc_id = aws_vpc.example.id
  ingress = var.ingress_rules
}

The documentation indicates that this will not work, and instead I have to do something like

resource "aws_security_group" "example" {
  name   = "sg"
  vpc_id = aws_vpc.example.id
  dynamic "ingress" {
    for_each = var.ingress_rules
    content {
      description      = ingress.value.description
      ...
    }
  }
}

How can I write one block of code that will delete inline ingress rules when they are removed? It looks to me that I still cannot, in which case I think a lot of these issues are still not resolved.

It is fine with me if you say the issues will not be resolved per se and declare inline rules deprecated or insist that people use aws_vpc_security_group_ingress_rule resources if they are going to change during the life of the security group, but that is a different resolution than #32424 provides.

References

PR #32424

Issues it claims to close:

• aws_security_group: no way to delete egress rule #660
• aws_security_group egress rules are not removed #1555
• Removing ingress rules from aws_security_group is not detected #4399
• aws_security_group does not destroy rules when all nested blocks are removed #11059
• Cannot remove inline ingress or egress from aws_security_group #20046

Would you like to implement a fix?

No

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @Nuru 👋 Thank you for taking the time to raise this! While we strongly recommend using the distinct aws_vpc_security_group_ingress_rule and aws_vpc_security_group_egress_rule resources for any newly created security groups, the attributes-as-blocks documentation covers this use-case under the header Arbitrary Expressions with Argument Syntax. Can you take a look at that document and let me know if it helps in your scenario?

[justinretzolk]

Since we haven't heard back, I'm going to close this issue. If you're still having trouble, please feel free to open a new issue, referencing this one for context as needed.

[github-actions]

Warning

This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.