
aws_security_group: no way to delete egress rule #660

Closed
hashibot opened this issue Jun 13, 2017 · 9 comments · Fixed by #32424
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
Milestone

Comments

@hashibot

This issue was originally opened by @lra as hashicorp/terraform#13314. It was migrated here as part of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.9.2

Affected Resource(s)

aws_security_group

Terraform Configuration Files

resource "aws_vpc" "test-vpc" {
  cidr_block           = "172.20.0.0/16"
  enable_classiclink   = true
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_security_group" "test-sg" {
  name   = "test-sg"
  vpc_id = "${aws_vpc.test-vpc.id}"

  egress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Expected Behavior

When commenting out the egress rule, I expect terraform to delete the egress rule on apply

Actual Behavior

When I comment out the egress rule, terraform applies no change.

Steps to Reproduce

  1. terraform apply
  2. comment out the egress section
  3. terraform apply

Workaround

I can taint the security group and apply.

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@yn-academia

yn-academia commented Jun 14, 2017

the last comment on the original issue (hashicorp/terraform#13314) included the following:

@deftflux's solution, however, does help solve the issue for users who have multiple remote statefiles, as it forces the user to contain all of their security group rules in a single resource. However, this doesn't solve the issue for users who still wish to create a single security group in one statefile, and separate rules in multiple different statefiles.

I would like to +1 the usefulness of containing all security group rules into a resource that would enforce something like "these rules, and only these rules" - we initially started to use Terraform specifically for this feature, which seemed to work when all the rules were inline. Turns out that it doesn't work, and moving rules to their own resources doesn't work either (because new rules created via GUI are not detected by terraform).

@jzafran

jzafran commented Jun 21, 2017

I've found a workaround; set egress = [] and the default rule will magically disappear after running terraform.
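Added example, not from the issue or the provider: the reported configuration beside the `egress = []` workaround from the comment above, showing how the egress set is declared as an explicit empty list instead of simply omitting the block. The VPC name and CIDRs are constructed values.

```hcl
# Constructed VPC for the example (not from the issue).
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

# Reported case: the egress block that used to be here has been commented out.
# As described in the issue, this produced no change on apply, so the
# existing 3306/tcp egress rule stayed on the group.
resource "aws_security_group" "sg_egress_omitted" {
  name   = "sg-egress-omitted"
  vpc_id = aws_vpc.example.id

  # egress {
  #   from_port   = 3306
  #   to_port     = 3306
  #   protocol    = "tcp"
  #   cidr_blocks = ["0.0.0.0/0"]
  # }
}

# Workaround from the thread: state the egress set explicitly as empty.
# Declaring ingress/egress inline makes the resource own the whole rule set,
# which is the "these rules, and only these rules" behaviour asked for above.
resource "aws_security_group" "sg_egress_empty" {
  name   = "sg-egress-empty"
  vpc_id = aws_vpc.example.id

  ingress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"] # constructed internal range, not 0.0.0.0/0
  }

  # Explicit empty list: no outbound rules at all, including the AWS default
  # allow-all egress rule that a new group otherwise carries.
  egress = []
}
```

With rules managed inline like this, `terraform plan -detailed-exitcode` returns exit code 2 whenever the group in AWS differs from the declaration, which makes a hand-added rule visible in CI before the next apply removes it.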

@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 27, 2018
@007
Contributor

007 commented Apr 3, 2018

Is anyone who commented on the original (@grubernaut @apparentlymart @catsby) still looking into implementing this?

I'm looking for much the same as @yn-academia for infosec / audit compliance - I want to apply a set of ingress/egress rules and have them 100% clobber anything that's out there without having to manually taint every security group before applying them. For my case I will always have at least one ingress and one egress, so I will always have "something" to set the state explicitly, versus trying to apply an empty state.

I got surprised yesterday when one of my SGs was more permissive than it should be immediately after doing a full terraform apply. It had all of the TF rules, plus one that was applied by hand that I had expected to go away.

CC #1824 since @deftflux seems to be solving this as well?

@ksperling

@007 apart from the issue of "no egress" or "no ingress" not being applied without the = [] workaround mentioned above, TF does seem to remove manually added rules for me when the rules are managed inline in the aws_security_group resource. Are you using aws_security_group_rule?

@ckyoog

ckyoog commented Jul 30, 2019

Just want to bring this issue to your attention, @grubernaut @apparentlymart . Don't forget it please.

@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Oct 27, 2021
@007
Contributor

007 commented Oct 27, 2021

Reproduced in #20046 for 1.x and 3.47 so likely still valid?

@github-actions github-actions bot removed the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Oct 27, 2021
@github-actions github-actions bot added this to the v5.8.0 milestone Jul 11, 2023
@github-actions

This functionality has been released in v5.8.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 13, 2023