AWS with Terraform - security groups argument inside a security group rule
When you look at Terraform's docs for security groups, you can see that there is an option to define a security_groups argument inside the ingress/egress security rules.

It seems quite strange to me, but maybe I'm missing something here.

I saw this post, but there are no real-world use cases mentioned.

My question is: in which cases would we want to use this kind of configuration?

Pansypant answered 6/3, 2019 at 21:33 Comment(0)
You can use this syntax to apply those ingress/egress rules to any infrastructure that belongs to a particular security group.

This Terraform code, for example:

ingress {
  from_port = "80"
  to_port   = "80"
  protocol  = "tcp"

  # The source of this rule is every network interface that is a member
  # of elb_sg, rather than a CIDR range or a list of IPs.
  security_groups = [
    "${aws_security_group.elb_sg.id}",
  ]
}

will allow HTTP access to any infrastructure that belongs to the elb_sg security group. This is helpful if you've got a large amount of infrastructure that needs to have the ingress/egress access and don't want to name all of the parts individually.

Another example: you could create a security group for an Elastic Search cluster, and then state that all elements of an EC2 app server security group should have ingress/egress access to that cluster by using this syntax.

Marmara answered 6/3, 2019 at 21:41 Comment(5)
Thanks @Adil B. In your example, if all EC2 instances share the same security group, it means they share the same inbound rule, so I didn't understand what we save here? - Pansypant
This syntax will let you define an egress rule without knowing the actual CIDR blocks or IPs of the infrastructure itself; let's say I didn't have static IPs for my EC2 instances but still wanted to allow all of them to access my Elastic Search cluster. - Marmara
Do you have another example, let's say an ALB in front of some backend? Could that be useful there? - Pansypant
Yes, you could create a security group for your ALB and allow any infrastructure in that group ingress/egress access to certain ports on your backend, for example. - Marmara
Though I'd mostly use this syntax if I had an SG with many infrastructure pieces in it and wanted to allow all items in the SG to ingress to items in another SG; the ALB example would likely just have one item in its SG. - Marmara
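The ALB and Elasticsearch cases discussed above, written out as one added Terraform configuration (this is example code, not the answerer's or the Terraform provider's own). It uses Terraform 0.12+ syntax instead of the "${...}" interpolation in the answer, assumes an existing VPC passed in as var.vpc_id, and all resource names and ports are hypothetical:

```hcl
# Added example, not from the original answer. Assumes an existing VPC
# supplied as var.vpc_id; resource names and ports are hypothetical.
variable "vpc_id" {
  type = string
}

# Public-facing ALB: only the listener port is open to the internet.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  # The ALB must be able to reach the backend; SG rules are stateful,
  # so replies to the inbound 443 connections need no extra rule.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Backend instances: port 8080 is reachable only from members of the
# ALB's group, not from any CIDR. Instances join this group regardless
# of their (possibly dynamic) private IPs, so no address list is kept.
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
}

# Elasticsearch cluster: HTTPS accepted only from members of app-sg.
resource "aws_security_group" "es" {
  name   = "es-sg"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}
```

Note that Terraform removes AWS's default allow-all egress from an aws_security_group it manages, so app-sg and es-sg as written permit no outbound traffic; add egress rules (for example from app-sg to es-sg on 443) as the workload requires.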
