Automatically assign instance ip addresses to security groups

[Kygru]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Firstly, I will provide some context. I am trying to automate the process of creating a bastion host also known as jump-box on AWS from Terraform. In order for this to be successful the following components need to be created and configured:

• Create a VPC

• Create two subnets
  -- One public subnet (for the bastion host to be connected to via SSH from an admin PC)
  -- One private subnets (for all private instances, which can only be connected to via SSH from the bastion host)

• Create an Internet Gateway

• Create Route Tables

• Create EC2 Instances
  -- Private instances within the private subnet
  -- Bastion instance within the public subnet

• Create and assign Elastic IP addresses to EC2 instances
  -- EIPs for the private instances
  -- EIP for the BASTION HOST which needs to be applied to the security group

• Create Security groups (this is where the problem lies)
  -- NOTE: I want the security group to find the earlier created bastion elastic ip and assign it to the security group automatically. So that the Security group for the private instances only accepts ssh from Bastion

When creating a security group on AWS you need to define rules; such as (Port 22 from 10.0.0.1/24) NOTE: the CIDR notation.

To automate security groups in terraform you need to use the following code:

resource "aws_security_group" "ssh_access_from_ip" {
  name        = "SSH_FROM_INSTANCE"
  vpc_id      = "${aws_vpc.main.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

The problem lies within the cidr_blocks attribute, which uses a CIDR only ip address - which is perfectly fine if you would manually specify this address.

However, if you were to require this address be dynamic; in the following case:

ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${aws_eip.public_instance.public_ip}"] 
  }

NOTE: The cidr_block attribute is calling for the ip address of an elastic ip assigned to an instance earlier in the configuration.

The IP is called successfully, on AWS you can use the following: IP, IP(CIDR) and Security Group. However, the aws_security_group module does not allow this, it only allows CIDR input.

When the IP is called it does not appear in CIDR notation (0.0.0.0/0) e.g. and the IP is called as Non-CIDR notation (0.0.0.0). So when applying this via terraform apply AWS returns errors as the IP address isn't in CIDR notation

If aws_eip included an exportable variable which contained the CIDR notation this would not be an issue or additionally if the aws_security_group allowed us to input a non-cidr IP address that would work.

New or Affected Resource(s)

• aws_security_group
• aws_eip

Potential Terraform Configuration

resource "aws_security_group" "ssh_access_from_ip" {
  name        = "SSH_FROM_INSTANCE"
  vpc_id      = "${aws_vpc.main.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    public_ip = ["0.0.0.0"]
  }

NOTE: Above you can see public_ip without CIDR notation, this would solve the issue.

References

www.terraform.io/docs/providers/aws/r/eip.html
www.terraform.io/docs/providers/aws/r/security_group.html

[nywilken]

Hi @Kygru thanks for the provided context.Terraform provider arguments generally map directly to the AWS API arguments. While it is technically possible to add such an argument it would put the responsibility on the provider to convert the said IP into the proper CIDR notation (e.g appending /32 to the public_ip argument) and use that for the cidr_block argument. That type of conversion can be tricky if not validated and handled correctly. So it is not something we would be willing to take on at this time.

With that said, to fix your particular issue you can use interpolation to create the proper CIDR block by concating the netmask to the value of "aws_eip.public_instance.public_ip

ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${aws_eip.public_instance.public_ip}/32"] 
  }

[nywilken]

@Kygru I realized that I closed this issue as opposed to commenting 🤦‍♂️. My apologies. I’m reopening the issue incase there is more to the request that I may have missed. Or if you have questions about my response. If not please feel free to close the issue yourself.

If you find that you are running into issues with the security group I recommend reaching out in our community forum for help https://discuss.hashicorp.com/c/terraform-providers

Cheers!

[Kygru]

@nywilken Not a problem! Thank you for the fast response.

Just an update, I tried the string interpolation and although the values outputted were the ip + cidr (0.0.0.0/0) - AWS just didn't want to accept it, maybe because it's appearing as a string to them.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!