-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automatically assign instance ip addresses to security groups #10181
Comments
Hi @Kygru thanks for the provided context.Terraform provider arguments generally map directly to the AWS API arguments. While it is technically possible to add such an argument it would put the responsibility on the provider to convert the said IP into the proper CIDR notation (e.g appending /32 to the public_ip argument) and use that for the With that said, to fix your particular issue you can use interpolation to create the proper CIDR block by concating the netmask to the value of ingress {
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["${aws_eip.public_instance.public_ip}/32"]
} |
@Kygru I realized that I closed this issue as opposed to commenting 🤦♂️. My apologies. I’m reopening the issue incase there is more to the request that I may have missed. Or if you have questions about my response. If not please feel free to close the issue yourself. If you find that you are running into issues with the security group I recommend reaching out in our community forum for help https://discuss.hashicorp.com/c/terraform-providers Cheers! |
@nywilken Not a problem! Thank you for the fast response. Just an update, I tried the string interpolation and although the values outputted were the ip + cidr (0.0.0.0/0) - AWS just didn't want to accept it, maybe because it's appearing as a string to them. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Community Note
Description
Firstly, I will provide some context. I am trying to automate the process of creating a bastion host also known as jump-box on AWS from Terraform. In order for this to be successful the following components need to be created and configured:
Create a VPC
Create two subnets
-- One public subnet (for the bastion host to be connected to via SSH from an admin PC)
-- One private subnets (for all private instances, which can only be connected to via SSH from the bastion host)
Create an Internet Gateway
Create Route Tables
Create EC2 Instances
-- Private instances within the private subnet
-- Bastion instance within the public subnet
Create and assign Elastic IP addresses to EC2 instances
-- EIPs for the private instances
-- EIP for the BASTION HOST which needs to be applied to the security group
Create Security groups (this is where the problem lies)
-- NOTE: I want the security group to find the earlier created bastion elastic ip and assign it to the security group automatically. So that the Security group for the private instances only accepts ssh from Bastion
When creating a security group on AWS you need to define rules; such as (Port 22 from 10.0.0.1/24) NOTE: the CIDR notation.
To automate security groups in terraform you need to use the following code:
The problem lies within the cidr_blocks attribute, which uses a CIDR only ip address - which is perfectly fine if you would manually specify this address.
However, if you were to require this address be dynamic; in the following case:
NOTE: The cidr_block attribute is calling for the ip address of an elastic ip assigned to an instance earlier in the configuration.
The IP is called successfully, on AWS you can use the following: IP, IP(CIDR) and Security Group. However, the aws_security_group module does not allow this, it only allows CIDR input.
When the IP is called it does not appear in CIDR notation (0.0.0.0/0) e.g. and the IP is called as Non-CIDR notation (0.0.0.0). So when applying this via terraform apply AWS returns errors as the IP address isn't in CIDR notation
If aws_eip included an exportable variable which contained the CIDR notation this would not be an issue or additionally if the aws_security_group allowed us to input a non-cidr IP address that would work.
New or Affected Resource(s)
Potential Terraform Configuration
NOTE: Above you can see public_ip without CIDR notation, this would solve the issue.
References
www.terraform.io/docs/providers/aws/r/eip.html
www.terraform.io/docs/providers/aws/r/security_group.html
The text was updated successfully, but these errors were encountered: