Resource Identifiers and Tags for VPC Security Group Rules #20104

Closed
ewbankkit opened this issue Jul 8, 2021 · 7 comments · Fixed by #29484
Assignees
Labels
enhancement Requests to existing resources that expand the functionality or scope. service/vpc Issues and PRs that pertain to the vpc service.

Comments

@ewbankkit
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Amazon Virtual Private Cloud (VPC) now supports resource identifiers and tags for security group rules. You can now manage VPC security group rules using the assigned rule IDs and resource tags.

New or Affected Resource(s)

Potential Terraform Configuration

resource "aws_security_group_rule" "example" {
  tags = {
    Env = "prod"
  }
}

References

Announcement.
Blog post.

Requires AWS SDK v1.39.2:

@virgofx

virgofx commented Nov 2, 2022

Adding tags to aws_security_group_rule would be incredibly useful. (FYI - aws_security_group already has tags so that's no longer applicable)

Seems like this would be an easy fix. Would love to see this get implemented (been over two years now!)

@ewbankkit
Contributor Author

ewbankkit commented Nov 3, 2022

@virgofx Thanks for your (and everyone else's) interest in the issue.

The complexity in addressing this is best summarized in a section from an internal design document we are working on:

================

Background

The aws_security_group resource with in-line ingress and (since Terraform 0.3.7) egress rules has been available since Terraform 0.1.0 and the aws_security_group_rule resource has been available since Terraform 0.5.0. For both of these resources a single rule corresponds to an EC2 IpPermission structure, a set of one or more individual permissions (protocol, port range and source or destination). Notably the IpPermission has no unique resource ID assigned by AWS.

In July 2021 AWS announced security group rule IDs and tags for security group rules:

Before this release, you had to reference and manage security group rules based on the rule attributes such as ports, protocols, or IP CIDRs, which can become difficult to incorporate into automation tooling. With the introduction of security group rule IDs, every security group rule is automatically assigned a unique resource ID. You can reference security group rules in your automation tooling by their newly introduced resource IDs to simplify querying, revoking and updating your security group rules at scale. In addition, you can specify tags for security group rules and manage them in a more structured manner with rule-specific metadata.

The new EC2 APIs use an EC2 SecurityGroupRule structure which represents a single permission (protocol, port range and source or destination) and has a unique resource ID assigned by AWS.

As there is no 1-to-1 mapping between an IpPermission and SecurityGroupRule, aws_security_group_rule (and aws_security_group’s in-line rules) have not implemented rule tagging.

================

The only solution we have come up with that does not break any existing configurations is to implement a "new" security group rule resource (with a new name) that maps 1-to-1 with the EC2 SecurityGroupRule structure.
Adding yet-another way to provision security groups adds confusion and maintenance overhead and is not to be undertaken lightly.

@ewbankkit
Contributor Author

ewbankkit commented Nov 15, 2022

With #27828, planned to be released in v4.40.0 of the Terraform AWS Provider, we are adding the security_group_rule_id attribute to the aws_security_group_rule resource.
If the resource has a single source or destination then the EC2 IpPermission structure represented by this resource maps 1-to-1 with an EC2 SecurityGroupRule structure and the security_group_rule_id attribute receives the AWS Security Group Rule resource ID. In other cases there is not a 1-to-1 mapping and the attribute will be empty ("").

In the case that security_group_rule_id has a value, the aws_ec2_tag resource can be used to manage Security Group Rule tags. For example:

resource "aws_vpc" "test" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_security_group" "test" {
  vpc_id = aws_vpc.test.id
}

resource "aws_security_group_rule" "test" {
  security_group_id = aws_security_group.test.id

  # A single IPv4 CIDR source, so this IpPermission maps 1-to-1 onto one
  # SecurityGroupRule and security_group_rule_id is populated.
  type        = "ingress"
  protocol    = "tcp"
  from_port   = 80
  to_port     = 8000
  cidr_blocks = ["10.0.0.0/8"]
}

# Tag the rule through its AWS-assigned ID (empty if the rule above had
# several sources, in which case this would fail to apply).
resource "aws_ec2_tag" "test" {
  resource_id = aws_security_group_rule.test.security_group_rule_id
  key         = "Name"
  value       = "Hello World"
}
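The mapping condition described in this comment, and the background quoted from the design document earlier in the thread (one IpPermission bundles several sources or destinations, while each SecurityGroupRule holds exactly one and carries its own ID), can be made concrete with a small model. This is an added example and not provider code: the dict shapes follow the boto3 IpPermission and SecurityGroupRule response structures, while the group ID, rule IDs and CIDRs are constructed placeholders, and the rule-ID format is a stand-in for the real AWS-assigned sgr- identifiers.

```python
"""Model of why an EC2 IpPermission does not map 1-to-1 onto a SecurityGroupRule.

Added example, not Terraform AWS Provider code. Dict keys mirror the boto3
response shapes; every ID and CIDR value below is constructed for illustration.
"""
from __future__ import annotations


# Constructed sample: one ingress IpPermission that bundles three sources
# (two IPv4 CIDRs and one prefix list) under a single port range.
MULTI_SOURCE_PERMISSION = {
    "IpProtocol": "tcp",
    "FromPort": 80,
    "ToPort": 8000,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "192.168.0.0/16"}],
    "Ipv6Ranges": [],
    "PrefixListIds": [{"PrefixListId": "pl-PLACEHOLDER"}],
    "UserIdGroupPairs": [],
}

# Constructed sample: the single-source rule from the Terraform snippet above.
SINGLE_SOURCE_PERMISSION = {
    "IpProtocol": "tcp",
    "FromPort": 80,
    "ToPort": 8000,
    "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
    "Ipv6Ranges": [],
    "PrefixListIds": [],
    "UserIdGroupPairs": [],
}


def expand_permission(perm: dict, group_id: str, is_egress: bool = False) -> list[dict]:
    """Split one IpPermission into the SecurityGroupRule entries AWS would hold.

    Each IPv4 CIDR, IPv6 CIDR, prefix list or referenced security group becomes
    its own rule with its own identifier, which is why tags (a per-rule
    attribute) cannot be attached to an IpPermission as a whole.
    """
    rules: list[dict] = []

    def emit(**target: object) -> None:
        rule = {
            # Placeholder; real values are AWS-assigned sgr-... identifiers.
            "SecurityGroupRuleId": f"sgr-example{len(rules):04d}",
            "GroupId": group_id,
            "IsEgress": is_egress,
            "IpProtocol": perm["IpProtocol"],
            "FromPort": perm.get("FromPort"),
            "ToPort": perm.get("ToPort"),
            "Tags": [],
        }
        rule.update(target)
        rules.append(rule)

    for r in perm.get("IpRanges", []):
        emit(CidrIpv4=r["CidrIp"])
    for r in perm.get("Ipv6Ranges", []):
        emit(CidrIpv6=r["CidrIpv6"])
    for p in perm.get("PrefixListIds", []):
        emit(PrefixListId=p["PrefixListId"])
    for g in perm.get("UserIdGroupPairs", []):
        emit(ReferencedGroupInfo={"GroupId": g["GroupId"], "UserId": g.get("UserId")})
    return rules


def security_group_rule_id(rules: list[dict]) -> str:
    """Mirror the attribute behaviour described in the thread: the ID is
    populated only when the IpPermission maps to exactly one SecurityGroupRule,
    otherwise it is the empty string."""
    return rules[0]["SecurityGroupRuleId"] if len(rules) == 1 else ""


def tag_rule(rules: list[dict], rule_id: str, key: str, value: str) -> bool:
    """Attach a tag to the rule with the given ID, as aws_ec2_tag would via
    CreateTags. Returns False when rule_id is empty or unknown, which is the
    failure a multi-source aws_security_group_rule would hit."""
    for rule in rules:
        if rule_id and rule["SecurityGroupRuleId"] == rule_id:
            rule["Tags"].append({"Key": key, "Value": value})
            return True
    return False


if __name__ == "__main__":
    for name, perm in (("multi", MULTI_SOURCE_PERMISSION), ("single", SINGLE_SOURCE_PERMISSION)):
        expanded = expand_permission(perm, "sg-EXAMPLE")
        rid = security_group_rule_id(expanded)
        print(f"{name}: {len(expanded)} SecurityGroupRule(s), security_group_rule_id={rid!r}, "
              f"tagged={tag_rule(expanded, rid, 'Name', 'Hello World')}")
```

Running the block shows the multi-source permission expanding to three rules with an empty `security_group_rule_id` (so tagging cannot target it), while the single-source permission yields one rule whose ID the tag can be applied to; the same logic explains why a list of IDs, as asked later in the thread, would be the only way to expose every rule behind a multi-source aws_security_group_rule.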

@MrHash

MrHash commented Nov 29, 2022

Is it not possible to provide an array of security rule group ids from the aws_security_group_rule resource if there are multiple rules generated?

@evandeworp

@ewbankkit - Maybe you should add your example to the documentation for aws_security_group_rule.

@tmccombs
Contributor

What is the impact on the aws_security_group resource? Currently it is the only way to have drift detection, but the diffs can sometimes be very difficult to read due to the rules being treated as a set. Is there any plan to improve how that works using the security group rule ids? Or allowing specifying tags in inline rules? Perhaps a new way of specifying inline rules that conflicts with the current way, to avoid any backwards incompatibility issues?

Or perhaps have something like #9032 (comment), but instead of specifying the rules inline, you just include a set of the ids from the new resource that replaces aws_security_group_rule.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 25, 2023
6 participants