I am trying to create an sg with Terraform.
I want all instances of a particular SG to have all communication allowed among them, so I am adding the SG itself to the ingress rules as follows:
resource "aws_security_group" "rancher-server-sg" {
  vpc_id      = "${aws_vpc.rancher-vpc.id}"
  name        = "rancher-server-sg"
  description = "security group for rancher server"

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    # references the resource being defined, which is what the error below is about
    security_groups = ["${aws_security_group.rancher-server-sg.id}"]
  }
}
However, when running terraform plan, I get:
However, in the AWS console, I am allowed to add an SG name in the inbound rules and I see that I can add the group itself (i.e. self-referenced).
Why is that?
I have also tried this without success:
security_groups = ["${self.id}"]
By creating a self-referencing rule, you can restrict the source to the same security group in the VPC, and it's not open to all networks. The default security group for your VPC might already have a self-referencing inbound rule for ALL Traffic.
Instances associated with the same security group can't talk to each other unless you add rules allowing it (with the exception being the default security group). You have to add rules to make them able to communicate.
NACL can be understood as the firewall or protection for the subnet. Security group can be understood as a firewall to protect EC2 instances. These are stateless, meaning any change applied to an incoming rule isn't automatically applied to an outgoing rule.
Citing the manual:
self - (Optional) If true, the security group itself will be added as a source to this ingress rule.
ingress {
  from_port = 0
  to_port   = 0
  protocol  = "-1"
  self      = true   # the group itself becomes the source of this rule
}
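The two answers above describe the same thing from different angles: a self-referencing rule restricts the source to members of the group itself, and in Terraform the way to express it without a dependency cycle is `self = true` (or a separate rule resource that references the group after it exists, which is what the console does). The following is an added example, not code from the question or the answers. It assumes the VPC resource `aws_vpc.rancher-vpc` from the question; the group and rule names are illustrative, and it uses the current (0.12+) reference syntax rather than the `"${...}"` form in the question, which also works.

```hcl
# Added example (not from the original question or answers). Assumes an existing
# VPC resource named aws_vpc.rancher-vpc as in the question; the names
# rancher-server-sg and rancher-server-sg-rules are illustrative.

# Option 1: inline rules with self = true. The provider resolves the
# self-reference after the group is created, so there is no cycle.
resource "aws_security_group" "rancher-server-sg" {
  vpc_id      = aws_vpc.rancher-vpc.id
  name        = "rancher-server-sg"
  description = "security group for rancher server"

  ingress {
    description = "all traffic from members of this group"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    self        = true
  }

  # Caveat: once any inline rule is declared, Terraform manages the whole rule
  # set and removes the AWS default allow-all egress rule unless it is
  # declared here too.
  egress {
    description = "all outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Option 2: a group with no inline rules plus a standalone
# aws_security_group_rule. The rule references the group's id after the group
# exists, which is the same order the console follows, and so avoids the
# self-reference in the question. Because no inline rules are declared, the
# AWS default allow-all egress rule is left in place (adding an identical
# egress rule resource would fail as a duplicate).
resource "aws_security_group" "rancher-server-sg-rules" {
  vpc_id      = aws_vpc.rancher-vpc.id
  name        = "rancher-server-sg-rules"
  description = "rancher server group managed via aws_security_group_rule"
}

resource "aws_security_group_rule" "rancher-server-self" {
  type                     = "ingress"
  security_group_id        = aws_security_group.rancher-server-sg-rules.id
  source_security_group_id = aws_security_group.rancher-server-sg-rules.id
  from_port                = 0
  to_port                  = 0
  protocol                 = "-1"
  description              = "all traffic from members of this group"
}
```

`aws_security_group_rule` also accepts `self = true` in place of `source_security_group_id`; the two are mutually exclusive. Do not mix inline rules and `aws_security_group_rule` resources for the same group, since both will try to own the rule set and fight each other on every apply. After `terraform apply`, `aws ec2 describe-security-groups --group-ids <id>` should show the group's own id under `UserIdGroupPairs` in the ingress permissions, and nothing else: a self-referencing rule is not open to any network, only to instances attached to that group.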