I have a cloud infrastructure created using Terraform. Due to a cyclic dependency issue with two security groups referring to each other (Terraform circular dependency between security groups), I tried defining an aws_security_group_rule for the ingress rules. The error disappeared and Terraform completed execution.

However, I found out that the group rule is only applied correctly whenever the security group in question does not exist yet. When it already exists, Terraform cannot seem to update it. Is there something that can be done to resolve this apart from recreating the resources, which really goes against the principle of using Terraform?

See the code below:
```hcl
resource "aws_security_group_rule" "apix_to_apiy_rule" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  security_group_id        = "xxxx"
  source_security_group_id = "xxxx"
}

resource "aws_security_group" "xxxx" {...}
```
Note: Group ID values are just examples.
2 Answers
If the rule already exists and is not managed by Terraform, Terraform cannot update it. This is expected behavior for any resource.

If the rule was created by Terraform, it should be able to detect changes and update it.

To be able to modify an existing SG using TF, you have to first import it into TF. Only then will you be able to use the `aws_security_group.xxxx` resource to manage it. Alternatively, just use `aws_security_group_rule.apix_to_apiy_rule`, and specify the id of the group through an input variable to the template or the `aws_security_group` data source in: `source_security_group_id = "<id-of-sg>"`
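As an added illustration of the approach in this answer (example configuration written for this page, not code from the question or from the Terraform AWS provider), the following keeps both groups free of inline rules and expresses each direction of the 8080 ingress as its own `aws_security_group_rule`, which is what removes the cycle. The group names `apix`/`apiy`, the variable `existing_sg_id` and the `sg-...` placeholder IDs are assumptions; a real group ID would come from your account. Each rule only opens the one port, from the one named group, so the blast radius stays minimal.

```hcl
# Constructed example: two groups that need to reach each other on TCP 8080.
# Neither group declares inline ingress/egress blocks; the rules live in
# separate resources so that neither group's definition references the other.

resource "aws_security_group" "apix" {
  name        = "apix"
  description = "API X instances"
  vpc_id      = var.vpc_id   # assumed input variable
}

resource "aws_security_group" "apiy" {
  name        = "apiy"
  description = "API Y instances"
  vpc_id      = var.vpc_id   # assumed input variable
}

# Allow apix -> apiy on 8080. Only the named source group, only the one port.
resource "aws_security_group_rule" "apix_to_apiy" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  security_group_id        = aws_security_group.apiy.id
  source_security_group_id = aws_security_group.apix.id
}

# Allow apiy -> apix on 8080, the reverse direction.
resource "aws_security_group_rule" "apiy_to_apix" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  security_group_id        = aws_security_group.apix.id
  source_security_group_id = aws_security_group.apiy.id
}

# Alternative for a group that already exists outside Terraform: look it up
# by ID (passed in as a variable) instead of creating it, then attach a rule.
variable "existing_sg_id" {
  type = string   # e.g. "sg-0123456789abcdef0" (placeholder, not a real ID)
}

data "aws_security_group" "existing" {
  id = var.existing_sg_id
}

resource "aws_security_group_rule" "apix_to_existing" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  security_group_id        = data.aws_security_group.existing.id
  source_security_group_id = aws_security_group.apix.id
}

# If the rule itself was created by hand and you want Terraform to own it,
# import it before planning. Per the provider docs the import ID has the form
#   <security_group_id>_<type>_<protocol>_<from_port>_<to_port>_<source>
# e.g. (placeholder IDs):
#   terraform import aws_security_group_rule.apix_to_existing \
#     sg-0123456789abcdef0_ingress_tcp_8080_8080_sg-0fedcba9876543210
```

After applying, `terraform plan` should show no diff for the rules; if it wants to create a rule that already exists in the console, that rule is unmanaged and needs the import shown in the trailing comment rather than a recreate of the group.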