Bootstrap FreeKB - Amazon Web Services (AWS) - Create Update or Delete a Security Group using Terraform
Amazon Web Services (AWS) - Create Update or Delete a Security Group using Terraform
Updated:   |  Amazon Web Services (AWS) articles

A Security Group is used to allow or deny requests coming in (ingress) and/or requests going out (egress). For example, a Security Group could be used to only allow requests within a certain IP address range to come in (ingress) and go out (egress) of an EC2 Instance.

 

Let's say you have the following files on your Terraform server.

├── required_providers.tf
├── security_groups (directory)
│   ├── data.tf
│   ├── outputs.tf
│   ├── resources.tf
├── virtual_private_clouds (directory)
│   ├── data.tf
│   ├── outputs.tf
│   ├── resources.tf

 

required_providers.tf will almost always have this.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
    }
  }
}

 

Let's say provider.tf has the following. In this example, the "default" profile in /home/username/.aws/config and /home/username/.aws/credentials is being used. This assumes you have setup Terraform as described in Amazon Web Services (AWS) - Getting Started with Terraform.

provider "aws" {
  alias   = "default"
  profile = "default"
  region  = "default"
}

 

Let's say you have a Virtual Private Cloud (VPC) named my-vpc.

 

data.tf in your virtual_private_clouds directory could have something like this, where the "data" block is used to get the ID of my-vpc.

data "aws_vpc" "my-vpc" {
  filter {
    name = "tag-key"
    values = ["Name"]
  }
  filter {
    name = "tag-value"
    values = ["my-vpc"]
  }
}

 

And resources.tf in your security_groups directory could have something like this.

resource "aws_security_group" "my-security-group" {
  name        = "my security group for port 443"
  description = "security group for port 443"
  vpc_id      = data.aws_vpc.my-vpc.id

  ingress {
    description      = "Allow incoming (ingress) requests on port 443"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = ["10.0.0.0/16"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
  }

  tags = {
    Name = "security group for port 443"
  }
}

 

You may need to reissue the terraform init command.

~]# terraform init
Initializing the backend...
Initializing modules...
Initializing provider plugins...
Terraform has been successfully initialized!

 

The terraform plan command can be used to see what Terraform will try to do.

terraform plan

 

By default, the terraform.tfstate file should be found in your root module directory (/usr/local/terraform/aws in this example).

  • If the Security Group does not exist and the terraform.tfstate file does not contain the Security Group, Terraform will create the Security Group.
  • If the Security Groupexists and the terraform.tfstate file contains the Security Group and a difference is found between the sg.tf file and the terraform.tfstate file, Terraform will update the Security Group.
  • If the Security Groupexists and the terraform.tfstate file contains the Security Group and the Security Group is removed from the sg.tf file, Terraform will destroy (delete) the Security Groups.

The terraform apply command can be used to create, update or delete the Security Group.

terraform apply

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter f70f19 in the box below so that we can be sure you are a human.