8

When you look at Terraform's docs for security groups, you can see that there is an option to define a security_groups argument inside the ingress/egress security rules.

It seems quite strange to me, but maybe I'm missing something here.

I saw this post but there are no real world use cases mentioned.

My question is: in which cases will we want to use this kind of configuration?

Adil B
Rot-man

1 Answer

13

You can use this syntax to apply those ingress/egress rules to any infrastructure that belongs to a particular security group.

This Terraform code, for example:

```hcl
ingress {
    from_port = "80"
    to_port   = "80"
    protocol  = "tcp"

    # Source is any network interface that is a member of elb_sg,
    # not a CIDR block or a fixed list of IPs.
    security_groups = [
      "${aws_security_group.elb_sg.id}",
    ]
}
```

will allow HTTP access to any infrastructure that belongs to the elb_sg security group. This is helpful if you've got a large amount of infrastructure that needs to have the ingress/egress access and don't want to name all of the parts individually.

Another example: you could create a security group for an Elastic Search cluster, and then state that all elements of an EC2 app server security group should have ingress/egress access to that cluster by using this syntax.

Adil B
  • Thanks @Adil B, in your example, if all EC2 instances share the same security group, it means they share the same inbound rule, so I didn't understand what we save here? – Rot-man Mar 06 '19 at 21:54
    This syntax will let you define an egress rule without knowing the actual CIDR blocks or IPs of the infrastructure itself -- let's say I didn't have static IPs for my EC2 instances but still wanted to allow all of them to access my Elastic Search cluster. – Adil B Mar 06 '19 at 21:59
    Do you have another example - let's say an ALB in front of some backend? Could that be useful there? – Rot-man Mar 06 '19 at 22:02
    Yes - you could create a security group for your ALB and allow any infrastructure in that group ingress/egress access to certain ports on your backend, for example. – Adil B Mar 06 '19 at 22:33
    Though I'd mostly use this syntax if I had an SG with many infrastructure pieces in it and wanted to allow all items in the SG to ingress to items in another SG - the ALB example would likely just have one item in its SG. – Adil B Mar 06 '19 at 22:42
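The ALB and Elasticsearch cases discussed in the answer and comments, written out as a complete configuration. This is an added example, not code from the answer or from the Terraform AWS provider docs; the group names, the ports (443, 8080, 9200) and the `vpc_id` variable are assumptions for illustration. It goes a step beyond the inline `ingress {}` form in the answer by using separate `aws_security_group_rule` resources, which is what you need once two groups reference each other.

```hcl
# Assumed input: the VPC the groups live in.
variable "vpc_id" {
  type = string
}

# Three empty groups; every rule below attaches to one of them.
resource "aws_security_group" "alb_sg" {
  name   = "alb-sg"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "app_sg" {
  name   = "app-sg"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "es_sg" {
  name   = "es-sg"
  vpc_id = var.vpc_id
}

# Internet -> ALB on 443. This is the only CIDR-based rule in the chain.
resource "aws_security_group_rule" "alb_in_https" {
  type              = "ingress"
  security_group_id = aws_security_group.alb_sg.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# ALB -> app servers on 8080. The source is "any interface that carries
# alb_sg", so instances replaced by autoscaling need no rule changes.
resource "aws_security_group_rule" "app_in_from_alb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app_sg.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb_sg.id
}

# Matching egress on the ALB side. For type = "egress",
# source_security_group_id names the destination group.
resource "aws_security_group_rule" "alb_out_to_app" {
  type                     = "egress"
  security_group_id        = aws_security_group.alb_sg.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app_sg.id
}

# App servers -> Elasticsearch on 9200, again keyed on group membership
# rather than on the instances' addresses.
resource "aws_security_group_rule" "es_in_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.es_sg.id
  from_port                = 9200
  to_port                  = 9200
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app_sg.id
}

resource "aws_security_group_rule" "app_out_to_es" {
  type                     = "egress"
  security_group_id        = aws_security_group.app_sg.id
  from_port                = 9200
  to_port                  = 9200
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.es_sg.id
}
```

Two points worth knowing when you use this pattern. First, the rule matches on the security group attached to the sending (or receiving) network interface, so it only covers traffic inside the VPC, or across VPC peering where AWS supports group references; it does not grant anything to traffic arriving over the internet. Second, if `alb_sg` and `app_sg` each carried inline `ingress`/`egress` blocks pointing at the other, Terraform would report a dependency cycle, because each group would need the other's id before it could be created; the standalone `aws_security_group_rule` resources above avoid that by creating the groups first and the rules afterwards.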