Explaining AWS Security Groups on the Example of Terraform Drift

The aim of this page 📝 is to summarize our conversation about Terraform and AWS security groups.

Pavol Kutaj, Jul 20, 2023
  • Terraform is an infrastructure as code tool that allows you to define and manage your infrastructure using code.
  • AWS security groups act as virtual firewalls for your EC2 instances to control inbound and outbound traffic.
  • Ingress rules control inbound traffic, while egress rules control outbound traffic.
  • Security groups are stateful, meaning that responses to allowed inbound traffic are allowed to leave the instance, regardless of the outbound rules.
  • You can create, view, update, and delete security groups and security group rules using the Amazon EC2 console and the command line tools.
  • Security groups are associated with network interfaces. When you launch an instance in a VPC, you can assign up to five security groups to the network interface.
  • You can specify separate rules for inbound and outbound traffic. By default, no inbound traffic is allowed until you add inbound rules to the security group, and all outbound traffic is allowed until you add outbound rules to the security group.
  • You can add or remove rules at any time. Your changes are automatically applied to the instances associated with the security group after a short period.
  • You can reference security groups in peered VPCs in a rule for a security group in your VPC. This allows instances in either VPC to communicate with each other as if they are within the same network.
  • You can use prefix lists in your security group rules to specify the traffic for an entire AWS service instead of specifying individual IP addresses.

CODE

Here is a particular example I have experienced:

## PLAN: Terraform will perform the following actions:

### module.redshift.module.cluster.aws_security_group.public_sg[0] will be updated in-place
```
  ~ resource "aws_security_group" "public_sg" {
        arn              = "arn:aws:ec2:us-east-2:000000000000:security-group/sg-00000000000000000"
        description      = "Managed by Terraform"
        egress           = [
            {
                cidr_blocks      = [
                    "0.0.0.0/0",
                ]
                description      = ""
                from_port        = 0
                ipv6_cidr_blocks = []
                prefix_list_ids  = []
                protocol         = "tcp"
                security_groups  = []
                self             = false
                to_port          = 65535
            },
        ]
        id               = "sg-00000000000000000"
      ~ ingress          = [
          - {
              - cidr_blocks      = [
                  - "10.200.20.0/24",
                  - "10.200.21.0/24",
                ]
              - description      = ""
              - from_port        = 5439
              - ipv6_cidr_blocks = []
              - prefix_list_ids  =
```
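
The `-` lines in that plan mean Terraform would drop the TCP 5439 ingress rule that exists in AWS but is not in the configuration. The following added example (not from the original post) reads the JSON form of such a plan, as printed by `terraform show -json tfplan`, and lists per security group the ingress and egress rules that would be removed or added, so this kind of drift is caught before apply. The embedded plan document is constructed to mirror the one above; rule identity is protocol, port range and IPv4 CIDRs only, ignoring IPv6 blocks, prefix lists and security-group references.

```python
"""Report the security-group rules a Terraform plan would add or remove.
Added example (not from the original post): input is the JSON text that
`terraform show -json tfplan` prints; the sample below is constructed."""
import json

# Constructed `terraform show -json` output, trimmed to the fields this script reads.
PLAN_JSON = """{"resource_changes": [{
  "address": "module.redshift.module.cluster.aws_security_group.public_sg[0]",
  "type": "aws_security_group",
  "change": {"actions": ["update"],
    "before": {"ingress": [{"cidr_blocks": ["10.200.20.0/24", "10.200.21.0/24"],
                            "from_port": 5439, "to_port": 5439, "protocol": "tcp"}],
               "egress":  [{"cidr_blocks": ["0.0.0.0/0"],
                            "from_port": 0, "to_port": 65535, "protocol": "tcp"}]},
    "after":  {"ingress": [],
               "egress":  [{"cidr_blocks": ["0.0.0.0/0"],
                            "from_port": 0, "to_port": 65535, "protocol": "tcp"}]}}}]}"""

def rule_key(rule):
    """Reduce a rule to (protocol, from, to, cidrs) so rule lists compare as sets.
    IPv6 blocks, prefix lists and security-group references are ignored here."""
    return (rule.get("protocol"), rule.get("from_port"), rule.get("to_port"),
            tuple(sorted(rule.get("cidr_blocks") or [])))

def security_group_drift(plan_json_text):
    """Map each aws_security_group the plan updates to the rules it would lose or gain."""
    report = {}
    for rc in json.loads(plan_json_text).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aws_security_group" or "update" not in change.get("actions", []):
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        diff = {}
        for direction in ("ingress", "egress"):
            old = {rule_key(r) for r in before.get(direction) or []}
            new = {rule_key(r) for r in after.get(direction) or []}
            if old != new:  # a rule present in AWS but absent from the config shows up as removed
                diff[direction] = {"removed": sorted(old - new, key=repr),
                                   "added": sorted(new - old, key=repr)}
        if diff:
            report[rc["address"]] = diff
    return report

if __name__ == "__main__":
    for address, diff in security_group_drift(PLAN_JSON).items():
        print(address)
        for direction, d in diff.items():
            for sign, rules in (("-", d["removed"]), ("+", d["added"])):
                for proto, lo, hi, cidrs in rules:
                    print(f"  {sign} {direction} {proto} {lo}-{hi} {', '.join(cidrs)}")
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `security_group_drift`.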

RUBBERDUCK

MERMAID

```mermaid
graph LR;
A[Terraform] --> B[AWS Security Group];
B --> C[Ingress Rules];
B --> D[Egress Rules];
C --> E[Inbound Traffic];
D --> F[Outbound Traffic];
E --> G[Allowed];
F --> H[Allowed];
```

LINKS
