manage_default_security_group with empty eg/ingress doesn't remove rules #759

Closed
spanktar opened this issue Mar 2, 2022 · 5 comments
spanktar commented Mar 2, 2022

Description

If you have existing VPCs with default SGs and want to bring them under management in order to remove the default SG's rules, you cannot. When the VPC is created, its default SG has default ingress & egress rules. I would expect that the following would remove them (and maintain that state).

  manage_default_security_group  = true
  default_security_group_egress  = []
  default_security_group_ingress = []
  default_security_group_name    = "DEFAULT: Do Not Use"

Instead, existing rules remain. I also tested creating a new VPC with the default SG managed by the module as shown above, and then went and added an ingress rule manually. On the next TF apply, it did not remove the rule, as would be expected.

We need to manage, and maintain, the default SG to be empty, and I can't seem to find a way to accomplish that with the way it currently works.

Versions

  • Terraform: v1.0.6 on darwin_arm64
  • Provider(s):
  • provider registry.terraform.io/fluxcd/flux v0.8.0
  • provider registry.terraform.io/gavinbunney/kubectl v1.13.1
  • provider registry.terraform.io/hashicorp/aws v3.74.3
  • provider registry.terraform.io/hashicorp/cloudinit v2.2.0
  • provider registry.terraform.io/hashicorp/kubernetes v2.8.0
  • provider registry.terraform.io/hashicorp/local v2.1.0
  • provider registry.terraform.io/hashicorp/null v3.1.0
  • provider registry.terraform.io/hashicorp/random v3.1.0
  • provider registry.terraform.io/hashicorp/tls v3.1.0
  • provider registry.terraform.io/integrations/github v4.9.2
  • provider registry.terraform.io/terraform-aws-modules/http v2.4.1
  • Module:

Reproduction

Create a new VPC with this module, with the manage_default options set.
Apply
Manually add a rule to the default SG
Apply

The new rule is not removed.

Code Snippet to Reproduce

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "2.77.0"

  cidr                           = "10.0.0.0/16"
  default_security_group_egress  = []
  default_security_group_ingress = []
  default_security_group_name    = "DEFAULT: Do Not Use"
  manage_default_security_group  = true
  name                           = "test"
  private_subnets                = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets                 = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
}

Expected behavior

When a VPC's default SG comes under "management", it should respect the defined rules, even if the rules are empty: []

Actual behavior

The empty rules defined for the default security group are not respected. Manually added rules persist.

Additional context

This is becoming a more and more common request from cloud vulnerability scanners (the actual validity of this can be argued elsewhere), so it's important to be able to maintain a default SG with no ingress or egress rules.

Updating to the latest version: 3.12.0 did not seem to change the behavior.
Also upgraded TF to 1.1.6 with no change.

@bryantbiggs (Member)

I think what you are referring to is hashicorp/terraform-provider-aws#3234

rules that are added manually, outside of Terraform's control, are not detected for deletion

There are also some other issues that might be related, but they are constrained to the provider, not this module:


spanktar commented Mar 2, 2022

@bryantbiggs Is this not this module?

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"

I'm checking right now to see if I get anything different using:

resource "aws_default_security_group" "default" {
  vpc_id = module.vpc.vpc_id
}

spanktar commented Mar 2, 2022

OK, it looks like from doing more reading that the behavior I desire is simply not possible, whether it be with the VPC module or the aws_default_security_group resource. I guess we'll just have to manually manage the rules.

@spanktar spanktar closed this as completed Mar 2, 2022
@geoffreywiseman
@spanktar AFAIK, using aws_default_security_group works. If I do:

resource "aws_vpc" "test" {
  cidr_block = "172.16.0.0/22"
}

resource "aws_default_security_group" "default" {
  vpc_id  = aws_vpc.test.id
  ingress = []
  egress  = []
}

output "test_default_security_group_id" {
  value = aws_default_security_group.default.id
}

And then do:
aws ec2 describe-security-groups --group-ids <output group id>

I get:

{
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [],
            "OwnerId": "057199631211",
            "GroupId": "sg-032183a78fa089a89",
            "IpPermissionsEgress": [],
            "VpcId": "vpc-00eb285da1e9706fb"
        }
    ]
}
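
The describe-security-groups check above is the right way to verify the group is actually empty, because (as the thread notes) Terraform will not necessarily flag rules added out of band. The following is an added example, not code from the issue thread or from the VPC module: a small audit that parses the JSON shape `aws ec2 describe-security-groups` returns and reports every default SG that still carries ingress or egress rules. The sample output embedded below is constructed (made-up account, group and VPC IDs) so the script runs offline; in practice you would feed it the real CLI output.

```python
"""Audit default security groups for rules that should not be there.

Added example (not from the issue thread or the terraform-aws-modules VPC
module). Parses the JSON returned by `aws ec2 describe-security-groups`
and reports every group named "default" whose IpPermissions or
IpPermissionsEgress is non-empty. SAMPLE_OUTPUT is constructed test data.
"""
import json
import sys

# Constructed sample modelled on describe-security-groups output: one clean
# default SG (like the one in the comment above), one default SG with a
# rule added by hand, and one non-default SG that must be ignored.
SAMPLE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [],
            "OwnerId": "111111111111",
            "GroupId": "sg-0aaaaaaaaaaaaaaaa",
            "IpPermissionsEgress": [],
            "VpcId": "vpc-0aaaaaaaaaaaaaaaa",
        },
        {
            "Description": "default VPC security group",
            "GroupName": "default",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "PrefixListIds": [], "UserIdGroupPairs": []}
            ],
            "OwnerId": "111111111111",
            "GroupId": "sg-0bbbbbbbbbbbbbbbb",
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
            ],
            "VpcId": "vpc-0bbbbbbbbbbbbbbbb",
        },
        {
            "Description": "app",
            "GroupName": "app-sg",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                               "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
            "OwnerId": "111111111111",
            "GroupId": "sg-0ccccccccccccccccc",
            "IpPermissionsEgress": [],
            "VpcId": "vpc-0bbbbbbbbbbbbbbbb",
        },
    ]
})


def describe_rule(perm):
    """Render one IpPermission entry as "<proto>/<ports> from/to <sources>"."""
    proto = perm.get("IpProtocol", "?")
    # AWS encodes "all protocols" as IpProtocol "-1" with no port fields.
    ports = "all" if proto == "-1" else f"{perm.get('FromPort', '?')}-{perm.get('ToPort', '?')}"
    sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    sources += [g.get("GroupId", "self") for g in perm.get("UserIdGroupPairs", [])]
    return f"{proto}/{ports} from/to {','.join(sources) or 'none'}"


def audit_default_sgs(describe_output):
    """Return {GroupId: {"vpc": ..., "ingress": [...], "egress": [...]}}
    for every default SG that still has rules. Other groups are skipped."""
    findings = {}
    for sg in json.loads(describe_output)["SecurityGroups"]:
        if sg.get("GroupName") != "default":
            continue
        ingress = [describe_rule(p) for p in sg.get("IpPermissions", [])]
        egress = [describe_rule(p) for p in sg.get("IpPermissionsEgress", [])]
        if ingress or egress:
            findings[sg["GroupId"]] = {"vpc": sg["VpcId"], "ingress": ingress, "egress": egress}
    return findings


if __name__ == "__main__":
    # Read real CLI output from stdin if piped in, otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    findings = audit_default_sgs(raw)
    for gid, f in findings.items():
        print(f"{gid} ({f['vpc']}): ingress={f['ingress']} egress={f['egress']}")
    sys.exit(1 if findings else 0)
```

Run it against a live account with `aws ec2 describe-security-groups --filters Name=group-name,Values=default | python audit_default_sgs.py`; a non-zero exit means at least one default SG has drifted from the empty state the Terraform config intends, which is exactly the case the issue reports Terraform not catching on its own.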

@github-actions
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2022
3 participants