Can't add depends_on or pass conditional expression to create, so can't add elb private IPs to security group.

[jlundy2]

Due to some outstanding issues with Terraform's AWS provider, I'm trying to find a way to pass some calculated CIDRs into a security group.

Right now the following snippet runs

# Look up the newly created ELB's private IP address
# https://github.com/terraform-providers/terraform-provider-aws/issues/3007#issuecomment-382494881
# https://forums.aws.amazon.com/thread.jspa?threadID=263245
# https://github.com/terraform-providers/terraform-provider-aws/pull/2901
data "aws_network_interface" "elb" {
  depends_on = ["aws_lb.web-lb"]
  count = "${length(data.aws_subnet_ids.all.ids)}"

  filter = {
    name   = "description"
    values = ["ELB ${aws_lb.web-lb.arn_suffix}"]
  }

  filter = {
    name   = "subnet-id"
    values = ["${element(data.aws_subnet_ids.all.ids, count.index)}"]
  }
}

data "aws_network_interface" "elb-tcp" {
  depends_on = ["aws_lb.web-lb-tcp"]
  count = "${length(data.aws_subnet_ids.all.ids)}"

  filter = {
    name   = "description"
    values = ["ELB ${aws_lb.web-lb-tcp.arn_suffix}"]
  }

  filter = {
    name   = "subnet-id"
    values = ["${element(data.aws_subnet_ids.all.ids, count.index)}"]
  }
}

##################################################################
# Security Group
# https://registry.terraform.io/modules/terraform-aws-modules/security-group/aws/2.9.0
##################################################################
module "security-group" {
  source  = "terraform-aws-modules/security-group/aws"
  version = "2.9.0"

  name        = "Concourse"
  description = "Allows public inbound access to the Concourse API and GUI"
  vpc_id      = "${data.aws_vpc.default.id}"

  use_name_prefix = false

  computed_ingress_with_cidr_blocks = [
    {
      from_port   = 2222
      to_port     = 2222
      protocol    = "tcp"
      description = "Concourse TSA port"
      cidr_blocks = "${join(",", var.allowed-ips)}"
    },
    {
      rule        = "ssh-tcp"
      cidr_blocks = "${join(",", var.allowed-ips)}"
      description = "SSH Access"
    },
    {
      rule        = "http-8080-tcp"
      cidr_blocks = "${join(",", var.allowed-ips)}"
      description = "HTTP Access"
    },
    {
      rule        = "http-8080-tcp"
      cidr_blocks = "${join(",", formatlist("%s/32",flatten(data.aws_network_interface.elb.*.private_ips)))}"
      description = "HTTP - ELB health check"
    },
    {
      from_port   = 2222
      to_port     = 2222
      protocol    = "tcp"
      description = "Concourse TSA port - ELB health check"
      cidr_blocks = "${join(",", formatlist("%s/32",flatten(data.aws_network_interface.elb-tcp.*.private_ips)))}"
    }
  ]
  number_of_computed_ingress_with_cidr_blocks = 5

  egress_cidr_blocks      = ["0.0.0.0/0"]
  egress_rules            = ["all-all"]
}

but gives the following error on first terraform apply

Error: Error applying plan:

1 error(s) occurred:

* data.aws_network_interface.elb[1]: data.aws_network_interface.elb.1: no matching network interface found

I thought that I could perhaps add a depends on to the security-group module like so:

depends_on = ["aws_lb.web-lb-tcp.arn_suffix","aws_lb.web-lb.arn_suffix"]

But that gives the following error:

Error: module "security-group": "depends_on" is not a valid argument

Given that I'm implementing a work around anyway, I'm fine with running apply twice, so I thought I would just set create of the security-group to false if the load balancers hadn't been setup yet. So I added the following:

# Only create once the load balancers have been created
  create = "${data.aws_network_interface.elb-tcp.count > 1 ? true : false}"

But that gives me a ton of errors of the form:

Error: module.security-group.aws_security_group_rule.computed_egress_rules: 1 error(s) occurred:

* module.security-group.aws_security_group_rule.computed_egress_rules: At column 46, line 1: list "var.computed_egress_rules" does not have any elements so cannot determine type. in:

${element(var.rules[var.computed_egress_rules[count.index]], 0)}



Error: module.security-group.aws_security_group_rule.ingress_rules: 1 error(s) occurred:

* module.security-group.aws_security_group_rule.ingress_rules: At column 38, line 1: list "var.ingress_rules" does not have any elements so cannot determine type. in:

${element(var.rules[var.ingress_rules[count.index]], 1)}



Error: module.security-group.aws_security_group_rule.ingress_with_self: 1 error(s) occurred:

* module.security-group.aws_security_group_rule.ingress_with_self: At column 31, line 1: list "var.ingress_with_self" does not have any elements so cannot determine type. in:

${lookup(var.ingress_with_self[count.index], "description", "Ingress Rule")}

Right now I'm just running apply twice and ignoring the error, but I would really like a cleaner workaround for my workaround. 😄

[antonbabenko]

Thanks for the long issue.

The issue you are describing mostly sums up as one of the most popular issues with Terraform 0.11, which will be fixed in upcoming 0.12.

Read more:

• depends_on cannot be used in a module hashicorp/terraform#10462
• Data Resource Lifecycle Adjustments hashicorp/terraform#17034

There is not much what this module can do, really. So, running it twice is the easiest solution if you don't use wrapper scripts to do this for you.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.