Necessary Security Group not Created for SSM, KMS and ECR DKR Endpoints

[markmsmith]

Problem

When creating interface VPC Endpoints for SSM, KMS and ECR DKR (using the module variables enable_ssm_endpoint, enable_kms_endpoint and enable_ecr_dkr_endpoint respectively), the necessary security groups are not created, resulting in the errors:

module.network.module.vpc.aws_vpc_endpoint.ssm: 1 error(s) occurred:
* aws_vpc_endpoint.ssm: An Interface VPC Endpoint must always have at least one Security Group
* module.network.module.vpc.aws_vpc_endpoint.kms: 1 error(s) occurred:
* aws_vpc_endpoint.kms: An Interface VPC Endpoint must always have at least one Security Group
* module.network.module.vpc.aws_vpc_endpoint.ecr_dkr: 1 error(s) occurred:
* aws_vpc_endpoint.ecr_dkr: An Interface VPC Endpoint must always have at least one Security Group

There are already variables exposed to allow passing in pre-existing security groups for each of these, but since the security groups require the field vpc_id to be specified and we haven't created the VPC yet, there's no way to create one prior to invoking this module (unless I'm missing something).

Desired Behavior

A security group with the necessary ports (443 inbound etc) is created and associated to the endpoints whenever one or more interface VPC Endpoints are enabled, and is exposed as an output.

[markmsmith]

As some additional detail, if I attempt to omit the vpc_id field on the aws_security_group resource, I get the error:

* aws_security_group.vpc_endpoint: Error creating Security Group: VPCIdNotSpecified: No default VPC for this user
        status code: 400, request id: 04c59b28-501d-443f-a627-0ecf59b1a4b1

which I believe is due to it trying to fallback to using the default VPC, which we've deleted for this region (and would be the wrong VPC anyway).

[joan-s-molas]

I was having the same issue then had a look at:

https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/examples/issue-224-vpcendpoint-apigw/main.tf

Creating an aws_security_group data resource pointing to default then referencing it in the module should help you - although I admit the security groups should probably be generated by the module itself.

[markmsmith]

Thanks for the suggestion @joan-serra .
I'm still learning all the terraform tricks, can you help me understand why that doesn't setup create a circular reference between the security group's reference to the vpc module and the vpc module's reference to that security group? Looking at the data source lifecycle docs it seems like the data source's vpc reference won't resolve until apply time, but I don't follow why the vpc module wouldn't be blocked until its apigw_endpoint_security_group_ids property can be resolved, causing a deadlock.

Also, won't that just use the default security group that's created with a new VPC, which allows all traffic out and any port in the same SG? Is there any way to use a different security group, or do we just have to modify the rules on the default one?

[joan-s-molas]

I haven't dug further - using the default group from a data resource does seem like a workaround. Unless there is another way to do it which I haven't figured out I'd say that the security group should indeed be created by the module...

[markmsmith]

Ok, thanks. For now I'm just going to stick with creating the VPC Endpoints externally so that I can control the Security Groups. Hopefully they'll get a chance to fix this soon.

[antonbabenko]

Security groups should be created externally.

I have updated the example to demonstrate how VPC endpoint can be created in ef915dc.

v2.6.0 has been just released.

[markmsmith]

I have to admit, I don't understand why that doesn't count as a cyclic dependency between module. http_sg.vpc_id and module.vpc. apigw_endpoint_security_group_ids, but ok.
Thanks.

[antonbabenko]

Mark, this is easy to explain. Dependencies are calculated between resources and not between modules (as a whole).

Roughly speaking the order is like this: module.vpc.vpc_id => module.http_sg.this_security_group_id => module.vpc.apigw_endpoint_security_group_ids

[markmsmith]

Thanks Anton, that helps.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.