
Terraform: Cycle definitions in security group

I am defining a couple of instances that belong to an SG (this is from the instance resource definition)

vpc_security_group_ids = ["${aws_security_group.rancher-nodes-sg.id}"]

However, I want to also explicitly allow the public (ie elastic ) IPs of the above instances as follows (this is from the above SG resource definition)

resource "aws_security_group" "rancher-nodes-sg" {

  # Allow all traffic from node 01's Elastic IP (reading the EIP here is
  # what makes the SG depend on the EIP, and therefore on the instance)
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["${aws_eip.rancher-node-01-eip.public_ip}/32"]
  }

  # Same for node 02's Elastic IP
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["${aws_eip.rancher-node-02-eip.public_ip}/32"]
  }
}

This causes a Cycle problem

$ terraform apply

Error: Error asking for user input: 1 error(s) occurred:

* Cycle: aws_instance.rancher-node-02, aws_eip.rancher-node-02-eip, aws_security_group.rancher-nodes-sg, aws_instance.rancher-node-01, aws_eip.rancher-node-01-eip

Any suggestion on how to go about this?

You don't have to specify IP addresses in security group rules... you can have a security group allow itself with self = true:

resource "aws_security_group" "rancher-nodes-sg" {
  ingress {
    from_port = 0
    to_port = 0
    protocol = -1
    self = true
  }
}

A cycle error occurs when sg1 has ingress rules for sg2 and sg2 has ingress rules for sg1 in the same template. It confuses Terraform. To prevent this kind of error, always set the rules separately using the resource aws_security_group_rule. Never create a security group rule using the resource aws_security_group when sg1 depends on sg2 and sg2 depends on sg1. First create the SG and set the rules later.
Regards, Sachin
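The two answers above point at the same fix from different angles: keep the security group free of inline rules, and attach the rules as separate aws_security_group_rule resources. The following is an added example that is not part of the question or either answer; it reuses the question's resource names, while the AMI, instance type, subnet and VPC are placeholder variables. It breaks the cycle because the dependency edges now run only one way: instance -> SG, EIP -> instance, rule -> (SG, EIP), with nothing pointing from the SG back to the EIPs. The self rule is also kept, but note an AWS behaviour worth remembering when you read it next to the /32 rules: a rule whose source is a security group (including self = true) matches traffic by the instances' private IP addresses, not their public or Elastic IPs, so the /32 rules are still needed if the nodes reach each other over their EIPs. The question's "all ports, all protocols" range is kept for parity; in production narrow it to the ports the nodes actually need.

```hcl
# Added example, not the original poster's or the answerers' configuration.
# Terraform 0.11-style interpolation to match the question; 0.12+ accepts it
# with deprecation warnings. "vpc = true" on aws_eip is the pre-v5 provider
# argument (v5 uses domain = "vpc").

variable "vpc_id" {}      # assumed: ID of an existing VPC
variable "subnet_id" {}   # assumed: a public subnet in that VPC
variable "ami" {}         # assumed: AMI the nodes boot from

# 1. The security group carries no inline rules, so it depends on nothing.
resource "aws_security_group" "rancher-nodes-sg" {
  name   = "rancher-nodes-sg"
  vpc_id = "${var.vpc_id}"
}

# 2. Instances depend on the SG; EIPs depend on the instances.
resource "aws_instance" "rancher-node-01" {
  ami                    = "${var.ami}"
  instance_type          = "t3.medium" # placeholder
  subnet_id              = "${var.subnet_id}"
  vpc_security_group_ids = ["${aws_security_group.rancher-nodes-sg.id}"]
}

resource "aws_instance" "rancher-node-02" {
  ami                    = "${var.ami}"
  instance_type          = "t3.medium" # placeholder
  subnet_id              = "${var.subnet_id}"
  vpc_security_group_ids = ["${aws_security_group.rancher-nodes-sg.id}"]
}

resource "aws_eip" "rancher-node-01-eip" {
  instance = "${aws_instance.rancher-node-01.id}"
  vpc      = true
}

resource "aws_eip" "rancher-node-02-eip" {
  instance = "${aws_instance.rancher-node-02.id}"
  vpc      = true
}

# 3. Rules are separate resources. Each depends on the SG and (for the /32
#    rules) on an EIP, but the SG never references them, so there is no cycle.

# Node-to-node traffic by private IP (what self = true actually matches).
resource "aws_security_group_rule" "nodes-self" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  self              = true
  security_group_id = "${aws_security_group.rancher-nodes-sg.id}"
}

# Traffic that arrives from the nodes' Elastic IPs (hairpinned via the IGW),
# which a security-group-sourced rule does not cover.
resource "aws_security_group_rule" "node-01-eip" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["${aws_eip.rancher-node-01-eip.public_ip}/32"]
  security_group_id = "${aws_security_group.rancher-nodes-sg.id}"
}

resource "aws_security_group_rule" "node-02-eip" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["${aws_eip.rancher-node-02-eip.public_ip}/32"]
  security_group_id = "${aws_security_group.rancher-nodes-sg.id}"
}
```

With this layout terraform plan no longer reports the Cycle error, and terraform graph shows aws_security_group.rancher-nodes-sg with no outgoing edge to either EIP. Do not mix the two styles: once you manage rules with aws_security_group_rule, leave the aws_security_group block without ingress or egress blocks, otherwise the two resources fight over the same rule set on every apply.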

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM