disallow-mixed-sgr
Explanation
Mixing Terraform standalone security_group_rule resource and security_group resource with inline ingress/egress rules results in rules being overwritten during Terraform apply.
Possible Impact
Security group rules will be overwritten and will result in unintended blocking of network traffic
Suggested Resolution
Either define all of a security group's rules inline, or none of the security group's rules inline
Insecure Example
The following example will fail the aws-vpc-disallow-mixed-sgr check.
resource "aws_security_group_rule" "bad_example" {
security_group_id = aws_security_group.bad_example_sg.id
type = "ingress"
cidr_blocks = ["172.31.0.0/16"]
}
resource "aws_security_group" "bad_example_sg" {
ingress {
cidr_blocks = ["10.0.0.0/16"]
}
}
Secure Example
The following example will pass the aws-vpc-disallow-mixed-sgr check.
resource "aws_security_group_rule" "good_example" {
security_group_id = aws_security_group.good_example_sg.id
type = "ingress"
cidr_blocks = ["10.0.0.0/16", "172.31.0.0/16"]
}
resource "aws_security_group" "good_example_sg" {
}