AWSAmazon VPCaws_security_group_rulePro

How to Import an AWS Security Group Rule into Terraform

To import an existing AWS Security Group Rule into Terraform, scan it with Terraback and run terraback aws import --method bulk. Terraback writes the matching aws_security_group_rule resource block and the Terraform 1.5+ import block for you, so you do not have to run terraform import by hand. The import ID is an underscore-joined tuple of security group ID, type, protocol, from-port, to-port, and each source, SG-ID_TYPE_PROTOCOL_FROM_TO_SOURCE (for example, sg-0123456789abcdef0_ingress_tcp_443_443_0.0.0.0/0).

Import AWS Security Group Rule with Terraback (recommended)

Terraback reverse-engineers your live infrastructure: it reads the Amazon VPC resource with read-only credentials, generates the HCL, and produces the exact import block. Two commands take you from a live AWS Security Group Rule to managed Terraform.

1

Scan your AWS account

terraback scan all aws --region us-east-1
2

Generate import blocks and import into state

terraback aws import --method bulk

The Terraform import block

Terraback emits a Terraform 1.5+ import block like the one below. Because the block lives in your configuration, the import is reviewable in a pull request and repeatable across environments.

import {
  to = aws_security_group_rule.https_in
  id = "sg-0123456789abcdef0_ingress_tcp_443_443_0.0.0.0/0"
}

Example aws_security_group_rule configuration

Here is a realistic AWS Security Group Rule block. Terraback generates a fuller version from your actual resource attributes; this is a minimal, valid starting point.

resource "aws_security_group_rule" "https_in" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "sg-0123456789abcdef0"
}

Gotchas when importing a AWS Security Group Rule

  • The import ID is a composite underscore-joined tuple (sg-id_type_protocol_from_to_source); a multi-source rule appends each CIDR or source SG, which makes the ID fragile to build by hand.
  • aws_security_group_rule is the older model; the modern aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule resources are one-rule-per-resource and import by a simple sgr- rule ID, which is far easier.
  • Do not mix standalone rule resources with inline ingress/egress blocks on the same aws_security_group, or Terraform will continuously add and remove rules.
  • A rule referencing another security group uses source_security_group_id (not cidr_blocks); the import ID then ends in that sg- ID instead of a CIDR.

Doing it manually with terraform import

The native approach is to write the aws_security_group_rule block by hand, then run terraform import aws_security_group_rule.example <import-id> for every resource, one at a time. That works for a handful of resources, but it does not scale: you author all the HCL yourself and repeat the command for each item. Terraback generates the HCL and the import blocks for your whole account in one pass.

Import your whole AWS account in minutes

Terraback scans 80+ AWS resource types and emits clean Terraform plus import blocks, running locally with read-only credentials. $499 once, no SaaS.