Description
Module Version: 1.0.4 (latest)
When running terraform apply using the autoscale_gwlb module, the plan fails with an AWS API error. This happens because the security group rules for "All traffic" are using outdated port values.
Error
Error: updating VPC Security Group Rule (sgr-xxxxxxx)
with module.autoscale_gwlb.aws_vpc_security_group_ingress_rule.ingress_rule_ipv4
on .terraform/modules/autoscale_gwlb/modules/autoscale_gwlb/main.tf line 16, in resource "aws_vpc_security_group_ingress_rule" "ingress_rule_ipv4":
16: resource "aws_vpc_security_group_ingress_rule" "ingress_rule_ipv4" {
operation error EC2: ModifySecurityGroupRules, https response error StatusCode: 400, RequestID: ed0552a6-2b9c-4d07-a7c7-xxxx, api error InvalidParameterValue: You may not specify all protocols and specific ports. Please specify each protocol and port range combination individually, or all protocols and no port range.
Analysis of the Bug
This error is caused by the code in modules/autoscale_gwlb/main.tf.
The resources aws_vpc_security_group_ingress_rule.ingress_rule_ipv4 and aws_vpc_security_group_egress_rule.egress_rule_ipv4 are defined with:
ip_protocol = "-1" (All)
from_port = -1
to_port = -1
The modern AWS Terraform provider and the underlying AWS API no longer accept -1 for ports when the protocol is -1. To specify "all protocols and all ports," the API now requires from_port = 0 and to_port = 0.
The API is rejecting the module's code because it interprets from_port = -1 as a specific port, which violates the rule of "all protocols and no port range."
Proposed Solution
The from_port and to_port values in both resources must be changed from -1 to 0.
File to Fix: modules/autoscale_gwlb/main.tf
Current (Buggy) Code:
resource "aws_vpc_security_group_ingress_rule" "ingress_rule_ipv4" {
security_group_id = aws_security_group.permissive_sg.id
ip_protocol = "-1"
from_port = -1 # <--- BUG
to_port = -1 # <--- BUG
cidr_ipv4 = "0.0.0.0/0"
description = "Permissive IPv4 ingress rule."
}
resource "aws_vpc_security_group_egress_rule" "egress_rule_ipv4" {
security_group_id = aws_security_group.permissive_sg.id
ip_protocol = "-1"
from_port = -1 # <--- BUG
to_port = -1 # <--- BUG
cidr_ipv4 = "0.0.0.0/0"
description = "Permissive IPv4 egress rule."
}
Proposed (Fixed) Code:
resource "aws_vpc_security_group_ingress_rule" "ingress_rule_ipv4" {
security_group_id = aws_security_group.permissive_sg.id
ip_protocol = "-1"
from_port = 0 # <--- FIX
to_port = 0 # <--- FIX
cidr_ipv4 = "0.0.0.0/0"
description = "Permissive IPv4 ingress rule."
}
resource "aws_vpc_security_group_egress_rule" "egress_rule_ipv4" {
security_group_id = aws_security_group.permissive_sg.id
ip_protocol = "-1"
from_port = 0 # <--- FIX
to_port = 0 # <--- FIX
cidr_ipv4 = "0.0.0.0/0"
description = "Permissive IPv4 egress rule."
}
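The EC2 error above is easy to catch before apply: the plan already contains the protocol and port values the API will reject. The following checker is an added example, not code from the issue or from the autoscale_gwlb module. It reads the JSON that `terraform show -json <planfile>` produces and flags any aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule that sets ip_protocol "-1" together with an explicit from_port or to_port; it is deliberately stricter than the 0/0 change proposed above, because the AWS provider documentation for these resources says from_port and to_port should not be set at all when ip_protocol is -1. It also reports rules open to 0.0.0.0/0 or ::/0 so the module's intentionally permissive rules are visible in review. The SAMPLE_PLAN, the module address and the helper `_rule` are constructed for the example and mirror the rule shapes shown in the issue; the plan-JSON layout (planned_values -> root_module -> child_modules -> resources) is Terraform's documented format.

```python
"""Pre-apply lint for AWS security group rules in a Terraform plan.

Reads the JSON from `terraform show -json <planfile>` and flags two things:
  * rules that combine ip_protocol = "-1" (all protocols) with an explicit
    from_port / to_port, which the EC2 API rejects with InvalidParameterValue
    ("You may not specify all protocols and specific ports"), and
  * rules open to the whole internet (0.0.0.0/0 or ::/0), so a deliberately
    permissive rule is at least visible in review.
"""
import json
import sys
from typing import Iterator

SG_RULE_TYPES = {
    "aws_vpc_security_group_ingress_rule",
    "aws_vpc_security_group_egress_rule",
}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource under a planned_values module, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def rule_findings(res: dict) -> list[tuple[str, str]]:
    """Return (address, finding) pairs for one security group rule resource."""
    values = res.get("values") or {}
    address = res.get("address", "<unknown>")
    findings = []
    if values.get("ip_protocol") == "-1":
        # Unset attributes appear as null in planned_values; any non-null port is explicit.
        ports = {k: values[k] for k in ("from_port", "to_port") if values.get(k) is not None}
        if ports:
            findings.append((address, f"all-protocol rule with explicit ports {ports}"))
    for key in ("cidr_ipv4", "cidr_ipv6"):
        if values.get(key) in WORLD_CIDRS:
            findings.append((address, f"world-open {key} = {values[key]}"))
    return findings


def check_plan(plan: dict) -> list[tuple[str, str]]:
    """Lint every managed security group rule in a `terraform show -json` plan document."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("mode") == "managed" and res.get("type") in SG_RULE_TYPES:
            findings.extend(rule_findings(res))
    return findings


def _rule(address, rtype, **values):
    """Build one planned resource entry in the plan JSON shape (sample-data helper, not real)."""
    base = {"ip_protocol": "-1", "from_port": None, "to_port": None,
            "cidr_ipv4": None, "cidr_ipv6": None}
    base.update(values)
    return {"address": address, "mode": "managed", "type": rtype, "values": base}


# Constructed sample plan: it mirrors the rule shapes from the issue, it is not a real plan.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [], "child_modules": [{
        "address": "module.autoscale_gwlb",
        "resources": [
            # The shape reported in the issue: all protocols plus from_port/to_port = -1.
            _rule("module.autoscale_gwlb.aws_vpc_security_group_ingress_rule.ingress_rule_ipv4",
                  "aws_vpc_security_group_ingress_rule",
                  from_port=-1, to_port=-1, cidr_ipv4="0.0.0.0/0"),
            # All protocols with the ports left unset: only the world-open finding remains.
            _rule("module.autoscale_gwlb.aws_vpc_security_group_egress_rule.egress_rule_ipv4",
                  "aws_vpc_security_group_egress_rule",
                  cidr_ipv4="0.0.0.0/0"),
            # A specific protocol and port from a private range: no findings.
            _rule("module.autoscale_gwlb.aws_vpc_security_group_ingress_rule.https",
                  "aws_vpc_security_group_ingress_rule",
                  ip_protocol="tcp", from_port=443, to_port=443, cidr_ipv4="10.0.0.0/8"),
        ],
    }]}},
}


def main() -> int:
    """Lint the plan file given on the command line, or the built-in sample when none is given."""
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = check_plan(plan)
    for address, msg in findings:
        print(f"{address}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python sg_rule_lint.py plan.json` in CI; a non-zero exit stops the pipeline before apply reaches the API. Note that the proposed 0/0 values would still be reported as explicit ports by this check, which is intentional: the all-protocol rule is expressed without any port range.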