amazon-web-servicesterraformamazon-rdsamazon-auroraaws-security-group

Self referenced Security group inbound rule in AWS RDS terraform?


I'm catching up with the security group with Terraform.

When checking official DOCS, there was self referenced Security group inbound rule.

like this,

 ingress_with_self = [
    {
      from_port   = 3306
      to_port     = 3306
      protocol    = "tcp"
      description = null
    }
  ]

What happens if I attach this to an instance of rds as self - reference?

What are some examples of appropriate use?

I found this comment on reddit:

For example, an EC2 instance with that security group assigned would be able to reach another EC2 instance with that same security group.

But in my case, self-referenced inbound rule was attached on RDS(Aurora, 1 master cluster and 1 readonly instance ).

Does it allow each instance of rds to reach each other?

I searched on google but i can't find appropriate examples


Solution

  • Self-referencing is about referencing the Security Group and not just the RDS instance. Self-referenced SG rule attached to RDS is still referencing to whole SG, not just RDS itself.

    So if you use "ingress_with_self" it will allow ingress traffic from any resource that will be using the same Security Group, whether it`s EC2, RDS, and so on.

    AWS provider docs:

    self - Whether the security group itself will be added as a source to this ingress rule.

    And AWS Documentation:

    When you specify a security group as the source or destination for a rule, the rule affects all instances that are associated with the security groups. The instances can communicate in the specified direction, using the private IP addresses of the instances, over the specified protocol and port.