
Dealing with tfsec aws-vpc-add-description-to-security-group


In Terraform, an aws_security_group resource is flagged as a violation of the tfsec rule aws-vpc-add-description-to-security-group in the following cases.

  • It has no description
  • description = "Managed by Terraform"

You can satisfy the rule by changing the description, but changing the description of an existing security group forces Terraform to replace the resource.

$ terraform plan

...

  # aws_security_group.this must be replaced
-/+ resource "aws_security_group" "this" {

You can work around it temporarily with tfsec:ignore:aws-vpc-add-description-to-security-group.

resource "aws_security_group" "this" {
  description = "Managed by Terraform" # tfsec:ignore:aws-vpc-add-description-to-security-group changing it would force recreation
}

You cannot update a security group’s description with the aws-cli

As of 2022-05-13, there was no aws-cli command to update a security group's description.

  • Note: there is a command to update the description of a security group rule, as opposed to the group itself.

There are cases where Terraform requires recreation but the aws-cli can update the attribute in place; for a security group's description, however, that is not possible.

You cannot change it in the AWS console either

I was not able to change it in the AWS console.

So, what to do

It seems best to create a copy of the existing resource in terraform and re-attach it.

resource "aws_security_group" "this" {
  description = "Managed by Terraform"
}

# Created separately as a copy of the existing group
resource "aws_security_group" "this_v2" {
  description = "" # put the real description here
}

resource "aws_lb" "app" {
  name = "${local.prefix}-app-lb"

  security_groups = [
    aws_security_group.this.id,
    aws_security_group.this_v2.id, # added
  ]
}

This is the same as selecting the security group in the AWS console and clicking Actions > Copy to new security group.
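The copy-and-reattach procedure written out in full, as an added example that is not the author's code. Only `local.prefix` and the resource names `this`, `this_v2` and `app` come from the post; `var.vpc_id`, `var.public_subnet_ids`, `var.allowed_ingress_cidrs`, `var.app_security_group_id` and the rule contents are assumptions. It also covers the closing remark that rule descriptions, unlike the group description, can be changed in place, so each copied rule gets one.

```hcl
# Step 1: leave the existing group as it is for now. Its description cannot be
# edited in place, and touching it would replace the group while it is still
# attached to the load balancer.
resource "aws_security_group" "this" {
  description = "Managed by Terraform" # tfsec:ignore:aws-vpc-add-description-to-security-group legacy group, removed in step 3
  vpc_id      = var.vpc_id             # assumed variable
}

# Step 2: create the replacement with a meaningful description from the start.
# Any later change to `description` still forces replacement, so choose it once.
resource "aws_security_group" "this_v2" {
  name        = "${local.prefix}-app-lb-v2"
  description = "Ingress and egress for the ${local.prefix} application load balancer"
  vpc_id      = var.vpc_id
}

# The rules are copied as separate resources so each one can be reviewed.
# Rule descriptions can be updated in place (the group description cannot).
resource "aws_security_group_rule" "this_v2_https_in" {
  type              = "ingress"
  security_group_id = aws_security_group.this_v2.id
  description       = "HTTPS from the allowed client ranges"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = var.allowed_ingress_cidrs # assumed variable, not 0.0.0.0/0
}

resource "aws_security_group_rule" "this_v2_app_out" {
  type                     = "egress"
  security_group_id        = aws_security_group.this_v2.id
  description              = "Forward to the application targets only"
  protocol                 = "tcp"
  from_port                = 8080
  to_port                  = 8080
  source_security_group_id = var.app_security_group_id # assumed variable
}

# Step 3: attach both groups, apply, confirm traffic still flows through the
# new group, then remove aws_security_group.this from this list and delete the
# resource block above in a second apply.
resource "aws_lb" "app" {
  name               = "${local.prefix}-app-lb"
  load_balancer_type = "application"
  subnets            = var.public_subnet_ids # assumed variable

  security_groups = [
    aws_security_group.this.id, # remove after cutover
    aws_security_group.this_v2.id,
  ]
}
```

Run `terraform plan` after each step: the first apply should show only additions (the new group, its rules and an in-place update of the load balancer's `security_groups`), never a `-/+` on `aws_security_group.this`. Once the old group is detached and removed, `tfsec` no longer reports aws-vpc-add-description-to-security-group for this module and the ignore comment goes away with the old resource.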

That said, considering the cost and risk of the work, the priority is not high, and since the description of a security group rule can be changed, I felt it best to handle that as appropriate.

I want to keep this in mind when creating security group resources going forward.

That’s all.
I hope this is helpful.

Author

Kenzo Tanaka

Posted on

2022-05-13