
Can aws_directory_service_directory return the security group #5750

Closed
msnelling opened this issue Mar 21, 2016 · 10 comments

Comments

@msnelling (Author)

When creating a directory service using aws_directory_service_directory it would be helpful to return the id of the associated security group created at the same time. This would allow the security group to be used when creating other resources.

@phinze (Contributor) commented Mar 21, 2016

Hi @msnelling - good call here. I'm trying to figure out which SecurityGroupId is the correct one for us to set.

There's one here: https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DirectoryConnectSettings.html

And there's one here: https://docs.aws.amazon.com/directoryservice/latest/devguide/API_DirectoryVpcSettingsDescription.html

The second one seems to be legacy though. If you have a bit more context, can you point us in the right direction here?

@msnelling (Author)

I haven't used the API but imagine that it maps closely to the "aws cli" command set. When creating a directory service with create-directory, create-microsoft-ad or connect-directory you don't get back the security group. I think the only way to get that info is with describe-directories which I think is your DirectoryVpcSettingsDescription API.

@phinze (Contributor) commented Mar 21, 2016

So the thing that makes me hesitate on the VpcSettings one is this part of the description:

If the directory was created before 8/1/2014, this is the identifier of the directory members security group that was created when the directory was created. If the directory was created after this date, this value is null.

I suppose whoever picks this up can do some quick testing to see whether the other value gets populated. Should be pretty simple to implement! 👍

phinze added the easy label Mar 21, 2016

@msnelling (Author)

Hmm, looking at the results of the describe-directories cli command it doesn't return the security group for a directory I created today. Perhaps an oversight by Amazon?
I've opened a support case with Amazon to ask how to retrieve this value.

@phinze (Contributor) commented Mar 21, 2016

Perhaps! Or based on that quote I cited - perhaps that is old behavior they no longer perform?

@msnelling (Author)

I got a response from AWS support; they say that currently the only way to get the security group is to use the directory id and filter the security groups based on that. For example, using the AWS CLI tool:
aws ec2 describe-security-groups --filters Name=group-name,Values="d-1234567890_controllers" --query SecurityGroups[].[GroupId]
Would this be possible with the API? It's not the prettiest solution and assumes that the security group follows the pattern d-<directory id>_controllers.
The support person was going to request the feature be added to the API and CLI tool.

@apparentlymart (Contributor)

Might be a pretty heavy cost to pay just to get this feature, but one way we could make this work is to finish up #4961, after which I was expecting that many of the AWS "Describe" APIs would get exposed as data sources. In this case, it might look something like this:

resource "aws_directory_service_directory" "main" {
    // ...
}

data "aws_security_group" "directory_group" {
    name = "d-${aws_directory_service_directory.main.id}_controllers"

    // (and any of the other "filter" arguments here, optionally)

    // the data source returns a single matching security group if exactly
    // one is returned, or fails if the response returns zero or more than one
    // security group. (query is over- or under-specified)
}

// any other resource that takes a security group, for example an instance
resource "aws_instance" "example" {
    vpc_security_group_ids = ["${data.aws_security_group.directory_group.id}"]
    // ...
}

Again, this makes a relatively simple suggestion dependent on a big architectural change, which isn't great, but it does have the advantage of avoiding hard-coding that naming convention within Terraform itself, allowing the user's Terraform config (which is easier to adapt as needed) to use the convention as I did above.
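An added example (not Terraform's or AWS's own code) of the lookup the AWS support answer and the proposed data source both describe: build the `group-name` filter from the directory id, and accept the result only when exactly one group matches. It uses a constructed `describe-security-groups` response so it runs offline; with boto3 the same filter list would be passed to `ec2.describe_security_groups(Filters=...)`. The optional `vpc-id` filter is an assumption added here, to avoid matching a same-named group in another VPC.

```python
# Constructed sample response in the shape describe-security-groups returns.
# Two groups carry the conventional name; only one is in the directory's VPC.
SAMPLE_RESPONSE = {
    "SecurityGroups": [
        {"GroupId": "sg-0123456789abcdef0",
         "GroupName": "d-1234567890_controllers", "VpcId": "vpc-0aaa"},
        {"GroupId": "sg-0fedcba9876543210",
         "GroupName": "d-1234567890_controllers", "VpcId": "vpc-0bbb"},
    ]
}


def controllers_group_filters(directory_id, vpc_id=None):
    """Filter list equivalent to the CLI's
    --filters Name=group-name,Values=<directory id>_controllers.
    vpc_id is an assumed extra constraint: the directory's VPC is known
    to the caller, so a same-named group elsewhere cannot be picked up."""
    if not directory_id.startswith("d-"):
        raise ValueError("not a Directory Service id: %r" % directory_id)
    filters = [{"Name": "group-name",
                "Values": [directory_id + "_controllers"]}]
    if vpc_id:
        filters.append({"Name": "vpc-id", "Values": [vpc_id]})
    return filters


def apply_filters(response, filters):
    """Offline stand-in for EC2's server-side filtering (AND of all filters)."""
    keymap = {"group-name": "GroupName", "vpc-id": "VpcId"}
    matched = [g for g in response["SecurityGroups"]
               if all(g.get(keymap[f["Name"]]) in f["Values"] for f in filters)]
    return {"SecurityGroups": matched}


def select_single_group(response):
    """Same rule as the proposed data source: exactly one match succeeds,
    zero or more than one means the query is under- or over-specified."""
    groups = response.get("SecurityGroups", [])
    if len(groups) != 1:
        raise LookupError("expected exactly one security group, got %d"
                          % len(groups))
    return groups[0]["GroupId"]


def directory_security_group_id(directory_id, vpc_id=None,
                                response=SAMPLE_RESPONSE):
    """End-to-end lookup: directory id (+ optional VPC) -> security group id."""
    filters = controllers_group_filters(directory_id, vpc_id)
    return select_single_group(apply_filters(response, filters))
```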

@msnelling (Author)

In the meantime, is it possible in any way to use a provisioner to run the aws ec2 --output text describe-security-groups --filters Name=group-name,Values="d-1234567890_controllers" --query SecurityGroups[].[GroupId] and use the value returned as a variable?

@msnelling (Author)

I thought the following might work but got hamstrung by #6460

resource "null_resource" "directory_sg_file" {
  triggers {
    directory_ids = "${aws_directory_service_directory.ad.id}"
  }

  provisioner "local-exec" {
    command = "aws --output text ec2 describe-security-groups --filters Name=group-name,Values=${aws_directory_service_directory.ad.id}_controllers --query SecurityGroups[].[GroupId] >> directory_sg.txt"
  }
}

resource "template_file" "directory_sg" {
  template = "${file("directory_sg.txt")}"
  depends_on = ["null_resource.directory_sg_file"]
}

output "directory_sg" {
  value = "${template_file.directory_sg.rendered}"
}

@ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

ghost locked and limited conversation to collaborators Apr 11, 2020