Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
0 votes
382 views
in Technique by (71.8m points)

amazon web services - Update and append new properties on existing resource on AWS using Terraform

I'm very new to Terraform and excited to use it.

I've created the security group A with Terraform and I want to attach the security group A to the existing security group B. I was trying to figure it out; it looks like Object.assign and the spread operator in JavaScript.

I imagined something like below:

data "aws_security_group" "A" {
  id = "<id>"
}

resource "aws_security_group" "A" {
  ...data.aws_security_group.A,
  ingress = [ ...data.aws_security_group.A.ingress]
}

and this is what I thought so far:

resource "aws_security_group" "A" {
  vpc_id = var.a_vpc_id

  ingress = [module.eks.aws_security_group.cluster] // I only want to add this ingress to the existing ingress at security group A
  lifecycle {
    ignore_changes = [
      ingress // ignore existing ingress
    ]
  }
}

Is there any syntax or tweak to accomplish what I want? Any reference and keyword will make me happy.


(Updated) Almost real code:

variable "internal_vpc_id" {
  default = "vpc-12345678"
}

module "eks" {
 ....
}

resource "aws_security_group" "internal" {
  vpc_id = var.internal_vpc_id
  
  ingress = [
               module.eks.aws_security_group.cluster,
               module.eks.aws_security_group.workers, 
               module.eks.aws_security_group_rule.cluster_egress_internet,
            module.eks.aws_security_group_rule.cluster_https_worker_ingress
            ]
  lifecycle {
    ignore_changes = [
      ingress
    ]
  }
}

question from: https://stackoverflow.com/questions/65839907/update-and-append-new-properties-on-exising-resource-on-aws-using-terraform


1 Reply

0 votes
by (71.8m points)

I want to attach the security group A into the existing security group B

You can't directly modify SG B in Terraform (TF) if it's not managed by AWS using aws_security_group. To do that you would have to import B into TF. This would allow you to modify it.

To avoid the import procedure, you can use aws_security_group_rule. This will only create the rule that you want, and will attach it to the existing SG B, even if it is not managed by TF.

Therefore, using aws_security_group_rule you could do (pseudo code):

data "aws_security_group" "B" {
  id = "SG-B-id"
}

resource "aws_security_group_rule" "ruleB" {
  type                       = "ingress"
  from_port                  = 0
  to_port                    = 65535
  protocol                   = "tcp"
  source_security_group_id   = aws_security_group.A.id
  security_group_id          = data.aws_security_group.B.id
}
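A complete, apply-ready version of the approach in the answer above, added here as an example (not code from the question, the answer or the AWS provider project). It generalizes the single 0-65535 rule to a map of named ports created with for_each, so each rule is least-privilege and carries a description that shows up in the AWS console. The region, the VPC id variable, the SG B id and the port values are constructed placeholders, and the resource names (sg_b, managed_a, a_to_b) are my own.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption: pick the region that holds SG B
}

variable "vpc_id" {
  description = "VPC that SG A is created in (placeholder, supply your own)"
  type        = string
}

# Named TCP ports that SG A may reach on SG B. Constructed example values;
# narrowing this map is the whole point of not opening 0-65535.
variable "a_to_b_ports" {
  type = map(number)
  default = {
    https = 443
    kube  = 6443
  }
}

# SG B already exists and is NOT managed by Terraform. Only its id is read.
data "aws_security_group" "sg_b" {
  id = "sg-0123456789abcdef0" # placeholder id, not from the page
}

# SG A is managed here. It deliberately has no inline ingress/egress blocks:
# mixing inline blocks with aws_security_group_rule on the same group makes
# Terraform fight itself on every plan, so all rules live as separate resources.
resource "aws_security_group" "managed_a" {
  name        = "sg-a-terraform"
  description = "SG A, managed by Terraform"
  vpc_id      = var.vpc_id
}

# One aws_security_group_rule per port. Each rule is attached to SG B without
# importing B, and B's pre-existing rules are left exactly as they were, so no
# lifecycle/ignore_changes block is needed.
resource "aws_security_group_rule" "a_to_b" {
  for_each = var.a_to_b_ports

  type                     = "ingress"
  description              = "${each.key} from SG A (managed by Terraform)"
  from_port                = each.value
  to_port                  = each.value
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.managed_a.id
  security_group_id        = data.aws_security_group.sg_b.id
}

output "rules_added_to_sg_b" {
  value = { for k, r in aws_security_group_rule.a_to_b : k => r.id }
}
```

Running terraform plan against this shows only the new aws_security_group.managed_a and the aws_security_group_rule.a_to_b["..."] resources; nothing about SG B itself appears in the plan. If SG B is later imported and given inline ingress blocks, move these rules into that resource instead of keeping both forms, otherwise every plan will try to remove the rules it did not declare inline.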


