AWS Security Groups are tricky!

Recently I was configuring a security group for a service that uses TCP and UDP ports for ingress connectivity.

Security Groups are an Amazon Web Services feature for Amazon VPC (virtual private cloud) to set up a stateful firewall.

I used Terraform (Terragrunt actually, but that's a detail) to configure the security group's ingress rules.

I wanted to be a smart guy, so I set the protocol to -1, which means "all protocols", so that I didn't need to specify separate rules for TCP and UDP on the same port.

Here comes my surprise, according to the AWS documentation:

Use -1 to specify all protocols. If you specify -1 or a protocol other than tcp, udp, or icmp, traffic on all ports is allowed, regardless of any ports you specify.

I was not aware of that, and you might not be either!

Honestly, I would expect the AWS API to return an error, or at least a warning, when asked to set a configuration that cannot be set. Either that didn't happen, or the warning was silenced in the Terraform provider for AWS (I didn't verify; I suspect the AWS API gives no feedback about it at all).

It was caught by my workmate who eventually made separate entries for TCP and UDP to get the configuration right - shortcuts, although tempting, are not always good solutions.
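To make the pitfall concrete, here is an added Terraform example (not the post's own Terragrunt code) showing the shortcut beside the corrected configuration. The VPC id, the service port (5000) and the client CIDR are placeholders I made up for the example; the resource and argument names are those of the standard aws_security_group resource.

```hcl
# Added example, not code from the original post. The VPC id, port and CIDR
# below are constructed placeholders.

variable "vpc_id" {
  type = string
}

variable "service_port" {
  type    = number
  default = 5000 # hypothetical service port
}

variable "client_cidr" {
  type    = string
  default = "10.0.0.0/16" # hypothetical client network
}

# WRONG: protocol "-1" means "all protocols", and AWS then ignores
# from_port/to_port entirely. This rule admits every protocol on every port
# from client_cidr, not just port 5000 over TCP and UDP.
resource "aws_security_group" "service_shortcut" {
  name   = "service-shortcut"
  vpc_id = var.vpc_id

  ingress {
    from_port   = var.service_port
    to_port     = var.service_port
    protocol    = "-1"
    cidr_blocks = [var.client_cidr]
  }
}

# RIGHT: one ingress rule per protocol, so the port restriction is applied.
# A dynamic block keeps the two rules identical apart from the protocol.
resource "aws_security_group" "service" {
  name   = "service"
  vpc_id = var.vpc_id

  dynamic "ingress" {
    for_each = toset(["tcp", "udp"])
    content {
      from_port   = var.service_port
      to_port     = var.service_port
      protocol    = ingress.value
      cidr_blocks = [var.client_cidr]
    }
  }
}
```

A quick way to confirm what AWS actually stored after an apply is `aws ec2 describe-security-groups --group-ids <id>` and inspecting `IpPermissions`: the shortcut group shows an entry with `"IpProtocol": "-1"` and no `FromPort`/`ToPort` at all, while the corrected group shows two entries, one with `"IpProtocol": "tcp"` and one with `"IpProtocol": "udp"`, each carrying the port range.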