Remove security group from Terraform-managed resources

harshavemula-ua · harshavemula-ua · commit 11c500d381e2 · 2026-02-19T14:51:03.000-06:00
EC2 instances will use default VPC security group instead of a
Terraform-managed one, avoiding destroy conflicts when instances
are still running.
diff --git a/infra/aws/terraform/modules/orchestration/outputs.tf b/infra/aws/terraform/modules/orchestration/outputs.tf
@@ -3,11 +3,6 @@ output "datastream_arn" {
   description = "State machine ARN for the datastream workflow"
 }
 
-output "ec2_security_group_id" {
-  value       = aws_security_group.datastream_ec2_sg.id
-  description = "Security group ID for EC2 instances"
-}
-
 output "lambda_role_arn" {
   value       = aws_iam_role.lambda_role.arn
   description = "IAM role ARN used by Lambda functions"
diff --git a/infra/aws/terraform/modules/orchestration/security_group.tf b/infra/aws/terraform/modules/orchestration/security_group.tf
@@ -1,23 +0,0 @@
-# Security Group for EC2 instances launched by Step Functions
-
-resource "aws_security_group" "datastream_ec2_sg" {
-  name_prefix = "${var.resource_prefix}_ec2_sg_"
-  description = "Security group for NRDS datastream EC2 instances"
-  vpc_id      = data.aws_vpc.default.id
-
-  egress {
-    description = "Allow all outbound"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "${var.resource_prefix}_ec2_sg"
-  }
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
diff --git a/infra/aws/terraform/services/nrds-cfe-nom/main.tf b/infra/aws/terraform/services/nrds-cfe-nom/main.tf
@@ -49,7 +49,6 @@ module "schedules" {
   state_machine_arn     = module.nrds_orchestration.datastream_arn
 
   # EC2 config from orchestration
-  ec2_security_groups  = [module.nrds_orchestration.ec2_security_group_id]
   ec2_instance_profile = module.nrds_orchestration.ec2_instance_profile_name
 
   # Model AMI
diff --git a/infra/aws/terraform/services/nrds-cfe-nom/modules/schedules/main.tf b/infra/aws/terraform/services/nrds-cfe-nom/modules/schedules/main.tf
@@ -26,11 +26,6 @@ variable "state_machine_arn" {
 }
 
 # EC2 Configuration
-variable "ec2_security_groups" {
-  type        = list(string)
-  description = "Security group IDs for EC2 instances"
-}
-
 variable "ec2_instance_profile" {
   type        = string
   description = "IAM instance profile name for EC2"
diff --git a/infra/aws/terraform/services/nrds-cfe-nom/modules/schedules/schedules.tf b/infra/aws/terraform/services/nrds-cfe-nom/modules/schedules/schedules.tf
@@ -9,7 +9,6 @@ locals {
 
   # Common CFE_NOM configuration
   cfe_nom_ami_id           = var.cfe_nom_ami_id
-  cfe_nom_security_groups  = jsonencode(var.ec2_security_groups)
   cfe_nom_instance_profile = var.ec2_instance_profile
 
   # Short range forecast config mapping
@@ -166,7 +165,6 @@ resource "aws_scheduler_schedule" "datastream_schedule_short_range_cfe_nom" {
     nprocs             = each.value.nprocs
     ami_id             = local.cfe_nom_ami_id
     instance_type      = each.value.instance_type
-    security_group_ids = local.cfe_nom_security_groups
     instance_profile   = local.cfe_nom_instance_profile
     volume_size        = each.value.volume_size
     environment_suffix = var.environment_suffix
@@ -210,7 +208,6 @@ resource "aws_scheduler_schedule" "datastream_schedule_medium_range_cfe_nom" {
     nprocs             = each.value.nprocs
     ami_id             = local.cfe_nom_ami_id
     instance_type      = each.value.instance_type
-    security_group_ids = local.cfe_nom_security_groups
     instance_profile   = local.cfe_nom_instance_profile
     volume_size        = each.value.volume_size
     environment_suffix = var.environment_suffix
@@ -254,7 +251,6 @@ resource "aws_scheduler_schedule" "datastream_schedule_AnA_range_cfe_nom" {
     nprocs             = each.value.nprocs
     ami_id             = local.cfe_nom_ami_id
     instance_type      = each.value.instance_type
-    security_group_ids = local.cfe_nom_security_groups
     instance_profile   = local.cfe_nom_instance_profile
     volume_size        = each.value.volume_size
     environment_suffix = var.environment_suffix
diff --git a/infra/aws/terraform/services/nrds-cfe-nom/modules/schedules/templates/execution_datastream_cfe_nom_VPU_template.json.tpl b/infra/aws/terraform/services/nrds-cfe-nom/modules/schedules/templates/execution_datastream_cfe_nom_VPU_template.json.tpl
@@ -13,7 +13,6 @@
   "instance_parameters": {
     "ImageId": "${ami_id}",
     "InstanceType": "${instance_type}",
-    "SecurityGroupIds": ${security_group_ids},
     "IamInstanceProfile": {
       "Name": "${instance_profile}"
     },
diff --git a/infra/aws/terraform/services/nrds-cfe-nom/outputs.tf b/infra/aws/terraform/services/nrds-cfe-nom/outputs.tf
@@ -4,11 +4,6 @@ output "datastream_arn" {
   description = "State machine ARN for the datastream workflow"
 }
 
-output "ec2_security_group_id" {
-  value       = module.nrds_orchestration.ec2_security_group_id
-  description = "Security group ID for EC2 instances"
-}
-
 output "lambda_role_arn" {
   value       = module.nrds_orchestration.lambda_role_arn
   description = "IAM role ARN used by Lambda functions"
diff --git a/infra/aws/terraform/services/nrds-routing-only/main.tf b/infra/aws/terraform/services/nrds-routing-only/main.tf
@@ -49,7 +49,6 @@ module "schedules" {
   state_machine_arn     = module.nrds_orchestration.datastream_arn
 
   # EC2 config from orchestration
-  ec2_security_groups  = [module.nrds_orchestration.ec2_security_group_id]
   ec2_instance_profile = module.nrds_orchestration.ec2_instance_profile_name
 
   # Model AMI
diff --git a/infra/aws/terraform/services/nrds-routing-only/modules/schedules/main.tf b/infra/aws/terraform/services/nrds-routing-only/modules/schedules/main.tf
@@ -23,11 +23,6 @@ variable "state_machine_arn" {
 }
 
 # EC2 Configuration
-variable "ec2_security_groups" {
-  type        = list(string)
-  description = "Security group IDs for EC2 instances"
-}
-
 variable "ec2_instance_profile" {
   type        = string
   description = "IAM instance profile name for EC2"
diff --git a/infra/aws/terraform/services/nrds-routing-only/modules/schedules/schedules.tf b/infra/aws/terraform/services/nrds-routing-only/modules/schedules/schedules.tf
@@ -13,7 +13,6 @@ locals {
 
   # Common Routing-Only configuration
   routing_only_ami_id           = var.routing_only_ami_id
-  routing_only_security_groups  = jsonencode(var.ec2_security_groups)
   routing_only_instance_profile = var.ec2_instance_profile
 
   # Short range forecast config mapping
@@ -75,7 +74,6 @@ resource "aws_scheduler_schedule" "datastream_schedule_short_range_routing_only"
     nprocs             = each.value.nprocs
     ami_id             = local.routing_only_ami_id
     instance_type      = each.value.instance_type
-    security_group_ids = local.routing_only_security_groups
     instance_profile   = local.routing_only_instance_profile
     volume_size        = each.value.volume_size
     environment_suffix = var.environment_suffix
diff --git a/infra/aws/terraform/services/nrds-routing-only/modules/schedules/templates/execution_datastream_routing_only_VPU_template.json.tpl b/infra/aws/terraform/services/nrds-routing-only/modules/schedules/templates/execution_datastream_routing_only_VPU_template.json.tpl
@@ -13,7 +13,6 @@
   "instance_parameters": {
     "ImageId": "${ami_id}",
     "InstanceType": "${instance_type}",
-    "SecurityGroupIds": ${security_group_ids},
     "IamInstanceProfile": {
       "Name": "${instance_profile}"
     },
diff --git a/infra/aws/terraform/services/nrds-routing-only/outputs.tf b/infra/aws/terraform/services/nrds-routing-only/outputs.tf
@@ -4,11 +4,6 @@ output "datastream_arn" {
   description = "State machine ARN for the datastream workflow"
 }
 
-output "ec2_security_group_id" {
-  value       = module.nrds_orchestration.ec2_security_group_id
-  description = "Security group ID for EC2 instances"
-}
-
 output "lambda_role_arn" {
   value       = module.nrds_orchestration.lambda_role_arn
   description = "IAM role ARN used by Lambda functions"
