Creating Terraform security group rules for TCP and UDP is pretty straightforward, you just list the ports you want and you’re good.

from_port = 443
to_port = 443
protocol = "tcp"

Creating ICMP rules is way less straightforward

Suppose I want a rule to allow ping. What port does ping operate on? It doesn’t have one. So then you Google around a bunch and hopefully wind up here, because here’s how you allow ping:

from_port = 8
to_port = 0
protocol = "icmp"

Where did 0 and 8 come from there? I guess ping is type 8 in the ICMP RFC or something? I’ll leave any further ICMP minutiae to people who want to dig deeper into that, because I mostly just want my security group rules to work so I can move on with life.


I had already found the rule for ping on someone else’s blog, and then a couple days later I wanted a rule for “ALL” ICMP. I Googled around a bit and couldn’t find it, then eventually found that “ALL” ICMP is this:

from_port = -1
to_port = -1
protocol = "icmp"

So there you go, that’s how to do “ALL” icmp in Terraform.

The easy button for figuring out ICMP rules

Here’s how I found that rule on my own, which is how you can figure out the “port numbers” for any ICMP rule:

I just added the rule manually in the AWS console, then ran a describe-security-groups to get the API to tell me what numbers it was using. For those of you who don’t particularly care about the whole history of ICMP implementation, using the console and the CLI to get your “port numbers” is way easier than Googling around until you find someone else who created the same exact rule as you need.