Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Group vs Rule requires apply to be run twice #10095

Closed
atz opened this issue Sep 12, 2019 · 2 comments · Fixed by #12616
Closed

Security Group vs Rule requires apply to be run twice #10095

atz opened this issue Sep 12, 2019 · 2 comments · Fixed by #12616
Assignees
@anGie44
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
Milestone
v3.0.0

Comments

@atz
Copy link
Contributor

atz commented Sep 12, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

After terraform import of a Security Group, both the aws_security_group and associated aws_security_group_rule resources are added to the state file, as noted in other issues.

Apparently there is no way to import a SG to HCL with inline ingress/egress blocks without (at least temporarily) destroying the rules and running terraform apply twice. That is an unacceptable tradeoff, since it imposes downtime on infrastructure, breaks CD, etc.

If SG import requires atomic aws_security_group_rule resources, that requirement should be more explicitly documented.

Terraform Version

  • Terraform v0.12.8
  • provider.aws v2.22.0

Affected Resource(s)

Terraform Configuration Files

resource "aws_security_group" "mygroup" {
  name = "mygroup"
  ingress {...}
  egress {...}
   ...
 }

Expected Behavior

terraform import aws_security_group... should allow targeting inline ingress/egress blocks without requiring downtime and multiple applies.

After the first successful terraform apply, with no changes, terraform plan should show no pending changes.

Actual Behavior

After apply succeeds, plan shows that ingress and egress blocks need to be created. (Indeed, in console the ingress/egress rules of the SG have been destroyed.) The point is, between the first apply and the next, no code or infrastructure has changed. This is the definition of when plan/apply should be clean.

Steps to Reproduce

  1. add resource "aws_security_group" "mygroup" {...} in tf file (but not rules)
  2. terraform import aws_security_group.mygroup sg-123456
  3. terraform apply
  4. terraform apply (again)

References

See:
@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Sep 12, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 12, 2019
@bflad bflad added breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. technical-debt Addresses areas of the codebase that need refactoring or redesign. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 13, 2019
@bflad bflad added this to the v3.0.0 milestone Sep 13, 2019
@bflad bflad added bug Addresses a defect in current functionality. and removed breaking-change Introduces a breaking change in current functionality; usually deferred to the next major release. technical-debt Addresses areas of the codebase that need refactoring or redesign. labels Sep 13, 2019
@breathingdust breathingdust mentioned this issue May 20, 2020
Closed
@vchawla3 vchawla3 mentioned this issue May 28, 2020
Closed
@anGie44 anGie44 linked a pull request Jul 10, 2020 that will close this issue
Do not import aws_security_group_rule for associated rules during aws_security_group import #12616
Merged
@ghost
Copy link

ghost commented Jul 31, 2020

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@ghost
Copy link

ghost commented Aug 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 15, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@anGie44 anGie44

Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
Projects
None yet
Milestone
v3.0.0
3 participants
@atz @bflad @anGie44