-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
r/aws_security_group_rule create_before_destroy fails when changing CIDRs #25173
Comments
Linking hashicorp/terraform#2376 since it's mentioned in the output. |
This is a limitation, or feature (?), of the AWS API that doesn't allow duplicated entries + the fact that the resource Later on when trying to change that list something goes terribly wrong and either
I'd advise the following workaround
You might need to increase your account SG rule per SG attachments |
Relates #20104. |
The challenge working with the Attempts to use Create Before Destroy lifecycle management with this resource will frequently result in duplcate rule failures. The only generalization solution that I can think of is to have users create a single I am working to solve this at the module level by unpacking user provided rules such that the user can specify any permutation of rule argument groups in the Terraform while guaranteeing that |
I just released v2.0.0 of the terraform-aws-security-group-v2 module with support for what I call
The core module "unpack" {
source = "aidanmelen/security-group-v2/aws"
version = ">= 2.0.0"
rules = [
{
from_port = "443"
to_port = "443"
protocol = "tcp"
cidr_blocks = ["10.0.1.0/24", "10.0.2.0/24"]
ipv6_cidr_blocks = ["2001:db8::/64"]
prefix_list_ids = [data.aws_prefix_list.private_s3.id]
source_security_group_id = data.aws_security_group.default.id
self = true
description = "managed by Terraform"
}
]
}
# Outputs:
# rules = [
# {
# "cidr_blocks" = [
# "10.0.1.0/24",
# ]
# "description" = "managed by Terraform"
# "from_port" = "443"
# "protocol" = "tcp"
# "to_port" = "443"
# },
# {
# "cidr_blocks" = [
# "10.0.2.0/24",
# ]
# "description" = "managed by Terraform"
# "from_port" = "443"
# "protocol" = "tcp"
# "to_port" = "443"
# },
# {
# "description" = "managed by Terraform"
# "from_port" = "443"
# "ipv6_cidr_blocks" = [
# "2001:db8::/64",
# ]
# "protocol" = "tcp"
# "to_port" = "443"
# },
# {
# "description" = "managed by Terraform"
# "from_port" = "443"
# "prefix_list_ids" = [
# "pl-11111111",
# ]
# "protocol" = "tcp"
# "to_port" = "443"
# },
# {
# "description" = "managed by Terraform"
# "from_port" = "443"
# "protocol" = "tcp"
# "self" = true
# "to_port" = "443"
# },
# {
# "description" = "managed by Terraform"
# "from_port" = "443"
# "protocol" = "tcp"
# "source_security_group_id" = "sg-11111111"
# "to_port" = "443"
# },
# ] In this way each rule gets a dedicated Please see the Unpack Example for more information. |
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
Community Note
Terraform CLI and Terraform AWS Provider Version
Affected Resource(s)
Terraform Configuration Files
Click to reveal
Expected Behavior
I want to use
create_before_destroy = true
for Security Group Rules so that I can avoid the service interruption that comes when existing rules are destroyed before the new rules are created. I expect the provider to be smart enough to avoid trying to create an existing rule.Actual Behavior
Whenever an CIDR is added or removed from a rule, the apply fails if an existing CIDR is retained.
Unlike with other, similar issues (see References below), in this case the change is not actually made.
Steps to Reproduce
terraform apply -auto-approve
terraform apply -auto-approve -var other_vpc_allowed=true # error
terraform apply -auto-approve -var ipv6_allowed=true # error
terraform destroy
terraform apply -auto-approve -var other_vpc_allowed=true
terraform apply -auto-approve # error
References
Similar to, but different from these other issues. Different because in this case the rules are not properly updated and there is no good workaround. The only fix that does not cause a service interruption is to add the new rule manually.
The text was updated successfully, but these errors were encountered: