Recreate "Security Group Rule" each time I execute "terraform apply/plan" #11011
Seeing the same behavior on Terraform 0.8.5 & 0.8.7, where a security group resource is defined in a module and references to the security group from a security group rule cause a cyclical create (security group rule)/change (security group) state. Might have to wait until this approach can persist being modularized. My code is almost exactly what @AdimUser described.
Hi @AdimUser, thanks for the issue! Would you be able to clarify for me if you are specifying For example, the following pseudo-config will reproduce the error you're seeing:
This is a known issue, as the Does this match what you have in your configuration, or does the source security group not include any inline
Also seeing this behavior on Terraform v0.8.6. I have a module for creating an RDS cluster and two security groups that should be used by the RDS cluster. Each of my security groups is defined with an aws_security_group resource and an aws_security_group_rule resource, like this:
When I run apply, it strips all of the ingress rules. The next time I run apply, it adds them all back. Unfortunately, since I have two security groups, they are staggered, so TF is always stripping ingress rules from one SG and re-adding them to the other SG. In other words, I can't get to the desired state of having both SGs populated with their ingress rules. Example output (subnets replaced with 'dummy' values):
Just re-read your comment @grubernaut, looks like I fall squarely into the known issue space. What's the suggested workaround/solution? Don't use aws_security_group_rule resources for the time being?
@aglover-zendesk This happens "by design". At some point in the future we may look into allowing all of the The main purpose of designing the The best solution is to either define all of a security group's rules inline, or none of the security group's rules inline. It's when a user defines both that the mismatch occurs, as the inline rules are parsed as "definitive" and attempt to overwrite the individually defined security group rules. Hopefully this answers your question, happy to discuss further though!
Hey @grubernaut, thanks, that does make sense. I see you already have a warning/notice at the top of the aws_security_group page in the docs too, so that's on me. Thanks for the quick answer.
Hello all, going to close this for now, more than happy to discuss further if the issue persists. Thanks!
…itions this change takes guidance from Terraform's behavior explained here: hashicorp/terraform#11011 [#147690737]
Thanks for your notes on this. The design does make sense. I feel the user experience could be improved with a meaningful error though. If an
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
When I execute terraform apply or plan without making any changes to any Terraform scripts, Terraform is going to add the same security group rules again and again.
Let me describe my Terraform scripts. I have designed my Terraform scripts as modules: the security group is a module and the security group rule is also a module.
++++++++++++++++Main.tf++++++++++++++++++++++++++++++++++++++++++++++++++
module "application_sg" {
  source              = "modules/securitygroups"
  security_group_name = "Application Security Group"
  vpc_id              = "${module.vpc.vpc_id}"
}

module "rule2" {
  source            = "modules/securitygroups/rules"
  type              = "ingress"
  from_port         = 8080
  to_port           = 8080
  protocol          = "tcp"
  cidr_blocks       = ["20.0.1.0/24"]
  security_group_id = "${module.application_sg.security_group}"
}

module "rule3" {
  source            = "modules/securitygroups/rules"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["20.0.1.0/24"]
  security_group_id = "${module.application_sg.security_group}"
}
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Let's say I am executing these scripts again and again using terraform plan.
This is the output I am getting. See how it tries to add a rule which already exists.
~ module.application_sg.aws_security_group.security_group
ingress.#: "3" => "1"
ingress.2358522502.cidr_blocks.#: "1" => "0"
ingress.2358522502.cidr_blocks.0: "20.0.1.0/24" => ""
ingress.2358522502.from_port: "443" => "0"
ingress.2358522502.protocol: "tcp" => ""
ingress.2358522502.security_groups.#: "0" => "0"
ingress.2358522502.self: "false" => "false"
ingress.2358522502.to_port: "443" => "0"
ingress.3250959853.cidr_blocks.#: "1" => "0"
ingress.3250959853.cidr_blocks.0: "20.0.1.0/24" => ""
ingress.3250959853.from_port: "8080" => "0"
ingress.3250959853.protocol: "tcp" => ""
ingress.3250959853.security_groups.#: "0" => "0"
ingress.3250959853.self: "false" => "false"
ingress.3250959853.to_port: "8080" => "0"
ingress.753360330.cidr_blocks.#: "0" => "0"
ingress.753360330.from_port: "0" => "0"
ingress.753360330.protocol: "-1" => "-1"
ingress.753360330.security_groups.#: "0" => "0"
ingress.753360330.self: "true" => "true"
ingress.753360330.to_port: "0" => "0"
cidr_blocks.#: "1"
cidr_blocks.0: "20.0.1.0/24"
from_port: "80"
protocol: "tcp"
security_group_id: "sg-17c13770"
self: "false"
source_security_group_id: ""
to_port: "80"
type: "ingress"
==============================================================================
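The maintainer's explanation above (inline rules are treated as the definitive set and overwrite separately defined aws_security_group_rule resources) fits the plan output in this report: the inline self-referencing rule (ingress.753360330, protocol -1, self = true) survives while the two standalone rules are planned for removal. The issue's own modules/securitygroups module is not shown, so the following is an added example, not code from the issue author or from Terraform: a stand-in for that module written in the Terraform 0.8 syntax of the thread, in the conflicting form and then in the form the maintainers recommend. Module paths, variable names and the resource names are assumptions. The two versions are alternative contents of the same file and are not meant to be loaded together.

```hcl
# Added example (not the issue author's or the maintainers' code).
# Both versions assume the root Main.tf from the issue is unchanged: it
# creates "aws_security_group_rule" resources through the
# modules/securitygroups/rules module and attaches them to the id exported
# by this module as "security_group".

variable "security_group_name" {}
variable "vpc_id" {}

# ---------------------------------------------------------------------------
# Version A: modules/securitygroups/main.tf, conflicting form.
# The inline "ingress" block makes Terraform treat the inline set as the
# complete, authoritative rule list for this group. The rules created by
# the standalone aws_security_group_rule resources in the root module are
# then read back as drift, so every plan wants to delete them
# (ingress.#: "3" => "1" in the plan above) while the standalone resources
# want to recreate them. In practice each apply really removes the rules
# from the live group and the next apply adds them back, so the group's
# effective ingress toggles between runs.
# ---------------------------------------------------------------------------
resource "aws_security_group" "security_group_mixed" {
  name   = "${var.security_group_name}"
  vpc_id = "${var.vpc_id}"

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }
}

# ---------------------------------------------------------------------------
# Version B: modules/securitygroups/main.tf, recommended form.
# No inline ingress/egress blocks at all: every rule, including the
# self-referencing one that was inline above, lives in its own
# aws_security_group_rule resource. Terraform then never compares an inline
# set against rules created elsewhere, and a second "terraform plan" with no
# configuration changes reports nothing to do.
# ---------------------------------------------------------------------------
resource "aws_security_group" "security_group" {
  name   = "${var.security_group_name}"
  vpc_id = "${var.vpc_id}"
}

resource "aws_security_group_rule" "allow_self" {
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  self              = true
  security_group_id = "${aws_security_group.security_group.id}"
}

# Exported id consumed by the root module's rule2/rule3 modules.
output "security_group" {
  value = "${aws_security_group.security_group.id}"
}
```

A quick check after adopting Version B: run terraform plan twice without touching the configuration. The second plan should be empty. A plan that alternates between adding and removing the same rules on successive runs is the signature of a group that still mixes an inline ingress or egress block with standalone aws_security_group_rule resources, and it is worth treating as a real finding rather than noise, because the rules are being removed from the live security group on every other apply.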