Setting security groups ingress protocol to "ALL" (-1) results in reapplication #1177
Comments
any love for this one?
FWIW, I can also replicate this with:
Applying that results in this message each time:
+1 on ingress rules
@tysontate is that the same issue? The OP is regarding ingress rules.
The main issue I'm seeing here is using Reading the docs here: Using the "ALL" protocol option then opens all ports, so our state file gets a to and from port of
The
Which makes sense, because AWS automatically adds an
I'm trying to build a fix for the
Thanks @ctiwald
There are two classes of problem here: When passing "-1" to AWS, it drops the port declarations on the floor, meaning the Read result will never match the configuration. I have a fix for that. There's another problem on egress: that default ALL 0.0.0.0/0 rule forces a new hash on read, which the config won't necessarily have locally. I'm not quite sure how to solve that, but #1765 should fix it if it's merged.
The original issue reported here, with The
has also been resolved. Thanks!
Hi all, is there any way of auto-remediation of ports? For example, if I am the admin and I open a few ports according to my needs, and then someone else gets my account credentials and tries to change the ports, which I don't want anyone to do, is there any way that if someone tries to change the ports or source, either he is not able to do so or it automatically rolls back?
@pratibhadeepti that's a great question, but more of a security/process issue. One thing you can do is run terraform regularly to bring your configurations back in line, though if someone got ahold of your account credentials you will have much bigger issues than just validating ports. HashiCorp just published a blog post that talks about this topic:
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
An example ingress rule:
This will apply successfully, and create the rule with ALL protocols as per AWS abilities.
However, when the next terraform plan is created, it wants to change the value:
Interestingly, if you only have one such ALL/ALL rule, this doesn't happen. Add a second, and it happens each time.
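A worked configuration for the behaviour described in this issue. This is an added example, not the reporter's config or the provider's code; the resource names, VPC ID and CIDR ranges are placeholders. EC2 ignores the port bounds on a rule whose protocol is "-1" (all) and reports the rule back with both ports as 0, so a rule declared with any other range is rewritten on every plan. Declaring 0/0 makes the configuration match what the API returns, and later versions of the provider reject any other port values for protocol "-1". The egress block restates the allow-all rule AWS attaches to every new group, so that rule is owned by Terraform instead of surfacing as a hash the local config never had.

```hcl
# Added example, not from the original issue. Names, vpc_id and CIDRs are placeholders.

# Drifts on every plan: the API discards from_port/to_port for protocol "-1"
# and returns 0/0, which never matches the 0-65535 declared here.
resource "aws_security_group" "drifting" {
  name        = "drifting-all-protocol"
  description = "allow everything from the office range (example)"
  vpc_id      = "vpc-00000000" # placeholder

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "-1"
    cidr_blocks = ["203.0.113.0/24"] # placeholder (documentation range)
  }
}

# Stable: ports declared as 0/0 match what EC2 stores for an all-protocol rule,
# and the default egress rule AWS creates is declared explicitly so a plan
# after apply shows no changes.
resource "aws_security_group" "stable" {
  name        = "stable-all-protocol"
  description = "allow everything from the office range (example)"
  vpc_id      = "vpc-00000000" # placeholder

  # Note: protocol "-1" opens every port on every protocol from the source
  # range. A narrower rule (for example tcp 443 below) carries no such quirk
  # and is usually what you actually want.
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["203.0.113.0/24"] # placeholder (documentation range)
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["198.51.100.0/24"] # placeholder (documentation range)
  }

  # Mirrors the default egress rule AWS adds to a new group.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

After `terraform apply`, running `terraform plan` a second time on the `stable` group should report no changes; if it still proposes to rewrite an ingress block, compare the ports and protocol in the plan output against the 0/0 and "-1" pairing above.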