
aws_security_group_rule creates then destroys an additional SG port on every second apply #12522

Closed
mperriere opened this issue Mar 8, 2017 · 2 comments

mperriere commented Mar 8, 2017

Terraform Version

Terraform v0.8.6

Affected Resource(s)

  • aws_security_group_rule
  • aws_security_group

Terraform Configuration Files

resource "aws_security_group" "elb_nge_wsexpinternal" {
  name        = "elb_wsexpinternal_sg-${data.consul_keys.ck.var.resource_customer}"
  description = "security group for internal ELB-WSEXP"
  vpc_id      = "${data.terraform_remote_state.network.aws_vpc_id}"

  ingress {
    from_port = "80"
    to_port   = "80"
    protocol  = "tcp"
    # allowed source SGs = all ASG SGs (except itself = tg32):
    security_groups = [
      "${module.asg_dmd_tg21.ec2_sg}",
      "${module.asg_dmd_tg22.ec2_sg}",
      "${module.asg_dmd_tg23.ec2_sg}",
      "${module.asg_dmd_tg24.ec2_sg}",
      "${module.asg_dmd_tg25.ec2_sg}",
      "${module.asg_meter_tg11.ec2_sg}",
      "${module.asg_meter_tg12.ec2_sg}",
      "${module.asg_meter_tg14.ec2_sg}",
      "${module.asg_meter_tg15.ec2_sg}",
      "${module.asg_meter_tg16.ec2_sg}",
      "${module.asg_service_tg31.ec2_sg}",
      "${module.asg_service_tg33.ec2_sg}",
      "${module.asg_service_tg34.ec2_sg}",
      "${module.asg_service_tg35.ec2_sg}"
    ]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    resource_name      = "wsexpinternal-${data.consul_keys.ck.var.resource_customer}"
    BillingBusinessApp = "${var.BillingBusinessApp}"
    resource-env       = "${data.consul_keys.ck.var.resource_env}"
    resource-layer     = "service"
    resource-name      = "${data.consul_keys.ck.var.resource_name}"
    resource-customer  = "${data.consul_keys.ck.var.resource_customer}"
  }
}

resource "aws_security_group_rule" "alb-sg-additionnal" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.elb_nge_wsexpinternal.id}"
  security_group_id        = "${module.asg_service_tg32.ec2_sg}"
}

Debug Output

terraform apply
-> add tcp 8080 to the existing security group elb_nge_wsexpinternal
[…]
terraform apply
-> remove tcp 8080 from the existing security group elb_nge_wsexpinternal
[…]
~ module.asg_service_tg32.aws_security_group.lc_ec2_sg
ingress.#: "2" => "1"
ingress.157001861.cidr_blocks.#: "0" => "0"
ingress.157001861.from_port: "8080" => "0"
ingress.157001861.protocol: "tcp" => ""
ingress.157001861.security_groups.#: "1" => "0"
ingress.157001861.security_groups.3563814243: "sg-339a8f55" => ""
ingress.157001861.self: "false" => "false"
ingress.157001861.to_port: "8080" => "0"
ingress.414090347.cidr_blocks.#: "0" => "0"
ingress.414090347.from_port: "8080" => "8080"
ingress.414090347.protocol: "tcp" => "tcp"
ingress.414090347.security_groups.#: "1" => "1"
ingress.414090347.security_groups.541904824: "sg-92576af4" => "sg-92576af4"
ingress.414090347.self: "false" => "false"
ingress.414090347.to_port: "8080" => "8080"

and so on.

Expected Behavior

By using a resource "aws_security_group_rule", we want to add a secondary ALB SG as a source on an already existing EC2 SG.
During the first apply, we add tcp 8080.
The next apply should do nothing.

Actual Behavior

First apply: add tcp 8080 with new ALB SG ID as source.
Second apply: removes it.
Third apply: add tcp 8080 with new ALB SG ID as source.
Fourth apply: removes it.

Steps to Reproduce

  1. terraform apply
  2. terraform apply
@mperriere (Author) commented:

Saw in issue #11011:
@aglover-zendesk This happens "by design"

and the doc update:
NOTE on Security Groups and Security Group Rules: Terraform currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

I'll try a different way :-)
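The flip-flop in the plan output above comes from two resources managing the same rule set: the root-level aws_security_group_rule adds the 8080 rule to the tg32 SG, and on the next apply the module's in-line ingress block (module.asg_service_tg32.aws_security_group.lc_ec2_sg, which the plan shows with ingress.# "2" => "1") removes it again because that rule is not part of its declared list. The configuration below is an added example, not code from the issue or from the module in question: it shows the layout the documentation note calls for, where no security group carries in-line rules and every rule is a standalone aws_security_group_rule, so the root-level rule survives a second apply. The module's inner rule (tcp 8080 from a var.elb_sg_id passed in by the caller) and the output name ec2_sg are assumptions that follow the names visible in the issue; the 0.8-era "${...}" interpolation syntax is kept.

```hcl
# --- inside the asg_service_tg32 module (assumed layout, not the issue's module code) ---

variable "elb_sg_id" {}   # assumed input: the ALB/ELB SG allowed to reach 8080
variable "vpc_id"    {}

# The SG itself declares NO ingress/egress blocks. With in-line rules removed,
# Terraform no longer reconciles this SG's rule list against state, so rules
# attached from elsewhere (the root module below) are left alone.
resource "aws_security_group" "lc_ec2_sg" {
  name        = "asg_service_tg32_ec2_sg"
  description = "EC2 security group for ASG service tg32"
  vpc_id      = "${var.vpc_id}"
}

# The rule that used to be in-line, now standalone.
resource "aws_security_group_rule" "lc_ec2_sg_8080_from_elb" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = "${var.elb_sg_id}"
  security_group_id        = "${aws_security_group.lc_ec2_sg.id}"
}

# Egress that would otherwise have been an in-line block (same 0.0.0.0/0 scope the
# issue uses for the ELB SG; tighten it if the workload allows).
resource "aws_security_group_rule" "lc_ec2_sg_egress_all" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.lc_ec2_sg.id}"
}

output "ec2_sg" {
  value = "${aws_security_group.lc_ec2_sg.id}"
}

# --- root module: the secondary ALB SG from the issue, unchanged in intent ---

# Because the module's SG has no in-line rules, this rule is the only resource
# that owns "8080 from elb_nge_wsexpinternal on tg32". Apply #2 plans no change.
resource "aws_security_group_rule" "alb-sg-additionnal" {
  type                     = "ingress"
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = "${aws_security_group.elb_nge_wsexpinternal.id}"
  security_group_id        = "${module.asg_service_tg32.ec2_sg}"
}
```

The same rule applies to elb_nge_wsexpinternal itself: its in-line ingress (port 80 from the fourteen ASG SGs) and egress blocks only stay safe as long as nothing else ever attaches a standalone rule to that SG. If a later change does, move those blocks to aws_security_group_rule resources as well, one per source SG, rather than mixing the two styles. A quick check after the migration is to run apply twice and confirm the second run reports no changes to any aws_security_group or aws_security_group_rule resource.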

@ghost

ghost commented Apr 14, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 14, 2020