Terraform Version
We're using 0.8.8, but the behavior is identical in 0.9.3/0.9.4
Affected Resource(s)
resource.aws_security_group and resource.aws_security_group_rule
Terraform Configuration Files
TF file representing an existing AWS security group:
```hcl
resource "aws_security_group" "prod_stuffs" {
  vpc_id      = "${var.aws_vpc}"
  name        = "Security Group for Production Stuff"
  description = "Allows access to stuff"

  tags {
    Terraform = "true"
  }
}

# No Egress rules are necessary since these are added to existing nodes
resource "aws_security_group_rule" "stuff_allow_tcp" {
  type              = "ingress"
  from_port         = 12345
  to_port           = 12345
  protocol          = "tcp"
  cidr_blocks       = "${list(lookup(var.subnets_cidrs, "yellow"))}"
  security_group_id = "${aws_security_group.prod_stuffs.id}"
}
```
I'd like to add a new rule, so I appended the following to the end of the above file:
Expected Behavior
We manually added the above rule (as well as an egress rule that allows all traffic).
Because of already reported issues with TF and AWS security groups (and the fact that we've been bitten hard by these bugs in the last few months), we will NOT use TF to modify either security groups and rules nor apply security groups to resources, which leaves our instances unable to communicate and our services failing.
Therefore, we added our new rule manually via the AWS CLI. However, there is no way to associate the newly added rule with TF. TF knows the new rules exist, but it neither reports that the security group is out of sync with TF, nor do I know how to associate the above rule with the existing SG.
Steps to Reproduce
1. Create the security group using Terraform.
2. Realize that the security group needs new rules.
3. Manually add the new rule to the existing SG using the AWS CLI.
4. Edit the TF file that was used to create the SG by adding a new rule, and attempt to associate the newly added resource.aws_security_group_rule with the AWS rule.
In addition, we have new rules in place on the security group, and I would have expected TF to complain about existing rules that should be removed, as they are not represented in the definition files provided to Terraform.
Note, here is the (redacted) output of the terraform state, which shows both the existing and new rules, of which only one matches the TF files.
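The out-of-band rules described above (a second ingress rule and an allow-all egress rule added with the AWS CLI) are exactly what a drift check should surface, since Terraform of this era does not report them. The script below is an added example, not code from this issue, from Terraform or from the AWS provider. It takes the JSON shape returned by `aws ec2 describe-security-groups`, flattens each IP-range permission into a rule tuple normalized to Terraform's representation (protocol `-1` with ports 0/0 for "all traffic"), and compares that set with the rules Terraform manages. Both inputs are constructed sample data: `DESCRIBE_OUTPUT` mimics the CLI output and `MANAGED_RULES` stands in for the `aws_security_group_rule` resources held in state; the group id and CIDRs are placeholders.

```python
"""Drift check for an AWS security group.

Added example for this issue, not Terraform's or the AWS provider's code.
Both inputs below are constructed sample data: DESCRIBE_OUTPUT mimics the
shape of `aws ec2 describe-security-groups --group-ids <id>`, and
MANAGED_RULES stands in for the aws_security_group_rule resources that
Terraform holds in its state. The group id and CIDRs are placeholders.
"""
from __future__ import annotations

from typing import NamedTuple


class Rule(NamedTuple):
    direction: str  # "ingress" or "egress"
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: int
    to_port: int
    cidr: str


# Constructed sample: what the AWS CLI would report after two rules were
# added by hand (a second ingress rule and an allow-all egress rule).
DESCRIBE_OUTPUT = {
    "SecurityGroups": [
        {
            "GroupId": "sg-PLACEHOLDER",
            "GroupName": "Security Group for Production Stuff",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 12345, "ToPort": 12345,
                 "IpRanges": [{"CidrIp": "10.1.0.0/24"}]},
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "10.2.0.0/24"}]},
            ],
            # Protocol "-1" means all traffic; the API omits FromPort/ToPort.
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            ],
        }
    ]
}

# Constructed sample: the single rule Terraform manages (mirrors stuff_allow_tcp).
MANAGED_RULES = [
    {"type": "ingress", "protocol": "tcp", "from_port": 12345, "to_port": 12345,
     "cidr_blocks": ["10.1.0.0/24"]},
]


def rules_from_describe(doc: dict) -> set[Rule]:
    """Flatten describe-security-groups output into one Rule per CIDR."""
    rules: set[Rule] = set()
    for sg in doc["SecurityGroups"]:
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                proto = perm["IpProtocol"]
                # Terraform expresses "all traffic" as protocol -1 with ports 0/0,
                # so normalize the API's missing port fields to that form.
                from_port = perm.get("FromPort", 0) if proto != "-1" else 0
                to_port = perm.get("ToPort", 0) if proto != "-1" else 0
                for ip_range in perm.get("IpRanges", []):
                    rules.add(Rule(direction, proto, from_port, to_port, ip_range["CidrIp"]))
    return rules


def rules_from_terraform(managed: list[dict]) -> set[Rule]:
    """Expand aws_security_group_rule-style entries into one Rule per cidr_block."""
    return {
        Rule(r["type"], r["protocol"], r["from_port"], r["to_port"], cidr)
        for r in managed
        for cidr in r["cidr_blocks"]
    }


def drift(actual: set[Rule], managed: set[Rule]) -> dict[str, list[Rule]]:
    """Rules present in AWS but not in Terraform, and vice versa."""
    return {
        "unmanaged": sorted(actual - managed),  # added out of band
        "missing": sorted(managed - actual),    # in state, no longer in AWS
    }


def report(doc: dict = DESCRIBE_OUTPUT,
           managed: list[dict] = MANAGED_RULES) -> dict[str, list[Rule]]:
    """Run the comparison on the sample data (or on real inputs passed in)."""
    return drift(rules_from_describe(doc), rules_from_terraform(managed))


if __name__ == "__main__":
    for kind, rules in report().items():
        print(f"{kind}: {len(rules)}")
        for rule in rules:
            print(f"  {rule.direction:7} {rule.protocol:4} "
                  f"{rule.from_port}-{rule.to_port} {rule.cidr}")
```

Run against the sample data, the check flags both hand-added rules as unmanaged and nothing as missing. Only `IpRanges` entries are compared; rules that reference another security group (`UserIdGroupPairs`) or IPv6 ranges would need the same flattening with a different identifier in the `cidr` slot.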
References
#11011
#12252 - We've switched to using separate aws_security_group and aws_security_group_rule for both documentation purposes, and because of this.
#13314
#13827
My pull request #14332 would improve this. Using a single aws_security_group_rules resource to define all rules will make Terraform manage all the rules within a security group (like inline rules in aws_security_group) but still allow two security groups to refer to each other in their rules without creating a circular dependency (like when using aws_security_group_rule).
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
ghost locked and limited conversation to collaborators on Apr 9, 2020