Security Group Updates are Broken.

[alexandros-genies]

Description

Due to the lifecycle rule of create_before_destroy, updating the inbound security group rules is extremely unstable. Somertimes, the apply goes through and changes are reflected. Other times, the apply errors out on "duplicate security groups" and the state file gets corrupted (the ingress and egress resources are removed from the state file).

Versions

• Module version [Required]: 7.2.2

• Terraform version: 1.2.4

• Provider version(s): ">= 4.5"

Reproduction Code [Required]

Steps to reproduce the behavior:

1. Create a postgres RDS aurora instance
2. Change the inbound security group rule via the allowed_cidr_blocks variable.
3. Change the inbound security group rule again after step 2.
4. View the state file, the ingress and egress resources are gone, and the apply from step 3 should error out

This sometimes works, sometimes doesn't, due to the unstable nature of "create_before_destroy"

What is the reason to use "create_before_destroy" for the security group? AFAIK aren't the updates made inplace anyways?

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[jpriebe]

@alexandros-genies - I'm a little unclear about your steps 2 and 3; it sounds like you're talking about making one change, applying, then making another change, and applying.

I see the duplicate rule problem with just a single change to the allowed_cidr_blocks list.

Plan:

  # module.vpc-tenant[0].module.aurora.module.cluster-primary.aws_security_group_rule.cidr_ingress[0] must be replaced
+/- resource "aws_security_group_rule" "cidr_ingress" {
      ~ cidr_blocks              = [ # forces replacement
            # (1 unchanged element hidden)
            "10.212.32.0/20",
          - "10.212.8.0/22",
            "10.212.48.0/20",
            # (15 unchanged elements hidden)
        ]
      ~ id                       = "sgrule-2304924885" -> (known after apply)
      + security_group_rule_id   = (known after apply)
      + source_security_group_id = (known after apply)
        # (7 unchanged attributes hidden)
    }

Apply:

Error: [WARN] A duplicate Security Group rule was found on (sg-0200d25e93a96964b)

I believe this is the same issue that the eks module has:

terraform-aws-modules/terraform-aws-eks#984

the fix seems to be creating a separate rule for each CIDR block in the allowed_cidr_blocks list. Maybe the same fix would help the rds-aurora module?

[jpriebe]

Looks like somebody has already thought of this, based on the comment in the code here:

https://github.com/terraform-aws-modules/terraform-aws-rds-aurora/blob/master/main.tf#L348

[alexandros-genies]

@jpriebe Yes! that's exactly it.

If you apply a change to a security group ingress rule, and change the rule afterwards to apply again, you'll (sometimes) run into the duplicate security group rule issue.

That's good to see there is a todo to fix this issue.

[bryantbiggs]

this will be resolved soon in #335

[jpriebe]

So our solution was to apply the CIDR range security group rules outside of the module. The module outputs the security group ID, so you can put your own rules in CIDR by CIDR.

I converted the list to a map, so that order is not important, otherwise you will have large numbers of rules being rewritten if you reorder the list in any way.

[that-kampe-steak]

Is this likely to get released soon? Seems work is done but release is halted on another feature.