_This issue was originally opened by @lra as hashicorp/terraform#13314. It was migrated here as part of the provider split. The original body of the issue is below._
Terraform v0.9.2
aws_security_group
```hcl
resource "aws_vpc" "test-vpc" {
  cidr_block           = "172.20.0.0/16"
  enable_classiclink   = true
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_security_group" "test-sg" {
  name   = "test-sg"
  vpc_id = "${aws_vpc.test-vpc.id}"

  egress {
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
When commenting out the egress rule, I expect terraform to delete the egress rule on apply.
When I comment out the egress rule, terraform applies no change.
1. `terraform apply`
2. `terraform apply`

I can taint the security group and apply.
The last comment on the original issue (https://github.com/hashicorp/terraform/issues/13314) included the following:
@deftflux's solution, however, does help solve the issue for users who have multiple remote statefiles, as it forces the user to contain all of their security group rules in a single resource. However, this doesn't solve the issue for users who still wish to create a single security group in one statefile, and separate rules in multiple different statefiles.
I would like to +1 the usefulness of containing all security group rules into a resource that would enforce something like "these rules, and only these rules" - we initially started to use Terraform specifically for this feature, which seemed to work when all the rules were inline. Turns out that it doesn't work, and moving rules to their own resources doesn't work either (because new rules created via GUI are not detected by terraform).
I've found a workaround; set egress = [] and the default rule will magically disappear after running terraform.
Is anyone who commented on the original (@grubernaut @apparentlymart @catsby) still looking into implementing this?
I'm looking for much the same as @yn-academia for infosec / audit compliance - I want to apply a set of ingress/egress rules and have them 100% clobber anything that's out there without having to manually taint every security group before applying them. For my case I will always have at least one ingress and one egress, so I will always have "something" to set the state explicitly, versus trying to apply an empty state.
I got surprised yesterday when one of my SGs was more permissive than it should be immediately after doing a full terraform apply. It had all of the TF rules, plus one that was applied by hand that I had expected to go away.
CC #1824 since @deftflux seems to be solving this as well?
@007 apart from the issue of "no egress" or "no ingress" not being applied without the = [] workaround mentioned above, TF does seem to remove manually added rules for me when the rules are managed inline in the aws_security_group resource. Are you using aws_security_group_rule?
Just want to bring this issue to your attention, @grubernaut @apparentlymart. Don't forget it please.
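As an added example (not from the thread or the provider), one way to catch the drift @007 describes before it reaches an audit: diff the inline rules declared in Terraform against the live group's `IpPermissions` as returned by `DescribeSecurityGroups`, treating protocol `-1` (the default allow-all egress rule the thread discusses) as `from_port = 0, to_port = 0`. All inputs are constructed inline; no AWS call is made.

```python
"""Audit check: report live security-group rules that Terraform does not
declare (hand-added or default rules) and declared rules that are missing.
Added example, not from the issue thread; inputs are constructed in the
shapes of Terraform inline rule blocks and the EC2 IpPermissions response."""

# Terraform-style declared egress (the thread's single mysql rule).
DECLARED_EGRESS = [
    {"from_port": 3306, "to_port": 3306, "protocol": "tcp",
     "cidr_blocks": ["0.0.0.0/0"]},
]

# Constructed sample of the live SG after apply: the declared rule, the
# default allow-all egress that was not removed, and a hand-added rule.
LIVE_EGRESS = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},  # constructed doc range
]


def normalize_declared(rules):
    # One (protocol, from, to, cidr) tuple per CIDR so multi-CIDR blocks
    # compare against the per-range entries the API returns.
    return {(r["protocol"], r["from_port"], r["to_port"], c)
            for r in rules for c in r["cidr_blocks"]}


def normalize_live(perms):
    out = set()
    for p in perms:
        # Protocol "-1" (all traffic) omits FromPort/ToPort in the API;
        # Terraform expresses the same rule as from_port = 0, to_port = 0.
        frm, to = p.get("FromPort", 0), p.get("ToPort", 0)
        for rng in p.get("IpRanges", []):
            out.add((p["IpProtocol"], frm, to, rng["CidrIp"]))
    return out


def audit(declared, live):
    """Return rules present only on the live SG and rules present only in code."""
    want, have = normalize_declared(declared), normalize_live(live)
    return {"unmanaged": sorted(have - want), "missing": sorted(want - have)}


if __name__ == "__main__":
    for kind, rules in audit(DECLARED_EGRESS, LIVE_EGRESS).items():
        for rule in rules:
            print(kind, rule)
```

Run against `egress = []` (an empty declared list) every live rule is reported as unmanaged, which is the "these rules, and only these rules" check the thread asks for.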