Terraform-provider-aws: Terraform wants to change description even if it's not needed

Created on 1 Nov 2017 · 5 Comments · Source: hashicorp/terraform-provider-aws

_This issue was originally opened by @jensskott as hashicorp/terraform#16518. It was migrated here as a result of the provider split. The original body of the issue is below._


Terraform Version

Terraform v0.10.8
provider "aws" (1.2.0)

Terraform Configuration Files

resource "aws_security_group_rule" "allow_self_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"
  self      = true

  description       = "Access from within this SG"
  security_group_id = "${aws_security_group.instance_sg.id}"
}

# full access from the elb
resource "aws_security_group_rule" "allow_elb_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description              = "Access from ELBs"
  security_group_id        = "${aws_security_group.instance_sg.id}"
  source_security_group_id = "${aws_security_group.elb_sg.id}"
}

# access from office
resource "aws_security_group_rule" "allow_office_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description       = "Access from office public network"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.admin_cidr_ingress}"]
}

resource "aws_security_group_rule" "allow_office_local_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description       = "Access from office localnet"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.office_cidr}"]
}

resource "aws_security_group_rule" "allow_office_vpn_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description       = "Access from office VPN net"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.office_vpn_cidr}"]
}

# allow all outbound internet access
resource "aws_security_group_rule" "allow_outbound_tcp" {
  type      = "egress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description       = "Any destination"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["0.0.0.0/0"]
}

# full access from the sg itself
resource "aws_security_group_rule" "allow_self_udp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"
  self      = true

  description       = "Access from within this SG"
  security_group_id = "${aws_security_group.instance_sg.id}"
}

# full access from the elb
resource "aws_security_group_rule" "allow_elb_udp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description              = "Access from ELBs"
  security_group_id        = "${aws_security_group.instance_sg.id}"
  source_security_group_id = "${aws_security_group.elb_sg.id}"
}

# access from office
resource "aws_security_group_rule" "allow_office_udp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description       = "Access from office public network"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.admin_cidr_ingress}"]
}

resource "aws_security_group_rule" "allow_office_local_udp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description       = "Access from office localnet"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.office_cidr}"]
}

resource "aws_security_group_rule" "allow_office_vpn_udp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description       = "Access from office VPN net"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.office_vpn_cidr}"]
}

# allow all outbound internet access
resource "aws_security_group_rule" "allow_outbound_udp" {
  type      = "egress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description       = "Any destination"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["0.0.0.0/0"]
}

Expected Behavior

No changes. Infrastructure is up-to-date.

Actual Behavior

Apply

module.ecs.module.network.aws_security_group_rule.allow_office_udp: Modifying... (ID: sgrule-876667411)
  description: "Access from within this SG" => "Access from office public network"
module.ecs.module.network.aws_security_group_rule.allow_office_vpn_udp: Modifying... (ID: sgrule-551534353)
  description: "Access from within this SG" => "Access from office VPN net"
module.ecs.module.network.aws_security_group_rule.allow_office_local_tcp: Modifying... (ID: sgrule-3638646769)
  description: "Access from within this SG" => "Access from office localnet"
module.ecs.module.network.aws_security_group_rule.allow_office_tcp: Modifying... (ID: sgrule-2182054516)
  description: "Access from within this SG" => "Access from office public network"
module.ecs.module.network.aws_security_group_rule.allow_office_vpn_tcp: Modifying... (ID: sgrule-160621870)
  description: "Access from within this SG" => "Access from office VPN net"
module.ecs.module.network.aws_security_group_rule.allow_elb_udp: Modifying... (ID: sgrule-1681102072)
  description: "Access from within this SG" => "Access from ELBs"
module.ecs.module.network.aws_security_group_rule.allow_office_local_udp: Modifying... (ID: sgrule-1856911254)
  description: "Access from within this SG" => "Access from office localnet"
module.ecs.module.network.aws_security_group_rule.allow_elb_tcp: Modifying... (ID: sgrule-4037030785)
  description: "Access from within this SG" => "Access from ELBs"

Plan

Terraform will perform the following actions:

  ~ module.ecs.module.network.aws_security_group_rule.allow_elb_tcp
      description: "Access from within this SG" => "Access from ELBs"

  ~ module.ecs.module.network.aws_security_group_rule.allow_elb_udp
      description: "Access from within this SG" => "Access from ELBs"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_local_tcp
      description: "Access from within this SG" => "Access from office localnet"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_local_udp
      description: "Access from within this SG" => "Access from office localnet"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_tcp
      description: "Access from within this SG" => "Access from office public network"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_udp
      description: "Access from within this SG" => "Access from office public network"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_vpn_tcp
      description: "Access from within this SG" => "Access from office VPN net"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_vpn_udp
      description: "Access from within this SG" => "Access from office VPN net"

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. terraform plan

Am I missing something here or is this expected behavior from terraform in this case?

bug servicec2

All 5 comments

Running into this problem on aws provider 1.1.0 and 1.2.0. Workaround for now is to add a ignore_changes lifecycle on the description.
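
The workaround from the comment above, written out as an added example (this is not the commenter's or the provider's own code). It takes one of the rules from the issue body and adds the `lifecycle` block so that a description read back from AWS no longer produces a diff; the `ignore_changes = ["description"]` list-of-strings form is the syntax for the Terraform 0.10/0.11 releases named on this page (Terraform 0.12 and later write it as `[description]`, without quotes).

```hcl
# Same rule as in the issue body, with the workaround applied.
resource "aws_security_group_rule" "allow_elb_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description              = "Access from ELBs"
  security_group_id        = "${aws_security_group.instance_sg.id}"
  source_security_group_id = "${aws_security_group.elb_sg.id}"

  lifecycle {
    # Terraform still sets the description on create, but stops
    # comparing it on later plans, so the spurious
    #   description: "Access from within this SG" => "Access from ELBs"
    # change disappears. Only this attribute is ignored: drift in
    # ports, protocol, CIDR blocks or the source security group
    # is still detected and corrected as before.
    ignore_changes = ["description"]
  }
}
```

The trade-off is that a description edited by hand in the console will also no longer be reverted by Terraform. Since the description does not affect which traffic the rule permits, that is a small cost compared with ignoring a field that does; keep `ignore_changes` limited to `description` rather than widening it, and drop the block once a provider version that no longer shows the diff is in use (the maintainers report the problem is not reproducible on 1.24.0 later in this thread).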

It seems #1959 has fixed this.

I think @trung is correct. I'm also not able to reproduce this on 1.24.0.

There have been a few improvements to the rule gathering and description handling with security group rules. If you are still having issues on the latest version of Terraform and the AWS provider (0.11.7 and 1.24.0 as of this writing), please open a new issue with all the details of the issue template and we'll investigate further. Thanks!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
