Terraform-provider-aws: aws_security_group_rule created intentionally and removed unintentionally

Created on 22 Mar 2018  ·  4 Comments  ·  Source: hashicorp/terraform-provider-aws

Terraform Version

Running command as: arn:aws:sts::292051043935:assumed-role/sudo_admin/[email protected]
Terraform v0.11.5
+ provider.aws v1.7.0
+ provider.mysql v1.0.1
+ provider.template v1.0.0
+ provider.terraform v1.0.2

Affected Resource(s)

  • aws_security_group_rule

Terraform Configuration Files

resource "aws_security_group" "aggregator-alb" {
  name = "${lower(var.product)}-${terraform.workspace}-${lower(var.env_name)}-aggregator-alb-sg"
  vpc_id      = "${local.vpc_id}"

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port = 80
    to_port = 80
    protocol = "tcp"
    security_groups = [
      "${aws_security_group.container_instance.id}"
    ]
  }

  # lifecycle {
  #   create_before_destroy = true
  # }
}


resource "aws_security_group" "container_instance" {
  name = "${lower(var.product)}-${terraform.workspace}-${lower(var.env_name)}-ecs-sg"
  description = "Managed by Terraform"
  vpc_id      = "${local.vpc_id}"

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["${local.mgmt_cidr}"]
  }
  ingress {
    from_port       = 32768
    to_port         = 65535
    protocol        = "tcp"
    security_groups = [
      # mgmt-coyote-alb is not shown in this issue; it is defined elsewhere in the reporter's configuration
      "${aws_security_group.mgmt-coyote-alb.id}"
    ]
  }
} # closing brace of aws_security_group.container_instance (missing from the posted snippet)

resource "aws_security_group_rule" "mgmt-aggregator-connection" {
  type                     = "ingress"
  from_port                = 32768
  to_port                  = 65535
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.container_instance.id}"
  # aggregator-coyote-alb is also defined elsewhere; note it is a different resource from aggregator-alb above
  source_security_group_id = "${aws_security_group.aggregator-coyote-alb.id}"

  # Redundant: the interpolation in security_group_id already creates this dependency
  depends_on = [
    "aws_security_group.container_instance"
  ]
}

Debug Output

https://gist.github.com/AkhterAli/121e77ff1bc13dee9778e5c1f1170a1d

Panic Output

Expected Behavior

I expected the state file to pick up and save the ingress rule from aws_security_group_rule.mgmt-aggregator-connection into aws_security_group.container_instance.

Actual Behavior

Every terraform plan shows that aws_security_group_rule.mgmt-aggregator-connection is either being added to or removed from aws_security_group.container_instance. We want it added and never removed.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan
  2. terraform apply
Labels: question, service/ec2

All 4 comments

Hi @AkhterAli 👋 Sorry for any confusion here. As noted at the top of the aws_security_group resource documentation:

NOTE on Security Groups and Security Group Rules: Terraform currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

You'll need to either exclusively use the aws_security_group resource to manage all rules of the security group or not define any ingress/egress configuration with the aws_security_group resource and instead use the aws_security_group_rule resources for all rules.
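The second option from the comment above, applied to the configuration in this issue, as an added example (this is not code from the issue or from the provider's documentation): aws_security_group.container_instance is stripped of every in-line ingress/egress block and each of its rules, including the one the reporter already had as a standalone resource, becomes an aws_security_group_rule. It assumes, as the original snippet does, that local.vpc_id, local.mgmt_cidr, var.product, var.env_name and the security groups aws_security_group.mgmt-coyote-alb and aws_security_group.aggregator-coyote-alb are defined elsewhere in the configuration. It is written in the Terraform 0.11 syntax the issue uses.

```hcl
# Added example, not from the issue. Assumes local.vpc_id, local.mgmt_cidr,
# var.product, var.env_name, aws_security_group.mgmt-coyote-alb and
# aws_security_group.aggregator-coyote-alb exist elsewhere in the configuration.

resource "aws_security_group" "container_instance" {
  name        = "${lower(var.product)}-${terraform.workspace}-${lower(var.env_name)}-ecs-sg"
  description = "Managed by Terraform"
  vpc_id      = "${local.vpc_id}"

  # Deliberately no ingress/egress blocks: mixing them with
  # aws_security_group_rule resources on the same group is what makes
  # successive plans add and remove the same rule.
}

# Egress carried over unchanged from the original in-line block. It allows all
# outbound traffic to any destination; restrict it if the instances do not need that.
resource "aws_security_group_rule" "container_instance_egress_all" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.container_instance.id}"
}

# SSH only from the management CIDR.
resource "aws_security_group_rule" "container_instance_ssh_mgmt" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["${local.mgmt_cidr}"]
  security_group_id = "${aws_security_group.container_instance.id}"
}

# ECS dynamic host port range, reachable only from the two ALB security groups.
resource "aws_security_group_rule" "container_instance_from_mgmt_alb" {
  type                     = "ingress"
  from_port                = 32768
  to_port                  = 65535
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.container_instance.id}"
  source_security_group_id = "${aws_security_group.mgmt-coyote-alb.id}"
}

# The reporter's original standalone rule, unchanged apart from dropping the
# redundant depends_on (the security_group_id interpolation already orders it).
resource "aws_security_group_rule" "mgmt-aggregator-connection" {
  type                     = "ingress"
  from_port                = 32768
  to_port                  = 65535
  protocol                 = "tcp"
  security_group_id        = "${aws_security_group.container_instance.id}"
  source_security_group_id = "${aws_security_group.aggregator-coyote-alb.id}"
}
```

The conflict is per security group, so aws_security_group.aggregator-alb, which no aws_security_group_rule targets, can keep its in-line blocks. Expect the first plan after this change to show the three former in-line rules leaving aws_security_group.container_instance and reappearing as aws_security_group_rule resources; run terraform plan again after that apply and it should report no changes, which is the check that the flip-flopping has stopped.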

@bflad Thanks, that clarifies things.

This is a really lame limitation. It seems like you are just using the same underlying API endpoint to add the rule; I was always under the impression your tool is smarter than that and is able to produce an aggregated state of the environment. Just pointing to documentation where you have written a lame excuse is terrible. You didn't even consider adding this as a feature?

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
