v0.7.0
I am trying to use the new TF import feature to import some Kubernetes resources. While importing a security group, the tf state file was updated as such:
"aws_security_group_rule.k8s-minion-1": {
    "type": "aws_security_group_rule",
    "primary": {
        "id": "sgrule-2890345480",
        "attributes": {
            "cidr_blocks.#": "1",
            "cidr_blocks.0": "10.200.0.0/16",
            "from_port": "0",
            "id": "sgrule-2890345480",
            "prefix_list_ids.#": "0",
            "protocol": "-1",
            "security_group_id": "sg-e1426f87",
            "self": "true",
            "source_security_group_id": "sg-e5426f83",
            "to_port": "0",
            "type": "ingress"
        },
        "meta": {
            "schema_version": "2"
        }
    },
    "provider": "aws"
},
I then created the following resource in my TF files:
# Written to match the imported state entry above: self, cidr_blocks and
# source_security_group_id all on one rule
resource "aws_security_group_rule" "k8s-minion-1" {
  security_group_id = "${aws_security_group.k8s-minion.id}"
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"                # all protocols / all ports
  self              = true                # traffic from the group itself
  cidr_blocks       = ["10.200.0.0/16"]   # traffic from the subnet
  source_security_group_id = "sg-e5426f83" # traffic from a secondary SG
}
This resource was generated via:
    terraform import aws_security_group.k8s-minion sg-e1426f87
I would expect to be able to create the TF resource via a tf file exactly as it appears from the output of import.
It is not possible to write a resource to match the generated resource. This is/was documented, stating you could not include both cidr/sourceSG in the same rule; however, that seems to be exactly what the import function is doing.
https://github.com/hashicorp/terraform/pull/6917
Create a security group with the following ingress via AWS Console:
- all traffic/ports for 'self'
- all traffic/ports on a subnet
- all traffic/ports from a secondary SG
Import this SG via TF import.
Attempt to match the generated resource in the tfstate file and properly plan/apply.
Edit: For the record this was easy enough to manually fix but I had to edit the SG to remove all rules then add AWS_SECURITY_GROUP_RULEs for self, cidr, and sourceSg.
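The manual fix described in the edit above (one rule per traffic source instead of the single combined rule import writes) can be automated from the flattened attribute map in the state file. This is an added example, not code from the issue or from Terraform; the sample attribute map is constructed from the state excerpt above, and the resource names and the `traffic_sources` / `split_rule` / `to_hcl` helpers are assumptions.

```python
"""Split an imported aws_security_group_rule into one rule per traffic source."""
from typing import Dict, List

# Constructed sample: the attribute map of the imported rule quoted in the issue.
IMPORTED_ATTRS: Dict[str, str] = {
    "cidr_blocks.#": "1", "cidr_blocks.0": "10.200.0.0/16",
    "from_port": "0", "to_port": "0", "protocol": "-1", "type": "ingress",
    "security_group_id": "sg-e1426f87", "self": "true",
    "source_security_group_id": "sg-e5426f83",
}

def flattened_list(attrs: Dict[str, str], prefix: str) -> List[str]:
    """Rebuild a list from Terraform's flattened '<prefix>.#' / '<prefix>.N' keys."""
    count = int(attrs.get(f"{prefix}.#", "0"))
    return [attrs[f"{prefix}.{i}"] for i in range(count)]

def traffic_sources(attrs: Dict[str, str]) -> Dict[str, object]:
    """Sources present on the rule: self, cidr_blocks, source_security_group_id."""
    sources: Dict[str, object] = {}
    if attrs.get("self") == "true":
        sources["self"] = True
    cidrs = flattened_list(attrs, "cidr_blocks")
    if cidrs:
        sources["cidr_blocks"] = cidrs
    src = attrs.get("source_security_group_id")
    # With self = true the provider mirrors the group's own id here; that is
    # the same source as 'self', not a separate one (assumption from the thread).
    if src and src != attrs.get("security_group_id"):
        sources["source_security_group_id"] = src
    return sources

def split_rule(attrs: Dict[str, str]) -> List[Dict[str, object]]:
    """One rule per source, each carrying the shared type/port/protocol fields."""
    base = {k: attrs[k] for k in ("type", "from_port", "to_port", "protocol")}
    return [dict(base, **{key: val}) for key, val in traffic_sources(attrs).items()]

def to_hcl(name: str, sg_ref: str, rules: List[Dict[str, object]]) -> str:
    """Render rules as aws_security_group_rule resources named name, name-1, ..."""
    blocks = []
    for i, rule in enumerate(rules):
        label = name if i == 0 else f"{name}-{i}"
        lines = [f'resource "aws_security_group_rule" "{label}" {{',
                 f'  security_group_id = "${{{sg_ref}.id}}"']
        for key, val in rule.items():
            if isinstance(val, list):
                val = "[" + ", ".join(f'"{v}"' for v in val) + "]"
            elif isinstance(val, bool):
                val = "true"
            elif key not in ("from_port", "to_port"):  # ports stay numeric
                val = f'"{val}"'
            lines.append(f"  {key} = {val}")
        blocks.append("\n".join(lines + ["}"]))
    return "\n\n".join(blocks)
```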
Terraform v0.7.1
I am running into this exact same error. I cannot replicate my SG rules because you cannot have self = true AND cidr blocks, yet that is EXACTLY what the import function is giving me.
resource "aws_security_group" "internal" {
  description = "internal access rules"
  tags {
    Name = "internal"
  }
}

# Ingress: all traffic from the internal subnets
#resource "aws_security_group_rule" "internal-allow-all-vpc" {
resource "aws_security_group_rule" "internal" {
  security_group_id = "${aws_security_group.internal.id}"
  type              = "ingress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["172.16.16.0/22", "172.16.8.0/22", "172.16.4.0/22"]
}

# Egress: all traffic to anywhere
#resource "aws_security_group_rule" "internal-allow-all-outgoing" {
resource "aws_security_group_rule" "internal-1" {
  security_group_id = "${aws_security_group.internal.id}"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}
Plan output:
-/+ aws_security_group_rule.internal
cidr_blocks.#: "3" => "3"
cidr_blocks.0: "172.16.16.0/22" => "172.16.16.0/22"
cidr_blocks.1: "172.16.8.0/22" => "172.16.8.0/22"
cidr_blocks.2: "172.16.4.0/22" => "172.16.4.0/22"
from_port: "0" => "0"
protocol: "-1" => "-1"
security_group_id: "sg-bb4055de" => "sg-bb4055de"
self: "true" => "false" (forces new resource)
source_security_group_id: "sg-bb4055de" => "<computed>"
to_port: "0" => "0"
type: "ingress" => "ingress"
However, if I try to match this by adding self=true:
Errors:
* aws_security_group_rule.internal: "self": conflicts with cidr_blocks ([]interface {}{"172.16.16.0/22", "172.16.8.0/22", "172.16.4.0/22"})
Compiled 07.3 with the following line commented out and, expectedly, I am able to import just fine and things match.
This bug still exists in terraform 0.7.11
This bug still exists in terraform 0.8.1.
The security group this is affecting is highly utilized, so I'd prefer not to have any removed then re-added due to this bug. Please fix soon!
Also exists on 0.8.4
Even having a rule with 1 IP and 1 SG is enough to reproduce this.
Please fix :-)
@brianbianco can you update your "workaround" (wherein you commented out a line in the TF code) to point to a commit hash instead of master? It seems to have gone out of date...
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.