-
Notifications
You must be signed in to change notification settings - Fork 9.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws_security_group: Deletes and recreates all group rules on changes #2382
Comments
This caused an outage for us yesterday. We had a long list of IP blocks to whitelist and there was a duplicate IP in the list. Terraform happily dropped all of the entries from the Security Group, but then bailed on recreating all of the entries because the API threw an error about the duplicate entry. The Security Group was empty while we scrambled to look up what the function to remove duplicate entries from a list or spot the offending duplicated entry. For this case, and I suppose going forward, we are going to |
I have noticed the same behaviour. Although the Revoke/Authorize is quick, it does leave a small period where a security group ruleset has no CIDR block associated with it. Agree with @stmarier that a better approach would be to determine the differences between security group rules in current and desired state and either add or remove the differences, not remove all rules from current state and add all rules required for desired. A workaround for the moment is to make the security group changes in the AWS console, then write Terraform config to match. |
This causes the output from |
In #4726, which has been merged into master, the |
This has been released in version 1.27.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. |
I'm pretty sure it's still broken. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Terraform Version
2017/11/20 11:54:47 [INFO] Terraform version: 0.10.8
terraform-provider-aws_v0.1.4_x4
Affected Resource(s)
aws_security_group
Terraform Configuration Files
Unnecessary?
Debug Output
Here are the important parts:
Expected Behavior
Terraform should not delete every rule from a security group when the difference between desired state and actual state is only additive.
Actual Behavior
Terraform deletes and then recreates all configured rules on a security group when adding new rules.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
1.1.1.1/32
to the cidr_blocks listImportant Factoids
The important security group on our end controls access to a critical database. We cannot, in good conscience, embrace a tool that deletes rules from this security group every time we want to make a change.
There's a comment about this in resource_aws_security_group.go:
We have processes that monitor the state of these critical resources as part of various compliance controls, and having to explain the appearance of
RevokeSecurityGroupIngress
in our cloudtrail logs referencing these critical resources is not pleasant.Given what happens here under the hood, I'm surprised this isn't mentioned in the documentation. If this were better communicated, we probably would have avoided this gotcha entirely by only ever using the
aws_security_group_rule
resource.So, 2 feature requests:
The documentation should probably be updated to note the fact that, while temporary, every configured security group rule is deleted from this security group during every rule change.
It would be cool if Terraform could determine what operations need to happen here. The comment in the resource code seems a little naive (please correct me if I'm wrong) -- I don't feel like we need to choose between "add before remove" and "remove before add", shouldn't we be able to get the difference between
current
anddesired
and make changes based on that? If there is some fundamental problem, prioritizing the aforementioned "complicated unrolling" would be greatly appreciated.The text was updated successfully, but these errors were encountered: