"Know ahead of time" that create_before_destroy won't work in certain situations (Feature request) #6812

Closed
cjcjameson opened this issue Dec 12, 2018 · 6 comments
Labels
service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@cjcjameson
Terraform Version

$ terraform version
Terraform v0.11.10
+ provider.aws v1.51.0

Affected Resource(s)

  • aws_security_group

Terraform Configuration Files

resource "aws_security_group" "sg-elsrc" {
  name        = "nlp-dev-poc-sg-elsrc"
  vpc_id      = "${data.terraform_remote_state.vpc.private_vpc_id_us-west-2_0}"
  # the git diff is that I used to have `description = "foo bar"` here

  ingress {
    from_port   = 9210
    to_port     = 9210
    protocol    = "tcp"
    cidr_blocks = ["${data.aws_subnet.it_vpc_subnet.cidr_block}"]
  }

  ingress {
    from_port   = 9211
    to_port     = 9211
    protocol    = "tcp"
    cidr_blocks = ["${data.aws_subnet.it_vpc_subnet.cidr_block}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = 1
    ignore_changes        = ["tags.Creator"]
  }
}

Debug Output

https://gist.github.com/cjcjameson/b430e1b7fc4a196538831a5d40eb7567

Expected Behavior

terraform plan plans for a destruction and recreation. Although it is annoying that changing a security group's description means you have to recreate it, that is consistent with the explanation given in the docs and in AWS CloudFormation.

The security group should have been destroyed, and then a new security group created.

Actual Behavior

Terraform tried to create the security group first, but because the name is the same as it was before (only the description had changed)

The code at https://github.com/terraform-providers/terraform-provider-aws/blob/dacf0b4c8a8bd4b6d4fd1b6aa5618f72939121a7/aws/resource_aws_security_group.go#L58-L64 is correct, it seems. So maybe it's a graph issue?

Steps to Reproduce

  1. Config up a security group with a description
  2. terraform apply
  3. Change the config, only changing the description
  4. terraform apply

Important Factoids

  • I also renamed the filename (on my macOS filesystem) of the Terraform file in the meantime
  • I'm on Mojave
  • I had also been doing Elasticsearch domain provisioning, but this bug reproduced even when I isolated the security group change only

@bflad
Contributor

bflad commented Dec 12, 2018

Hi @cjcjameson 👋 Your Terraform configuration has the following:

  lifecycle {
    create_before_destroy = 1
    ignore_changes        = ["tags.Creator"]
  }

The documentation for create_before_destroy can be found here: https://www.terraform.io/docs/configuration/resources.html#create_before_destroy

Since the resource is explicitly configured to create before destroy, you will need to remove that lifecycle configuration to change the graph ordering or consider one of the following which are compatible with create_before_destroy:

  • Switching the aws_security_group resource to use the name_prefix argument (Terraform will assign a random suffix)
  • Removing the name argument altogether (Terraform will assign a random name)

Hope this helps.
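
The name_prefix variant bflad describes, as an added example that is not part of the original thread: the resource and data source names are taken from the issue's config, while the description value and the trailing hyphen in the prefix are assumed.

```hcl
# Added example (not from the issue). With a fixed `name`, create_before_destroy
# fails because the replacement group would be created while the old group of
# the same name still exists in the VPC. `name_prefix` makes Terraform append a
# random suffix, so the new group gets a unique name, dependents are repointed
# to it, and only then is the old group destroyed.
resource "aws_security_group" "sg-elsrc" {
  name_prefix = "nlp-dev-poc-sg-elsrc-"   # assumed prefix; Terraform adds a random suffix
  description = "foo bar"                  # changing this still forces a replacement
  vpc_id      = "${data.terraform_remote_state.vpc.private_vpc_id_us-west-2_0}"

  ingress {
    from_port   = 9210
    to_port     = 9210
    protocol    = "tcp"
    cidr_blocks = ["${data.aws_subnet.it_vpc_subnet.cidr_block}"]
  }

  ingress {
    from_port   = 9211
    to_port     = 9211
    protocol    = "tcp"
    cidr_blocks = ["${data.aws_subnet.it_vpc_subnet.cidr_block}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    # Now compatible with the unique name generated above; `true` is the
    # idiomatic spelling of the `1` used in the issue.
    create_before_destroy = true
    ignore_changes        = ["tags.Creator"]
  }
}
```

Omitting `name` and `name_prefix` entirely is the other option bflad lists; Terraform then generates the whole name.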

@bflad bflad added waiting-response Maintainers are waiting on response from community or contributor. service/ec2 Issues and PRs that pertain to the ec2 service. labels Dec 12, 2018
@cjcjameson
Author

Oh darn. What's that doing there? I thought it was on a different stanza but I put it in the wrong place.

🤦‍♂️ sorry about that!

@ghost ghost removed the waiting-response Maintainers are waiting on response from community or contributor. label Dec 12, 2018
@cjcjameson
Author

@bflad wait! Can I convert this into a feature request?!?

Terraform "should" "know" that create_before_destroy won't work when the name stays the same for this type of resource. The error message could show this explanation!

@cjcjameson cjcjameson reopened this Dec 12, 2018
@cjcjameson cjcjameson changed the title Changing Description of Security Group tries to create before destroying "Know ahead of time" that create_before_destroy won't work in certain situations (Feature request) Dec 12, 2018
@bflad
Contributor

bflad commented Dec 12, 2018

Anything within resource lifecycle configuration (and operation ordering in general) is handled upstream in Terraform core. This information is not accessible to Terraform providers (e.g. resource code) during an operation. If you would like to submit a feature request, it'll have to be upstream to start: https://github.com/hashicorp/terraform/issues/

@ghost

ghost commented Apr 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 1, 2020