[WIP] r/aws_security_group_rule: Terraform plan non empty even no change in Description field #2335

Closed

@trung trung commented Nov 17, 2017

Fixes #2141

There are a number of scenarios that need to be covered. For each scenario, reproduce the issue with a failing acceptance test, then fix.

  • Resource with count
  • Resource with multiple CIDR blocks
  • TBD

@trung trung changed the title r/aws_security_group_rule: Terraform plan non empty even no change in Description field [WIP] r/aws_security_group_rule: Terraform plan non empty even no change in Description field Nov 17, 2017
@radeksimko radeksimko added the bug Addresses a defect in current functionality. label Nov 17, 2017

@catsby catsby left a comment

Hey there – Sorry to say that this is unlikely something we can merge. AWS uses the combination of to_port, from_port, and protocol to make "rules". Having matching to, from, and protocol port rules but with different cidr blocks in different stanzas is going to throw recurring diffs. In the web console it shows as 2 rules as you would expect, but unfortunately they are really 1, which adds to the confusion. Example where the API returns them in their true form, this config:

  ingress {
    description = "IP1"
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["1.2.3.4/32", "5.6.7.8/32"]
  }

Makes this one rule in AWS:

$ aws ec2 describe-security-groups --group-ids=sg-<my-sg-id> --output=json
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "PrefixListIds": [],
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "PrefixListIds": [],
                    "IpRanges": [
                        {
                            "Description": "IP1",
                            "CidrIp": "1.2.3.4/32"
                        },
                        {
                            "Description": "IP2",
                            "CidrIp": "5.6.7.8/32"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "GroupName": "TestTerraformBug",
            "VpcId": "vpc-<my-vpc-id>",
            "OwnerId": "<my-owner-id>",
            "GroupId": "sg-<my-sg-id>"
        }
    ]
}
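The grouping described in the comment above, as an added example that is not part of the original thread or the provider's code: a simplified model that merges Terraform-style stanzas by (protocol, from_port, to_port) and flags the keys that more than one stanza shares. The function names and the sample stanzas are constructed for illustration; the real API omits the port fields for protocol -1, as the output above shows.

```python
import json
from collections import defaultdict

# Constructed input: two stanzas that share from_port/to_port/protocol but
# carry different CIDR blocks and descriptions, plus one unrelated stanza.
STANZAS = [
    {"description": "IP1", "from_port": 0, "to_port": 0, "protocol": "-1",
     "cidr_blocks": ["1.2.3.4/32"]},
    {"description": "IP2", "from_port": 0, "to_port": 0, "protocol": "-1",
     "cidr_blocks": ["5.6.7.8/32"]},
    {"description": "web", "from_port": 443, "to_port": 443, "protocol": "tcp",
     "cidr_blocks": ["10.0.0.0/8"]},
]

def rule_key(stanza):
    """The (protocol, from_port, to_port) tuple that identifies one rule."""
    return (str(stanza["protocol"]), stanza["from_port"], stanza["to_port"])

def merge_like_api(stanzas):
    """Group stanzas into IpPermissions-shaped entries, one per rule key.

    Simplified model (assumption): port fields are always emitted here.
    """
    merged = defaultdict(list)
    for s in stanzas:
        for cidr in s["cidr_blocks"]:
            merged[rule_key(s)].append(
                {"CidrIp": cidr, "Description": s.get("description", "")})
    return [{"IpProtocol": k[0], "FromPort": k[1], "ToPort": k[2],
             "IpRanges": ranges} for k, ranges in merged.items()]

def colliding_keys(stanzas):
    """Rule keys shared by more than one stanza (candidates for recurring diffs)."""
    counts = defaultdict(int)
    for s in stanzas:
        counts[rule_key(s)] += 1
    return sorted(k for k, n in counts.items() if n > 1)

if __name__ == "__main__":
    print(json.dumps(merge_like_api(STANZAS), indent=2))
    for key in colliding_keys(STANZAS):
        print("stanzas collapse into one rule:", key)
```

Running a check like this over a configuration before `terraform plan` shows which stanzas AWS will treat as a single rule, which is where per-stanza descriptions stop matching the stored state.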

trung commented Nov 28, 2017

It seems some of the scenarios have been fixed in #1959. I closed this PR.

@trung trung closed this Nov 28, 2017
@trung trung deleted the b-2141 branch November 28, 2017 14:05
ghost commented Apr 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 10, 2020
Successfully merging this pull request may close these issues.

Terraform want to change description even if its not needed