Import of aws_security_group_rule with multiple cidr_blocks and a source security id is invalid #8827
Comments
I just saw something very similar. Got the plan to delete the rules. When I applied, the security group lost all the ingress rules. When I planned next time it showed the ingress rules ready to be applied. Running apply one more time recreated the rules properly, but I don't want to do that outside of my testing environment.

Seems like a dupe (or at least related) to #8166.

I believe this is addressed in #13630, but if you could verify that would be amazing 😄
OK, bear with me here since I don't do much of this validation.

Create some test security groups for this exercise:

(py) jbender@jbender-mbp terraform (master) $ aws ec2 create-security-group --group-name "tf-8827-test" --description "test of terraform/8827" --region us-west-1
{
    "GroupId": "sg-33531a54"
}
(py) jbender@jbender-mbp terraform (master) $ aws ec2 authorize-security-group-ingress --group-id sg-33531a54 --ip-permissions IpProtocol=tcp,FromPort=8042,ToPort=8042,IpRanges=[{CidrIp="172.18.0.0/16"},{CidrIp="172.19.0.0/16"}] --region us-west-1
(py) jbender@jbender-mbp terraform (master) $ aws ec2 create-security-group --group-name "tf-8827-test-2" --description "test-2 of terraform/8827" --region us-west-1
{
    "GroupId": "sg-0b5e176c"
}
(py) jbender@jbender-mbp terraform (master) $ aws ec2 authorize-security-group-ingress --group-id sg-33531a54 --ip-permissions IpProtocol=tcp,FromPort=8042,ToPort=8042,UserIdGroupPairs=[{GroupId="sg-0b5e176c"}] --region us-west-1
(py) jbender@jbender-mbp terraform (master) $ aws ec2 describe-security-groups --group-id sg-33531a54 --region us-west-1
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "PrefixListIds": []
                }
            ],
            "Description": "test of terraform/8827",
            "IpPermissions": [
                {
                    "PrefixListIds": [],
                    "FromPort": 8042,
                    "IpRanges": [
                        {
                            "CidrIp": "172.18.0.0/16"
                        },
                        {
                            "CidrIp": "172.19.0.0/16"
                        }
                    ],
                    "ToPort": 8042,
                    "IpProtocol": "tcp",
                    "UserIdGroupPairs": [
                        {
                            "UserId": "898611095813",
                            "GroupId": "sg-0b5e176c"
                        }
                    ]
                }
            ],
            "GroupName": "tf-8827-test",
            "VpcId": "vpc-66160d04",
            "OwnerId": "898611095813",
            "GroupId": "sg-33531a54"
        }
    ]
}

Import them using an older terraform version:

(py) jbender@jbender-mbp terraform (master) $ terraform version
Terraform v0.7.7
Your version of Terraform is out of date! The latest version
is 0.9.3. You can update by downloading from www.terraform.io
(py) jbender@jbender-mbp terraform (master) $ terraform import aws_security_group.test-tf sg-33531a54
provider.aws.region
The region where AWS operations will take place. Examples
are us-east-1, us-west-2, etc.
Default: us-east-1
Enter a value: us-west-1
aws_security_group.test-tf: Importing from ID "sg-33531a54"...
aws_security_group.test-tf: Import complete!
Imported aws_security_group (ID: sg-33531a54)
Imported aws_security_group_rule (ID: sgrule-2570052314)
Imported aws_security_group_rule (ID: sgrule-2682829166)
aws_security_group.test-tf: Refreshing state... (ID: sg-33531a54)
aws_security_group_rule.test-tf-1: Refreshing state... (ID: sgrule-2682829166)
aws_security_group_rule.test-tf: Refreshing state... (ID: sgrule-2570052314)
Import success! The resources imported are shown above. These are
now in your Terraform state. Import does not currently generate
configuration, so you must do this next. If you do not create configuration
for the above resources, then the next `terraform plan` will mark
them for destruction.
(py) jbender@jbender-mbp terraform (master) $ cp terraform.tfstate terraform-original.tfstate

Import again with the latest master build:

(py) jbender@jbender-mbp terraform (master) $ terraform version
Terraform v0.9.4-dev (d7212405a296a273863ac3f80a1f98c4afc0cf01+CHANGES)
(py) jbender@jbender-mbp terraform (master) $ terraform import aws_security_group.test-tf sg-33531a54
provider.aws.region
The region where AWS operations will take place. Examples
are us-east-1, us-west-2, etc.
Default: us-east-1
Enter a value: us-west-1
aws_security_group.test-tf: Importing from ID "sg-33531a54"...
aws_security_group.test-tf: Import complete!
Imported aws_security_group (ID: sg-33531a54)
Imported aws_security_group_rule (ID: sgrule-3727857758)
Imported aws_security_group_rule (ID: sgrule-292622449)
Imported aws_security_group_rule (ID: sgrule-2682829166)
aws_security_group_rule.test-tf: Refreshing state... (ID: sgrule-3727857758)
aws_security_group_rule.test-tf-1: Refreshing state... (ID: sgrule-292622449)
aws_security_group_rule.test-tf-2: Refreshing state... (ID: sgrule-2682829166)
aws_security_group.test-tf: Refreshing state... (ID: sg-33531a54)
Import success! The resources imported are shown above. These are
now in your Terraform state. Import does not currently generate
configuration, so you must do this next. If you do not create configuration
for the above resources, then the next `terraform plan` will mark
them for destruction.

Diff the two:

(py) jbender@jbender-mbp terraform (master) $ diff -u terraform-original.tfstate terraform.tfstate
--- terraform-original.tfstate 2017-04-21 12:18:23.000000000 -0700
+++ terraform.tfstate 2017-04-21 12:26:47.000000000 -0700
@@ -1,8 +1,8 @@
{
"version": 3,
- "terraform_version": "0.7.7",
+ "terraform_version": "0.9.4",
"serial": 0,
- "lineage": "41a4d098-660f-4bed-8b64-e7729ca94aa6",
+ "lineage": "448b245c-2d26-4d14-91b1-ecbe3c456dde",
"modules": [
{
"path": [
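Review bot: the `lineage` value changes in this hunk (`41a4d098-…` to `448b245c-…`) while `serial` stays at 0, so the second import wrote a fresh state file rather than updating the one produced by 0.7.7, and `terraform_version` moves from `0.7.7` to `0.9.4`; neither line has anything to do with the rule split, so this hunk is version noise rather than evidence for or against the fix.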
@@ -21,6 +21,7 @@
"egress.482069346.cidr_blocks.#": "1",
"egress.482069346.cidr_blocks.0": "0.0.0.0/0",
"egress.482069346.from_port": "0",
+ "egress.482069346.ipv6_cidr_blocks.#": "0",
"egress.482069346.prefix_list_ids.#": "0",
"egress.482069346.protocol": "-1",
"egress.482069346.security_groups.#": "0",
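Review bot: the only change in this hunk is the added `egress.482069346.ipv6_cidr_blocks.#` attribute, which the newer schema writes for every rule; it is unrelated to the cidr/source-group split and should not be read as part of the fix under test.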
@@ -32,6 +33,7 @@
"ingress.3419285585.cidr_blocks.0": "172.18.0.0/16",
"ingress.3419285585.cidr_blocks.1": "172.19.0.0/16",
"ingress.3419285585.from_port": "8042",
+ "ingress.3419285585.ipv6_cidr_blocks.#": "0",
"ingress.3419285585.protocol": "tcp",
"ingress.3419285585.security_groups.#": "1",
"ingress.3419285585.security_groups.3830927927": "sg-0b5e176c",
@@ -52,18 +54,18 @@
"type": "aws_security_group_rule",
"depends_on": [],
"primary": {
- "id": "sgrule-2570052314",
+ "id": "sgrule-3727857758",
"attributes": {
"cidr_blocks.#": "2",
"cidr_blocks.0": "172.18.0.0/16",
"cidr_blocks.1": "172.19.0.0/16",
"from_port": "8042",
- "id": "sgrule-2570052314",
+ "id": "sgrule-3727857758",
+ "ipv6_cidr_blocks.#": "0",
"prefix_list_ids.#": "0",
"protocol": "tcp",
"security_group_id": "sg-33531a54",
"self": "false",
- "source_security_group_id": "sg-0b5e176c",
"to_port": "8042",
"type": "ingress"
},
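Review bot: this is the hunk that demonstrates the fix: the rule carrying both `cidr_blocks` entries loses its `source_security_group_id` (the removed line), so the address-based and group-based sources are no longer folded into one resource, and its id changes from `sgrule-2570052314` to `sgrule-3727857758` together with that attribute change. Note that `cidr_blocks.#` stays at `2`, so the two CIDRs remain in a single rule rather than being split further.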
@@ -79,12 +81,39 @@
"type": "aws_security_group_rule",
"depends_on": [],
"primary": {
+ "id": "sgrule-292622449",
+ "attributes": {
+ "cidr_blocks.#": "0",
+ "from_port": "8042",
+ "id": "sgrule-292622449",
+ "ipv6_cidr_blocks.#": "0",
+ "prefix_list_ids.#": "0",
+ "protocol": "tcp",
+ "security_group_id": "sg-33531a54",
+ "self": "false",
+ "source_security_group_id": "sg-0b5e176c",
+ "to_port": "8042",
+ "type": "ingress"
+ },
+ "meta": {
+ "schema_version": "2"
+ },
+ "tainted": false
+ },
+ "deposed": [],
+ "provider": "aws"
+ },
+ "aws_security_group_rule.test-tf-2": {
+ "type": "aws_security_group_rule",
+ "depends_on": [],
+ "primary": {
"id": "sgrule-2682829166",
"attributes": {
"cidr_blocks.#": "1",
"cidr_blocks.0": "0.0.0.0/0",
"from_port": "0",
"id": "sgrule-2682829166",
+ "ipv6_cidr_blocks.#": "0",
"prefix_list_ids.#": "0",
"protocol": "-1",
"security_group_id": "sg-33531a54",

Observe that the security group rule with the

Seems to be fixed now, Q.E.D. @catsby feel free to close if that's enough proof.
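Review bot: the added block introduces `aws_security_group_rule.test-tf-1` holding `source_security_group_id` `sg-0b5e176c` with `cidr_blocks.#` `0`, the group-based counterpart of the cidr-only rule above; as a side effect, the egress rule `sgrule-2682829166`, which the 0.7.7 import had named `test-tf-1`, is now `test-tf-2`, so any configuration written against the earlier import's resource names would need renaming before `terraform plan` is run against the new state.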
Wow @jonbender that's way more than I was expecting, thank you for the diligence!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform Version
Terraform v0.7.3
Affected Resource(s)
Sample Terraform Resource
Resource to import
Expected Behavior
A separate security group rule for cidr_blocks and source_security_groups is created
Actual Behavior
The rules are combined into a single rule (which cannot be mapped to a terraform resource as cidr_block and source_security_group_id are either/or)
Steps to Reproduce
With a security group similar to the one created above:
terraform import -state=hashicorp_demo.tfstate aws_security_group.hashicorp_demo sg-c57610bf
It's worth noting that I had to add a second cidr_block to the rule to reproduce. With a single cidr_block and source_security_group_id the rules were split up properly.
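The either/or constraint at the heart of this issue can be checked in a few lines. The following Python is an added illustration, not Terraform's import code: it takes a `describe-security-groups` style permission (the sample below is constructed from the group shown in the thread) and emits one Terraform-shaped rule record per address-based source set (`cidr_blocks`, `ipv6_cidr_blocks`, `prefix_list_ids` together) plus one per security-group pair, then validates that no record mixes the two kinds. The exact attribute grouping and the `self` detection are assumptions modelled on the state attributes in the diff above, not the provider's algorithm; the `-1` egress rule with no ports is mapped to `0`/`0` the way the state shows it.

```python
"""Split EC2 IpPermission entries into Terraform-shaped security group rules.

Constructed example, not Terraform's own import logic. An EC2 IpPermission can
hold CIDR ranges and security-group pairs in one entry, but an
aws_security_group_rule resource is either address-based (cidr_blocks,
ipv6_cidr_blocks, prefix_list_ids) or group-based (source_security_group_id
or self), never both. Importing without this split is what produced the
unmappable combined rule described in the issue.
"""
from typing import Any

# Constructed sample mirroring the describe-security-groups output in the thread.
SAMPLE_GROUP = {
    "GroupId": "sg-33531a54",
    "OwnerId": "898611095813",
    "IpPermissions": [
        {
            "IpProtocol": "tcp",
            "FromPort": 8042,
            "ToPort": 8042,
            "IpRanges": [{"CidrIp": "172.18.0.0/16"}, {"CidrIp": "172.19.0.0/16"}],
            "Ipv6Ranges": [],
            "PrefixListIds": [],
            "UserIdGroupPairs": [{"UserId": "898611095813", "GroupId": "sg-0b5e176c"}],
        }
    ],
    "IpPermissionsEgress": [
        {
            "IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "UserIdGroupPairs": [],
            "PrefixListIds": [],
        }
    ],
}


def validate_rule(rule: dict[str, Any]) -> None:
    """Reject a rule that mixes address-based and group-based sources, or has none."""
    address_based = bool(rule["cidr_blocks"] or rule["ipv6_cidr_blocks"] or rule["prefix_list_ids"])
    group_based = rule["self"] or rule["source_security_group_id"] is not None
    if address_based and group_based:
        raise ValueError("rule mixes cidr/prefix sources with a security group source")
    if not address_based and not group_based:
        raise ValueError("rule has no source")


def _base_rule(group_id: str, perm: dict, rule_type: str) -> dict[str, Any]:
    """Common attributes shared by every rule derived from one IpPermission."""
    return {
        "type": rule_type,
        "security_group_id": group_id,
        "protocol": perm["IpProtocol"],
        # The "-1" (all traffic) permission carries no ports; state stores 0/0 (assumed mapping).
        "from_port": perm.get("FromPort", 0),
        "to_port": perm.get("ToPort", 0),
        "cidr_blocks": [],
        "ipv6_cidr_blocks": [],
        "prefix_list_ids": [],
        "source_security_group_id": None,
        "self": False,
    }


def split_permission(group_id: str, perm: dict, rule_type: str) -> list[dict[str, Any]]:
    """One rule for all address-based sources, plus one rule per security-group pair."""
    rules: list[dict[str, Any]] = []
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    prefixes = [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    if cidrs or cidrs6 or prefixes:
        rule = _base_rule(group_id, perm, rule_type)
        rule.update(cidr_blocks=cidrs, ipv6_cidr_blocks=cidrs6, prefix_list_ids=prefixes)
        rules.append(rule)
    for pair in perm.get("UserIdGroupPairs", []):
        rule = _base_rule(group_id, perm, rule_type)
        if pair["GroupId"] == group_id:
            rule["self"] = True  # a group referencing itself maps to self = true (assumed)
        else:
            rule["source_security_group_id"] = pair["GroupId"]
        rules.append(rule)
    for rule in rules:
        validate_rule(rule)
    return rules


def import_group(group: dict) -> list[dict[str, Any]]:
    """Flatten every ingress and egress permission of a group into rule records."""
    gid = group["GroupId"]
    rules: list[dict[str, Any]] = []
    for perm in group.get("IpPermissions", []):
        rules.extend(split_permission(gid, perm, "ingress"))
    for perm in group.get("IpPermissionsEgress", []):
        rules.extend(split_permission(gid, perm, "egress"))
    return rules


if __name__ == "__main__":
    for r in import_group(SAMPLE_GROUP):
        print(r)
```

Running it on the sample yields three records, matching the three `aws_security_group_rule` resources the fixed import produced: one ingress rule holding both CIDRs, one ingress rule with only `source_security_group_id`, and the all-traffic egress rule. Feeding a combined record to `validate_rule` raises, which is the check that would have caught the original bug before a plan proposed deleting the rules.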