Cannot import aws_security_group with multiple rules specifying source groups #9459

Closed
tomwilkie opened this issue Oct 19, 2016 · 3 comments · Fixed by #9477

Comments

@tomwilkie
Contributor

Terraform Version

$ terraform -v
Terraform v0.7.5

Affected Resource(s)

  • aws_security_group
  • aws_security_group_rule

Example

$ aws ec2 describe-security-groups --group-id sg-83bcaaf9
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1", 
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ], 
                    "UserIdGroupPairs": [], 
                    "PrefixListIds": []
                }
            ], 
            "Description": "Kubernetes security group applied to master nodes", 
            "Tags": [
                {
                    "Value": "kubernetes_tom", 
                    "Key": "KubernetesCluster"
                }
            ], 
            "IpPermissions": [
                {
                    "IpProtocol": "-1", 
                    "IpRanges": [], 
                    "UserIdGroupPairs": [
                        {
                            "UserId": "376248598259", 
                            "GroupId": "sg-80bcaafa"
                        }, 
                        {
                            "UserId": "376248598259", 
                            "GroupId": "sg-83bcaaf9"
                        }
                    ], 
                    "PrefixListIds": []
                }, 
                {
                    "PrefixListIds": [], 
                    "FromPort": 22, 
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ], 
                    "ToPort": 22, 
                    "IpProtocol": "tcp", 
                    "UserIdGroupPairs": []
                }, 
                {
                    "PrefixListIds": [], 
                    "FromPort": 443, 
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ], 
                    "ToPort": 443, 
                    "IpProtocol": "tcp", 
                    "UserIdGroupPairs": []
                }
            ], 
            "GroupName": "kubernetes-master-kubernetes_tom", 
            "VpcId": "vpc-dc0e0cbb", 
            "OwnerId": "376248598259", 
            "GroupId": "sg-83bcaaf9"
        }
    ]
}

$ terraform import aws_security_group.test sg-83bcaaf9
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: 

aws_security_group.test: Importing from ID "sg-83bcaaf9"...
aws_security_group.test: Import complete!
  Imported aws_security_group (ID: sg-83bcaaf9)
  Imported aws_security_group_rule (ID: sgrule-3198309751)
  Imported aws_security_group_rule (ID: sgrule-114861958)
  Imported aws_security_group_rule (ID: sgrule-253799570)
  Imported aws_security_group_rule (ID: sgrule-3072042539)
aws_security_group_rule.test-2: Refreshing state... (ID: sgrule-253799570)
aws_security_group_rule.test: Refreshing state... (ID: sgrule-3198309751)
aws_security_group_rule.test-3: Refreshing state... (ID: sgrule-3072042539)
aws_security_group.test: Refreshing state... (ID: sg-83bcaaf9)
aws_security_group_rule.test-1: Refreshing state... (ID: sgrule-114861958)

Import success! The resources imported are shown above. These are
now in your Terraform state. Import does not currently generate
configuration, so you must do this next. If you do not create configuration
for the above resources, then the next `terraform plan` will mark
them for destruction.

$ cat terraform.tfstate 
{
    "version": 3,
    "terraform_version": "0.7.5",
    "serial": 0,
    "lineage": "9de8438f-7198-4806-b7a0-9824c8b8b2cf",
    "modules": [
        {
            "path": [
                "root"
            ],
            "outputs": {},
            "resources": {
                "aws_security_group.test": {
                    "type": "aws_security_group",
                    "depends_on": [],
                    "primary": {
                        "id": "sg-83bcaaf9",
                        "attributes": {
                            "description": "Kubernetes security group applied to master nodes",
                            "egress.#": "1",
                            "egress.482069346.cidr_blocks.#": "1",
                            "egress.482069346.cidr_blocks.0": "0.0.0.0/0",
                            "egress.482069346.from_port": "0",
                            "egress.482069346.prefix_list_ids.#": "0",
                            "egress.482069346.protocol": "-1",
                            "egress.482069346.security_groups.#": "0",
                            "egress.482069346.self": "false",
                            "egress.482069346.to_port": "0",
                            "id": "sg-83bcaaf9",
                            "ingress.#": "3",
                            "ingress.2211002184.cidr_blocks.#": "0",
                            "ingress.2211002184.from_port": "0",
                            "ingress.2211002184.protocol": "-1",
                            "ingress.2211002184.security_groups.#": "1",
                            "ingress.2211002184.security_groups.3938065707": "sg-80bcaafa",
                            "ingress.2211002184.self": "true",
                            "ingress.2211002184.to_port": "0",
                            "ingress.2541437006.cidr_blocks.#": "1",
                            "ingress.2541437006.cidr_blocks.0": "0.0.0.0/0",
                            "ingress.2541437006.from_port": "22",
                            "ingress.2541437006.protocol": "tcp",
                            "ingress.2541437006.security_groups.#": "0",
                            "ingress.2541437006.self": "false",
                            "ingress.2541437006.to_port": "22",
                            "ingress.2617001939.cidr_blocks.#": "1",
                            "ingress.2617001939.cidr_blocks.0": "0.0.0.0/0",
                            "ingress.2617001939.from_port": "443",
                            "ingress.2617001939.protocol": "tcp",
                            "ingress.2617001939.security_groups.#": "0",
                            "ingress.2617001939.self": "false",
                            "ingress.2617001939.to_port": "443",
                            "name": "kubernetes-master-kubernetes_tom",
                            "owner_id": "376248598259",
                            "tags.%": "1",
                            "tags.KubernetesCluster": "kubernetes_tom",
                            "vpc_id": "vpc-dc0e0cbb"
                        },
                        "meta": {},
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                },
                "aws_security_group_rule.test": {
                    "type": "aws_security_group_rule",
                    "depends_on": [],
                    "primary": {
                        "id": "sgrule-3198309751",
                        "attributes": {
                            "cidr_blocks.#": "0",
                            "from_port": "0",
                            "id": "sgrule-3198309751",
                            "prefix_list_ids.#": "0",
                            "protocol": "-1",
                            "security_group_id": "sg-83bcaaf9",
                            "self": "false",
                            "source_security_group_id": "sg-80bcaafa",
                            "to_port": "0",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                },
                "aws_security_group_rule.test-1": {
                    "type": "aws_security_group_rule",
                    "depends_on": [],
                    "primary": {
                        "id": "sgrule-114861958",
                        "attributes": {
                            "cidr_blocks.#": "1",
                            "cidr_blocks.0": "0.0.0.0/0",
                            "from_port": "22",
                            "id": "sgrule-114861958",
                            "prefix_list_ids.#": "0",
                            "protocol": "tcp",
                            "security_group_id": "sg-83bcaaf9",
                            "self": "false",
                            "to_port": "22",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                },
                "aws_security_group_rule.test-2": {
                    "type": "aws_security_group_rule",
                    "depends_on": [],
                    "primary": {
                        "id": "sgrule-253799570",
                        "attributes": {
                            "cidr_blocks.#": "1",
                            "cidr_blocks.0": "0.0.0.0/0",
                            "from_port": "443",
                            "id": "sgrule-253799570",
                            "prefix_list_ids.#": "0",
                            "protocol": "tcp",
                            "security_group_id": "sg-83bcaaf9",
                            "self": "false",
                            "to_port": "443",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                },
                "aws_security_group_rule.test-3": {
                    "type": "aws_security_group_rule",
                    "depends_on": [],
                    "primary": {
                        "id": "sgrule-3072042539",
                        "attributes": {
                            "cidr_blocks.#": "1",
                            "cidr_blocks.0": "0.0.0.0/0",
                            "from_port": "0",
                            "id": "sgrule-3072042539",
                            "prefix_list_ids.#": "0",
                            "protocol": "-1",
                            "security_group_id": "sg-83bcaaf9",
                            "self": "false",
                            "to_port": "0",
                            "type": "egress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                }
            },
            "depends_on": []
        }
    ]
}

Expected Behavior

Should import 4 ingress and 1 egress rules:

screen shot 2016-10-19 at 18 14 24

screen shot 2016-10-19 at 18 14 30

Actual Behavior

Only imported 3 ingress rules and 1 egress rule

References

Seems related to

@tomwilkie
Contributor Author

Problem seems to stem from assumption in https://github.com/hashicorp/terraform/blob/master/builtin/providers/aws/import_aws_security_group.go#L59 that UserIdGroupPairs will only contain a single element.

Given the id hash ipPermissionIDHash iterates over UserIdGroupPairs (`for _, pair := range ip.UserIdGroupPairs {`), the solution seems to be to make source_security_group_id a list, although I have no idea how to make that backwards compatible.
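
Added example (not from the issue or from Terraform's code base): a post-import check that expands each permission in the `describe-security-groups` output into one rule per CIDR set and per source group, then reports rules absent from a version-3 `terraform.tfstate`. The function names and the trimmed sample are constructed here; the one-rule-per-source expansion is an assumption that matches the 4 ingress and 1 egress rules expected above, and only CIDR and group sources are compared.

```python
def _key(kind, proto, lo, hi, src):
    return (kind, proto, int(lo), int(hi), src)

def expected_rules(group):
    """Expand one parsed SecurityGroups entry: a rule per CIDR set and per source group."""
    rules = set()
    for kind, field in (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress")):
        for p in group.get(field, []):
            base = (kind, p["IpProtocol"], p.get("FromPort", 0), p.get("ToPort", 0))
            cidrs = ",".join(sorted(r["CidrIp"] for r in p["IpRanges"]))
            if cidrs:
                rules.add(_key(*base, cidrs))
            for pair in p["UserIdGroupPairs"]:  # may hold several pairs, incl. the group itself
                rules.add(_key(*base, pair["GroupId"]))
    return rules

def state_rules(state, group_id):
    """Collect aws_security_group_rule resources from a parsed version-3 terraform.tfstate."""
    rules = set()
    for module in state["modules"]:
        for res in module["resources"].values():
            a = res["primary"]["attributes"]
            if res["type"] != "aws_security_group_rule" or a["security_group_id"] != group_id:
                continue
            base = (a["type"], a["protocol"], a["from_port"], a["to_port"])
            n = int(a.get("cidr_blocks.#", 0))
            if n:
                rules.add(_key(*base, ",".join(sorted(a[f"cidr_blocks.{i}"] for i in range(n)))))
            if a.get("self") == "true":  # a self rule is keyed by the group's own id
                rules.add(_key(*base, group_id))
            if a.get("source_security_group_id"):
                rules.add(_key(*base, a["source_security_group_id"]))
    return rules

def missing_from_state(group, state):
    return sorted(expected_rules(group) - state_rules(state, group["GroupId"]))

# Constructed sample: the issue's group and state, trimmed to the all-protocol ingress rule.
GROUP = {"GroupId": "sg-83bcaaf9", "IpPermissionsEgress": [], "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-80bcaafa"}, {"GroupId": "sg-83bcaaf9"}]}]}
STATE = {"modules": [{"resources": {"aws_security_group_rule.test": {
    "type": "aws_security_group_rule", "primary": {"attributes": {
        "cidr_blocks.#": "0", "from_port": "0", "to_port": "0", "protocol": "-1",
        "security_group_id": "sg-83bcaaf9", "self": "false",
        "source_security_group_id": "sg-80bcaafa", "type": "ingress"}}}}}]}

if __name__ == "__main__":
    print(missing_from_state(GROUP, STATE))
```

For real data, pass one entry of the `SecurityGroups` array and the state file, each loaded with `json.load`.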

@tomwilkie
Contributor Author

/cc @catsby - any thoughts?

@ghost

ghost commented Apr 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 19, 2020