Security Group not restored on VMs when removed outside of terraform #369

Closed
ArnaultMICHEL opened this issue Jul 26, 2023 · 2 comments · Fixed by #378

@ArnaultMICHEL

Terraform Version

$ terraform version
Terraform v1.4.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/hashicorp/time v0.9.1
+ provider registry.terraform.io/outscale/outscale v0.9.1
+ provider registry.terraform.io/ovh/ovh v0.30.0

Your version of Terraform is out of date! The latest version
is 1.5.3. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration Files

resource "outscale_vm" "vm" {

  image_id           = var.image_id
  vm_type            = var.vm_type
  keypair_name       = var.ssh_keypair_name
  security_group_ids = ["${outscale_security_group.sg_kafka_nodes.id}","${data.outscale_security_group.sg_allow_ssh_from_jumphosts.id}"]
  subnet_id          = var.subnet_id

  placement_tenancy     = "default"
  nested_virtualization = false

  #user_data             = data.template_cloudinit_config.cloudinit.rendered

  dynamic "tags" {
    for_each = merge(local.vm_tags,var.tags)
    content {
      key           = tags.key
      value         = tags.value
    }
  }

  #AML - switch rootdisk to 50G and SSD
  block_device_mappings {
    device_name = "/dev/sda1"     # /dev/sda1 corresponds to the root device of the VM
    bsu {
      volume_size = var.root_volume_size
      volume_type = var.root_volume_type
      delete_on_vm_deletion = true
    }
  }

  lifecycle {
    ignore_changes = [
      user_data
    ]
  }
}
resource "outscale_security_group" "sg_kafka_nodes" {
  security_group_name = "secgroup-kafka"
  description = "kafka node security group"
  net_id      = data.outscale_net.vpc_poc_mdw.net_id
}
data "outscale_net" "vpc_poc_mdw" {
  filter {
      name   = "tag_values"
      values = ["vpc_poc_mdw${var.infra_env_suffix}"]
  }
}
# Retrieve existing security group of jumphost to be member of to allow communication
data "outscale_security_group" "sg_allow_ssh_from_jumphosts" {
  filter {
      name   = "security_group_names"
      values = ["sg_allow_ssh_from_jumphosts"]
  }
}

Debug Output

Crash Output

Expected Behavior

  1. VM resource is generated with two security group IDs.
  2. Outside of terraform, with osc-cli, we reduce the number of security groups to one.
  3. Then, a terraform apply should update the security groups attached to the VM, but the "lost" security group is not detected / reassigned to the VM.

Actual Behavior

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. osc-cli api UpdateVm --profile ${OSC_PROFILE} --VmId "${vmid}" --SecurityGroupIds "[\"${VM_SG_TO_KEEP}\"]"
  4. terraform apply is detecting no change

Additional Context

References

@ArnaultMICHEL ArnaultMICHEL added the bug Something isn't working label Jul 26, 2023
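
An out-of-band check for the drift reported above, as an added example that is not part of the issue or of the provider's code: it compares the security group IDs recorded in `terraform show -json` output with those in an `osc-cli api ReadVms` response. The `vm_id` state attribute, the JSON layouts and all IDs are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample, trimmed to the fields used: `terraform show -json` state.
TF_STATE_JSON = """{"values": {"root_module": {"resources": [
  {"address": "outscale_vm.vm", "type": "outscale_vm", "values": {
    "vm_id": "i-00000001", "security_group_ids": ["sg-aaaa0001", "sg-bbbb0002"]}},
  {"address": "outscale_vm.other", "type": "outscale_vm", "values": {
    "vm_id": "i-00000002", "security_group_ids": ["sg-aaaa0001"]}}]}}}"""

# Constructed sample: ReadVms response after step 3 dropped one group on i-00000001.
READ_VMS_JSON = """{"Vms": [
  {"VmId": "i-00000001", "SecurityGroups": [{"SecurityGroupId": "sg-aaaa0001"}]},
  {"VmId": "i-00000002", "SecurityGroups": [{"SecurityGroupId": "sg-aaaa0001"}]}]}"""


def declared_groups(tf_state):
    """Map vm_id -> set of security group IDs recorded for each outscale_vm."""
    found = {}

    def walk(module):
        for res in module.get("resources", []):
            if res.get("type") == "outscale_vm":
                vals = res["values"]  # assumes a `vm_id` attribute in state
                found[vals["vm_id"]] = set(vals.get("security_group_ids") or [])
        for child in module.get("child_modules", []):
            walk(child)  # resources declared inside modules

    walk(tf_state["values"]["root_module"])
    return found


def actual_groups(read_vms):
    """Map VmId -> set of security group IDs the API reports as attached."""
    return {vm["VmId"]: {sg["SecurityGroupId"] for sg in vm.get("SecurityGroups", [])}
            for vm in read_vms.get("Vms", [])}


def sg_drift(tf_state, read_vms):
    """Return only the VMs whose attached groups differ from the recorded ones."""
    actual, report = actual_groups(read_vms), {}
    for vm_id, want in declared_groups(tf_state).items():
        have = actual.get(vm_id, set())
        if vm_id not in actual or have != want:
            report[vm_id] = {"vm_found": vm_id in actual,
                             "missing": sorted(want - have),
                             "unexpected": sorted(have - want)}
    return report


if __name__ == "__main__":
    drift = sg_drift(json.loads(TF_STATE_JSON), json.loads(READ_VMS_JSON))
    print(json.dumps(drift, indent=2))
    raise SystemExit(1 if drift else 0)  # non-zero exit lets a scheduled job alert
```
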
@outscale-toa
Member

Hi @ArnaultMICHEL

Thanks for reaching out to us; we are looking into your issue.

Best regards,

@outscale-toa
Member

Hi @ArnaultMICHEL,

With Terraform:

  • when you create resources with terraform, it is better to update/delete with terraform.

  • terraform doesn't really handle resources that it didn't create or import.
    In your case, you can just remove the security_group_id in your terraform configuration and terraform will update resources.

  • If you want to keep outscale_security_group.sg_kafka_nodes.id:

resource "outscale_vm" "vm" {

  image_id           = var.image_id
  vm_type            = var.vm_type
  keypair_name       = var.ssh_keypair_name
  security_group_ids = ["${outscale_security_group.sg_kafka_nodes.id}"] #,"${data.outscale_security_group.sg_allow_ssh_from_jumphosts.id}"]
  subnet_id          = var.subnet_id
....
}

Best Regards,

outscale-toa added a commit that referenced this issue Sep 7, 2023
outscale-toa added a commit that referenced this issue Sep 8, 2023
outscale-toa added a commit that referenced this issue Sep 11, 2023
outscale-toa added a commit that referenced this issue Sep 11, 2023
@outscale-toa outscale-toa added this to the V0.10.0 milestone Oct 4, 2023