Recreate "Security Group Rule" each time I execute “terraform apply/plan” #11011
When I execute terraform apply or plan without making any changes to any Terraform scripts, Terraform is going to add the same security group rules again and again.
Let me describe my Terraform scripts. I have designed my Terraform scripts as modules: the security group is a module and the security group rule is also a module.
Let's say I am executing these scripts again and again using terraform plan.
Seeing same behavior Terraform 0.8.5 & 0.8.7 where security group resource is defined in a module and references to security group from security group rule cause cyclical create (security group rule)/ change (security group) state. Might have to wait until this approach can persist being modularized.
My code is almost exact to what @AdimUser described.
Hi @AdimUser thanks for the issue!
Would you be able to clarify for me if you are specifying
For example, the following pseudo-config will reproduce the error you're seeing:
This is a known issue, as the
Does this match what you have in your configuration, or does the source security group not include any inline
Also seeing this behavior on Terraform v0.8.6
I have a module for creating an RDS cluster and two security groups that should be used by the RDS cluster. Each of my security groups is defined with an aws_security_group resource and an aws_security_group_rule rule, like this:
When I run apply, it strips all of the ingress rules. The next time I run apply, it adds them all back. Unfortunately, since I have two security groups, they are staggered so TF is always stripping ingress rules from one SG and re-adding them to the other SG. In other words, I can't get to the desired state of having both SGs populated with their ingress rules. Example output (subnets replaced with 'dummy' values):
@aglover-zendesk This happens "by design". At some point in the future we may look into allowing all of the
The main purpose of designing the
The best solution is to either define all of a security group's rules inline, or none of the security group's rules inline. It's when a user defines both that the mismatch occurs, as the inline rules are parsed as "definitive" and attempt to overwrite the individually defined security group rules.
Hopefully this answers your question, happy to discuss further though!
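The two patterns from the last comment, written out as an added example that is not configuration posted by anyone in this thread: first a group that mixes an inline `ingress` block with a standalone `aws_security_group_rule`, then the same access expressed with standalone rules only. Resource names, ports, CIDR ranges and the `vpc_id` variable are constructed placeholders, and the syntax follows the Terraform 0.8 interpolation style.

```hcl
variable "vpc_id" {}

# --- Conflicting pattern: inline ingress AND a standalone rule on one group ---
resource "aws_security_group" "mixed" {
  name   = "db-mixed"
  vpc_id = "${var.vpc_id}"

  # Inline block: parsed as the definitive rule list for this group.
  ingress {
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = ["10.0.1.0/24"]
  }
}

# Not part of the inline list above, so the two definitions overwrite each other.
resource "aws_security_group_rule" "mixed_extra" {
  type              = "ingress"
  from_port         = 5432
  to_port           = 5432
  protocol          = "tcp"
  cidr_blocks       = ["10.0.2.0/24"]
  security_group_id = "${aws_security_group.mixed.id}"
}

# --- Consistent pattern: no inline rules, every rule is a standalone resource ---
resource "aws_security_group" "db" {
  name   = "db"
  vpc_id = "${var.vpc_id}"
}

resource "aws_security_group_rule" "db_from_app" {
  type              = "ingress"
  from_port         = 5432
  to_port           = 5432
  protocol          = "tcp"
  cidr_blocks       = ["10.0.1.0/24"]
  security_group_id = "${aws_security_group.db.id}"
}

resource "aws_security_group_rule" "db_from_admin" {
  type              = "ingress"
  from_port         = 5432
  to_port           = 5432
  protocol          = "tcp"
  cidr_blocks       = ["10.0.2.0/24"]
  security_group_id = "${aws_security_group.db.id}"
}
```

With the second pattern, a repeated `terraform plan` with no configuration changes should report no security group changes, which makes any later diff on these rules a signal worth reviewing.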