Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Altering a primary security group defaults to destroy/creating; fails due to a 'dependent object' #3328

Closed
diemonster opened this issue Sep 25, 2015 · 4 comments
Closed

Altering a primary security group defaults to destroy/creating; fails due to a 'dependent object' #3328

diemonster opened this issue Sep 25, 2015 · 4 comments
Labels
provider/aws

Comments

@diemonster
Copy link

I have a primary security group "nat" which looks something like this:

resource "aws_security_group" "nat" {
    name = "app-${var.l0_prefix}-nat-SG"
    description = "Enable incoming and outgoing traffic for NAT"
    vpc_id = "${aws_vpc.vpc.id}"
    ingress {
        from_port = 80
        to_port = 80
        protocol = "tcp"
        cidr_blocks = ["${var.cidr_prefix}.0.0/16"]
    }
    ingress {
        from_port = 443
        to_port = 443
        protocol = "tcp"
        cidr_blocks = ["${var.cidr_prefix}.0.0/16"]
    }
    ingress {
        from_port = -1
        to_port = -1
        protocol = "icmp"
        cidr_blocks = ["${var.cidr_prefix}.0.0/16"]
    }
    ingress {
        from_port = 123
        to_port = 123
        protocol = "udp"
        cidr_blocks = ["${var.cidr_prefix}.0.0/16"]
    }
    egress {
        from_port = 80
        to_port = 80
        protocol = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
    egress {
        from_port = 443
        to_port = 443
        protocol = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
    egress {
        from_port = -1
        to_port = -1
        protocol = "icmp"
        cidr_blocks = ["0.0.0.0/0"]
    }
    egress {
        from_port = 123
        to_port = 123
        protocol = "udp"
        cidr_blocks = ["0.0.0.0/0"]
    }
}

When modifying this group to include new ingress/egress rules, I get:

aws_security_group.nat: Destroying...
Error applying plan:

1 error(s) occurred:

* aws_security_group.nat: DependencyViolation: resource sg-f268e296 has a dependent object
        status code: 400, request id: []

This appears to be a similar issue to #3260
@paulcdejean
Copy link

Simple steps to reproduce this in: #3341

@diemonster
Copy link
Author

As an update to this issue, we discovered that if you change the description value for an existing security group, Terraform/AWS will try to recreate the group (destroy & create) when you attempt to modify/upgrade it. This always fails in our case. Our workaround for now is to simply not change the description value 💫

@catsby
Copy link
Member

catsby commented Nov 17, 2015

Hey all – I explained in #3341 that in order to change a security group description/name or any attribute that recreates the security group, you need to use the lifecycle block with create_before_destroy = true if said Security Group is in use by an Instances.

@catsby catsby closed this as completed Nov 17, 2015
@achalupa74 achalupa74 mentioned this issue May 21, 2016
Closed
@ghost
Copy link

ghost commented Apr 30, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 30, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
provider/aws
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@catsby @paulcdejean @diemonster