aws_network_acl with icmp rule always recreates network acl #4423
Comments
Just been bitten by this too - glad I'm not going mad!
Also seeing this issue.
Confirmed here too, terraform 0.6.11. Affects VPC network ACLs (aws_network_acl) and security groups (aws_security_group).
Confirmed this impacts version 0.6.12; the issue does not occur if you describe the ICMP rule as a standalone aws_network_acl_rule resource rather than defining the rule inline with the ACL. This is broken:
This works just fine:
When ICMP rules are present and from_port or to_port are set to non-zero values, terraform always sees the rules as changed and recreates them (issue: hashicorp#4423). This change forces the affected values to zero for ICMP rules when creating a hash of the ACL values to detect if a change is needed. Values are hashed in the same order as before, so users should not see any change unless they were affected by this issue already; affected users should see only one change, after which the new hash values will be stored in the .tfstate file. Documentation updated to clarify that a 0 value is needed (as it is possible to guess "-1" after looking at the protocol "all" value).
I've had a go at fixing this in PR #5602 - it's a bit hacky, basically I changed the code that computes the hash of the rule properties to set from/to port to always be counted as zero for ICMP rules. Any feedback/testing appreciated...
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Original issue
A rule like:
creates an ICMP "any" rule, but terraform always thinks it's different. `terraform plan` says:
Changing the egress rule so that from_port = 0 and to_port = 0 eliminates the diff.
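The two workarounds described in the thread (setting from_port/to_port to 0 on the inline ICMP rule, as in the original report, and moving the ICMP rule into a standalone aws_network_acl_rule, as in the 0.6.12 comment), written out as an added example. This is not configuration from the issue or from PR #5602; the VPC, resource names, CIDRs and rule numbers are placeholders, the syntax is current Terraform rather than the 0.6.x interpolation style, and the "broken" values are an assumed instance of the non-zero ports the thread says trigger the diff (the exact values the reporter used are not on this page).

```hcl
# Added example, not from the issue thread. Placeholder VPC so the ACLs below
# have something to attach to.
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

# Broken form (assumed values): any non-zero from_port/to_port on an inline
# ICMP rule makes terraform 0.6.11/0.6.12 see a change on every plan and
# recreate the whole ACL, i.e. a subnet security boundary is torn down and
# rebuilt on each apply for no reason. Kept as a comment so it is not applied.
#
#   egress {
#     protocol   = "icmp"
#     rule_no    = 100
#     action     = "allow"
#     cidr_block = "0.0.0.0/0"
#     from_port  = -1   # non-zero: triggers the perpetual diff
#     to_port    = -1
#     icmp_type  = -1
#     icmp_code  = -1
#   }

# Workaround 1 (original report): keep the rule inline but set
# from_port/to_port to 0 for ICMP; type/code carry the "any" semantics.
resource "aws_network_acl" "inline" {
  vpc_id = aws_vpc.example.id

  egress {
    protocol   = "icmp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
    icmp_type  = -1 # -1 = all ICMP types
    icmp_code  = -1 # -1 = all ICMP codes
  }
}

# Workaround 2 (0.6.12 comment): define the ICMP rule as a standalone
# aws_network_acl_rule instead of inline; the thread reports no diff here.
resource "aws_network_acl" "standalone" {
  vpc_id = aws_vpc.example.id
}

resource "aws_network_acl_rule" "icmp_any" {
  network_acl_id = aws_network_acl.standalone.id
  rule_number    = 100
  egress         = true
  protocol       = "icmp"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  icmp_type      = -1
  icmp_code      = -1
}
```

Pick one style per ACL: an aws_network_acl with inline ingress/egress blocks and aws_network_acl_rule resources pointing at the same ACL fight each other on every apply, which is the same kind of churn this issue is about. After switching, run `terraform plan` twice; a clean second plan is the check that the diff is really gone rather than merely applied once.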