Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

provider/aws: Use the GroupName in EC2-Classic security group #5184

Closed
wants to merge 1 commit into from
Closed

provider/aws: Use the GroupName in EC2-Classic security group #5184

wants to merge 1 commit into from

Conversation

ephemeralsnow
Copy link
Contributor

It is related to #4983

This PR is a fix of the problems that are caused by repeating the terraform apply.

The fixes is the following.

  • The EC2-Classic will use the GroupName rather than the GroupId.
  • Handling of the OwnerId. For example, amazon-elb/amazon-elb-sg

test.tf.json

variable "external_security_groups" {
    default = {
        amazon-elb-sg = "amazon-elb/amazon-elb-sg"
        other         = "other"
    }
}

resource "aws_instance" "test" {
    ami = "ami-383c1956"
    instance_type = "m3.medium"
    security_groups = [
        "${aws_security_group.test.name}"
    ]
    count = 1
}

resource "aws_security_group" "test" {
    name = "test"

    ingress = {
        protocol  = "tcp"
        from_port = 22
        to_port   = 22
        security_groups = [
            "${var.external_security_groups.other}"
        ]
    }

    ingress = {
        protocol  = "tcp"
        from_port = 80
        to_port   = 80
        self      = true
        security_groups = [
            "${var.external_security_groups.amazon-elb-sg}"
        ]
    }
}

Part of the terraform.tfstate that have been created by running the terraform apply on v0.6.11.

"aws_security_group.test": {
    "type": "aws_security_group",
    "primary": {
        "id": "sg-5b7c865b",
        "attributes": {
            "description": "Managed by Terraform",
            "egress.#": "0",
            "id": "sg-5b7c865b",
            "ingress.#": "2",
            "ingress.2988994747.cidr_blocks.#": "0",
            "ingress.2988994747.from_port": "80",
            "ingress.2988994747.protocol": "tcp",
            "ingress.2988994747.security_groups.#": "1",
            "ingress.2988994747.security_groups.4257846120": "sg-d2c979d3",
            "ingress.2988994747.self": "true",
            "ingress.2988994747.to_port": "80",
            "ingress.4120346219.cidr_blocks.#": "0",
            "ingress.4120346219.from_port": "22",
            "ingress.4120346219.protocol": "tcp",
            "ingress.4120346219.security_groups.#": "1",
            "ingress.4120346219.security_groups.3428955302": "sg-24adc325",
            "ingress.4120346219.self": "false",
            "ingress.4120346219.to_port": "22",
            "name": "test",
            "tags.#": "0",
            "vpc_id": ""
        }
    }
}

Part of the terraform.tfstate that have been created by running the terraform apply on this PR.

"aws_security_group.test": {
    "type": "aws_security_group",
    "primary": {
        "id": "sg-f77e84f7",
        "attributes": {
            "description": "Managed by Terraform",
            "egress.#": "0",
            "id": "sg-f77e84f7",
            "ingress.#": "2",
            "ingress.2205382729.cidr_blocks.#": "0",
            "ingress.2205382729.from_port": "22",
            "ingress.2205382729.protocol": "tcp",
            "ingress.2205382729.security_groups.#": "1",
            "ingress.2205382729.security_groups.2282622326": "admin",
            "ingress.2205382729.self": "false",
            "ingress.2205382729.to_port": "22",
            "ingress.711875606.cidr_blocks.#": "0",
            "ingress.711875606.from_port": "80",
            "ingress.711875606.protocol": "tcp",
            "ingress.711875606.security_groups.#": "1",
            "ingress.711875606.security_groups.1062146483": "amazon-elb/amazon-elb-sg",
            "ingress.711875606.self": "true",
            "ingress.711875606.to_port": "80",
            "name": "test",
            "tags.#": "0",
            "vpc_id": ""
        }
    }
}

@ephemeralsnow ephemeralsnow mentioned this pull request Feb 18, 2016
Closed
@ephemeralsnow ephemeralsnow force-pushed the bugfix/ec2_classic_security_group branch from 3046200 to 0c3b159 Compare February 24, 2016 09:54
@ephemeralsnow
Copy link
Contributor Author

rebased

@ephemeralsnow ephemeralsnow changed the title Use the GroupName in EC2-Classic security group provider/aws: Use the GroupName in EC2-Classic security group Feb 25, 2016
@ephemeralsnow ephemeralsnow mentioned this pull request Mar 2, 2016
Closed
@ephemeralsnow ephemeralsnow force-pushed the bugfix/ec2_classic_security_group branch from 0c3b159 to 4c23103 Compare March 4, 2016 08:39
@catsby
Copy link
Member

catsby commented Mar 8, 2016

Hey @ephemeralsnow – sorry for the silence here, I'm just returning from a leave.

I like your implementation over mine in #4983, but in testing I've hit a snag.

Consider this tf config:

provider "aws" {
  region = "us-east-1"
}

resource "aws_security_group" "other_web" {
  name        = "tf_other_acc_tests"
  description = "Used in the terraform acceptance tests"

  tags {
    Name = "tf-acc-test"
  }
}

resource "aws_security_group" "web" {
  name        = "terraform_acceptance_test_example"
  description = "Used in the terraform acceptance tests"

  ingress {
    protocol        = "tcp"
    from_port       = 80
    to_port         = 8000
    security_groups = ["${aws_security_group.other_web.name}"]
  }

  ingress = {
    protocol  = "tcp"
    from_port = 80
    to_port   = 80
    self      = true

    security_groups = [
      "${aws_elb.bar.source_security_group}",
      #"amazon-elb/amazon-elb-sg",
    ]
  }

  tags {
    Name = "tf-acc-test"
  }
}

# Create a new load balancer
resource "aws_elb" "bar" {
  name               = "foobar-terraform-elb"
  availability_zones = ["us-east-1d", "us-east-1c"]

  listener {
    instance_port     = 8000
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  tags {
    Name = "foobar-terraform-elb"
  }
}

output "elb_sg" {
  value = "${aws_elb.bar.source_security_group}"
}

The important part there is the ${aws_elb.bar.source_security_group} reference in the web security group. We're gathering that in aws_elb.go and we only end up with the name part, not the owner id part.

In your example in 4983 you're using the combination, though we need to support both. I'm curious if you have thoughts on how best to do that? My first inclination is to special case any time we get "amazon-elb-sg" as a security group, and automatically prepend "amazon-elb" to it. Honestly though, I don't use EC2 Classic that much so I'm curious if you had thoughts on that.

@ephemeralsnow
Copy link
Contributor Author

Hey @catsby

I tried to test the this change. (prepend the owner id)
ephemeralsnow/terraform@bugfix/ec2_classic_security_group...ephemeralsnow:test/pr5184/issuecomment-194005675

  • A part of result in EC2-Classic. works fine.
"outputs": {
    "elb_sg": "amazon-elb/amazon-elb-sg"
},
"resources": {
    "aws_elb.bar": {
        "type": "aws_elb",
        "primary": {
            "id": "foobar-terraform-elb",
            "attributes": {
                "availability_zones.#": "2",
                "availability_zones.2762590996": "us-east-1d",
                "availability_zones.986537655": "us-east-1c",
                "id": "foobar-terraform-elb",
                "name": "foobar-terraform-elb",
                "security_groups.#": "0",
                "source_security_group": "amazon-elb/amazon-elb-sg"
            }
        }
    },
    "aws_security_group.other_web": {
        "type": "aws_security_group",
        "primary": {
            "id": "sg-0d223f67",
            "attributes": {
                "egress.#": "0",
                "id": "sg-0d223f67",
                "ingress.#": "0",
                "name": "tf_other_acc_tests",
                "owner_id": "0123456789"
            }
        }
    },
    "aws_security_group.web": {
        "type": "aws_security_group",
        "depends_on": [
            "aws_elb.bar",
            "aws_security_group.other_web"
        ],
        "primary": {
            "id": "sg-d7223fbd",
            "attributes": {
                "egress.#": "0",
                "id": "sg-d7223fbd",
                "ingress.#": "2",
                "ingress.2770275604.cidr_blocks.#": "0",
                "ingress.2770275604.from_port": "80",
                "ingress.2770275604.protocol": "tcp",
                "ingress.2770275604.security_groups.#": "1",
                "ingress.2770275604.security_groups.1579452417": "tf_other_acc_tests",
                "ingress.2770275604.self": "false",
                "ingress.2770275604.to_port": "8000",
                "ingress.711875606.cidr_blocks.#": "0",
                "ingress.711875606.from_port": "80",
                "ingress.711875606.protocol": "tcp",
                "ingress.711875606.security_groups.#": "1",
                "ingress.711875606.security_groups.1062146483": "amazon-elb/amazon-elb-sg",
                "ingress.711875606.self": "true",
                "ingress.711875606.to_port": "80",
                "name": "terraform_acceptance_test_example",
                "owner_id": "0123456789"
            }
        }
    }
}
  • A part of result in VPC.
    I added a few changes to the config.
    And it was changed from ${aws_elb.bar.source_security_group} to ${aws_elb.bar.source_security_group_id}.
    This seems to work well.
"outputs": {
    "elb_sg": "0123456789/default"
},
"resources": {
    "aws_elb.bar": {
        "type": "aws_elb",
        "primary": {
            "id": "foobar-terraform-elb",
            "attributes": {
                "availability_zones.#": "2",
                "availability_zones.2762590996": "us-east-1d",
                "availability_zones.986537655": "us-east-1c",
                "id": "foobar-terraform-elb",
                "internal": "true",
                "name": "foobar-terraform-elb",
                "security_groups.#": "1",
                "security_groups.3303078197": "sg-59da6321",
                "source_security_group": "0123456789/default",
                "source_security_group_id": "sg-59da6321",
                "subnets.#": "2",
                "subnets.2204613306": "subnet-da70ecac",
                "subnets.851475844": "subnet-517bd67b"
            }
        }
    },
    "aws_security_group.other_web": {
        "type": "aws_security_group",
        "primary": {
            "id": "sg-9cc47de4",
            "attributes": {
                "egress.#": "0",
                "id": "sg-9cc47de4",
                "ingress.#": "0",
                "name": "tf_other_acc_tests",
                "owner_id": "0123456789",
                "vpc_id": "vpc-e66d5a82"
            }
        }
    },
    "aws_security_group.web": {
        "type": "aws_security_group",
        "depends_on": [
            "aws_elb.bar",
            "aws_security_group.other_web"
        ],
        "primary": {
            "id": "sg-8ec47df6",
            "attributes": {
                "egress.#": "0",
                "id": "sg-8ec47df6",
                "ingress.#": "2",
                "ingress.1464029306.cidr_blocks.#": "0",
                "ingress.1464029306.from_port": "80",
                "ingress.1464029306.protocol": "tcp",
                "ingress.1464029306.security_groups.#": "1",
                "ingress.1464029306.security_groups.2915257036": "sg-9cc47de4",
                "ingress.1464029306.self": "false",
                "ingress.1464029306.to_port": "8000",
                "ingress.2815128728.cidr_blocks.#": "0",
                "ingress.2815128728.from_port": "80",
                "ingress.2815128728.protocol": "tcp",
                "ingress.2815128728.security_groups.#": "1",
                "ingress.2815128728.security_groups.3303078197": "sg-59da6321",
                "ingress.2815128728.self": "true",
                "ingress.2815128728.to_port": "80",
                "name": "terraform_acceptance_test_example",
                "owner_id": "0123456789",
                "vpc_id": "vpc-e66d5a82"
            }
        }
    }
}

In EC2-Classic, I think ${aws_elb.bar.source_security_group} is always to be the amazon-elb/amazon-elb-sg, I believe that there is no problem in this fix.
Also in the following pages have been written so.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-groups.html

In EC2-Classic, Elastic Load Balancing provides a special source security group that you can use to ensure that back-end instances receives traffic only from your load balancer.
You can't modify this source security group.

In VPC, I think that there is no problem because it use the ${aws_elb.bar.source_security_group_id}.

Please tell me if there is a place likely to be a problem something to the other.

Thanks

@catsby
Copy link
Member

catsby commented Mar 9, 2016

Hey @ephemeralsnow thanks for the reply. I agree and think this will work out, so I'm going to take your branch and merge in some of my tests from mine and post a new PR with the two combined, then likely merge that.

Thanks for your help and work here!

@ephemeralsnow
Copy link
Contributor Author

Please do not forget to fix the document.
https://github.com/hashicorp/terraform/pull/4983/files#r51801104
master...ephemeralsnow:doc/ec2_security_group

:D

catsby pushed a commit that referenced this pull request Mar 9, 2016
@ephemeralsnow @catsby
provider/aws: Fix EC2 Classic SG Rule issue
54cb5ff 
Fixes an issue where security groups would fail to update after applying an
initial security_group, because we were improperly saving the id of the group
and not the name (EC2 Classic only).

This is a PR combining #4983 and
#5184 . It's majority
@ephemeralsnow's work.
@catsby catsby mentioned this pull request Mar 9, 2016
Merged
@catsby
Copy link
Member

catsby commented Mar 9, 2016

Consolidated into #5533

@catsby catsby closed this Mar 9, 2016
grubernaut pushed a commit to hashicorp/terraform-provider-aws that referenced this pull request Jun 9, 2017
@ephemeralsnow @catsby
provider/aws: Fix EC2 Classic SG Rule issue
6354cfb 
Fixes an issue where security groups would fail to update after applying an
initial security_group, because we were improperly saving the id of the group
and not the name (EC2 Classic only).

This is a PR combining hashicorp/terraform#4983 and
hashicorp/terraform#5184 . It's majority
@ephemeralsnow's work.
@ghost
Copy link

ghost commented Apr 27, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 27, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
bug provider/aws
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ephemeralsnow @catsby