Workaround for bug when updating description of a rule with protocol …
…all (#34)

* Workaround for bug when updating description of a rule with protocol all

Error:

"Error updating security group rule description:
InvalidParameterValue: When protocol is ALL, you cannot specify
from-port."

Issue:
hashicorp/terraform-provider-aws#1920

* Add known issues to README
nazartm authored and antonbabenko committed Jan 16, 2018
1 parent 1e365b8 commit f4b4368
Showing 2 changed files with 45 additions and 0 deletions.
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -102,6 +102,11 @@ How to add/update rules/groups?

Rules and groups are defined in [rules.tf](rules.tf). Run `update_groups.sh` when content of that file has changed to recreate content of all automatic modules.

Known issues
------------

* Due to an [issue #1920](https://github.com/terraform-providers/terraform-provider-aws/issues/1920) in AWS provider, updates to the `description` of security group rules are ignored by this module. If you need to update `description` after the security group has been created you need to recreate security group rule.

Authors
-------

40 changes: 40 additions & 0 deletions main.tf
Expand Up @@ -29,6 +29,10 @@ resource "aws_security_group_rule" "ingress_rules" {
from_port = "${element(var.rules[var.ingress_rules[count.index]], 0)}"
to_port = "${element(var.rules[var.ingress_rules[count.index]], 1)}"
protocol = "${element(var.rules[var.ingress_rules[count.index]], 2)}"

lifecycle {
ignore_changes = ["description"]
}
}

##########################
Expand All @@ -49,6 +53,10 @@ resource "aws_security_group_rule" "ingress_with_source_security_group_id" {
from_port = "${lookup(var.ingress_with_source_security_group_id[count.index], "from_port", element(var.rules[lookup(var.ingress_with_source_security_group_id[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.ingress_with_source_security_group_id[count.index], "to_port", element(var.rules[lookup(var.ingress_with_source_security_group_id[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.ingress_with_source_security_group_id[count.index], "protocol", element(var.rules[lookup(var.ingress_with_source_security_group_id[count.index], "rule", "_")], 2))}"

lifecycle {
ignore_changes = ["description"]
}
}

# Security group rules with "cidr_blocks", but without "ipv6_cidr_blocks", "source_security_group_id" and "self"
Expand All @@ -65,6 +73,10 @@ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
from_port = "${lookup(var.ingress_with_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.ingress_with_cidr_blocks[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.ingress_with_cidr_blocks[count.index], "to_port", element(var.rules[lookup(var.ingress_with_cidr_blocks[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.ingress_with_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.ingress_with_cidr_blocks[count.index], "rule", "_")], 2))}"

lifecycle {
ignore_changes = ["description"]
}
}

# Security group rules with "ipv6_cidr_blocks", but without "cidr_blocks", "source_security_group_id" and "self"
Expand All @@ -81,6 +93,10 @@ resource "aws_security_group_rule" "ingress_with_ipv6_cidr_blocks" {
from_port = "${lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "to_port", element(var.rules[lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.ingress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 2))}"

lifecycle {
ignore_changes = ["description"]
}
}

# Security group rules with "self", but without "cidr_blocks" and "source_security_group_id"
Expand All @@ -98,6 +114,10 @@ resource "aws_security_group_rule" "ingress_with_self" {
from_port = "${lookup(var.ingress_with_self[count.index], "from_port", element(var.rules[lookup(var.ingress_with_self[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.ingress_with_self[count.index], "to_port", element(var.rules[lookup(var.ingress_with_self[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.ingress_with_self[count.index], "protocol", element(var.rules[lookup(var.ingress_with_self[count.index], "rule", "_")], 2))}"

lifecycle {
ignore_changes = ["description"]
}
}

#################
Expand All @@ -122,6 +142,10 @@ resource "aws_security_group_rule" "egress_rules" {
from_port = "${element(var.rules[var.egress_rules[count.index]], 0)}"
to_port = "${element(var.rules[var.egress_rules[count.index]], 1)}"
protocol = "${element(var.rules[var.egress_rules[count.index]], 2)}"

lifecycle {
ignore_changes = ["description"]
}
}

#########################
Expand All @@ -142,6 +166,10 @@ resource "aws_security_group_rule" "egress_with_source_security_group_id" {
from_port = "${lookup(var.egress_with_source_security_group_id[count.index], "from_port", element(var.rules[lookup(var.egress_with_source_security_group_id[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.egress_with_source_security_group_id[count.index], "to_port", element(var.rules[lookup(var.egress_with_source_security_group_id[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.egress_with_source_security_group_id[count.index], "protocol", element(var.rules[lookup(var.egress_with_source_security_group_id[count.index], "rule", "_")], 2))}"

lifecycle {
ignore_changes = ["description"]
}
}

# Security group rules with "cidr_blocks", but without "ipv6_cidr_blocks", "source_security_group_id" and "self"
Expand All @@ -158,6 +186,10 @@ resource "aws_security_group_rule" "egress_with_cidr_blocks" {
from_port = "${lookup(var.egress_with_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.egress_with_cidr_blocks[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.egress_with_cidr_blocks[count.index], "to_port", element(var.rules[lookup(var.egress_with_cidr_blocks[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.egress_with_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.egress_with_cidr_blocks[count.index], "rule", "_")], 2))}"

lifecycle {
ignore_changes = ["description"]
}
}

# Security group rules with "ipv6_cidr_blocks", but without "cidr_blocks", "source_security_group_id" and "self"
Expand All @@ -174,6 +206,10 @@ resource "aws_security_group_rule" "egress_with_ipv6_cidr_blocks" {
from_port = "${lookup(var.egress_with_ipv6_cidr_blocks[count.index], "from_port", element(var.rules[lookup(var.egress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.egress_with_ipv6_cidr_blocks[count.index], "to_port", element(var.rules[lookup(var.egress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.egress_with_ipv6_cidr_blocks[count.index], "protocol", element(var.rules[lookup(var.egress_with_ipv6_cidr_blocks[count.index], "rule", "_")], 2))}"

lifecycle {
ignore_changes = ["description"]
}
}

# Security group rules with "self", but without "cidr_blocks" and "source_security_group_id"
Expand All @@ -191,6 +227,10 @@ resource "aws_security_group_rule" "egress_with_self" {
from_port = "${lookup(var.egress_with_self[count.index], "from_port", element(var.rules[lookup(var.egress_with_self[count.index], "rule", "_")], 0))}"
to_port = "${lookup(var.egress_with_self[count.index], "to_port", element(var.rules[lookup(var.egress_with_self[count.index], "rule", "_")], 1))}"
protocol = "${lookup(var.egress_with_self[count.index], "protocol", element(var.rules[lookup(var.egress_with_self[count.index], "rule", "_")], 2))}"

lifecycle {
ignore_changes = ["description"]
}
}

################
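Review bot: The `lifecycle { ignore_changes = ["description"] }` block is added to every `aws_security_group_rule` resource in main.tf without a comment explaining that it is a workaround, so a maintainer reading the .tf file alone (the rationale lives only in the README and the commit message) has no way to know when it can be removed, and the same applies to all ten hunks (`ingress_rules` through `egress_with_self`). The effect is broader than the bug it works around: the provider error quoted in the description only occurs when protocol is "all", but the ignore applies to every rule, so from now on `terraform plan` will not report drift when the deployed description of any rule stops matching the one declared in code — and descriptions are often the only place a rule's justification is recorded for audit. I would add the same comment above each `lifecycle` block, e.g. `# Workaround for terraform-provider-aws issue #1920: updating "description" fails with "When protocol is ALL, you cannot specify from-port". Side effect: description drift is no longer detected. Remove once the provider fix is released.` Each `resource` block begins before its hunk, so only the tail of each resource is visible here.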