-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update of cidr_blocks in ingress_with_cidr_blocks forces new resource #67
Comments
Hi Andres! The code you have is good and every time you change IPs it just recreates new Please tell me if I am missing the point of what you are trying to do. |
I suspect the issue, which I have as well, is not about it regenerating a security group. The issue is that in order to alter the cidr list, this actually removes the entire existing rule set, and then creates a new one. So in practice, this means you have a brief moment where your security group no longer has any of the rules from the list. So say we have cidr_blocks a, b and c. |
does setting proper lifecycle solve the problem?
|
I'm seeing this same issue as well. I tried applying the lifecycle, but that didn't work. I get the error Like @aolley mentioned, I think the problem is the rules get dropped before the new ones are added. Here's an example where I switched the ingress cidr block from
|
@mikealbert Could you paste the complete code which fails and tell which argument you are changing. I will try to run it myself and see if there is anything we can do to improve this module. |
Sure. Here's what I've been testing with.
Updating |
I tested it as well for Terraform 0.11 and 0.12 (using latest release), and it works as expected. It deletes rules one by one and recreates them. I also tried to change the number of blocks in |
Thanks for testing. I'm new to terraform, so I might be misinterpreting the output but I think the question is can the new rules be created before the old ones are dropped. So if a single Perhaps it'd be better to just add the new cidr block to the list, apply, remove the old cidr block and then apply. Thanks again for the help. |
You are welcome! Terraform should do this for you natively, so you don't have to apply this in multiple steps. In the output individual rules are being created after deletion which is the right way. Closing this issue. |
We want the new rules created before the old ones are deleted in order to avoid a brief outage. |
Right, I read that, the solution proposed won't work sure. But that doesn't mean the problem doesn't exist anymore. If you're suggesting there's no way to address the issue within this module due to whatever limitations imposed on it from how terraform does things - then that's fine. But it's definitely possible to edit an existing security group in-place via the AWS console without having to delete all the rules in it and re-add them (last I checked at least). |
There is a limitation in Terraform and, as a result, this module identifies individual rules by index. For example, when the new rule is added at the beginning then all rules after that are recreated because their index has increased. I don't think we can do anything with it without increasing complexity very much. |
Fair enough, I was afraid that was the case. At least there's a workaround for when this does come up :) |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Hi,
I have the following state (https://gist.github.com/amontalban/0af3064d958f2d1e648848f342b34b2f) and whenever I add/remove an IP to sysadmins_networks variable it produces:
Thing is that I have to frequently add/remove IPs from security groups, I have been doing this by using plain Terraform security groups just fine but can't find the way to do it with this module.
Any input is highly appreciated!
Thanks!
The text was updated successfully, but these errors were encountered: