
Associating pre-existing Security Group Rules to resource.aws_security_group_rule #742

Open
hashibot opened this issue Jun 13, 2017 · 0 comments

Comments

@hashibot

commented Jun 13, 2017

This issue was originally opened by @nateww as hashicorp/terraform#14207. It was migrated here as part of the provider split. The original body of the issue is below.


Terraform Version

We're using 0.8.8, but the behavior is identical in 0.9.3/0.9.4

Affected Resource(s)

resource.aws_security_group and resource.aws_security_group_rule


Terraform Configuration Files

TF file representing an existing AWS security group

resource "aws_security_group" "prod_stuffs" {
  vpc_id      = "${var.aws_vpc}"
  name        = "Security Group for Production Stuff"
  description = "Allows access to stuff"

  tags {
    Terraform   = "true"
  }
}

# No Egress rules are necessary since these are added to existing nodes

resource "aws_security_group_rule" "stuff_allow_tcp" {
  type              = "ingress"
  from_port         = 12345
  to_port           = 12345
  protocol          = "tcp"
  cidr_blocks       = "${list(lookup(var.subnets_cidrs, "yellow"))}"
  security_group_id = "${aws_security_group.prod_stuffs.id}"
}

I'd like to add a new rule, so I appended the following to the end of the above file:

resource "aws_security_group_rule" "stuff_allow_icmp" {
  type              = "ingress"
  # For protocol "icmp", from_port is the ICMP type and to_port the ICMP code
  from_port         = 8
  to_port           = 0
  protocol          = "icmp"
  cidr_blocks       = "${list(lookup(var.remote_cidrs, "other-vpc"))}"
  security_group_id = "${aws_security_group.prod_stuffs.id}"
}

Expected Behavior

We manually added the above rule (as well as an egress rule that allows all traffic).

Because of already reported issues with TF and AWS security groups (and the fact that we've been bitten hard by these bugs in the last few months), we will NOT use TF to modify either security groups or rules, nor to apply security groups to resources, which leaves our instances unable to communicate, and our services fail.

Therefore, we added our new rule manually via the AWS CLI. However, there is no way to associate the newly added rule with TF. TF knows the new rules exist, but it neither reports that the security group is out of sync with TF, nor do I know how to associate the above rule with the existing SG.

Steps to Reproduce


  1. Create Security Group using Terraform
  2. Realize that Security Group needs new rules
  3. Manually add the new rule to the existing SG using the AWS CLI
  4. Edit the TF file that was used to create the SG by adding a new rule, and attempt to associate the newly added resource.aws_security_group_rule to the AWS rule.

In addition, we have new rules in place on the security group, and I would have expected TF to complain about existing rules that should be removed as they are not represented in the definition files provided to terraform.

Note, here is the (redacted) output of the terraform state, which shows both the existing and new rules, of which only one matches the TF files.

% terraform state show aws_security_group.prod_stuffs
id                                            = sg-15b3096e
description                                   = Allows profile access to stuff
egress.#                                      = 1
egress.482069346.cidr_blocks.#                = 1
egress.482069346.cidr_blocks.0                = 0.0.0.0/0
egress.482069346.from_port                    = 0
egress.482069346.prefix_list_ids.#            = 0
egress.482069346.protocol                     = -1
egress.482069346.security_groups.#            = 0
egress.482069346.self                         = false
egress.482069346.to_port                      = 0
ingress.#                                     = 3
ingress.2145115223.cidr_blocks.#              = 1
ingress.2145115223.cidr_blocks.0              = 10.10.1.0/24
ingress.2145115223.from_port                  = 8
ingress.2145115223.protocol                   = icmp
ingress.2145115223.security_groups.#          = 0
ingress.2145115223.self                       = false
ingress.2145115223.to_port                    = -1
ingress.3696632892.cidr_blocks.#              = 1
ingress.3696632892.cidr_blocks.0              = 10.0.2.0/24
ingress.3696632892.from_port                  = 19389
ingress.3696632892.protocol                   = tcp
ingress.3696632892.security_groups.#          = 0
ingress.3696632892.self                       = false
ingress.3696632892.to_port                    = 19389
ingress.4127962015.cidr_blocks.#              = 0
ingress.4127962015.from_port                  = 19389
ingress.4127962015.protocol                   = tcp
ingress.4127962015.security_groups.#          = 1
ingress.4127962015.security_groups.2968368645 = sg-a720c8c8
ingress.4127962015.self                       = false
ingress.4127962015.to_port                    = 19389
name                                          = Security Group for Production Profile
owner_id                                      = 382513426234
tags.%                                        = 3
tags.Environment                              = staging
tags.Name                                     = Production Profile Proxy Security Group
tags.Terraform                                = true
vpc_id                                        = vpc-asdfasdfadf

References

hashicorp/terraform#11011
hashicorp/terraform#12252 - We've switched to using separate aws_security_group and aws_security_group_rule resources, both for documentation purposes and because of this.
hashicorp/terraform#13314
hashicorp/terraform#13827

@hashibot hashibot added the bug label Jun 13, 2017
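The security-relevant point in this report is the silent drift: two rules that exist on the group but not in code (an egress allow-all to 0.0.0.0/0 and an ingress from sg-a720c8c8) never surface in a plan, because the group is declared without inline ingress/egress blocks and the rules are kept in separate aws_security_group_rule resources. Until the provider can import such rules, the practical check is an out-of-band diff between what AWS holds and what the HCL declares. The script below is an added example for this issue, not the reporter's code and not part of the AWS provider: it parses the flat `terraform state show` output quoted above (embedded here as a constructed sample) and reports rules that are unmanaged (present in AWS, absent from code) and rules that are missing (declared, but not present as written). The CIDRs in the declared list are assumptions, taken from the state output because the issue resolves them through var lookups that are not shown; the TCP port 19389 is likewise taken from the state rather than the redacted 12345 in the config. Note that for protocol "icmp" AWS treats from_port as the ICMP type and to_port as the ICMP code, with -1 meaning any code, which is why the manually added type-8 rule (to_port = -1) does not match the declared one (to_port = 0).

```python
"""Out-of-band drift check for an aws_security_group whose rules live in
separate aws_security_group_rule resources.

Added example for this issue (not the reporter's code, not the provider's).
"""
from collections import defaultdict

# Constructed sample: the redacted `terraform state show` output from the issue,
# trimmed to the id and the ingress/egress attributes.
STATE_SHOW = """\
id                                            = sg-15b3096e
egress.#                                      = 1
egress.482069346.cidr_blocks.#                = 1
egress.482069346.cidr_blocks.0                = 0.0.0.0/0
egress.482069346.from_port                    = 0
egress.482069346.prefix_list_ids.#            = 0
egress.482069346.protocol                     = -1
egress.482069346.security_groups.#            = 0
egress.482069346.self                         = false
egress.482069346.to_port                      = 0
ingress.#                                     = 3
ingress.2145115223.cidr_blocks.#              = 1
ingress.2145115223.cidr_blocks.0              = 10.10.1.0/24
ingress.2145115223.from_port                  = 8
ingress.2145115223.protocol                   = icmp
ingress.2145115223.security_groups.#          = 0
ingress.2145115223.self                       = false
ingress.2145115223.to_port                    = -1
ingress.3696632892.cidr_blocks.#              = 1
ingress.3696632892.cidr_blocks.0              = 10.0.2.0/24
ingress.3696632892.from_port                  = 19389
ingress.3696632892.protocol                   = tcp
ingress.3696632892.security_groups.#          = 0
ingress.3696632892.self                       = false
ingress.3696632892.to_port                    = 19389
ingress.4127962015.cidr_blocks.#              = 0
ingress.4127962015.from_port                  = 19389
ingress.4127962015.protocol                   = tcp
ingress.4127962015.security_groups.#          = 1
ingress.4127962015.security_groups.2968368645 = sg-a720c8c8
ingress.4127962015.self                       = false
ingress.4127962015.to_port                    = 19389
"""

# Mirrors the two aws_security_group_rule resources in the issue. CIDR values
# are assumptions (the issue resolves them via var lookups that are not shown).
DECLARED = [
    {"type": "ingress", "protocol": "tcp", "from_port": 19389, "to_port": 19389,
     "cidr_blocks": ["10.0.2.0/24"]},
    {"type": "ingress", "protocol": "icmp", "from_port": 8, "to_port": 0,
     "cidr_blocks": ["10.10.1.0/24"]},
]


def parse_state_show(text):
    """Turn the flat `key = value` state output into one dict per rule block."""
    rules = defaultdict(lambda: {"cidr_blocks": [], "security_groups": []})
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        parts = key.split(".")
        # Only ingress.<hash>.<field>[.<idx>] lines describe a rule; skip counts.
        if parts[0] not in ("ingress", "egress") or len(parts) < 3 or parts[-1] == "#":
            continue
        direction, rule_hash, field = parts[0], parts[1], parts[2]
        rule = rules[(direction, rule_hash)]
        rule["direction"] = direction
        if field in ("cidr_blocks", "security_groups"):
            rule[field].append(value)
        else:
            rule[field] = value
    return list(rules.values())


def expand(rule):
    """One (direction, protocol, from_port, to_port, source) atom per source."""
    sources = [("cidr", c) for c in rule["cidr_blocks"]]
    sources += [("sg", g) for g in rule["security_groups"]]
    if rule.get("self") == "true":
        sources.append(("self", "self"))
    return {(rule["direction"], rule["protocol"], int(rule["from_port"]),
             int(rule["to_port"]), src) for src in sources}


def declared_atoms(declared):
    """Same atom shape for the aws_security_group_rule resources in code."""
    atoms = set()
    for r in declared:
        for c in r.get("cidr_blocks", []):
            atoms.add((r["type"], r["protocol"], r["from_port"], r["to_port"], ("cidr", c)))
        if r.get("source_security_group_id"):
            atoms.add((r["type"], r["protocol"], r["from_port"], r["to_port"],
                       ("sg", r["source_security_group_id"])))
    return atoms


def drift(state_text, declared):
    """Rules AWS has but code does not (unmanaged), and vice versa (missing)."""
    actual = set().union(*(expand(r) for r in parse_state_show(state_text)))
    wanted = declared_atoms(declared)
    return {"unmanaged": sorted(actual - wanted), "missing": sorted(wanted - actual)}


def wide_open(atoms):
    """Unmanaged atoms that allow every protocol and port to or from anywhere."""
    return [a for a in atoms if a[1] == "-1" and a[4] == ("cidr", "0.0.0.0/0")]


if __name__ == "__main__":
    result = drift(STATE_SHOW, DECLARED)
    for kind in ("unmanaged", "missing"):
        for atom in result[kind]:
            print(f"{kind:9} {atom[0]:7} {atom[1]:4} {atom[2]}-{atom[3]} from {atom[4][1]}")
    for atom in wide_open(result["unmanaged"]):
        print("ALLOW-ALL rule not in code:", atom)
```

Run against the quoted state this flags three unmanaged rules (the egress allow-all, the ICMP type 8/any-code rule, and the TCP 19389 ingress from sg-a720c8c8) and one missing rule (the declared ICMP type 8/code 0), which is exactly the gap the reporter says `terraform plan` stays silent about. Feeding it live data instead of the sample means piping `terraform state show aws_security_group.<name>` into `drift()`, since the parser only depends on that key=value layout.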
