This repository has been archived by the owner on Jul 26, 2021. It is now read-only.

Terraform Crashes on Security Group Removal #2

Closed
Evesy opened this issue Jun 16, 2017 · 0 comments

Comments


Evesy commented Jun 16, 2017

Terraform Version

Terraform v0.9.8

Affected Resource(s)

Please list the resources as a list, for example:

  • cloudstack_security_group
  • cloudstack_security_group_rule

Terraform Configuration Files

resource "cloudstack_security_group" "scalr-client" {
  name        = "Scalr Client"
  description = "Allows Scalr/Scalarizr communication"
}

resource "cloudstack_security_group" "shippr" {
  name        = "Shippr"
  description = "Rules for Shippr deployed java apps"
}

resource "cloudstack_security_group" "ssh" {
  name        = "SSH"
  description = "Allow SSH access to a server"
}

resource "cloudstack_security_group" "consul" {
  name        = "Consul"
  description = "Rules required for Consul agents"
}

resource "cloudstack_security_group" "ping" {
  name        = "ICMP Ping"
  description = "Enables ICMP"
}

resource "cloudstack_security_group_rule" "scalr-client" {
  security_group_id = "${cloudstack_security_group.scalr-client.id}"

  rule {
    cidr_list = ["0.0.0.0/0"]
    protocol  = "tcp"
    ports     = ["80", "443", "8007-8014"]
  }
}

resource "cloudstack_security_group_rule" "shippr" {
  security_group_id = "${cloudstack_security_group.shippr.id}"

  rule {
    cidr_list = ["0.0.0.0/0"]
    protocol  = "tcp"
    ports     = ["80", "8080", "9080", "19999"]
  }
}

resource "cloudstack_security_group_rule" "ssh" {
  security_group_id = "${cloudstack_security_group.ssh.id}"

  rule {
    cidr_list = ["0.0.0.0/0"]
    protocol  = "tcp"
    ports     = ["22"]
  }
}

resource "cloudstack_security_group_rule" "consul" {
  security_group_id = "${cloudstack_security_group.consul.id}"

  rule {
    cidr_list = ["0.0.0.0/0"]
    protocol  = "tcp"
    ports     = ["8300-8302", "8400", "8500", "8600"]
  }
  rule {
    cidr_list = ["0.0.0.0/0"]
    protocol  = "udp"
    ports     = ["8301-8302", "8600"]
  }
}

resource "cloudstack_security_group_rule" "ping" {
  security_group_id = "${cloudstack_security_group.ping.id}"

  rule {
    cidr_list = ["0.0.0.0/0"]
    protocol  = "icmp"
    icmp_type = "8"
  }
}

terraform {
  backend "s3" {
    bucket = "<BUCKET>"
    key    = "cloudstack.tfstate"
    region = "eu-west-1"
  }
}

Debug Output

https://gist.github.com/Evesy/f770afc68a1f8cd8c005e8443c03773a

Panic Output

https://gist.github.com/Evesy/429b8d202b774480d5ade503354cadc9

Expected Behavior

  • When an individual rule is deleted within a security group (e.g. via the GUI) Terraform should detect this rule no longer exists and recreate it.
  • When an entire security group is deleted, Terraform should recreate the group

Actual Behavior

  • Terraform does not detect missing rules within groups, even after a refresh
  • If a Terraform managed security group is deleted, Terraform will crash on the next plan stage

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Apply the above configuration via Terraform: terraform apply
  2. In Cloudstack GUI delete a security rule from one of the groups
  3. Run terraform plan -- The missing rule will not be noticed
  4. In Cloudstack GUI delete a security group
  5. Run terraform plan -- Terraform will crash

(Cloudstack version 4.5.2)
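As an added example, not code from the issue, the Terraform CloudStack provider or CloudStack itself: a small drift check that performs the comparison the reporter expected terraform plan and terraform refresh to do. It transcribes the rules from the configuration above into plain data, normalises a CloudStack listSecurityGroups response into the same (protocol, start, end, cidr) shape, and reports deleted groups, deleted rules and rules added out of band. The API response is constructed for the example (the udp/8600 Consul rule and the whole ICMP Ping group removed, a tcp/3389 rule added to SSH) and its layout is an assumption taken from the CloudStack API documentation, as is the use of -1 for "any ICMP code"; a real run would fetch the response from the API instead of the embedded dict.

```python
"""Drift check for Terraform-managed CloudStack security groups (added example).

Not code from the issue, the provider or CloudStack. The API response below is
constructed; its layout (securitygroup[].ingressrule[] with protocol,
startport/endport or icmptype/icmpcode, and cidr) is an assumption.
"""
from typing import Dict, List, Optional, Set, Tuple

# (protocol, start-or-icmptype, end-or-icmpcode, cidr): one comparable rule key
Rule = Tuple[str, int, int, str]
ANY = "0.0.0.0/0"

# Desired state, transcribed from the cloudstack_security_group_rule blocks above.
DESIRED: Dict[str, List[Tuple[str, List[str], str]]] = {
    "Scalr Client": [("tcp", ["80", "443", "8007-8014"], ANY)],
    "Shippr": [("tcp", ["80", "8080", "9080", "19999"], ANY)],
    "SSH": [("tcp", ["22"], ANY)],
    "Consul": [("tcp", ["8300-8302", "8400", "8500", "8600"], ANY),
               ("udp", ["8301-8302", "8600"], ANY)],
    "ICMP Ping": [("icmp", ["8"], ANY)],  # icmp_type = 8
}


def _rule(proto: str, start: int, end: Optional[int] = None, cidr: str = ANY) -> dict:
    """Build one ingressrule entry in the assumed API shape (constructed data)."""
    return {"protocol": proto, "startport": start,
            "endport": start if end is None else end, "cidr": cidr}


# Constructed response: "ICMP Ping" is gone, Consul lost udp/8600, SSH gained tcp/3389.
ACTUAL = {"listsecuritygroupsresponse": {"count": 5, "securitygroup": [
    {"id": "sg-1", "name": "default", "ingressrule": []},  # CloudStack's built-in group
    {"id": "sg-2", "name": "Scalr Client", "ingressrule": [
        _rule("tcp", 80), _rule("tcp", 443), _rule("tcp", 8007, 8014)]},
    {"id": "sg-3", "name": "Shippr", "ingressrule": [
        _rule("tcp", 80), _rule("tcp", 8080), _rule("tcp", 9080), _rule("tcp", 19999)]},
    {"id": "sg-4", "name": "SSH", "ingressrule": [
        _rule("tcp", 22), _rule("tcp", 3389, cidr="10.0.0.0/8")]},
    {"id": "sg-5", "name": "Consul", "ingressrule": [
        _rule("tcp", 8300, 8302), _rule("tcp", 8400), _rule("tcp", 8500),
        _rule("tcp", 8600), _rule("udp", 8301, 8302)]},
]}}


def expand_ports(spec: str) -> Tuple[int, int]:
    """'22' -> (22, 22); '8007-8014' -> (8007, 8014); rejects inverted ranges."""
    lo, _, hi = spec.partition("-")
    start, end = int(lo), int(hi or lo)
    if start > end:
        raise ValueError(f"inverted port range: {spec}")
    return start, end


def desired_rule_set(desired=DESIRED) -> Dict[str, Set[Rule]]:
    """Flatten the config-style structure into per-group sets of rule keys."""
    out: Dict[str, Set[Rule]] = {}
    for group, specs in desired.items():
        rules: Set[Rule] = set()
        for protocol, ports, cidr in specs:
            for spec in ports:
                if protocol == "icmp":
                    rules.add(("icmp", int(spec), -1, cidr))  # -1: any ICMP code (assumed)
                else:
                    start, end = expand_ports(spec)
                    rules.add((protocol, start, end, cidr))
        out[group] = rules
    return out


def actual_rule_set(response=ACTUAL) -> Dict[str, Set[Rule]]:
    """Normalise a listSecurityGroups response into the same per-group sets."""
    out: Dict[str, Set[Rule]] = {}
    for sg in response["listsecuritygroupsresponse"].get("securitygroup", []):
        rules: Set[Rule] = set()
        for r in sg.get("ingressrule", []):
            proto = r["protocol"].lower()
            if proto == "icmp":
                rules.add(("icmp", int(r["icmptype"]), int(r.get("icmpcode", -1)), r["cidr"]))
            else:
                rules.add((proto, int(r["startport"]), int(r["endport"]), r["cidr"]))
        out[sg["name"]] = rules
    return out


def drift(desired: Dict[str, Set[Rule]], actual: Dict[str, Set[Rule]]) -> dict:
    """Report vanished groups/rules, undeclared rules, and groups outside Terraform."""
    report = {"missing_groups": [], "missing_rules": {}, "unexpected_rules": {}}
    for group, want in desired.items():
        have = actual.get(group)
        if have is None:              # the case that made plan crash
            report["missing_groups"].append(group)
            continue
        if want - have:               # the case refresh silently ignored
            report["missing_rules"][group] = sorted(want - have)
        if have - want:               # access nobody declared in code
            report["unexpected_rules"][group] = sorted(have - want)
    report["unmanaged_groups"] = sorted(set(actual) - set(desired))
    return report


def check() -> dict:
    return drift(desired_rule_set(), actual_rule_set())


if __name__ == "__main__":
    for key, value in check().items():
        print(f"{key}: {value}")
```

Running it prints the deleted group (the case that crashed plan), the deleted Consul rule (the case refresh did not notice), and the SSH rule nobody declared in code. That last direction is the one worth alerting on: the provider compares its own state to the API, so a rule added outside Terraform is invisible to plan and refresh even when they work correctly, and only an independent comparison like this one will surface it.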
