Removing ingress rules from aws_security_group is not detected #4399
Comments
I am also seeing this issue. Removing the last ingress or egress rule from the security group results in no plan being generated. I have tested the following scenarios
I think any change that removes the last rule of either type does not work correctly.

Using separate aws_security_group_rule resources instead of inline rules works around this problem.
Also seeing this.
This does work, unless you are trying to transition from inline ingress rules to separate aws_security_group_rule resources. Then you just get errors back from AWS telling you that you have duplicate rules. A (somewhat ugly) solution that I'm using is to add a dummy ingress rule to force it to remove the real ingress rules as I move them to aws_security_group_rule resources. Then later the dummy rule can be removed (though the actual ingress rule won't be removed until/unless this bug is fixed at some point or someone manually fixes it).

Edit: Actually doing it this way will cause it to cycle back and forth between removing external rules and adding them back in, so there's no good non-manual solution I have found yet.

FYI, there's an open pull request to support
Same problem
I ran into this on egress rules as well. I feel like it is a pretty important bug since

It does make me wonder how many other list-removal-related bugs there are currently if it's systematic to both this, Kubernetes, and other programs written in Go.
What happens if you set ingress/egress to an empty list, rather than removing it entirely?
This worked for me. Thanks!
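As an added illustration (not code from the thread), the distinction the question above turns on, written out in Terraform HCL: omitting the inline block leaves the existing rules unmanaged by the provider, while an explicit empty list is a managed value that the provider enforces. The three resources are alternative versions of one security group shown side by side; the names, description and CIDR are constructed values.

```hcl
# Version 1: the starting point, one inline ingress rule opening port 80.
resource "aws_security_group" "web_before" {
  name        = "web-before"   # constructed name
  description = "web tier, inline rule present"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]  # constructed example value
  }
}

# Version 2: the block is simply deleted from the config. Because `ingress`
# is optional and computed, the provider accepts whatever AWS reports and
# plans no change, so port 80 stays open. This is the behaviour the issue
# reports, and it is a silent exposure: `terraform plan` shows nothing.
resource "aws_security_group" "web_omitted" {
  name        = "web-omitted"
  description = "web tier, inline block removed"
}

# Version 3: the workaround suggested above. An explicit empty list is a
# managed value, so the provider plans and applies removal of every existing
# inline ingress rule. The same applies to egress: AWS creates a default
# allow-all egress rule, and `egress = []` makes Terraform remove it too.
# Do not combine these with separate aws_security_group_rule resources, or
# the two will fight over the rule set on every apply, as described in the
# thread.
resource "aws_security_group" "web_after" {
  name        = "web-after"
  description = "web tier, no rules enforced"

  ingress = []
  egress  = []
}
```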
This one works and can also be applied as a workaround when you tried to use the

Bugged with

```hcl
dynamic "ingress" {
  for_each = var.security_group_ingress_rules
  content {
    from_port       = ingress.value.from_port
    to_port         = ingress.value.to_port
    protocol        = ingress.value.protocol
    cidr_blocks     = ingress.value.cidr_blocks
    security_groups = ingress.value.security_groups
    self            = ingress.value.self
  }
}
```

Workaround using a

```hcl
ingress = [for _, rule in var.security_group_ingress_rules : {
  from_port        = rule.from_port
  to_port          = rule.to_port
  protocol         = rule.protocol
  cidr_blocks      = rule.cidr_blocks
  security_groups  = rule.security_groups
  self             = rule.self
  description      = null
  ipv6_cidr_blocks = null
  prefix_list_ids  = null
}]
```

The downside is that you have to provide all parameters (even the ones that are not required) and set unused to

It's ugly, but it works for now if you cannot use
Two years later, aws provider version 3.58.0 - the issue is still here. It is disappointing that terraform cannot handle resources that are crucial for security well.
Still occurring for me as well on:
This functionality has been released in v5.8.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
This issue was originally opened by @BookOfGreg as hashicorp/terraform#17967. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform Configuration Files
Removing Ingress from a security group has no effect
Before:
After:
Expected Behavior
My security group has no ingress on it
Actual Behavior
My security group still has port 80
References
I've seen issues with similar symptoms for tools written in Go, such as this K8s bug I found:
kubernetes/kubernetes#59482
Not sure if relevant or not, feel free to remove the link from this post if it's a red herring.