Error removing aws_security_group_rule that has self reference rule #1985

Closed
jedi4ever opened this issue May 15, 2015 · 10 comments · Fixed by #2305
Labels
bug provider/aws waiting-response An issue/pull request is waiting for a response from the community

Comments

@jedi4ever

Create succeeds fine but destroy can't.

aws_security_group_rule.allow-elastic_instance-to-elastic_instance-ingress-elastic_instance: Refreshing state... (ID: sg-835539191)
aws_security_group_rule.allow-elastic_instance-to-elastic_instance-ingress-elastic_instance: Destroying...
aws_security_group_rule.allow-elastic_instance-to-elastic_instance-ingress-elastic_instance: Error: 1 error(s) occurred:

* Error revoking security group sg-8f92b4ea rules: InvalidPermission.NotFound: The specified rule does not exist in this security group.
aws_vpc.customer: Destroying...
aws_vpc.customer: Error: 1 error(s) occurred:

* Error deleting VPC: DependencyViolation: The vpc 'vpc-8bef5fee' has dependencies and cannot be deleted.
@catsby
Contributor

catsby commented May 15, 2015

Hey @jedi4ever thanks for this, do you have a minimal config (minus secrets) you can share that reproduces this? Otherwise I'll try to put one together, thanks!

@catsby
Contributor

catsby commented May 15, 2015

I've tried to reproduce with this config:

provider "aws" {
  region = "us-west-2"
}
resource "aws_security_group" "web" {
  name = "terraform_acceptance_test_example_2"
  description = "Used in the terraform acceptance tests"
  tags {
    Name = "tf_sg_web"
  }
}

resource "aws_security_group" "worker" {
  name = "terraform_acceptance_test_example_worker"
  description = "Used in the terraform acceptance tests"
  tags {
    Name = "tf_sg_worker"
  }
}

resource "aws_security_group_rule" "ingress_1" {
  type = "ingress"
  protocol = "tcp"
  from_port = 22
  to_port = 22
  cidr_blocks = ["10.0.0.0/8"]
  self = true

  security_group_id = "${aws_security_group.web.id}"
}

resource "aws_security_group_rule" "ingress_2" {
  type = "ingress"
  protocol = "tcp"
  from_port = 80
  to_port = 8080
  cidr_blocks = ["10.0.0.0/8"]
  self = true

  security_group_id = "${aws_security_group.web.id}"
}

I'm using the latest Terraform, 0.5.1 (released today). Can you help me figure what I'm missing in that config?

@catsby catsby added the waiting-response An issue/pull request is waiting for a response from the community label May 15, 2015
@nevir
Contributor

nevir commented May 16, 2015

Unsure if it's the exact same situation as the OP, but I just ran into this by renaming a security group (that had an active instance in it).

In my state file, both the old security group and instance are still around; and apply tries to remove the group before removing the instance (even though the old group is present in the instance's depends_on array in the state file).

Manually removing the old security group from the state file allowed me to work around it (it concurrently removed both resources); sketchy though.

@bodgit
Contributor

bodgit commented Jun 3, 2015

I've just run into this same problem. I can bring up a new VPC complete with subnets, instances, etc., but when I try to destroy it again, terraform can't completely remove the security group, which makes things explode.

My offending security group rule is:

resource "aws_security_group_rule" "self" {
  type = "ingress"
  protocol = "-1"
  from_port = 0
  to_port = 0
  self = true
  security_group_id = "${aws_security_group.main.id}"
}

Basically an "allow all protocols between instances in the same group" rule. Looking at how my rule differs from the examples @catsby tried, perhaps it's the protocol "-1" that's the key?

Let me know if my redacted config would help.

@bodgit
Contributor

bodgit commented Jun 4, 2015

I poked about and this is enough to trigger the bug:

variable "aws_access_key" {
  description = "AWS access key"
}

variable "aws_secret_key" {
  description = "AWS secret key"
}

provider "aws" {
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  region = "us-west-2"
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_security_group" "main" {
  name = "main"
  vpc_id = "${aws_vpc.main.id}"
}

resource "aws_security_group_rule" "self" {
  type = "ingress"
  protocol = "-1"
  from_port = 0
  to_port = 0
  self = true
  security_group_id = "${aws_security_group.main.id}"
}

This applies fine, but when destroying yields:

aws_vpc.main: Refreshing state... (ID: vpc-995dd5fc)
aws_security_group.main: Refreshing state... (ID: sg-7910f21d)
aws_security_group_rule.self: Refreshing state... (ID: sg-4235098228)
aws_security_group_rule.self: Destroying...
aws_security_group_rule.self: Error: 1 error(s) occurred:

* Error revoking security group sg-7910f21d rules: InvalidPermission.NotFound: The specified rule does not exist in this security group.
    status code: 400, request id: []
aws_vpc.main: Destroying...
aws_vpc.main: Error: 1 error(s) occurred:

* Error deleting VPC: DependencyViolation: The vpc 'vpc-995dd5fc' has dependencies and cannot be deleted.
    status code: 400, request id: []
Error applying plan:

2 error(s) occurred:

* 1 error(s) occurred:

* 1 error(s) occurred:

* Error revoking security group sg-7910f21d rules: InvalidPermission.NotFound: The specified rule does not exist in this security group.
    status code: 400, request id: []
* 1 error(s) occurred:

* 1 error(s) occurred:

* Error deleting VPC: DependencyViolation: The vpc 'vpc-995dd5fc' has dependencies and cannot be deleted.
    status code: 400, request id: []

Hope that helps

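The two configs above from @bodgit (Jun 3 and Jun 4) both hinge on a `self = true` rule with protocol "-1". The following is an added illustration, not code from Terraform or the AWS provider and not the change made in #2305: it models why a field-by-field comparison of such a rule against what DescribeSecurityGroups reports can miss the rule, and shows a normalising matcher that finds it. It assumes (a) that AWS returns an all-traffic ("-1") IpPermission without FromPort/ToPort, and (b) that a self reference shows up as a UserIdGroupPair whose GroupId is the group's own id. The group id is taken from the log in this thread; the permission records and account id are constructed sample data.

```python
from typing import Optional

GROUP_ID = "sg-7910f21d"   # security group id from the destroy log in this thread
ACCOUNT = "123456789012"   # constructed placeholder account id

# Rules as a user writes them (mirrors the aws_security_group_rule fields).
SELF_RULE = {"protocol": "-1", "from_port": 0, "to_port": 0,
             "cidr_blocks": [], "self": True, "group_id": GROUP_ID}
SSH_RULE = {"protocol": "tcp", "from_port": 22, "to_port": 22,
            "cidr_blocks": ["10.0.0.0/8"], "self": True, "group_id": GROUP_ID}
EGRESS_ONLY_RULE = {"protocol": "tcp", "from_port": 443, "to_port": 443,
                    "cidr_blocks": ["0.0.0.0/0"], "self": False, "group_id": GROUP_ID}

# Constructed IpPermissions, shaped like a DescribeSecurityGroups response.
# Note the "-1" entry carries no FromPort/ToPort at all (assumption (a) above).
DESCRIBED_PERMISSIONS = [
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": GROUP_ID, "UserId": ACCOUNT}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
     "UserIdGroupPairs": [{"GroupId": GROUP_ID, "UserId": ACCOUNT}]},
]


def naive_match(rule: dict, perm: dict) -> bool:
    """Literal comparison: expects FromPort/ToPort to equal the configured 0/0.

    Works for the tcp/22 rule, but the "-1" permission has no port fields, so
    perm.get("FromPort") is None and the self rule is never found."""
    has_self = any(p.get("GroupId") == rule["group_id"]
                   for p in perm.get("UserIdGroupPairs", []))
    return (perm.get("IpProtocol") == rule["protocol"]
            and perm.get("FromPort") == rule["from_port"]
            and perm.get("ToPort") == rule["to_port"]
            and sorted(r["CidrIp"] for r in perm.get("IpRanges", []))
                == sorted(rule["cidr_blocks"])
            and has_self == rule["self"])


def canonical_rule(rule: dict) -> tuple:
    """Reduce a configured rule to (protocol, ports, cidr set, group set).

    For protocol "-1" the ports are meaningless, so they are dropped rather
    than compared; a self reference becomes the group's own id."""
    proto = rule["protocol"]
    ports = (None, None) if proto == "-1" else (rule["from_port"], rule["to_port"])
    groups = frozenset({rule["group_id"]}) if rule["self"] else frozenset()
    return proto, ports, frozenset(rule["cidr_blocks"]), groups


def canonical_permission(perm: dict) -> tuple:
    """Reduce an API IpPermission to the same shape as canonical_rule."""
    proto = perm["IpProtocol"]
    ports = (None, None) if proto == "-1" else (perm.get("FromPort"), perm.get("ToPort"))
    cidrs = frozenset(r["CidrIp"] for r in perm.get("IpRanges", []))
    groups = frozenset(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return proto, ports, cidrs, groups


def find_permission(rule: dict, permissions: list) -> Optional[dict]:
    """Locate the API permission that contains the configured rule.

    AWS aggregates all rules with the same protocol/port range into one
    IpPermission, so the rule's CIDRs and group pairs must be a subset of the
    permission's, not an exact match."""
    proto, ports, cidrs, groups = canonical_rule(rule)
    for perm in permissions:
        p_proto, p_ports, p_cidrs, p_groups = canonical_permission(perm)
        if p_proto == proto and p_ports == ports and cidrs <= p_cidrs and groups <= p_groups:
            return perm
    return None


def revoke_payload(rule: dict) -> dict:
    """Build the IpPermission to revoke: only what this rule owns, not the
    whole aggregated entry, so sibling rules in the same group survive."""
    perm = {"IpProtocol": rule["protocol"],
            "IpRanges": [{"CidrIp": c} for c in rule["cidr_blocks"]],
            "UserIdGroupPairs": [{"GroupId": rule["group_id"]}] if rule["self"] else []}
    if rule["protocol"] != "-1":
        perm["FromPort"] = rule["from_port"]
        perm["ToPort"] = rule["to_port"]
    return perm


if __name__ == "__main__":
    for name, rule in [("self", SELF_RULE), ("ssh", SSH_RULE), ("443", EGRESS_ONLY_RULE)]:
        found = find_permission(rule, DESCRIBED_PERMISSIONS)
        print(f"{name}: naive={any(naive_match(rule, p) for p in DESCRIBED_PERMISSIONS)} "
              f"normalised={'found' if found else 'missing'}")
```

Running the block shows the asymmetry: the tcp/22 rule is found either way, while the "-1" self rule is found only by the normalising matcher. A provider that looked up the rule naively would get nothing back and then issue a revoke for a permission the API does not recognise, which is the `InvalidPermission.NotFound` seen in the logs above; checking for the rule's existence with a canonical comparison before calling revoke, and treating "not found" on delete as already gone, are the two defensive checks this illustrates.
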
@jjshoe

jjshoe commented Jun 8, 2015

I'm getting into something similar by having two security groups in a VPC, one for an ELB, one for instances. They both reference each other.

@catsby
Contributor

catsby commented Jun 10, 2015

This should be fixed in #2305, can anyone here test it out and verify?

@bodgit
Contributor

bodgit commented Jun 10, 2015

LGTM 👍

Built and destroyed a VPC environment without error.

@catsby
Contributor

catsby commented Jun 10, 2015

Awesome, thanks @bodgit. Thanks to everyone who chimed in and contributed a config too, much appreciated! I'm going to close this; I expect #2305 to be merged later today.

thanks!

@ghost

ghost commented May 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators May 2, 2020