AWS Provider in 0.5.3 - Cannot taint aws_security_group_rule #2291

Closed
zxjinn opened this issue Jun 9, 2015 · 5 comments

Comments

@zxjinn

zxjinn commented Jun 9, 2015

First of all, Terraform is magnificent! I use it daily and just love it so much, thanks a ton for all of your hard work.
I have found at least two issues with the aws_security_group_rule resource that I didn't see anyone else had reported, so please forgive me if my searching ability isn't great. I will report the other one in another issue, since I'm not sure they are related.

I hope this is not too verbose!

File structure and contents

tree

$ tree
.
├── main.tf
└── terraform.tfvars
0 directories, 2 files

main.tf

variable "access_key" {}
variable "region" {}
variable "secret_key" {}

provider "aws" {
  access_key = "${var.access_key}"
  secret_key = "${var.secret_key}"
  region     = "${var.region}"
}
resource "aws_vpc" "vpc" {
  cidr_block           = "172.16.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  tags {
    Name = "asgr1-vpc"
  }
}

resource "aws_security_group" "nat" {
  description = "nat security group"
  name        = "asgr1-nat"
  vpc_id      = "${aws_vpc.vpc.id}"
  tags {
    Name = "asgr1-nat"
  }
}
resource "aws_security_group_rule" "nat_ingress_self" {
  from_port         = 0
  protocol          = "-1"
  security_group_id = "${aws_security_group.nat.id}"
  self              = true
  to_port           = 0
  type              = "ingress"
}

terraform.tfvars

access_key = "<actual_access_key_here>"
region = "us-west-2"
secret_key = "<actual_secret_key_here>"

Terraform version

Tested with both:

$ terraform --version
Terraform v0.5.3
$ terraform --version
Terraform v0.6.0-dev (2b9318651236807c29add41a9119c92f59bf58ba)

Problem

After creating the VPC with the security group, then assigning a rule, you cannot taint that rule (which will cause a destroy and a re-create). As far as real-world usage goes, I'm not sure why anyone would actually do it, but in tracking down another problem, I ran into this.

Commands run and statefiles

Plan

$ terraform plan
Refreshing Terraform state prior to plan...


The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

+ aws_security_group.nat
    description: "" => "nat security group"
    egress.#:    "" => "<computed>"
    ingress.#:   "" => "<computed>"
    name:        "" => "asgr1-nat"
    owner_id:    "" => "<computed>"
    tags.#:      "" => "1"
    tags.Name:   "" => "asgr1-nat"
    vpc_id:      "" => "${aws_vpc.vpc.id}"

+ aws_security_group_rule.nat_ingress_self
    from_port:                "" => "0"
    protocol:                 "" => "-1"
    security_group_id:        "" => "${aws_security_group.nat.id}"
    self:                     "" => "1"
    source_security_group_id: "" => "<computed>"
    to_port:                  "" => "0"
    type:                     "" => "ingress"

+ aws_vpc.vpc
    cidr_block:                "" => "172.16.0.0/16"
    default_network_acl_id:    "" => "<computed>"
    default_security_group_id: "" => "<computed>"
    dhcp_options_id:           "" => "<computed>"
    enable_dns_hostnames:      "" => "1"
    enable_dns_support:        "" => "1"
    main_route_table_id:       "" => "<computed>"
    tags.#:                    "" => "1"
    tags.Name:                 "" => "asgr1-vpc"

Apply

$ terraform apply
aws_vpc.vpc: Creating...
  cidr_block:                "" => "172.16.0.0/16"
  default_network_acl_id:    "" => "<computed>"
  default_security_group_id: "" => "<computed>"
  dhcp_options_id:           "" => "<computed>"
  enable_dns_hostnames:      "" => "1"
  enable_dns_support:        "" => "1"
  main_route_table_id:       "" => "<computed>"
  tags.#:                    "" => "1"
  tags.Name:                 "" => "asgr1-vpc"
aws_vpc.vpc: Creation complete
aws_security_group.nat: Creating...
  description: "" => "nat security group"
  egress.#:    "" => "<computed>"
  ingress.#:   "" => "<computed>"
  name:        "" => "asgr1-nat"
  owner_id:    "" => "<computed>"
  tags.#:      "" => "1"
  tags.Name:   "" => "asgr1-nat"
  vpc_id:      "" => "vpc-efee648a"
aws_security_group.nat: Creation complete
aws_security_group_rule.nat_ingress_self: Creating...
  from_port:                "" => "0"
  protocol:                 "" => "-1"
  security_group_id:        "" => "sg-ca917fae"
  self:                     "" => "1"
  source_security_group_id: "" => "<computed>"
  to_port:                  "" => "0"
  type:                     "" => "ingress"
aws_security_group_rule.nat_ingress_self: Creation complete

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate

Statefile, after first apply

{
    "version": 1,
    "serial": 1,
    "modules": [
        {
            "path": [
                "root"
            ],
            "outputs": {},
            "resources": {
                "aws_security_group.nat": {
                    "type": "aws_security_group",
                    "depends_on": [
                        "aws_vpc.vpc"
                    ],
                    "primary": {
                        "id": "sg-ca917fae",
                        "attributes": {
                            "description": "nat security group",
                            "egress.#": "0",
                            "id": "sg-ca917fae",
                            "ingress.#": "0",
                            "name": "asgr1-nat",
                            "owner_id": "317085423413",
                            "tags.#": "1",
                            "tags.Name": "asgr1-nat",
                            "vpc_id": "vpc-efee648a"
                        }
                    }
                },
                "aws_security_group_rule.nat_ingress_self": {
                    "type": "aws_security_group_rule",
                    "depends_on": [
                        "aws_security_group.nat"
                    ],
                    "primary": {
                        "id": "sg-4235098228",
                        "attributes": {
                            "cidr_blocks.#": "0",
                            "from_port": "0",
                            "id": "sg-4235098228",
                            "protocol": "-1",
                            "security_group_id": "sg-ca917fae",
                            "self": "true",
                            "source_security_group_id": "sg-ca917fae",
                            "to_port": "0",
                            "type": "ingress"
                        }
                    }
                },
                "aws_vpc.vpc": {
                    "type": "aws_vpc",
                    "primary": {
                        "id": "vpc-efee648a",
                        "attributes": {
                            "cidr_block": "172.16.0.0/16",
                            "default_network_acl_id": "acl-e4da4a81",
                            "default_security_group_id": "sg-cc917fa8",
                            "dhcp_options_id": "dopt-05080167",
                            "enable_dns_hostnames": "true",
                            "enable_dns_support": "true",
                            "id": "vpc-efee648a",
                            "main_route_table_id": "rtb-1b1b857e",
                            "tags.#": "1",
                            "tags.Name": "asgr1-vpc"
                        }
                    }
                }
            }
        }
    ]
}

Taint

$ terraform taint aws_security_group_rule.nat_ingress_self
The resource aws_security_group_rule.nat_ingress_self in the module root has been marked as tainted!

Statefile diff, after taint

--- terraform.tfstate.backup Tue Jun  9 14:48:28 2015
+++ terraform.tfstate Tue Jun  9 14:48:28 2015
@@ -1,6 +1,6 @@
 {
     "version": 1,
+   "serial": 2,
-   "serial": 1,
     "modules": [
         {
             "path": [
@@ -33,23 +33,20 @@
                     "depends_on": [
                         "aws_security_group.nat"
                     ],
+                   "primary": null,
+                   "tainted": [
+                       {
-                    "primary": {
-                        "id": "sg-4235098228",
-                        "attributes": {
-                            "cidr_blocks.#": "0",
-                            "from_port": "0",
                             "id": "sg-4235098228",
+                           "attributes": {
+                               "cidr_blocks.#": "0",
+                               "from_port": "0",
+                               "id": "sg-4235098228",
+                               "protocol": "-1",
+                               "security_group_id": "sg-ca917fae",
+                               "self": "true",
+                               "source_security_group_id": "sg-ca917fae",
+                               "to_port": "0",
+                               "type": "ingress"
+                           }
-                            "protocol": "-1",
-                            "security_group_id": "sg-ca917fae",
-                            "self": "true",
-                            "source_security_group_id": "sg-ca917fae",
-                            "to_port": "0",
-                            "type": "ingress"
                         }
+                   ]
-                    }
                 },
                 "aws_vpc.vpc": {
                     "type": "aws_vpc",
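Review bot: the tainted instance keeps the id sg-4235098228 and exactly the attributes the primary had, so the destroy that follows (which fails with InvalidPermission.NotFound against sg-ca917fae) can only derive its revoke request from these attributes. For a rule with self = "true", source_security_group_id equals security_group_id, so the revoke path has to build the same group-pair permission the create path sent; worth comparing the two requests for this case.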

Plan, after taint

$ terraform plan -refresh=true
Refreshing Terraform state prior to plan...

aws_security_group_rule.nat_ingress_self: Refreshing state... (ID: sg-4235098228)
aws_vpc.vpc: Refreshing state... (ID: vpc-efee648a)
aws_security_group.nat: Refreshing state... (ID: sg-ca917fae)

The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

-/+ aws_security_group_rule.nat_ingress_self
    from_port:                "" => "0"
    protocol:                 "" => "-1"
    security_group_id:        "" => "sg-ca917fae"
    self:                     "" => "1"
    source_security_group_id: "" => "<computed>"
    to_port:                  "" => "0"
    type:                     "" => "ingress"

Apply, after taint

$ terraform apply
aws_security_group_rule.nat_ingress_self: Refreshing state... (ID: sg-4235098228)
aws_vpc.vpc: Refreshing state... (ID: vpc-efee648a)
aws_security_group.nat: Refreshing state... (ID: sg-ca917fae)
aws_security_group_rule.nat_ingress_self: Destroying...
Error applying plan:

1 error(s) occurred:

* 1 error(s) occurred:

* Error revoking security group sg-ca917fae rules: InvalidPermission.NotFound: The specified rule does not exist in this security group.
    status code: 400, request id: []

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

That's pretty much it, you can't taint an aws_security_group_rule. Not sure if that is intentional or not.
I'll comment on here with a link to the other issue I create after I create it.
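As an added example (not from the issue or from Terraform itself): a small reconciler that reads the v1 statefile shape shown above, including instances moved under "tainted", and checks each aws_security_group_rule against the permissions EC2 reports for its group. It flags the condition behind the InvalidPermission.NotFound error, a rule that state still claims but the live group no longer carries. The state excerpt and the two DescribeSecurityGroups responses are constructed inline.

```python
import json

# Constructed inputs, modelled on the issue's statefile after taint and on an
# EC2 DescribeSecurityGroups response with and without the self-referencing rule.
STATE = {"version": 1, "modules": [{"path": ["root"], "resources": {
    "aws_security_group_rule.nat_ingress_self": {
        "type": "aws_security_group_rule", "primary": None,
        "tainted": [{"id": "sg-4235098228", "attributes": {
            "cidr_blocks.#": "0", "from_port": "0", "protocol": "-1",
            "security_group_id": "sg-ca917fae", "self": "true",
            "source_security_group_id": "sg-ca917fae", "to_port": "0",
            "type": "ingress"}}]}}}]}
LIVE_MISSING = {"SecurityGroups": [{"GroupId": "sg-ca917fae",
                "IpPermissions": [], "IpPermissionsEgress": []}]}
LIVE_PRESENT = {"SecurityGroups": [{"GroupId": "sg-ca917fae",
                "IpPermissions": [{"IpProtocol": "-1",
                    "UserIdGroupPairs": [{"GroupId": "sg-ca917fae"}]}],
                "IpPermissionsEgress": []}]}

def rule_instances(state):
    """Yield (address, attributes) for every aws_security_group_rule instance,
    tainted ones included: taint only edits state, the live rule is untouched."""
    for mod in state["modules"]:
        for addr, res in mod["resources"].items():
            if res["type"] != "aws_security_group_rule":
                continue
            insts = [res["primary"]] if res.get("primary") else []
            for inst in insts + res.get("tainted", []):
                yield addr, inst["attributes"]

def matches(attrs, perm):
    """True if one EC2 IpPermission carries the rule the state describes."""
    if perm.get("IpProtocol") != attrs["protocol"]:
        return False
    # EC2 omits FromPort/ToPort for protocol -1 (all traffic); compare otherwise.
    if attrs["protocol"] != "-1" and (str(perm.get("FromPort")),
            str(perm.get("ToPort"))) != (attrs["from_port"], attrs["to_port"]):
        return False
    n_cidr = int(attrs["cidr_blocks.#"])
    if n_cidr > 0:
        cidrs = {attrs[f"cidr_blocks.{i}"] for i in range(n_cidr)}
        return cidrs <= {r["CidrIp"] for r in perm.get("IpRanges", [])}
    pairs = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    return attrs["source_security_group_id"] in pairs

def missing_rules(state, describe_output):
    """Addresses of rules present in state but absent from the live group."""
    groups = {g["GroupId"]: g for g in describe_output["SecurityGroups"]}
    missing = []
    for addr, attrs in rule_instances(state):
        g = groups.get(attrs["security_group_id"], {})
        key = "IpPermissions" if attrs["type"] == "ingress" else "IpPermissionsEgress"
        if not any(matches(attrs, p) for p in g.get(key, [])):
            missing.append(addr)
    return missing
```

Feed it the JSON from `terraform show -json`-era states is not possible here; the v1 layout above is what the issue uses, and the EC2 side is the plain `describe-security-groups` output.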

@zxjinn
Author

zxjinn commented Jun 9, 2015

The other, potentially related, issue: #2294

@catsby
Contributor

catsby commented Jun 10, 2015

Hey @zxjinn

First, thank you so much for the very detailed bug report here and in #2294. Both are above and beyond and I really appreciate the extra effort.

That said, I tested this out and it seems fixed in #2305 . Maybe you can verify?

@zxjinn
Author

zxjinn commented Jun 10, 2015

@catsby Indeed! This appears to be fixed with #2305

$ terraform --version
Terraform v0.6.0-dev (1b80674c92bc73812f01c1d3533563970fef4997)

I did test the other ticket I filed against this same code and it's still busted, but you probably already knew that. Thanks for a speedy response!

@catsby
Contributor

catsby commented Jun 10, 2015

Thanks for confirming! I haven't dug into #2294 yet, it looks entirely separate from this.
I'm going to close this issue then, I expect #2305 to be merged later today.

Thanks again!

@catsby catsby closed this as completed Jun 10, 2015
@ghost

ghost commented May 2, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators May 2, 2020