Adding security rule AFTER applying causes error #2463
Comments
Hey @timothykimball – what version of Terraform are you using? There was a recent bug very similar to this that I fixed and is now patched in the |
terraform 0.5.3 |
@catsby - I have tried using Terraform v0.6.0-dev (cddd54c) and I now receive:
Hey @timothykimball Sorry for the trouble here. Unfortunately, as #2376 explains, there was a bug in 0.5.x that in certain situations with Security Group Rules, the state file would not be saved correctly, leading to the behavior you describe here. By upgrading, a migration is run internally to attempt to correct this, but as you've seen there exists a scenario that it cannot mend. The remediation is to manually identify and remove the rule in the AWS Console. In your case, you need to find the security group in question and remove the matching port 5432 rule. After doing so, re-running I apologize for the trouble here. Please let me know if you need anything else. |
@catsby - Right. Did all of that. But I have to remove the rules every time I do any kind of change to the terraform scripts, otherwise I get the following errors
I even blew my state files away and started from scratch on the off chance it was a lingering state bug from v0.5.3. I am still using Terraform v0.6.0-dev (cddd54c) |
@catsby - Sorry - a noob here - Do I need to re-open the bug? Shall I file another one? |
Sorry for the trouble, I'll take another look here 😦 |
@catsby I'm running on the current master and |
Correct. I need to refactor security group rules here. Essentially, a specific rule resource can't support multiple rules on AWS side. Specifically speaking to this issue, there are two rule resources being generated, and they only differ by the CIDR. On the AWS side, however, that's resulting in a single "rule" with 2 IPRanges in the IpPermissions as described here. The rule(s) on AWS side end up looking like this:

    [{
      FromPort: 80,
      IPProtocol: "tcp",
      IPRanges: [{
        CIDRIP: "10.0.20.1/32"
      },{
        CIDRIP: "10.0.21.1/32"
      }],
      ToPort: 80
    }]

This is most likely due to Terraform using the IPPermissions field there, instead of the top-level The refactoring will likely limit each security group rule to only support a single cidr block. Still digging in though, we'll see. Sorry for all the trouble here 😢 |
@timothykimball – as a stopgap, you could remove the

    resource "aws_security_group_rule" "rule" {
      type              = "ingress"
      from_port         = 80
      to_port           = 80
      protocol          = "tcp"
      cidr_blocks       = ["${formatlist("%s/32", split(",", var.ips))}"]
      security_group_id = "${aws_security_group.bastion.id}"
    }

That should create a single rule with multiple |
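The merge behaviour described in the two comments above, modelled as an added Python example (not Terraform's or the AWS provider's code): rule resources that differ only by CIDR collapse into one EC2 IpPermission, which is why two Terraform resources keyed on the same ports and protocol keep diverging from state. The sample rules and the expected API shape are constructed from the values in the thread, using boto3-style key names as an assumption.

```python
from collections import OrderedDict

# Constructed: the two rule resources from the thread, one CIDR each.
TF_RULES = [
    {"type": "ingress", "from_port": 80, "to_port": 80, "protocol": "tcp",
     "cidr_blocks": ["10.0.20.1/32"]},
    {"type": "ingress", "from_port": 80, "to_port": 80, "protocol": "tcp",
     "cidr_blocks": ["10.0.21.1/32"]},
]

# Constructed: what describe-security-groups reports for the same group
# (assumption: boto3-style key names, one permission with two IpRanges).
AWS_INGRESS = [
    {"FromPort": 80, "ToPort": 80, "IpProtocol": "tcp",
     "IpRanges": [{"CidrIp": "10.0.20.1/32"}, {"CidrIp": "10.0.21.1/32"}]},
]


def rule_key(rule):
    """The tuple EC2 groups on: direction, port range and protocol (not CIDR)."""
    return (rule["type"], rule["from_port"], rule["to_port"], rule["protocol"])


def aws_merge(rules):
    """Model how EC2 coalesces rules with the same key into one IpPermission
    carrying every CIDR as a separate IpRange. Returns {direction: [perm,...]}."""
    perms = OrderedDict()
    for r in rules:
        key = rule_key(r)
        perm = perms.setdefault(key, {"FromPort": key[1], "ToPort": key[2],
                                      "IpProtocol": key[3], "IpRanges": []})
        for cidr in r["cidr_blocks"]:
            if {"CidrIp": cidr} not in perm["IpRanges"]:
                perm["IpRanges"].append({"CidrIp": cidr})
    out = {"ingress": [], "egress": []}
    for key, perm in perms.items():
        out[key[0]].append(perm)
    return out


def find_collisions(rules):
    """Keys that more than one rule resource maps onto; each such key is a
    permission Terraform will see as drifted after every apply."""
    seen = {}
    for r in rules:
        seen.setdefault(rule_key(r), []).append(r)
    return [k for k, rs in seen.items() if len(rs) > 1]


def coalesce(rules):
    """The stopgap from the thread: one rule per key with all CIDRs listed."""
    merged = OrderedDict()
    for r in rules:
        m = merged.setdefault(rule_key(r), dict(r, cidr_blocks=[]))
        m["cidr_blocks"] += [c for c in r["cidr_blocks"] if c not in m["cidr_blocks"]]
    return list(merged.values())
```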
@catsby just wondering, I'm trying to add a rule to a security group that is managed externally. Is this going to work? I don't see terraform store anything in the state file for |
@catsby - Work around is working :D |
@catsby - Work around has stopped working :(
Is consistently appearing when using the following rules
where host_security_group_rule is:
Hey @timothykimball – thanks for the detailed information. Unfortunately, I'm having trouble reconstructing your example. Is there a |
I just opened #3019 to fix this, though being unable to directly reconstruct your example, I don't know for sure. If possible please check it out! |
Hey all – I'm going to close this issue for now, due to #3019 being merged and general inactivity. If you're still experiencing this, please let us know. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Version of terraform: v0.5.3
Steps to reproduce:
Just to highlight, the second rule I added was for port 443. For some reason terraform is re-creating the port 80 rule even though that was already created in step (1)
As always, I think this is a bug - but I understand I may have made a mistake.
Result:
main.tf
rules/main.tf
host_security_group_rule/main.tf