Security group --> vpc_security_group_ids change bug #6416
Comments
Have the same issue, forced to revert back to 0.6.14, not fixed in current master either.
Sorry for the trouble, folks! The referenced issue #6369 has a workaround for this, which appears to allow you to get around the problem by adjusting the config to match what Terraform is reading back from AWS. It sounded like @catsby wanted to use this ticket to investigate this and either implement a fix or document the workaround, but hopefully that workaround is useful in the meantime.
thanks @apparentlymart, that worked.
In #6585 @radeksimko is retroactively adding a note to the changelog about this. @catsby, did you want to add something to the main
(A potential fix for this was merged in #5193 but then reverted because it broke for EC2-Classic users.)
I have closed several other reports of this same issue to consolidate discussion here. Let's not close this one until we're sure we've got a handle on the plan for this problem.
hashicorp/terraform#6416 Fix: change 'security_groups' to 'vpc_security_group_ids'
Hey friends – we identified the regression that's causing this to start happening, it was introduced in v0.6.15. I have a pull request open here #6664 that will revert the regression. That said, after discussion we'll likely reestablish this behavior with an upcoming release (probably v0.7.0). The difference between EC2-VPC allows the security groups to be modified on a running Instance, without stopping/destroying it. A while back, a new config attribute was added, vpc_security_group_ids, to allow users to add/remove security groups to an instance without triggering the need to destroy and recreate the instance, while still providing backwards compatibility for users on EC2 Classic. The attributes are defined as follows:
What was happening here is Terraform allowing users to provide Security Group IDs in the With the change here, Ultimately we believe the behavior is correct now; In the near future we’ll reestablish this requirement, and possibly even deprecate I apologize for the trouble here! Thank you for your patience as we sorted it out. #6664 should be included in an upcoming maintenance release and restore the expected behavior. Please let me know if you have any questions.
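The config change that the workaround and the referencing commit ("change 'security_groups' to 'vpc_security_group_ids'") describe, as an added example that is not taken from the issue or from the Terraform project. The resource names, AMI ID and variables are placeholders, and the interpolation syntax is the 0.6-era form.

```hcl
# Constructed example: all names and IDs below are placeholders.
variable "vpc_id" {}
variable "subnet_id" {}

resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = "${var.vpc_id}"
}

# Form reported in this thread: an instance in a custom VPC with security
# group IDs passed through security_groups. On 0.6.15 the value read back
# from AWS does not match, so every plan proposes re-creating the instance.
resource "aws_instance" "before" {
  ami             = "ami-00000000"
  instance_type   = "t2.micro"
  subnet_id       = "${var.subnet_id}"
  security_groups = ["${aws_security_group.web.id}"]
}

# Workaround: give the same IDs to vpc_security_group_ids, the attribute
# meant for VPC instances. Groups can then be added or removed on a running
# instance without destroying it, and the plan stays empty after apply.
resource "aws_instance" "after" {
  ami                    = "ami-00000000"
  instance_type          = "t2.micro"
  subnet_id              = "${var.subnet_id}"
  vpc_security_group_ids = ["${aws_security_group.web.id}"]
}
```

Running `terraform plan` a second time after `terraform apply` is the check: an instance that still shows a pending re-create is one whose security group attribute needs this change.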
The issue is still present with v.0.7.0-rc1
Apply the fix documented in hashicorp/terraform#6416
* Comment out keypair definition as it doesn't need to run each time
* Make terraform apply idempotent again (vpc sg fix)
Apply the fix documented in hashicorp/terraform#6416
still present in 0.10.8!
It happened with me when I used variables on cidr_blocks.
it's happening to me with security_groups
Solution: Similar rules (to_port, from_port, protocol) should be clubbed within a single ingress block
@idlecool are you having issues? Can you share your configuration that causes it?
Version that didn't work:
Version that did work:
@catsby it happened to me before when I was trying to add multiple subnets into a single security group ingress rule using I had to use list instead. Something that always works:
Something that doesn't always work:
I think this is happening because AWS doesn't assign an ID to the ingress/egress rules, like it does for other resources. And Terraform is having a hard time identifying the rules it has previously written.
I am able to reproduce on last version please look at: #13388
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform Version
0.6.15 ( Works in 0.6.14 )
Affected Resource(s)
Terraform Configuration Files
security_groups
vpc_security_group_ids
Info
In Terraform 0.6.14 security_groups was valid from custom VPC, in 0.6.15 it takes it as a value and works but then upon a refresh it tries to re-create the resource.
This means that after upgrading from 0.6.14 to 0.6.15 it re-creates these resources each time:
Even though the resource has these 2 security groups attached and working. This either needs documenting or some more verbose error to say that this security group is not valid.