provider/openstack: "external"/existing security groups only apply one at a time? #6874

Closed
carlpett opened this issue May 25, 2016 · 9 comments · Fixed by #7468

carlpett commented May 25, 2016

I'm trying to introduce Terraform into an existing OpenStack environment. Currently, I'm setting up all the new instances using Terraform, but using existing security groups. We're using neutron security groups. When starting a new instance, only one security group is applied before erroring out with this message:

* openstack_compute_instance_v2.my-instance: Error adding security group to OpenStack server (1f3c51b9-3608-48b9-9b82-406965447c8f): EOF

If I run terraform apply again, it will add yet another security group, and then fail. So currently I have to run six applies before my instances are actually finished.

Terraform Version

v0.6.16

Affected Resource(s)

  • openstack_compute_instance_v2

Terraform Configuration Files

resource "openstack_compute_instance_v2" "my-instance" {
  name = "my-instance"
  image_name = "my-image"
  flavor_name = "m1.small"
  security_groups = ["SG1", "SG2", "SG3", "SG4", "SG5", "SG6"]
}

Where SG1..6 are the names of neutron security groups existing outside of Terraform's control.

Expected Behavior

All SGs are applied without error

Actual Behavior

openstack_compute_instance_v2.my-instance: Error adding security group to OpenStack server (1f3c51b9-3608-48b9-9b82-406965447c8f): EOF

Steps to Reproduce

  1. terraform apply
  2. terraform apply
  3. terraform apply
  4. terraform apply
  5. terraform apply
  6. terraform apply

;)

@jtopjian

How bizarre... Thank you for the report!

@carlpett

@jtopjian Indeed!
Just checked, it occurs even if I use the GUIDs instead of names.

@carlpett

Workaround for now is to add the GUIDs to the port security_group_ids instead.

jtopjian commented Jun 3, 2016

@carlpett I'm unable to reproduce this issue... would you be able to test 0.7-rc1 and see if you're still seeing this problem?

https://releases.hashicorp.com/terraform/0.7.0-rc1/

carlpett commented Jun 3, 2016

@jtopjian Sure! We have national holidays though, so I won't be in the office until Tuesday. Will add a reminder to my calendar so that I actually remember.. :)

carlpett commented Jun 8, 2016

Sorry, didn't have time yesterday. Anyway, did a run-through now, and it still happens. Here is a repro-tf file. It assumes there are three "outside" security groups: default, terraform-test and terraform-test2.
The behaviour I'm seeing now (and also with 0.6.16, even though it differs from what I reported; not sure if my test case is subtly different or if I misreported initially) is that the apply succeeds initially, but if I then do a plan, it says 0 security groups are applied; doing an apply adds the first SG and then fails.

@jtopjian

@carlpett I just ran the configuration you gave and am seeing similar behavior.

My guess is that because the instance is being attached to a specific port, Nova / Neutron will ignore the security groups on the instance and defer to the Port for security groups. This is only a hunch and I'll have to dig into the code to verify, but I think this is a safe assumption. I think the best that can be done here is a note in the documentation.

jtopjian commented Jul 2, 2016

@carlpett I created a patch that would disallow security_groups to be used when all networks were configured with Ports, but something wasn't sitting right.

I found this bug and, although it says Fixed Released, this is still very much an issue. When booting an instance (using any tool) where all networks are configured with Ports, security groups will not attach to the instance.

Since this is still an issue with OpenStack, I did not want to modify Terraform to outright Error out when security groups and ports are mixed. Instead, I dug into the original error you were seeing and found that it's a false error being triggered somewhere. Simply ignoring the EOF error causes the security groups to be applied (and removed). #7468 implements this fix.

So, tl;dr: It's highly recommended to apply the security groups to the ports, but if you still apply them to the instance and if the instance's network(s) are only configured via ports, the security groups will not be applied upon creation, but they will now be successfully applied upon a second terraform apply.
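
The recommendation above (attach the security groups to the port rather than to the instance), written out as an added example that is not part of the original thread. The resource name `my_port` and the network and security group IDs are placeholders; the syntax follows the Terraform 0.6/0.7 style used in this issue:

```hcl
# Added example. All IDs below are placeholders, not values from the issue.

# The port carries the security groups. Neutron enforces groups per port,
# so this is where the existing ("external") groups are bound.
resource "openstack_networking_port_v2" "my_port" {
  name           = "my-instance-port"
  network_id     = "REPLACE-WITH-EXISTING-NETWORK-ID"
  admin_state_up = "true"

  # IDs (not names) of the security groups that live outside Terraform.
  security_group_ids = [
    "REPLACE-WITH-SG1-ID",
    "REPLACE-WITH-SG2-ID",
    "REPLACE-WITH-SG3-ID",
  ]
}

resource "openstack_compute_instance_v2" "my-instance" {
  name        = "my-instance"
  image_name  = "my-image"
  flavor_name = "m1.small"

  # security_groups is deliberately omitted: when every network on the
  # instance is attached through a port, groups set here are not applied
  # at creation, which leaves the instance with fewer rules than the
  # configuration suggests until a later apply.
  network {
    port = "${openstack_networking_port_v2.my_port.id}"
  }
}
```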
