
Allow import of aws_security_groups with more than one source_security_group_id rule #9477

Merged (2 commits) on Dec 9, 2016

Conversation

tomwilkie
Contributor

Fixes #9459

Example:

$ aws ec2 describe-security-groups --group-id sg-83bcaaf9
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1", 
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ], 
                    "UserIdGroupPairs": [], 
                    "PrefixListIds": []
                }
            ], 
            "Description": "Kubernetes security group applied to master nodes", 
            "Tags": [
                {
                    "Value": "kubernetes_tom", 
                    "Key": "KubernetesCluster"
                }
            ], 
            "IpPermissions": [
                {
                    "IpProtocol": "-1", 
                    "IpRanges": [], 
                    "UserIdGroupPairs": [
                        {
                            "UserId": "376248598259", 
                            "GroupId": "sg-80bcaafa"
                        }, 
                        {
                            "UserId": "376248598259", 
                            "GroupId": "sg-83bcaaf9"
                        }
                    ], 
                    "PrefixListIds": []
                }, 
                {
                    "PrefixListIds": [], 
                    "FromPort": 22, 
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ], 
                    "ToPort": 22, 
                    "IpProtocol": "tcp", 
                    "UserIdGroupPairs": []
                }, 
                {
                    "PrefixListIds": [], 
                    "FromPort": 443, 
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ], 
                    "ToPort": 443, 
                    "IpProtocol": "tcp", 
                    "UserIdGroupPairs": []
                }
            ], 
            "GroupName": "kubernetes-master-kubernetes_tom", 
            "VpcId": "vpc-dc0e0cbb", 
            "OwnerId": "376248598259", 
            "GroupId": "sg-83bcaaf9"
        }
    ]
}

$ ./bin/terraform import aws_security_group.test sg-83bcaaf9
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: 

aws_security_group.test: Importing from ID "sg-83bcaaf9"...
aws_security_group.test: Import complete!
  Imported aws_security_group (ID: sg-83bcaaf9)
  Imported aws_security_group_rule (ID: sgrule-1277326544)
  Imported aws_security_group_rule (ID: sgrule-385890077)
  Imported aws_security_group_rule (ID: sgrule-114861958)
  Imported aws_security_group_rule (ID: sgrule-253799570)
  Imported aws_security_group_rule (ID: sgrule-3072042539)
aws_security_group_rule.test-3: Refreshing state... (ID: sgrule-253799570)
aws_security_group_rule.test-4: Refreshing state... (ID: sgrule-3072042539)
aws_security_group_rule.test-2: Refreshing state... (ID: sgrule-114861958)
aws_security_group.test: Refreshing state... (ID: sg-83bcaaf9)
aws_security_group_rule.test-1: Refreshing state... (ID: sgrule-385890077)
aws_security_group_rule.test: Refreshing state... (ID: sgrule-1277326544)

Import success! The resources imported are shown above. These are
now in your Terraform state. Import does not currently generate
configuration, so you must do this next. If you do not create configuration
for the above resources, then the next `terraform plan` will mark
them for destruction.

$ cat terraform.tfstate 
{
    "version": 3,
    "terraform_version": "0.7.8",
    "serial": 0,
    "lineage": "a21423a4-13a2-4a99-8456-701f875f6a12",
    "modules": [
        {
            "path": [
                "root"
            ],
            "outputs": {},
            "resources": {
                "aws_security_group.test": {
                    "type": "aws_security_group",
                    "depends_on": [],
                    "primary": {
                        "id": "sg-83bcaaf9",
                        "attributes": {
                            "description": "Kubernetes security group applied to master nodes",
                            "egress.#": "1",
                            "egress.482069346.cidr_blocks.#": "1",
                            "egress.482069346.cidr_blocks.0": "0.0.0.0/0",
                            "egress.482069346.from_port": "0",
                            "egress.482069346.prefix_list_ids.#": "0",
                            "egress.482069346.protocol": "-1",
                            "egress.482069346.security_groups.#": "0",
                            "egress.482069346.self": "false",
                            "egress.482069346.to_port": "0",
                            "id": "sg-83bcaaf9",
                            "ingress.#": "3",
                            "ingress.2211002184.cidr_blocks.#": "0",
                            "ingress.2211002184.from_port": "0",
                            "ingress.2211002184.protocol": "-1",
                            "ingress.2211002184.security_groups.#": "1",
                            "ingress.2211002184.security_groups.3938065707": "sg-80bcaafa",
                            "ingress.2211002184.self": "true",
                            "ingress.2211002184.to_port": "0",
                            "ingress.2541437006.cidr_blocks.#": "1",
                            "ingress.2541437006.cidr_blocks.0": "0.0.0.0/0",
                            "ingress.2541437006.from_port": "22",
                            "ingress.2541437006.protocol": "tcp",
                            "ingress.2541437006.security_groups.#": "0",
                            "ingress.2541437006.self": "false",
                            "ingress.2541437006.to_port": "22",
                            "ingress.2617001939.cidr_blocks.#": "1",
                            "ingress.2617001939.cidr_blocks.0": "0.0.0.0/0",
                            "ingress.2617001939.from_port": "443",
                            "ingress.2617001939.protocol": "tcp",
                            "ingress.2617001939.security_groups.#": "0",
                            "ingress.2617001939.self": "false",
                            "ingress.2617001939.to_port": "443",
                            "name": "kubernetes-master-kubernetes_tom",
                            "owner_id": "376248598259",
                            "tags.%": "1",
                            "tags.KubernetesCluster": "kubernetes_tom",
                            "vpc_id": "vpc-dc0e0cbb"
                        },
                        "meta": {},
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                },
                "aws_security_group_rule.test": {
                    "type": "aws_security_group_rule",
                    "depends_on": [],
                    "primary": {
                        "id": "sgrule-1277326544",
                        "attributes": {
                            "cidr_blocks.#": "0",
                            "from_port": "0",
                            "id": "sgrule-1277326544",
                            "prefix_list_ids.#": "0",
                            "protocol": "-1",
                            "security_group_id": "sg-83bcaaf9",
                            "self": "false",
                            "source_security_group_id": "sg-80bcaafa",
                            "to_port": "0",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                },
                "aws_security_group_rule.test-1": {
                    "type": "aws_security_group_rule",
                    "depends_on": [],
                    "primary": {
                        "id": "sgrule-385890077",
                        "attributes": {
                            "cidr_blocks.#": "0",
                            "from_port": "0",
                            "id": "sgrule-385890077",
                            "prefix_list_ids.#": "0",
                            "protocol": "-1",
                            "security_group_id": "sg-83bcaaf9",
                            "self": "true",
                            "source_security_group_id": "sg-83bcaaf9",
                            "to_port": "0",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                },
                "aws_security_group_rule.test-2": {
                    "type": "aws_security_group_rule",
                    "depends_on": [],
                    "primary": {
                        "id": "sgrule-114861958",
                        "attributes": {
                            "cidr_blocks.#": "1",
                            "cidr_blocks.0": "0.0.0.0/0",
                            "from_port": "22",
                            "id": "sgrule-114861958",
                            "prefix_list_ids.#": "0",
                            "protocol": "tcp",
                            "security_group_id": "sg-83bcaaf9",
                            "self": "false",
                            "to_port": "22",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                },
                "aws_security_group_rule.test-3": {
                    "type": "aws_security_group_rule",
                    "depends_on": [],
                    "primary": {
                        "id": "sgrule-253799570",
                        "attributes": {
                            "cidr_blocks.#": "1",
                            "cidr_blocks.0": "0.0.0.0/0",
                            "from_port": "443",
                            "id": "sgrule-253799570",
                            "prefix_list_ids.#": "0",
                            "protocol": "tcp",
                            "security_group_id": "sg-83bcaaf9",
                            "self": "false",
                            "to_port": "443",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                },
                "aws_security_group_rule.test-4": {
                    "type": "aws_security_group_rule",
                    "depends_on": [],
                    "primary": {
                        "id": "sgrule-3072042539",
                        "attributes": {
                            "cidr_blocks.#": "1",
                            "cidr_blocks.0": "0.0.0.0/0",
                            "from_port": "0",
                            "id": "sgrule-3072042539",
                            "prefix_list_ids.#": "0",
                            "protocol": "-1",
                            "security_group_id": "sg-83bcaaf9",
                            "self": "false",
                            "to_port": "0",
                            "type": "egress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "aws"
                }
            },
            "depends_on": []
        }
    ]
}

$ cat test.tf 
resource "aws_security_group" "test" {
    description = "Kubernetes security group applied to master nodes"
    name = "kubernetes-master-kubernetes_tom"
    tags {
        KubernetesCluster = "kubernetes_tom"
    }
    vpc_id = "vpc-dc0e0cbb"
}

resource "aws_security_group_rule" "test" {
    security_group_id = "${aws_security_group.test.id}"
    type = "ingress"

    from_port = 0
    to_port = 0
    protocol = "-1"
    source_security_group_id = "sg-80bcaafa"
}

resource "aws_security_group_rule" "test-1" {
    security_group_id = "${aws_security_group.test.id}"
    type = "ingress"

    from_port = 0
    to_port = 0
    protocol = "-1"
    self = "true"
}

resource "aws_security_group_rule" "test-2" {
    security_group_id = "${aws_security_group.test.id}"
    type = "ingress"

    from_port = 22
    to_port = 22
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "test-3" {
    security_group_id = "${aws_security_group.test.id}"
    type = "ingress"

    from_port = 443
    to_port = 443
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "test-4" {
    security_group_id = "${aws_security_group.test.id}"
    type = "egress"

    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
}

$ ./bin/terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.

aws_security_group.test: Refreshing state... (ID: sg-83bcaaf9)
aws_security_group_rule.test: Refreshing state... (ID: sgrule-1277326544)
aws_security_group_rule.test-4: Refreshing state... (ID: sgrule-3072042539)
aws_security_group_rule.test-2: Refreshing state... (ID: sgrule-114861958)
aws_security_group_rule.test-1: Refreshing state... (ID: sgrule-385890077)
aws_security_group_rule.test-3: Refreshing state... (ID: sgrule-253799570)

No changes. Infrastructure is up-to-date. This means that Terraform
could not detect any differences between your configuration and
the real physical resources that exist. As a result, Terraform
doesn't need to do anything.

See #9459 for previous (broken) walk through.
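As an added example (not code from this PR and not Terraform's own importer), the Go program below shows the fan-out that makes the import above work: every UserIdGroupPair inside one EC2 IpPermission becomes its own aws_security_group_rule, and the pair that points back at the group being imported is recorded as self = true rather than as a source group. It parses a constructed, trimmed copy of the describe-security-groups JSON from the walk-through; the Go type names and the Rule struct are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sampleDescribeOutput is a constructed, trimmed copy of the describe-security-groups
// output in the PR description: one ingress permission carrying two UserIdGroupPairs
// (one of them the group itself), two CIDR ingress rules, and the default egress rule.
const sampleDescribeOutput = `{
  "SecurityGroups": [{
    "GroupId": "sg-83bcaaf9",
    "IpPermissions": [
      {"IpProtocol": "-1", "IpRanges": [],
       "UserIdGroupPairs": [{"UserId": "376248598259", "GroupId": "sg-80bcaafa"},
                            {"UserId": "376248598259", "GroupId": "sg-83bcaaf9"}]},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
    ],
    "IpPermissionsEgress": [
      {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}
    ]
  }]
}`

// Minimal shapes of the EC2 API response (field names are the API's own).
type ipRange struct {
	CidrIp string `json:"CidrIp"`
}
type userIdGroupPair struct {
	UserId  string `json:"UserId"`
	GroupId string `json:"GroupId"`
}
type ipPermission struct {
	IpProtocol       string            `json:"IpProtocol"`
	FromPort         *int64            `json:"FromPort"` // absent for protocol "-1"
	ToPort           *int64            `json:"ToPort"`
	IpRanges         []ipRange         `json:"IpRanges"`
	UserIdGroupPairs []userIdGroupPair `json:"UserIdGroupPairs"`
}
type securityGroup struct {
	GroupId             string         `json:"GroupId"`
	IpPermissions       []ipPermission `json:"IpPermissions"`
	IpPermissionsEgress []ipPermission `json:"IpPermissionsEgress"`
}
type describeOutput struct {
	SecurityGroups []securityGroup `json:"SecurityGroups"`
}

// Rule is an assumed, illustrative mirror of the aws_security_group_rule
// attributes that matter for import: one CIDR list, or one source group, or self.
type Rule struct {
	Type                  string // "ingress" or "egress"
	Protocol              string
	FromPort, ToPort      int64
	CidrBlocks            []string
	SourceSecurityGroupID string
	Self                  bool
}

// ExpandPermission fans one IpPermission out into rule resources: all CIDR ranges
// travel together in a single rule, but each UserIdGroupPair gets its own rule,
// and a pair that names the imported group itself is expressed as self = true.
func ExpandPermission(ownGroupID, ruleType string, p ipPermission) []Rule {
	base := Rule{Type: ruleType, Protocol: p.IpProtocol}
	if p.FromPort != nil {
		base.FromPort = *p.FromPort
	}
	if p.ToPort != nil {
		base.ToPort = *p.ToPort
	}
	var rules []Rule
	if len(p.IpRanges) > 0 {
		r := base
		for _, ipr := range p.IpRanges {
			r.CidrBlocks = append(r.CidrBlocks, ipr.CidrIp)
		}
		rules = append(rules, r)
	}
	for _, pair := range p.UserIdGroupPairs {
		r := base
		if pair.GroupId == ownGroupID {
			r.Self = true
		} else {
			r.SourceSecurityGroupID = pair.GroupId
		}
		rules = append(rules, r)
	}
	return rules
}

// RulesFromDescribeOutput parses describe-security-groups JSON for a single group
// and returns one Rule per importable rule resource, ingress first, then egress.
func RulesFromDescribeOutput(raw []byte) ([]Rule, error) {
	var out describeOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return nil, err
	}
	if len(out.SecurityGroups) != 1 {
		return nil, fmt.Errorf("expected exactly one security group, got %d", len(out.SecurityGroups))
	}
	sg := out.SecurityGroups[0]
	var rules []Rule
	for _, p := range sg.IpPermissions {
		rules = append(rules, ExpandPermission(sg.GroupId, "ingress", p)...)
	}
	for _, p := range sg.IpPermissionsEgress {
		rules = append(rules, ExpandPermission(sg.GroupId, "egress", p)...)
	}
	return rules, nil
}

func main() {
	rules, err := RulesFromDescribeOutput([]byte(sampleDescribeOutput))
	if err != nil {
		panic(err)
	}
	for i, r := range rules {
		fmt.Printf("rule %d: %+v\n", i, r)
	}
}
```

Run against the sample it yields five rules, matching the five aws_security_group_rule resources imported above: the first ingress permission alone produces two (source group sg-80bcaafa, then self), which is exactly the case that #9459 reported as failing. The example keeps only `self` for the pair that names the group itself, which matches the test-1 resource in the test.tf shown above.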

@tomwilkie
Contributor Author

ping?

@tomwilkie
Contributor Author

@stack72 could you take a look at this one too?

@rata

rata commented Nov 22, 2016

@tomwilkie @stack72 this is very helpful for us too. Can we help to get this merged?

tomwilkie added a commit to weaveworks/terraform-kubernetes that referenced this pull request Dec 1, 2016
* Fix up some of the infra terraform around security groups
* Some more security shenanigans
* Get the security groups represented in terraform correctly (see hashicorp/terraform#9477)
* Review feedback
@stack72
Contributor

stack72 commented Dec 1, 2016

Hi @tomwilkie

Thanks for the work here! Please can you add another import test so that we can capture that this works as expected?

Thanks

Paul

@stack72 added the labels bug, provider/aws and waiting-response (an issue/pull request is waiting for a response from the community) on Dec 1, 2016
@tomwilkie
Contributor Author

tomwilkie commented Dec 1, 2016 via email

@tomwilkie force-pushed the 9459-import-aws-security-groups branch from ee741c7 to 8431be7 on December 9, 2016 15:07
@tomwilkie
Contributor Author

@stack72 added import test for you.

@stack72
Contributor

stack72 commented Dec 9, 2016

LGTM! Thanks for this work :)

% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSSecurityGroup_'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2016/12/09 15:30:28 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSSecurityGroup_ -timeout 120m
=== RUN   TestAccAWSSecurityGroup_importBasic
--- PASS: TestAccAWSSecurityGroup_importBasic (48.58s)
=== RUN   TestAccAWSSecurityGroup_importSelf
--- PASS: TestAccAWSSecurityGroup_importSelf (57.97s)
=== RUN   TestAccAWSSecurityGroup_importSourceSecurityGroup
--- PASS: TestAccAWSSecurityGroup_importSourceSecurityGroup (55.56s)
=== RUN   TestAccAWSSecurityGroup_basic
--- PASS: TestAccAWSSecurityGroup_basic (49.19s)
=== RUN   TestAccAWSSecurityGroup_tagsCreatedFirst
--- PASS: TestAccAWSSecurityGroup_tagsCreatedFirst (33.53s)
=== RUN   TestAccAWSSecurityGroup_namePrefix
--- PASS: TestAccAWSSecurityGroup_namePrefix (17.61s)
=== RUN   TestAccAWSSecurityGroup_self
--- PASS: TestAccAWSSecurityGroup_self (47.47s)
=== RUN   TestAccAWSSecurityGroup_vpc
--- PASS: TestAccAWSSecurityGroup_vpc (46.92s)
=== RUN   TestAccAWSSecurityGroup_vpcNegOneIngress
--- PASS: TestAccAWSSecurityGroup_vpcNegOneIngress (68.61s)
=== RUN   TestAccAWSSecurityGroup_vpcProtoNumIngress
--- PASS: TestAccAWSSecurityGroup_vpcProtoNumIngress (46.25s)
=== RUN   TestAccAWSSecurityGroup_MultiIngress
--- PASS: TestAccAWSSecurityGroup_MultiIngress (59.04s)
=== RUN   TestAccAWSSecurityGroup_Change
--- PASS: TestAccAWSSecurityGroup_Change (76.69s)
=== RUN   TestAccAWSSecurityGroup_generatedName
--- PASS: TestAccAWSSecurityGroup_generatedName (51.11s)
=== RUN   TestAccAWSSecurityGroup_DefaultEgress_VPC
--- PASS: TestAccAWSSecurityGroup_DefaultEgress_VPC (47.18s)
=== RUN   TestAccAWSSecurityGroup_DefaultEgress_Classic
--- PASS: TestAccAWSSecurityGroup_DefaultEgress_Classic (16.24s)
=== RUN   TestAccAWSSecurityGroup_drift
--- PASS: TestAccAWSSecurityGroup_drift (22.78s)
=== RUN   TestAccAWSSecurityGroup_drift_complex
--- PASS: TestAccAWSSecurityGroup_drift_complex (57.99s)
=== RUN   TestAccAWSSecurityGroup_tags
--- PASS: TestAccAWSSecurityGroup_tags (75.56s)
=== RUN   TestAccAWSSecurityGroup_CIDRandGroups
--- PASS: TestAccAWSSecurityGroup_CIDRandGroups (57.80s)
=== RUN   TestAccAWSSecurityGroup_ingressWithCidrAndSGs
--- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs (56.73s)
=== RUN   TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic
--- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic (23.38s)
=== RUN   TestAccAWSSecurityGroup_egressWithPrefixList
--- PASS: TestAccAWSSecurityGroup_egressWithPrefixList (59.37s)
=== RUN   TestAccAWSSecurityGroup_failWithDiffMismatch
--- PASS: TestAccAWSSecurityGroup_failWithDiffMismatch (58.39s)
PASS
ok  	github.com/hashicorp/terraform/builtin/providers/aws	1133.986s

@stack72 stack72 merged commit dd39296 into hashicorp:master Dec 9, 2016
@ghost

ghost commented Apr 19, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 19, 2020
Linked issue this pull request may close: Cannot import aws_security_group with multiple rules specifying source groups