
provider/openstack: Remove default egress rule from Security Group on creation #9799

Closed
gpaggi opened this issue Nov 2, 2016 · 10 comments · Fixed by #11466

Comments

@gpaggi

gpaggi commented Nov 2, 2016

Hi there,

Terraform Version

Terraform v0.7.8

Affected Resource(s)

openstack_networking_secgroup_v2
openstack_networking_secgroup_rule_v2

Terraform Configuration Files

resource "openstack_networking_secgroup_v2" "_def_secgroup" {
  region = "${var.region}"
  name = "_def_secgroup"
  description = "Default security group"
}

resource "openstack_networking_secgroup_rule_v2" "_def_secgroup_rule_1" {
  direction = "egress"
  ethertype = "IPv4"
  protocol = "tcp"
  security_group_id = "${openstack_networking_secgroup_v2._def_secgroup.id}"
  remote_ip_prefix = "10.0.0.0/8"
}

Expected Behavior

Terraform should create a security group with one egress rule limiting TCP traffic to only 10.0.0.0/8.

Actual Behavior

On security group creation, a default egress ANY:ANY is added by Neutron next to the one managed by TF.
This makes it impossible to manage egress rules from TF, since they are overridden by the default egress rule.

➜  terraform-dev neutron security-group-show _def_secgroup                                                                                                                                     
+----------------------+--------------------------------------------------------------------+
| Field                | Value                                                              |
+----------------------+--------------------------------------------------------------------+
| description          | Default security group                                             |
| id                   | 1b9a92a6-2972-4717-8a03-a14b2acdb197                               |
| name                 | _def_secgroup                                                      |
| security_group_rules | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "protocol": "any",                                            |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_max": 65535,                                      |
|                      |      "security_group_id": "1b9a92a6-2972-4717-8a03-a14b2acdb197",  |
|                      |      "port_range_min": 0,                                          |
|                      |      "tenant_id": "f35f2d7d893d431b8a105242da8de971",              |
|                      |      "id": "37659e18-eb70-4504-b140-096fe4b72de1"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": "10.0.0.0/8",                             |
|                      |      "protocol": "tcp",                                            |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_max": 65535,                                      |
|                      |      "security_group_id": "1b9a92a6-2972-4717-8a03-a14b2acdb197",  |
|                      |      "port_range_min": 0,                                          |
|                      |      "tenant_id": "f35f2d7d893d431b8a105242da8de971",              |
|                      |      "id": "44d4fbcb-b40f-48a1-bb3b-724f025cc39d"                  |
|                      | }                                                                  |
| tenant_id            | f35f2d7d893d431b8a105242da8de971                                   |
+----------------------+--------------------------------------------------------------------+

Steps to Reproduce

Apply the TF code above.

References

This was fixed for the AWS provider in #1765
Is it possible to have the same fix implemented for the Openstack provider?

Thanks!

@jtopjian
Contributor

jtopjian commented Nov 2, 2016

Thanks for the report.

I do see some default security group rules being created, but not specifically for a 10.0.0.0/8 subnet -- which makes sense because that subnet isn't hard-coded in neutron.

Here's the output that I see:

+----------------------+--------------------------------------------------------------------+
| Field                | Value                                                              |
+----------------------+--------------------------------------------------------------------+
| description          |                                                                    |
| id                   | 8fedc451-cf35-40cb-b52e-8ce4b4b74bf4                               |
| name                 | foo                                                                |
| security_group_rules | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "9aa5f9f66b4b417d84d778a23acdf45b",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "8fedc451-cf35-40cb-b52e-8ce4b4b74bf4",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "id": "3061039d-1bd1-4dbf-a5f8-fcbdb7183868"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "9aa5f9f66b4b417d84d778a23acdf45b",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "8fedc451-cf35-40cb-b52e-8ce4b4b74bf4",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "9a1c0546-e6b0-4372-944c-26368698cc6a"                  |
|                      | }                                                                  |
| tenant_id            | 9aa5f9f66b4b417d84d778a23acdf45b                                   |
+----------------------+--------------------------------------------------------------------+

I'll dig into this a bit more and see if I can find a resolution.

@gpaggi
Author

gpaggi commented Nov 2, 2016

Hi @jtopjian,

The default security group I mean is the ANY:ANY for egress below. The rule for 10.0.0.0/8 is the one I'm trying to add.

"remote_group_id": null,                                    
"direction": "egress",                                      
"remote_ip_prefix": "0.0.0.0/0",                            
"protocol": "any",                                          
"ethertype": "IPv4",                                        
"port_range_max": 65535,                                    
"security_group_id": "1b9a92a6-2972-4717-8a03-a14b2acdb197",
"port_range_min": 0,                                        
"tenant_id": "f35f2d7d893d431b8a105242da8de971",            
"id": "37659e18-eb70-4504-b140-096fe4b72de1"                

I'm wondering why the content of the default security group rule you see is different from mine, but I don't have another Openstack installation to test this further.

According to the documentation what I'm seeing, which mimics AWS behavior, is to be expected:
https://wiki.openstack.org/wiki/Neutron/SecurityGroups

For egress traffic (from an instance)
Only traffic matching security group rules is allowed.
When no rule is defined, all egress traffic is dropped.
When a new security group is created, rules to allow all egress traffic are automatically added.

@jtopjian
Contributor

jtopjian commented Nov 2, 2016

@gpaggi Ah, understood. Thanks for the notes.

Do you know what version of Neutron your cloud is using? As well, do you know what plugins it's using?

@gpaggi
Author

gpaggi commented Nov 2, 2016

Yes, we are using Liberty with Contrail plugin but I understood from my colleague that it shouldn't be relevant.

@jtopjian
Contributor

jtopjian commented Nov 2, 2016

Right, it shouldn't, but I was asking just in case and collecting as much info as I can.

@ChiefAlexander

We would also be interested in getting this patched in. I was taking a look at what the aws provider did and it appears that they remove the default rules on group creation letting terraform handle all rules.
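The two listings earlier in this thread show the auto-added egress rule in two shapes (Contrail-style `0.0.0.0/0` with protocol `any`, and ML2-style `null` fields), and this comment describes the AWS provider's approach of deleting those defaults so Terraform owns every rule. The following added example (not Terraform, Neutron or any provider code) audits a rule list in the shape the neutron CLI prints for both shapes, flags the implicit allow-all egress rules, and computes the cleanup that approach implies. The sample rule lists are constructed from the listings above; the rule ids are copied from them, and the function names are this example's own.

```python
"""Audit a Neutron security group for the wildcard egress rules that Neutron
adds automatically at creation time, and plan their removal so that only the
rules managed in Terraform remain.  Added example; not Terraform or Neutron code."""
import ipaddress

# Constructed from the first `neutron security-group-show` listing in the thread
# (Contrail-backed Neutron): the default rule is 0.0.0.0/0 with protocol "any",
# the second rule is the one the Terraform configuration manages.
CONTRAIL_STYLE_RULES = [
    {"id": "37659e18-eb70-4504-b140-096fe4b72de1", "direction": "egress",
     "ethertype": "IPv4", "protocol": "any", "remote_ip_prefix": "0.0.0.0/0",
     "port_range_min": 0, "port_range_max": 65535, "remote_group_id": None},
    {"id": "44d4fbcb-b40f-48a1-bb3b-724f025cc39d", "direction": "egress",
     "ethertype": "IPv4", "protocol": "tcp", "remote_ip_prefix": "10.0.0.0/8",
     "port_range_min": 0, "port_range_max": 65535, "remote_group_id": None},
]

# Constructed from the second listing (stock Neutron): the same defaults are
# expressed with null prefix, protocol and ports, one per ethertype.
ML2_STYLE_RULES = [
    {"id": "3061039d-1bd1-4dbf-a5f8-fcbdb7183868", "direction": "egress",
     "ethertype": "IPv4", "protocol": None, "remote_ip_prefix": None,
     "port_range_min": None, "port_range_max": None, "remote_group_id": None},
    {"id": "9a1c0546-e6b0-4372-944c-26368698cc6a", "direction": "egress",
     "ethertype": "IPv6", "protocol": None, "remote_ip_prefix": None,
     "port_range_min": None, "port_range_max": None, "remote_group_id": None},
]


def is_wildcard_prefix(prefix):
    """A missing prefix or a /0 network matches every remote address."""
    if prefix is None:
        return True
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 0


def is_wildcard_protocol(protocol):
    """Neutron expresses 'all protocols' as null, 'any' or 0 depending on backend."""
    return protocol is None or str(protocol).lower() in ("any", "0")


def is_wildcard_ports(rule):
    """Null ports or the full 0-65535 range cover every port."""
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    return lo in (None, 0) and hi in (None, 65535)


def is_default_egress_rule(rule):
    """True for the allow-all egress rule Neutron adds on group creation."""
    return (rule.get("direction") == "egress"
            and rule.get("remote_group_id") is None
            and is_wildcard_prefix(rule.get("remote_ip_prefix"))
            and is_wildcard_protocol(rule.get("protocol"))
            and is_wildcard_ports(rule))


def find_default_egress_rules(rules):
    """Ids of every implicit allow-all egress rule in the group."""
    return [r["id"] for r in rules if is_default_egress_rule(r)]


def egress_is_restricted(rules):
    """The managed egress rules only take effect once no wildcard rule remains."""
    return not find_default_egress_rules(rules)


def plan_cleanup(rules, managed_ids):
    """Mirror the AWS-provider approach described in the thread: delete the
    auto-added defaults, keep the rules Terraform manages.
    Returns (ids_to_delete, remaining_rules)."""
    to_delete = [r["id"] for r in rules
                 if is_default_egress_rule(r) and r["id"] not in managed_ids]
    remaining = [r for r in rules if r["id"] not in to_delete]
    return to_delete, remaining


if __name__ == "__main__":
    for label, rules in (("contrail", CONTRAIL_STYLE_RULES), ("ml2", ML2_STYLE_RULES)):
        print(label, "default egress rules:", find_default_egress_rules(rules))
    managed = {"44d4fbcb-b40f-48a1-bb3b-724f025cc39d"}
    delete, left = plan_cleanup(CONTRAIL_STYLE_RULES, managed)
    print("delete:", delete, "restricted after cleanup:", egress_is_restricted(left))
```

Running the audit against the first listing flags only the `0.0.0.0/0` rule, leaving the `10.0.0.0/8` TCP rule as the sole egress rule after cleanup; against the second listing it flags both the IPv4 and IPv6 defaults, which is the situation where deleting them closes the group to all egress until Terraform adds its own rules.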

@michalmedvecky

+1

@jtopjian
Contributor

Hi all,

Sorry for the delay. #11466 should fix this.

jtopjian added a commit to jtopjian/terraform that referenced this issue Feb 20, 2017
This commit modifies the behavior implemented in hashicorp#9799 by enabling
the user to be able to toggle the creation of the default security
group rules.
stack72 pushed a commit that referenced this issue Mar 5, 2017
…12119)

This commit modifies the behavior implemented in #9799 by enabling
the user to be able to toggle the creation of the default security
group rules.
yanndegat pushed a commit to yanndegat/terraform that referenced this issue Mar 13, 2017
…ashicorp#12119)

This commit modifies the behavior implemented in hashicorp#9799 by enabling
the user to be able to toggle the creation of the default security
group rules.
@alexbozhenko

For the record, here is the place in the code where those rules are created:
https://github.com/openstack/neutron/blob/2ec36dc812710c284b75498e695a44585484c6a1/neutron/db/securitygroups_db.py#L100-L116
openstack/neutron@7e26074

# openstack security group create test_that_those_rules_are_hardcoded
+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                            |
+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2017-09-05T22:27:21Z                                                                                                                             |
| description     | test_that_those_rules_are_hardcoded                                                                                                              |
| id              | cce44424-0850-4b33-9741-dd6a506d6715                                                                                                             |
| name            | test_that_those_rules_are_hardcoded                                                                                                              |
| project_id      | 6e1abfa9691b4f3f8c5252260e00afac                                                                                                                 |
| revision_number | 1                                                                                                                                                |
| rules           | created_at='2017-09-05T22:27:21Z', direction='egress', ethertype='IPv4', id='66a34ab0-4f09-48d4-98b3-734cc0ba0d3d', revision_number='1',         |
|                 | updated_at='2017-09-05T22:27:21Z'                                                                                                                |
|                 | created_at='2017-09-05T22:27:21Z', direction='egress', ethertype='IPv6', id='41bc4e85-71bd-430c-9980-17a9e29efb38', revision_number='1',         |
|                 | updated_at='2017-09-05T22:27:21Z'                                                                                                                |
| updated_at      | 2017-09-05T22:27:21Z                                                                                                                             |
+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
