DataBiosphere / azul

Metadata indexer and query service used for AnVIL, HCA, LungMAP, and CGP
Apache License 2.0

Terraform fails to apply security group egress rule #6222

Closed dsotirho-ucsc closed 1 month ago

dsotirho-ucsc commented 4 months ago

The azul-gitlab-alb security group should have two egress rules as defined by the Terraform config (gitlab.tf.json); however, deploying this configuration fails to apply the change, despite TF reporting a successful modification of the resource.

(.venv) daniel@Crispin ~/repo/azul3 $ make -C terraform/gitlab/

…

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_security_group.gitlab_alb will be updated in-place
  ~ resource "aws_security_group" "gitlab_alb" {
      ~ egress                 = [
          + {
              + cidr_blocks      = []
              + description      = "ICMP for PMTUD"
              + from_port        = 3
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "icmp"
              + security_groups  = []
              + self             = false
              + to_port          = 4
            },
            # (1 unchanged element hidden)
        ]
        id                     = "sg-0919cfd4671d09935"
        name                   = "azul-gitlab-alb"
        tags                   = {
            "Name"                = "azul-gitlab_alb"
            "billing"             = "hca"
            "component"           = "azul-gitlab_alb"
            "deployment"          = "dev"
            "owner"               = "hannes@ucsc.edu"
            "service"             = "azul"
            "terraform_component" = "gitlab"
        }
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_security_group.gitlab_alb: Modifying... [id=sg-0919cfd4671d09935]
aws_security_group.gitlab_alb: Modifications complete after 1s [id=sg-0919cfd4671d09935]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

[Screenshot attached: 2024-05-01, 11:15:46 AM]
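The plan above renders the ICMP rule with `cidr_blocks = []`, that is, an egress rule that names no destination at all, and Terraform applies it without complaint. The following is an added example (not azul's own code; `lenient_rule`, `strict_rule`, `rule_has_target` and `rules_without_target` are hypothetical helpers, not azul's `vpc.security_rule`) showing how a keyword-argument helper that tolerates unknown keys produces such a rule, how explicit keyword parameters fail at template-render time instead, and a lint that flags target-less egress rules before `terraform apply` is ever run.

```python
from typing import Any, Dict, List

# Constructed sample values; ALL_IPV4 mirrors the all_ipv4 name used in the patch.
ALL_IPV4 = '0.0.0.0/0'
TARGET_KEYS = ('cidr_blocks', 'ipv6_cidr_blocks', 'prefix_list_ids', 'security_groups', 'self')


def lenient_rule(description: str, protocol: str, from_port: int, to_port: int, **targets: Any) -> Dict[str, Any]:
    """Hypothetical permissive helper: unknown keywords are dropped, unset targets default to empty.

    A typo such as idr_blocks= is discarded without error, so the rule matches no destination.
    """
    rule: Dict[str, Any] = {key: [] for key in TARGET_KEYS if key != 'self'}
    rule['self'] = False
    rule.update({k: v for k, v in targets.items() if k in TARGET_KEYS})
    rule.update(description=description, protocol=protocol, from_port=from_port, to_port=to_port)
    return rule


def strict_rule(description: str, protocol: str, from_port: int, to_port: int, *,
                cidr_blocks=(), ipv6_cidr_blocks=(), prefix_list_ids=(),
                security_groups=(), self=False) -> Dict[str, Any]:
    """Hypothetical strict helper: explicit keyword parameters turn a typo into a TypeError at render time."""
    rule = dict(description=description, protocol=protocol, from_port=from_port, to_port=to_port,
                cidr_blocks=list(cidr_blocks), ipv6_cidr_blocks=list(ipv6_cidr_blocks),
                prefix_list_ids=list(prefix_list_ids), security_groups=list(security_groups), self=self)
    if not rule_has_target(rule):
        raise ValueError(f'Rule {description!r} has no targets and would match no traffic')
    return rule


def rule_has_target(rule: Dict[str, Any]) -> bool:
    """True if the rule references at least one destination (the check the apply above did not make)."""
    return bool(rule['self']) or any(rule[k] for k in TARGET_KEYS if k != 'self')


def rules_without_target(security_group: Dict[str, Any]) -> List[str]:
    """Lint a rendered aws_security_group block: descriptions of egress rules that target nothing."""
    return [r['description'] for r in security_group.get('egress', []) if not rule_has_target(r)]


def typo_is_rejected() -> bool:
    """The misspelling from this issue against the strict helper: it fails fast instead of rendering."""
    try:
        strict_rule('ICMP for PMTUD', 'icmp', 3, 4, idr_blocks=[ALL_IPV4])
    except TypeError:
        return True
    return False
```

Running `rules_without_target` over the rendered `gitlab.tf.json` in CI would have reported `['ICMP for PMTUD']` for the misspelled template, before any plan was ever shown.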

dsotirho-ucsc commented 4 months ago

Proposed fix

Index: terraform/gitlab/gitlab.tf.json.template.py
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
diff --git a/terraform/gitlab/gitlab.tf.json.template.py b/terraform/gitlab/gitlab.tf.json.template.py
--- a/terraform/gitlab/gitlab.tf.json.template.py   (revision fe8cec390f8d7ef81a63e38a580d4a98b72309f4)
+++ b/terraform/gitlab/gitlab.tf.json.template.py   (date 1714586652595)
@@ -1126,7 +1126,7 @@
                                       from_port=0,
                                       to_port=0),
                     vpc.security_rule(description='ICMP for PMTUD',
-                                      idr_blocks=[all_ipv4],
+                                      cidr_blocks=[all_ipv4],
                                       protocol='icmp',
                                       from_port=3,  # Destination Unreachable
                                       to_port=4)  # Fragmentation required DF-flag set
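
Review bot: the one-character fix (`idr_blocks` to `cidr_blocks`) is correct, but the hunk leaves the underlying hazard in place: `vpc.security_rule` accepted the unknown keyword `idr_blocks` without error, which is why the plan rendered the ICMP rule with `cidr_blocks = []` and Terraform applied a rule that matched nothing while reporting success. Consider making `security_rule` reject unrecognised keyword arguments, or adding render-time validation that every ingress and egress rule names at least one of `cidr_blocks`, `ipv6_cidr_blocks`, `prefix_list_ids`, `security_groups` or `self`, so the next typo fails during `make -C terraform/gitlab/` rather than producing an empty rule that looks applied.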

hannes-ucsc commented 4 months ago

For demo, show the rule that was missing. Deploy the gitlab component of any main deployment twice in succession and show that the plan is empty for both.