cloudposse / terraform-aws-elasticache-redis

Terraform module to provision an ElastiCache Redis Cluster
https://cloudposse.com/accelerate
Apache License 2.0

Security group replacement fix #116

Closed wszychta closed 3 years ago

wszychta commented 3 years ago

what

why

I upgraded from tag 0.25.0 to 0.37.0. In one of the versions you changed the default description from "Managed by Terraform" to "Security group for Elasticache Redis". This change forces replacement, as you can see below.

  # module.redis.aws_security_group.default[0] must be replaced
-/+ resource "aws_security_group" "default" {
      ~ arn                    = "arn:aws:ec2:eu-west-1:XXXXXXXXXX:security-group/WWWWWWWWWW" -> (known after apply)
      ~ description            = "Managed by Terraform" -> "Security group for Elasticache Redis" # forces replacement
      ~ egress                 = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = "Allow all egress traffic"
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
            },
        ] -> (known after apply)
      ~ id                     = "WWWWWWWWWW" -> (known after apply)
      ~ ingress                = [
          - {
              - cidr_blocks      = []
              - description      = "Allow inbound traffic from existing Security Groups"
              - from_port        = 6379
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = [
                  - "ZZZZZZZZZZ",
                ]
              - self             = false
              - to_port          = 6379
            },
        ] -> (known after apply)
        name                   = "YYYYYYYYY"
      + name_prefix            = (known after apply)
      ~ owner_id               = "XXXXXXXXXX" -> (known after apply)
        tags                   = {}
        # (2 unchanged attributes hidden)
    }

After apply, Terraform is not able to remove the old security group because the Redis cluster is still using it.

module.redis.aws_security_group.default[0]: Still destroying... [id=WWWWWWWWWW, 50s elapsed]
...
module.redis.aws_security_group.default[0]: Still destroying... [id=WWWWWWWWWW, 10m0s elapsed]

Error: Error deleting security group: DependencyViolation: resource WWWWWWWWWW has a dependent object
    status code: 400, request id: 018d6816-daed-425c-a59e-a9d0a5f69f6b

This PR fixes this issue. The create_before_destroy rule will always create the new security group before removing the old one. With name_prefix we can be sure that the new security group will not have a duplicated name, which could also cause errors.

references
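
The configuration pattern the PR describes, written out as an added example (this is not the module's own code and not the PR's diff): the problem form with a fixed `name` beside the fixed form with `name_prefix` and `create_before_destroy`. The variable names, the `redis-sg-` prefix, the `redis-example` replication group and the AWS provider v4+ attribute names (`description`, `num_cache_clusters`) are assumptions chosen for illustration.

```hcl
# Added example, not code from cloudposse/terraform-aws-elasticache-redis.
# Variable names, the "redis-sg-" prefix and the replication group settings
# are placeholders for illustration only.

variable "vpc_id" {
  type = string
}

# Client security groups allowed to reach Redis on 6379 (assumed input).
variable "allowed_security_group_ids" {
  type    = list(string)
  default = []
}

# "description" is immutable on aws_security_group: any change to it
# forces replacement of the whole resource.
variable "security_group_description" {
  type    = string
  default = "Security group for Elasticache Redis"
}

# Problem form (kept commented out): fixed name, default lifecycle.
# Changing the description makes Terraform destroy the old group before
# creating the new one; the destroy hangs on DependencyViolation because
# the Redis cluster still references the old group id.
#
# resource "aws_security_group" "default" {
#   name        = "redis-sg"
#   description = var.security_group_description
#   vpc_id      = var.vpc_id
# }

# Fixed form: name_prefix gives the replacement a distinct generated name
# so both groups can exist at once, and create_before_destroy makes
# Terraform create the new group, repoint dependents, then delete the old.
resource "aws_security_group" "default" {
  name_prefix = "redis-sg-"
  description = var.security_group_description
  vpc_id      = var.vpc_id

  lifecycle {
    create_before_destroy = true
  }
}

# Rules live in separate resources so they follow the group id through
# the replacement instead of being inlined in the replaced group.
resource "aws_security_group_rule" "ingress_from_sgs" {
  count                    = length(var.allowed_security_group_ids)
  type                     = "ingress"
  from_port                = 6379
  to_port                  = 6379
  protocol                 = "tcp"
  source_security_group_id = var.allowed_security_group_ids[count.index]
  security_group_id        = aws_security_group.default.id
  description              = "Allow inbound traffic from existing Security Groups"
}

resource "aws_security_group_rule" "egress" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.default.id
  description       = "Allow all egress traffic"
}

# The dependent must reference the group by id; that reference is what
# Terraform updates to the new group before the old one is destroyed.
resource "aws_elasticache_replication_group" "default" {
  replication_group_id = "redis-example"
  description          = "Example Redis replication group"
  engine               = "redis"
  node_type            = "cache.t3.micro"
  num_cache_clusters   = 1
  port                 = 6379
  security_group_ids   = [aws_security_group.default.id]
}
```

One caveat when adopting this in an existing state: moving from `name` to `name_prefix` is itself a forcing change, so the first plan after the switch still shows the group being replaced (the `+ name_prefix = (known after apply)` line in the plan above is exactly that). With `create_before_destroy` in place that replacement completes, because the new group exists and the cluster is repointed before the old group's delete is attempted; with the fixed `name` it would instead fail on a duplicate group name.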

mergify[bot] commented 3 years ago

This pull request is now in conflict. Could you fix it @wszychta? 🙏

wszychta commented 3 years ago

I will close this PR because the newest 0.40.0 has the same functionality.