Open prowlaiii opened 1 year ago
I wanted to share the way the "official" module does it in case that helps: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/main.tf#L1210
I just had default rules and then removed them and it worked properly, fwiw.
Just tested and experiencing the issue as OP.
Terraform Core Version
1.2.8
AWS Provider Version
4.34.0
Affected Resource(s)
Documentation (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group, version 4.34.0) states:
And gives an example where removing the egress rule from the Terraform resource deletes it and only leaves the ingress rule:
If I do that and do "terraform plan" it says "No changes".
So, simply omitting the "egress" block does nothing.
However, doing a change to it (eg. changing the protocol) does cause a change.
Expected Behavior
Expected a change to the Security Group egress rule to delete the item.
Actual Behavior
No changes
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
Using the sample from the documentation to re-create the AWS initial default SG config. Comment out the egress block to remove the egress rule:
terraform plan gives:
Steps to Reproduce
Initial definition with ingress and egress rules:
terraform plan gives:
Remove the egress rule:
terraform plan gives:
Make a deliberate change to the protocol to force a change:
terraform plan gives:
Debug Output
No response
Panic Output
No response
Important Factoids
My use-case is to remove both ingress and egress rules, but I limited the examples here to just the egress rule, to tally with what's in the documentation.
References
No response
Would you like to implement a fix?
As a workaround, setting the cidr_block to [] (egress) and self to false (ingress) seems to kick the vending machine in the right place... Terraform plan then offers the changes as they seemingly would be, but on apply the ingress and egress rules are gone in the AWS Console.
Code:
terraform plan
UPDATE: That doesn't work; Terraform then thinks it needs to create the rule(s) every iteration thereafter. I've also tried creating separate SG rules to apply to the default SG and putting an ignore_changes clause against them in the SG, but that doesn't work, as the rules creation insists on values being set. My latest workaround is to amend the rules to just allow ICMP to self for both ingress and egress, which is about as near to a NOP as I can get.
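The configuration below is an added example, not the reporter's code and not taken from the AWS provider or the terraform-aws-vpc module. It contrasts the two shapes the thread is about: omitting the `ingress`/`egress` blocks (which, as reported above, produces "No changes" on provider 4.34.0) versus assigning an empty list with Terraform's "attributes as blocks" syntax, which declares the rule sets as explicitly empty rather than unspecified. The region, VPC CIDR and resource names are assumptions; the provider version is the one reported in the issue.

```hcl
# Added example (not from the original issue). Assumption: with provider 4.34.0,
# leaving the ingress/egress blocks out does not remove existing rules, while
# `ingress = []` / `egress = []` sends an explicitly empty set as desired state.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.34.0"
    }
  }
}

provider "aws" {
  region = "eu-west-1" # assumed region
}

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16" # assumed CIDR
}

# Step 1 (mirrors the issue): re-create the AWS initial default SG rules.
# Apply this first, then swap in the Step 2 resource below.
#
# resource "aws_default_security_group" "default" {
#   vpc_id = aws_vpc.example.id
#
#   ingress {
#     protocol  = -1
#     self      = true
#     from_port = 0
#     to_port   = 0
#   }
#
#   egress {
#     from_port   = 0
#     to_port     = 0
#     protocol    = "-1"
#     cidr_blocks = ["0.0.0.0/0"]
#   }
# }

# Step 2: strip every rule. Assigning empty lists is not the same as omitting
# the blocks: the empty sets are part of the configured state, so `terraform
# plan` shows the rule removals, and a second plan after apply stays clean
# (no re-creation on every run, unlike the cidr_block=[] / self=false attempt).
resource "aws_default_security_group" "default" {
  vpc_id  = aws_vpc.example.id
  ingress = []
  egress  = []
}
```

To check the behaviour, run `terraform apply` with the Step 1 resource, replace it with the Step 2 resource, run `terraform plan` (expect the ingress and egress removals to be listed), apply, then run `terraform plan` once more: it should report no changes, and the default security group in the console should have no inbound or outbound rules.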