hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: A difference occurs every time even though there is no change in aws_lightsail_instance_public_ports #30286

Open hirosakaki opened 1 year ago

hirosakaki commented 1 year ago

Terraform Core Version

1.4.2

AWS Provider Version

4.60.0

Affected Resource(s)

aws_lightsail_instance_public_ports

Expected Behavior

No changes. Your infrastructure matches the configuration.

Actual Behavior

  - port_info { # forces replacement
      - cidr_list_aliases = [] -> null
      - cidrs             = [
          - "0.0.0.0/0",
        ] -> null
      - from_port         = 0 -> null
      - ipv6_cidrs        = [
          - "::/0",
        ] -> null
      - protocol          = "-1" -> null
      - to_port           = 65535 -> null
    }
  + port_info { # forces replacement
      + cidr_list_aliases = (known after apply)
      + cidrs             = [
          + "0.0.0.0/0",
        ]
      + from_port         = 0
      + ipv6_cidrs        = [
          + "::/0",
        ]
      + protocol          = "all"
      + to_port           = 65535
    }
}

Plan: 1 to add, 0 to change, 1 to destroy.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

resource "aws_lightsail_instance_public_ports" "example" {
  instance_name = aws_lightsail_instance.example.name
  port_info {
    protocol   = "all"
    from_port  = 0
    to_port    = 65535
    cidrs      = ["0.0.0.0/0"]
    ipv6_cidrs = ["::/0"]
  }
}

Steps to Reproduce

Execute the following command

terraform apply -auto-approve

Then execute the following command

terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None


danielcotton commented 1 year ago

I've done some initial investigation and I think I've tracked down the cause of this:

The properties cidrs, ipv6_cidrs, and cidr_list_aliases are all set to Optional-Computed, however expandPortInfo() reads them directly to get the desired state:

https://github.com/hashicorp/terraform-provider-aws/blob/a13a04f72ec61be611145b079c1017c1d4f0d119/internal/service/lightsail/instance_public_ports.go#L199-L209

If they're not set, they'll evaluate to an empty slice, which doesn't necessarily match the AWS state or defaults (e.g. cidrs and ipv6_cidrs default to ["0.0.0.0/0"] and ["::/0"] respectively).

As such, they are considered by Terraform to be changing when they really aren't.

So, as a workaround, you can explicitly set those two properties on the resource e.g.

cidrs = ["0.0.0.0/0"]
ipv6_cidrs = ["::/0"]
cidr_list_aliases = []

hirosakaki commented 1 year ago

I made the following settings but it didn't work.

resource "aws_lightsail_instance_public_ports" "example" {
  instance_name = aws_lightsail_instance.example.name
  port_info {
    protocol          = "all"
    from_port         = 0
    to_port           = 65535
    cidrs             = ["0.0.0.0/0"]
    ipv6_cidrs        = ["::/0"]
    cidr_list_aliases = []
  }
}

Isn't this problem caused by "-1" being returned even though the protocol setting is "all"?

acwwat commented 5 months ago

This issue caused many acceptance tests to fail while I was working on #37703.

One viable fix is to set these arguments to required and force users to provide a valid value, but it would break backward compatibility (not that it worked anyway).

For reference, the default value is dynamic based on the protocol:

| protocol | cidrs default value | ipv6_cidrs default value |
|----------|---------------------|--------------------------|
| all      | ["0.0.0.0/0"]       | ["::/0"]                 |
| icmp     | ["0.0.0.0/0"]       | []                       |
| icmpv6   | []                  | ["::/0"]                 |
| tcp      | ["0.0.0.0/0"]       | ["::/0"]                 |
| udp      | ["0.0.0.0/0"]       | ["::/0"]                 |
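The two explanations in this thread (unset Optional+Computed lists being read as empty slices, and the state carrying "-1" where the configuration says "all") can be checked with a small standalone Go program. This is an added example, not the provider's expandPortInfo or any code from this repository: it models a port_info block as a struct, fills unset lists from the per-protocol defaults in the table above, folds "-1" onto "all" (an assumption taken from the reporter's plan output, not from AWS documentation), and then shows that the raw comparison reports a change for the reporter's configuration while the normalized one does not, and that a genuine change in the rule set still does. The state values are constructed from the plan output in the issue.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// PortInfo holds the fields of one port_info block, on either the configuration
// side or the remote-state side. A nil slice means "not set in configuration";
// an empty, non-nil slice means the user wrote [] explicitly.
type PortInfo struct {
	Protocol        string
	FromPort        int
	ToPort          int
	Cidrs           []string
	IPv6Cidrs       []string
	CidrListAliases []string
}

// defaultCidrs returns the per-protocol defaults from the table in the comment
// above. The table is reproduced here for the example; it is not read from AWS.
func defaultCidrs(protocol string) (cidrs, ipv6Cidrs []string) {
	switch protocol {
	case "icmp":
		return []string{"0.0.0.0/0"}, []string{}
	case "icmpv6":
		return []string{}, []string{"::/0"}
	default: // "all", "tcp", "udp"
		return []string{"0.0.0.0/0"}, []string{"::/0"}
	}
}

// canonicalProtocol folds the "-1" spelling seen in the reporter's plan output
// onto "all". Treating the two as synonyms is an assumption drawn from that output.
func canonicalProtocol(p string) string {
	p = strings.ToLower(strings.TrimSpace(p))
	if p == "-1" {
		return "all"
	}
	return p
}

// sortedCopy returns a sorted copy so that element order alone never reads as a change.
func sortedCopy(s []string) []string {
	if s == nil {
		return []string{}
	}
	out := append([]string(nil), s...)
	sort.Strings(out)
	return out
}

// Normalize produces the form a provider should compare: protocol spelling folded,
// unset (nil) lists replaced by the protocol's defaults, all lists sorted.
func Normalize(in PortInfo) PortInfo {
	out := in
	out.Protocol = canonicalProtocol(in.Protocol)
	defCidrs, defV6 := defaultCidrs(out.Protocol)
	if in.Cidrs == nil {
		out.Cidrs = defCidrs
	} else {
		out.Cidrs = sortedCopy(in.Cidrs)
	}
	if in.IPv6Cidrs == nil {
		out.IPv6Cidrs = defV6
	} else {
		out.IPv6Cidrs = sortedCopy(in.IPv6Cidrs)
	}
	// cidr_list_aliases has no default in the table above; unset is treated as [].
	out.CidrListAliases = sortedCopy(in.CidrListAliases)
	return out
}

func sliceEqual(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func equal(a, b PortInfo) bool {
	return a.Protocol == b.Protocol && a.FromPort == b.FromPort && a.ToPort == b.ToPort &&
		sliceEqual(a.Cidrs, b.Cidrs) && sliceEqual(a.IPv6Cidrs, b.IPv6Cidrs) &&
		sliceEqual(a.CidrListAliases, b.CidrListAliases)
}

// RawDiffers compares values as written, which is what happens when Optional+Computed
// attributes are read straight from the configuration: an unset list is an empty
// slice, and "all" is never reconciled with "-1".
func RawDiffers(config, state PortInfo) bool {
	return !equal(config, state)
}

// NeedsReplace compares normalized values; only a real change in the rule set remains.
func NeedsReplace(config, state PortInfo) bool {
	return !equal(Normalize(config), Normalize(state))
}

func main() {
	// Constructed remote state, taken from the "-" side of the reporter's plan output.
	state := PortInfo{Protocol: "-1", FromPort: 0, ToPort: 65535,
		Cidrs: []string{"0.0.0.0/0"}, IPv6Cidrs: []string{"::/0"}, CidrListAliases: []string{}}
	// The reporter's configuration with cidrs/ipv6_cidrs/cidr_list_aliases left unset.
	unset := PortInfo{Protocol: "all", FromPort: 0, ToPort: 65535}
	fmt.Printf("unset lists: raw diff=%v normalized diff=%v\n", RawDiffers(unset, state), NeedsReplace(unset, state))
	// A genuine change: restrict SSH to one IPv4 range.
	narrowed := PortInfo{Protocol: "tcp", FromPort: 22, ToPort: 22, Cidrs: []string{"10.0.0.0/8"}}
	fmt.Printf("narrowed rule: normalized diff=%v\n", NeedsReplace(narrowed, state))
}
```

Run as-is, it reports a raw diff but no normalized diff for the reporter's block, and a normalized diff for the narrowed rule. The same comparison with the lists set explicitly (the reporter's second configuration) still differs raw-wise, because only the protocol spelling is left to disagree, which is consistent with the explicit workaround not helping.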