Open ns-vpanfilov opened 1 year ago
Hey @ns-vpanfilov 👋 Thank you for taking the time to raise this! This is caused by attempting to use the `aws_vpc_security_group_ingress_rule` and `aws_vpc_security_group_egress_rule` resources in conjunction with an `aws_security_group` resource with rules defined in-line. In this configuration, the `aws_security_group` expects that it is entirely responsible for managing the security group's rules, causing a drift in configuration when the `aws_vpc_security_group_ingress_rule` and `aws_vpc_security_group_egress_rule` resources add additional rules. This is called out in each of these resources' documentation with the following note (edited for brevity):

> You should not use the `aws_vpc_security_group_egress_rule` and `aws_vpc_security_group_ingress_rule` resources in conjunction with an `aws_security_group` resource with in-line rules or with `aws_security_group_rule` resources defined for the same Security Group, as rule conflicts may occur and rules will be overwritten.

Since the `aws_vpc_security_group_egress_rule` and `aws_vpc_security_group_ingress_rule` resources have been added, it is now recommended to use these distinct resources to manage a Security Group's rules, rather than defining them in-line in the `aws_security_group` resource.
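The two layouts described in the comment above, side by side, as an added example: this is not configuration from the issue or from the provider's documentation. The VPC id, rule names and CIDR ranges are placeholders chosen for illustration.

```hcl
# Added example, not from the issue. "vpc-PLACEHOLDER" and the CIDRs are placeholders.

# --- Conflicting layout: in-line rules AND standalone rule resources on one group ---
# aws_security_group treats its in-line ingress/egress blocks as the complete rule
# set, so on each apply it removes any rule it did not declare itself.
resource "aws_security_group" "conflicting" {
  name        = "example-conflicting"
  description = "In-line rules plus standalone rule resources (the drift case)"
  vpc_id      = "vpc-PLACEHOLDER"

  ingress {
    description = "SSH from an internal range (placeholder CIDR)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]
  }
}

# This rule is not in the in-line set above, so one apply creates it, the next
# apply of aws_security_group.conflicting removes it, and so on: the flip-flop
# the issue reports for its TCP 443 rules.
resource "aws_vpc_security_group_ingress_rule" "conflicting_https" {
  security_group_id = aws_security_group.conflicting.id
  description       = "HTTPS"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
  cidr_ipv4         = "0.0.0.0/0"
}

# --- Recommended layout: the group declares no rules; every rule is its own resource ---
# Note: on creation Terraform removes the allow-all egress rule AWS adds by default,
# so the egress you want must be declared explicitly (here as a standalone resource).
resource "aws_security_group" "recommended" {
  name        = "example-recommended"
  description = "Rules managed only by aws_vpc_security_group_*_rule resources"
  vpc_id      = "vpc-PLACEHOLDER"
}

resource "aws_vpc_security_group_ingress_rule" "ssh" {
  security_group_id = aws_security_group.recommended.id
  description       = "SSH from an internal range (placeholder CIDR)"
  from_port         = 22
  to_port           = 22
  ip_protocol       = "tcp"
  cidr_ipv4         = "10.0.0.0/8"
}

resource "aws_vpc_security_group_ingress_rule" "https" {
  security_group_id = aws_security_group.recommended.id
  description       = "HTTPS"
  from_port         = 443
  to_port           = 443
  ip_protocol       = "tcp"
  cidr_ipv4         = "0.0.0.0/0"
}

resource "aws_vpc_security_group_egress_rule" "all_outbound" {
  security_group_id = aws_security_group.recommended.id
  description       = "All outbound traffic"
  ip_protocol       = "-1" # all protocols; from_port/to_port must be omitted for -1
  cidr_ipv4         = "0.0.0.0/0"
}
```

With the recommended layout, repeated `terraform apply` runs are stable because no resource claims ownership of the whole rule set. The trade-off raised later in this thread still applies: a rule added outside Terraform is not removed by any of these resources, so the "rules I did not declare are gone" behaviour of the in-line blocks is exactly what you give up.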
@justinretzolk, thanks for the feedback.
Should the AWS provider be updated to throw an error when users use incompatible settings?
There does not appear to be any way to detect and correct drift (e.g. manually added rules) when using the recommended `aws_vpc_security_group_ingress_rule` and `aws_vpc_security_group_egress_rule` resources (see also #32743). Unless I'm missing something, if you want to ensure that an SG contains only the rules defined in Terraform, then you have to use `ingress` and `egress` inline blocks (which seem analogous to `managed_policy_arns` and `inline_policy` for `aws_iam_role`), so I'm confused about the recommendation not to use them.
Terraform Core Version
v1.5.0
AWS Provider Version
5.6.2
Affected Resource(s)
Expected Behavior
One of the following options:
Option 1: Security group should not lose rules that were added by `aws_vpc_security_group_ingress_rule` after subsequent `terraform apply` runs are executed.
Option 2: Per comment below, this is caused by attempting to use the `aws_vpc_security_group_ingress_rule` and `aws_vpc_security_group_egress_rule` resources in conjunction with an `aws_security_group` resource with rules defined in-line. Terraform should throw an error when an `aws_security_group` resource with rules defined in-line is used in conjunction with `aws_vpc_security_group_ingress_rule` and/or `aws_vpc_security_group_egress_rule`.
Actual Behavior
1. `terraform apply`, all rules are created
2. `terraform apply`, rules added via `aws_vpc_security_group_ingress_rule` are removed from security group
3. `terraform apply`, rules are added back
Relevant Error/Panic Output Snippet
Terraform Configuration Files
Steps to Reproduce
1. `terraform apply`; observe TCP 443 rules added to security group
2. `terraform apply` again; notice that 443 rules are removed from security group
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None