hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

DB_Instance security groups being removed when they shouldn't be upon apply #3492

Closed ghost closed 6 years ago

ghost commented 6 years ago

This issue was originally opened by @camerontesterman as hashicorp/terraform#17416. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.11.2

Terraform Configuration Files

resource "aws_security_group" "db_sg" {
  name        = "${var.app_group}-${var.app}-${var.env}-rds"
  description = "${var.app} ${var.env} database security group"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = ["${var.app_sg}", "${var.db_sg_ingress_sgs}"]
  }

  lifecycle {
    create_before_destroy = true
  }

  tags {
    Name = "${var.app_group}-${var.app}-rds-${var.env}"
  }
}

locals {
  # The instance's own security group, wrapped as a one-element list so it
  # can be concatenated with the caller-supplied list of additional groups.
  db_sg      = ["${aws_security_group.db_sg.id}"]
  db_sg_list = ["${concat(local.db_sg, var.additional_sgs)}"]
}

resource "aws_db_instance" "primary_db" {
  engine                     = "postgres"
  identifier                 = "${var.app_group}-${var.app}-${var.env}"
  allocated_storage          = "${var.db_allocated_storage}"
  storage_type               = "${var.db_storage_type}"
  engine_version             = "${var.db_engine_version}"
  instance_class             = "${var.db_instance_class}"
  name                       = "${var.db_name}"
  username                   = "${var.db_user}"
  password                   = "${data.credstash_secret.db_pass.value}"
  db_subnet_group_name       = "${aws_db_subnet_group.db_subnet_group.name}"
  parameter_group_name       = "${var.db_param_group}"
  snapshot_identifier        = "${var.db_snapshot_identifier}"
  monitoring_interval        = "${var.db_monitoring_interval}"
  auto_minor_version_upgrade = "${var.auto_minor_version_upgrade}"
  maintenance_window         = "${var.db_maintenance_window}"
  # Expected to attach db_sg plus every group in var.additional_sgs.
  vpc_security_group_ids     = ["${local.db_sg_list}"]
  #vpc_security_group_ids     = ["${aws_security_group.db_sg.id}", "${var.additional_sgs}"]
  storage_encrypted          = false
  skip_final_snapshot        = false

  lifecycle {
    ignore_changes = [
      "snapshot_identifier", 
      "password", 
      "id", 
      "storage_encrypted"
    ]
    prevent_destroy = true
  }

  tags {
    env     = "${var.env}"
    service = "${var.app}"
  }
}

Expected Behavior

The vpc_security_group_ids set on the db_instance should be composed of a database security group (shown above), plus any other additional security groups that you want to specify.

Actual Behavior

Instead, what is happening is a flapping behavior with these two sets of security groups, where one set is added and another is removed.

Terraform will attach the db_sg, but if you add additional security groups to the additional security groups list, upon apply it will remove the db_sg and add the additional security groups. If you run apply again, it will remove the additional security groups and reattach the db_sg. It recognizes it is not in the correct state, but cannot seem to fix itself by adding both the db_sg and the additional_sgs.

Steps to Reproduce

  1. Do not set any additional security groups to begin with.
  2. terraform init
  3. terraform apply
  4. Now set an additional security group you would like to add to the RDS instance
  5. terraform apply
  6. The original security group is removed, and the additional security groups are set.
c-nichols commented 6 years ago

This could be related to #3103

bflad commented 6 years ago

As noted in #3103, this behavior was caused by a regression upstream in Terraform 0.11.2 and subsequently fixed in Terraform 0.11.3.

Tracing this back I found this issue upstream which affected only Terraform 0.11.2 and seemingly configurations with ignore_changes defined in some manner: https://github.com/hashicorp/terraform/issues/17117

So, hopefully mystery solved here as well. Please ping me if this needs to be reopened but Terraform core versions not equal to 0.11.2 should work fine.
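As an added illustration, not taken from the original issue or from the provider's own code, here is the composition the reporter expected written as a self-contained Terraform 0.11 module, together with the practical safeguard that follows from the thread above: a core version constraint that excludes 0.11.2 (and stays below 0.12, whose syntax changes break this HCL). The variable names (vpc_id, app_sg, additional_sgs, db_subnet_group_name, db_password) are assumptions chosen for the example.

```hcl
# Added example (not the issue reporter's or the provider's code).
# Pin Terraform core away from the 0.11.2 ignore_changes regression
# referenced in this thread; 0.12+ is excluded because it changes the
# interpolation syntax used below.
terraform {
  required_version = ">= 0.11.3, < 0.12"
}

# Assumed inputs for the example.
variable "vpc_id" {}
variable "app_sg" {}
variable "db_subnet_group_name" {}
variable "db_password" {}

# Extra security groups to attach in addition to the database's own group.
# Leave empty on first apply, then add IDs and re-apply to exercise the
# behavior the issue describes.
variable "additional_sgs" {
  type    = "list"
  default = []
}

resource "aws_security_group" "db_sg" {
  name        = "example-rds"
  description = "example database security group"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = ["${var.app_sg}"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

locals {
  # concat() returns a list; list() wraps the single ID so both operands are
  # lists. A local carrying a list value is valid in 0.11.
  db_sg_list = "${concat(list(aws_security_group.db_sg.id), var.additional_sgs)}"
}

resource "aws_db_instance" "primary_db" {
  engine               = "postgres"
  identifier           = "example-db"
  allocated_storage    = 20
  instance_class       = "db.t2.micro"
  username             = "app"
  password             = "${var.db_password}"
  db_subnet_group_name = "${var.db_subnet_group_name}"
  skip_final_snapshot  = true

  # Always contains db_sg plus whatever was supplied in additional_sgs.
  vpc_security_group_ids = ["${local.db_sg_list}"]

  lifecycle {
    # Only ignore attributes that legitimately drift; do not include
    # vpc_security_group_ids here, or Terraform will stop correcting it.
    ignore_changes = ["password"]
  }
}
```

After an apply with additional_sgs populated, a second `terraform plan` should report no changes; a plan that still proposes removing db_sg and adding the extra groups (or the reverse) is the flapping described above, and the first thing to check is `terraform version`.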

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!