hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Security Group tries to be destroyed before detaching from RDS Cluster #9692

Open lfventura opened 4 years ago

lfventura commented 4 years ago

### Terraform Version

```
Terraform v0.12.6
```

### Affected Resource(s)

### Terraform Configuration Files

### Debug Output

### Panic Output

No panic output, it just keeps trying to delete the SG indefinitely.

### Expected Behavior

The SG should be deleted after updating the RDS Cluster SGs.

### Actual Behavior

It tries to delete the SG before removing the SG from the RDS Cluster.

### Steps to Reproduce

1. First run code that will create the SG and add it to the RDS Cluster:

```hcl
resource "aws_rds_cluster" "this" {
  ...
  # The SG created below is prepended to the cluster's SG list only while count > 0
  vpc_security_group_ids = var.allowed_security_groups_count > 0 ? concat([aws_security_group.this[0].id], var.vpc_security_group_ids) : var.vpc_security_group_ids
  ...
}

resource "aws_security_group" "this" {
  count       = var.allowed_security_groups_count > 0 ? 1 : 0
  name_prefix = "${var.name}-"
  vpc_id      = var.vpc_id
  tags        = var.tags
}

variable "allowed_security_groups_count" {
  default = 1
}

variable "vpc_security_group_ids" {
  default = ["sg-aaaaaaaa"]
}
```

2. Then update the code for something that will destroy the SG, for example:

```hcl
resource "aws_rds_cluster" "this" {
  ...
  vpc_security_group_ids = var.allowed_security_groups_count > 0 ? concat([aws_security_group.this[0].id], var.vpc_security_group_ids) : var.vpc_security_group_ids
  ...
}

resource "aws_security_group" "this" {
  count       = var.allowed_security_groups_count > 0 ? 1 : 0
  name_prefix = "${var.name}-"
  vpc_id      = var.vpc_id
  tags        = var.tags
}

# Setting the count to 0 removes the SG resource and drops it from the cluster's list
variable "allowed_security_groups_count" {
  default = 0
}

variable "vpc_security_group_ids" {
  default = ["sg-aaaaaaaa"]
}
```



Terraform will recognize that the SG needs to be destroyed and removed from RDS Cluster, but it keeps trying to remove the SG before detaching it from the RDS Cluster.

### Important Factoids

Nothing

### References

* https://github.com/hashicorp/terraform/issues/8617

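The failure described above is AWS refusing to delete a security group while some network interface still carries it; the SG attached to the RDS cluster is one such interface. The pre-deletion check below is an added example, not code from this issue or from the provider: given records shaped like the `Groups` and `Description` fields of an `ec2 describe-network-interfaces` response (constructed sample data, so it runs offline), it lists which interfaces still reference a group and classifies the owning service. The description prefixes used for RDS, ELB and VPC endpoint interfaces are assumptions about AWS naming and are labelled as such in the code.

```python
"""Report what still references a security group before Terraform destroys it.

Added example for issue #9692; not code from terraform-provider-aws.
Input records mirror the shape of `aws ec2 describe-network-interfaces`
output, but the data here is constructed so the script runs offline.
"""
from collections import Counter

# Constructed sample: three ENIs as describe-network-interfaces would list them.
# The Description/RequesterId values for RDS and ELB interfaces are assumptions
# about how AWS labels service-managed ENIs, not values taken from the issue.
SAMPLE_ENIS = [
    {
        "NetworkInterfaceId": "eni-0aaa000000000001",
        "Description": "RDSNetworkInterface",            # assumed RDS-managed ENI label
        "RequesterId": "amazon-rds",                     # assumed
        "Groups": [{"GroupId": "sg-0c0ffee000000001"}, {"GroupId": "sg-aaaaaaaa"}],
        "Status": "in-use",
    },
    {
        "NetworkInterfaceId": "eni-0aaa000000000002",
        "Description": "ELB app/my-alb/0123456789abcdef",  # assumed ALB ENI label
        "RequesterId": "amazon-elb",                        # assumed
        "Groups": [{"GroupId": "sg-0c0ffee000000001"}],
        "Status": "in-use",
    },
    {
        "NetworkInterfaceId": "eni-0aaa000000000003",
        "Description": "Primary network interface",
        "RequesterId": "123456789012",
        "Groups": [{"GroupId": "sg-aaaaaaaa"}],
        "Status": "in-use",
    },
]


def classify(eni):
    """Heuristic label for the service that owns an ENI (assumed prefixes)."""
    desc = eni.get("Description", "")
    if desc.startswith("RDSNetworkInterface"):
        return "rds"
    if desc.startswith("ELB "):
        return "elb"
    if desc.startswith("VPC Endpoint Interface"):
        return "vpc-endpoint"
    return "ec2/other"


def references_to(group_id, enis):
    """Return every ENI whose Groups list still contains group_id."""
    return [
        eni for eni in enis
        if any(group.get("GroupId") == group_id for group in eni.get("Groups", []))
    ]


def safe_to_delete(group_id, enis):
    """True only when no interface references the group (delete would succeed)."""
    return not references_to(group_id, enis)


def blocker_summary(group_id, enis):
    """Count of blocking interfaces per owning service, e.g. {'rds': 1, 'elb': 1}."""
    return dict(Counter(classify(eni) for eni in references_to(group_id, enis)))


if __name__ == "__main__":
    for group in ("sg-0c0ffee000000001", "sg-aaaaaaaa"):
        blockers = references_to(group, SAMPLE_ENIS)
        print(f"{group}: {'safe to delete' if not blockers else 'still referenced'}")
        for eni in blockers:
            print(f"  {eni['NetworkInterfaceId']} ({classify(eni)}) {eni['Description']}")
```

Running this against real `describe-network-interfaces` output before an apply that destroys a security group tells you in advance which attachments (RDS cluster, load balancer, VPC endpoint, instance) Terraform would need to update first, which is exactly the ordering the reports in this thread say the provider does not enforce.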
brucedvgw commented 4 years ago

Just encountered this issue in v0.12.17.

I had to manually remove the security group from the RDS instances and then run the terraform apply again for it to destroy/replace them. However, it didn't re-attach them to the RDS instances. I had to run it again for it to pick up that this also needed updating.

rehevkor5 commented 4 years ago

This occurs with security groups attached to aws_vpc_endpoint resources, too.

janosmiko commented 4 years ago

This issue still exists with:

emmm-dee commented 3 years ago

Confirming this is still a problem in versions. In my case I have EC2 instances attached to the SG and it does not try to detach before destroying the SG.

```
Terraform v0.12.29
+ provider.aws v3.9.0
```

klolik commented 2 years ago

Same for load balancer attached security groups.

Renaming the TF resource `resource "aws_security_group" "this"` to `resource "aws_security_group" "that"` makes TF stuck trying to destroy this security group when it is still applied to an application load balancer.

c4milo commented 2 years ago

It happens as well to SGs attached through ASGs.

pspot2 commented 2 years ago

Also applies to VPC endpoint implicitly created by aws_transfer_server resource.

cfernhout commented 1 year ago

I have the same issue with RDS and VPC SG. Running TF v1.1.9 & AWS v4.8.0

demisx commented 9 months ago

Similar issue with EC2 instance https://github.com/hashicorp/terraform/issues/8617. Does anyone have any workaround for disassociating security group first?

emmaLP commented 5 days ago

Getting this issue when leveraging the AWS provider RDS tf module.

I've tried the `create_before_destroy` option on the security group; you can see the RDS `security_group_rule` get updated, but this does not get applied to the RDS cluster.

I am having to manually update the attached security groups on the RDS instance for the new security group to be added.

Please can we get an update on this, or has anyone found a non-manual workaround?