hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Elasticache security group change forces new resource #17907

Closed agentreno closed 6 years ago

agentreno commented 6 years ago

When adding new EC2 security groups to an Elasticache security group, a new resource is forced. However, destroying the existing elasticache security group is not permitted because it remains associated with the cache:

```text
Terraform will perform the following actions:

-/+ aws_elasticache_security_group.test_cache (new resource required)
      id:                              "test_cache" => <computed> (forces new resource)
      description:                     "Managed by Terraform" => "Managed by Terraform"
      name:                            "test_cache" => "test_cache"
      security_group_names.#:          "1" => "2" (forces new resource)
      security_group_names.2701447893: "" => "group two" (forces new resource)
      security_group_names.3399671362: "group one" => "group one"

Error: Error applying plan:

1 error(s) occurred:

* aws_elasticache_security_group.test_cache (destroy): 1 error(s) occurred:

* aws_elasticache_security_group.test_cache: InvalidCacheSecurityGroupState: Cannot delete the security group because at least one cache cluster is still a member: test-cache.
        status code: 400, request id: e184b482-44b5-11e8-8b36-73b27fe25d20
```

I don't believe a new resource should be forced, since it is possible without a new resource in the AWS dashboard and potentially via the API using ModifyCacheCluster (not entirely sure if that is just Cache -> SG associations though rather than modifying existing SG). https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_ModifyCacheCluster.html

Something similar was raised in this solved ticket - it's possibly a regression? https://github.com/hashicorp/terraform/issues/2303

Reproduce using config below, or by cloning https://github.com/agentreno/terraform-elasticache-modify-issue and applying the config, then uncomment line 29, and run a plan and apply. Don't forget to destroy :)

```hcl
# Terraform 0.11-style configuration (interpolation syntax) reproducing the issue.
resource "aws_security_group" "group_one" {
    name = "group one"
    description = "Testing SG for terraform issue"

    ingress {
        from_port = 0
        to_port = 22
        protocol = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
}

resource "aws_security_group" "group_two" {
    name = "group two"
    description = "Testing SG for terraform issue"

    ingress {
        from_port = 0
        to_port = 80
        protocol = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
}

# The ElastiCache security group that wraps the EC2 security groups.
resource "aws_elasticache_security_group" "test_cache" {
    name =  "test_cache"
    security_group_names = [
        "${aws_security_group.group_one.name}",
        # Uncommenting the next line after the first apply triggers the
        # forced replacement shown in the plan above.
        # "${aws_security_group.group_two.name}"
    ]
}

# The cache cluster that remains a member of the ElastiCache security group,
# which is what blocks the destroy step of the replacement.
resource "aws_elasticache_cluster" "test_cache" {
    cluster_id = "test-cache"
    engine = "redis"
    node_type = "cache.t1.micro"
    port = 6379
    num_cache_nodes = 1
    parameter_group_name = "default.redis3.2"
    security_group_names = ["${aws_elasticache_security_group.test_cache.name}"]
}
```

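As an added example, not part of this issue, of Terraform or of the AWS provider: a small Python check that parses the 0.11-style plan text shown above, lists which attributes are marked `(forces new resource)`, and flags replacements of resource types an operator does not want recreated while other resources still reference them (here `aws_elasticache_security_group`). Teams can run it over `terraform plan -no-color` output as a CI gate so a plan like the one in this report is rejected before `apply` fails half-way. The sample plan embedded in the block is constructed from the lines in the issue plus one invented in-place change; the function and type names are the example's own.

```python
"""Added example: detect forced replacements in Terraform 0.11-style plan text.

Illustrative code written for this page, not part of Terraform or the AWS
provider. It understands the human-readable plan format shown in the issue:
a resource header such as
    -/+ aws_elasticache_security_group.test_cache (new resource required)
followed by indented attribute lines, some suffixed with
    (forces new resource)
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# Resource header: an action symbol, the resource address, optional note in parens.
_HEADER = re.compile(
    r"^\s*(?P<action>[-+~/<>]+)\s+(?P<address>[\w.\[\]\"-]+)"
    r"(?:\s+\((?P<note>[^)]*)\))?\s*$"
)
# Attribute line: name, old value => new value, optional "(forces new resource)".
_ATTR = re.compile(
    r"^\s+(?P<attr>[^:\s]+):\s+(?P<old>\"[^\"]*\"|<computed>)\s+=>\s+"
    r"(?P<new>\"[^\"]*\"|<computed>)(?P<forces>\s+\(forces new resource\))?\s*$"
)

# Constructed sample: the plan from the issue plus an invented in-place update.
SAMPLE_PLAN = """\
Terraform will perform the following actions:

-/+ aws_elasticache_security_group.test_cache (new resource required)
      id:                              "test_cache" => <computed> (forces new resource)
      description:                     "Managed by Terraform" => "Managed by Terraform"
      name:                            "test_cache" => "test_cache"
      security_group_names.#:          "1" => "2" (forces new resource)
      security_group_names.2701447893: "" => "group two" (forces new resource)
      security_group_names.3399671362: "group one" => "group one"

  ~ aws_security_group.group_one
      description:                     "Testing SG for terraform issue" => "Updated description"
"""


@dataclass
class ResourceChange:
    action: str                     # "-/+", "+/-", "~", "+", "-"
    address: str                    # e.g. aws_elasticache_security_group.test_cache
    forcing_attrs: list[str] = field(default_factory=list)

    @property
    def replaced(self) -> bool:
        # "-/+" is destroy-then-create, "+/-" is create-before-destroy.
        return self.action in ("-/+", "+/-") or bool(self.forcing_attrs)


def resource_type(address: str) -> str:
    """Return the resource type of an address (segment before the name)."""
    parts = address.split(".")
    return parts[-2] if len(parts) >= 2 else address


def parse_plan(text: str) -> list[ResourceChange]:
    """Parse 0.11-style plan text into per-resource changes."""
    changes: list[ResourceChange] = []
    current: ResourceChange | None = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends the current resource block
            continue
        header = _HEADER.match(line)
        if header:
            current = ResourceChange(header["action"], header["address"])
            changes.append(current)
            continue
        attr = _ATTR.match(line)
        if attr and current is not None and attr["forces"]:
            current.forcing_attrs.append(attr["attr"])
    return changes


def blocked_replacements(changes: list[ResourceChange],
                         protected_types: set[str]) -> list[ResourceChange]:
    """Replacements of resource types that must not be recreated by this plan."""
    return [c for c in changes
            if c.replaced and resource_type(c.address) in protected_types]


if __name__ == "__main__":
    # Usage: terraform plan -no-color | python check_plan.py
    plan_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLAN
    blocked = blocked_replacements(parse_plan(plan_text),
                                   {"aws_elasticache_security_group"})
    for change in blocked:
        print(f"BLOCKED: {change.address} would be replaced "
              f"(forced by: {', '.join(change.forcing_attrs)})")
    sys.exit(1 if blocked else 0)
```

The parser targets the 0.11 text format reproduced in this issue; Terraform 0.12 and later print replacements differently (`must be replaced`) and expose a machine-readable plan via `terraform show -json`, which is the better input for a gate on those versions.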
ghost commented 6 years ago

This issue has been automatically migrated to terraform-providers/terraform-provider-aws#4295 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to terraform-providers/terraform-provider-aws#4295.

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.