hashicorp / terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure. It is a source-available tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
https://www.terraform.io/

Rollback when using rule resource w/ AWS default network ACL #9757

Closed tylerFowler closed 7 years ago

tylerFowler commented 7 years ago

I've found that when using the aws_default_network_acl resource alongside the aws_network_acl_rule there is a bug that causes the plan to succeed and then roll itself back on the next subsequent plan.

Since that's super confusing here's a step by step of what happens:

1. Write rules, link with a default network ACL resource (as opposed to inline rules), run plan & apply and all the rules are correctly written to the default ACL.
2. Run plan again and this time you will get a plan that reverses all the rules you just applied like so:

```
~ module.vpc.aws_default_network_acl.default
egress.#:                     "1" => "0"
egress.247735553.action:      "deny" => ""
egress.247735553.cidr_block:  "0.0.0.0/0" => ""
egress.247735553.from_port:   "2375" => "0"
egress.247735553.icmp_code:   "0" => "0"
egress.247735553.icmp_type:   "0" => "0"
egress.247735553.protocol:    "6" => ""
egress.247735553.rule_no:     "100" => "0"
egress.247735553.to_port:     "2376" => "0"
ingress.#:                    "1" => "0"
ingress.247735553.action:     "deny" => ""
ingress.247735553.cidr_block: "0.0.0.0/0" => ""
ingress.247735553.from_port:  "2375" => "0"
ingress.247735553.icmp_code:  "0" => "0"
ingress.247735553.icmp_type:  "0" => "0"
ingress.247735553.protocol:   "6" => ""
ingress.247735553.rule_no:    "100" => "0"
ingress.247735553.to_port:    "2376" => "0"

Plan: 0 to add, 1 to change, 0 to destroy.
```

3. Apply this plan, which succeeds and effectively resets the default ACL to its initial state.
4. Run a refresh. Now, because your tfstate file *does have* those rules but they are *not* applied in AWS, you will receive this error:

```bash
Error refreshing state: 2 error(s) occurred:

* aws_network_acl_rule.test_ingress: Expected to find one Network ACL, got: []*ec2.NetworkAcl(nil)
* aws_network_acl_rule.test_egress: Expected to find one Network ACL, got: []*ec2.NetworkAcl(nil)
```

I am able to repeat this behavior reliably, and am assuming that it's not the desired behavior. Also, using inline ingress & egress blocks fixes this problem.

Terraform Version: v0.7.7

catsby commented 7 years ago

Hey @tylerFowler – sorry to have led you astray. The aws_default_network_acl resource is incompatible with the aws_network_acl_rule resource. I've updated the documentation in #9839 to reflect this. I failed to mention that in the documentation when I added this resource, and I'm sorry for the trouble it's caused you.
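To make the incompatibility and the workaround concrete, here is an added configuration example; it is not from the issue, the reporter, or the Terraform project. Alternative A is the pattern the report describes (a managed default ACL plus separate `aws_network_acl_rule` resources), Alternative B is the inline form that both comments say works. Only one alternative belongs in a real configuration, since both adopt the same default ACL. The rule mirrors the one visible in the plan output above (deny TCP 2375-2376, the Docker daemon's default remote API ports, from anywhere); `aws_vpc.main` and the CIDR values are assumptions, and the attribute syntax is the current HCL form rather than the `${...}` interpolation of the v0.7 era.

```hcl
# Added example, not code from the issue or the Terraform project.
# Assumes an existing resource "aws_vpc" "main" in the same configuration.

# --- Alternative A: triggers the rollback described in the issue -----------
# aws_default_network_acl owns the *whole* rule set of the VPC's default ACL.
# Rules created through separate aws_network_acl_rule resources are not part
# of its state, so the next plan sees them as drift and proposes removing
# them; after that apply, the rule resources can no longer be refreshed.
resource "aws_default_network_acl" "broken" {
  default_network_acl_id = aws_vpc.main.default_network_acl_id
  # no inline ingress/egress blocks: the resource records an empty rule set
}

resource "aws_network_acl_rule" "broken_ingress" {
  network_acl_id = aws_default_network_acl.broken.id
  rule_number    = 100
  egress         = false
  protocol       = "tcp"
  rule_action    = "deny"
  cidr_block     = "0.0.0.0/0"
  from_port      = 2375
  to_port        = 2376
}

# --- Alternative B: declare the rules inline (works) ------------------------
# With the rules inside the resource, Terraform's state and AWS agree after
# the first apply, and a second `terraform plan` reports no changes.
resource "aws_default_network_acl" "default" {
  default_network_acl_id = aws_vpc.main.default_network_acl_id

  # Deny the Docker remote API ports from anywhere.
  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "deny"
    cidr_block = "0.0.0.0/0"
    from_port  = 2375
    to_port    = 2376
  }

  egress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "deny"
    cidr_block = "0.0.0.0/0"
    from_port  = 2375
    to_port    = 2376
  }

  # Network ACLs are evaluated in ascending rule number and end in an implicit
  # deny-all, so an explicit allow after the deny is needed for other traffic.
  ingress {
    protocol   = "-1"
    rule_no    = 200
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }

  egress {
    protocol   = "-1"
    rule_no    = 200
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 0
    to_port    = 0
  }
}
```

The check that distinguishes the two forms is the second plan: after `terraform apply`, run `terraform plan` again and expect no changes. A plan that proposes `egress.#: "1" => "0"` or similar on the default ACL, as in the report, means the rules live outside the resource that owns the ACL and will be removed on the next apply. The trailing allow rules in Alternative B are the caveat worth keeping in mind when adopting a default ACL: once Terraform manages it, only the rules declared in the configuration survive, including the default allow-all rules AWS created with the VPC.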

ghost commented 4 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.