terraform-provider-openstack / terraform-provider-openstack

Terraform OpenStack provider
https://registry.terraform.io/providers/terraform-provider-openstack/openstack/latest/docs
Mozilla Public License 2.0

Replacement of Security Group of Networking Port not possible #1599

Open Mazorius opened 1 year ago

Mazorius commented 1 year ago

Hi,

When I add delete_default_rules = true to openstack_networking_secgroup_v2 and run Terraform, it tries to replace the security group and update the networking port in-place.

Terraform Version

Terraform v1.5.4
on darwin_arm64

Affected Resource(s)


Terraform Configuration Files

resource "openstack_networking_port_v2" "networking_port" {
  count              = var.node_count
  name               = "${var.prefix}-${var.dc}-${var.stage}-${var.instance_name}-${count.index + 1}"
  dns_name           = "${var.prefix}-${var.dc}-${var.stage}-${replace(var.instance_name, "_", "-")}-${count.index + 1}"
  network_id         = var.network_id
  admin_state_up     = true
  security_group_ids = var.secgroup_ids

  fixed_ip {
    subnet_id  = var.subnet_id
    ip_address = cidrhost(var.subnet_cidr, count.index + var.hostnum)
  }
}

resource "openstack_networking_secgroup_v2" "gitlab_rails" {
  name                 = "gitlab-rails"
  description          = "Ingress and Egress configuration for the GitLab Rails servers"
  delete_default_rules = true
}

Expected Behavior

The security group will be replaced successfully.

Actual Behavior

The security group runs into a 10-minute timeout.

Steps to Reproduce

  1. Create a networking port with a security group attached, without delete_default_rules = true.
  2. Add delete_default_rules = true to the security group.
  3. Run TF plan and see that the security group will be replaced and the networking port will be updated in-place.
  4. Run TF apply and wait for the timeout.
  5. Detach the security group from the port, for example with the CLI: openstack port set $PORT_ID --no-security-group
  6. Run TF apply again; it should work now.

Conclusion:

It seems that in this specific case the security_group needs to be detached from the networking_port first, and afterwards it can be replaced.

Important Factoids

References

nothing
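A pre-apply check for the failure mode described in this issue, added here as an example and not code from the issue or from the provider: it reads the JSON of a saved plan (`terraform show -json tfplan`), lists every openstack_networking_secgroup_v2 that will be destroyed and recreated while a port in state still references the group's current id, and emits the detach command from step 5 for each such port. The sample plan is constructed and its resource addresses and ids are made up.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads; resource addresses and ids are made up.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "openstack_networking_secgroup_v2.gitlab_rails",
     "type": "openstack_networking_secgroup_v2",
     "change": {"actions": ["delete", "create"],
                "before": {"id": "sg-aaaa", "delete_default_rules": False},
                "after": {"delete_default_rules": True}}},
    {"address": "openstack_networking_port_v2.networking_port[0]",
     "type": "openstack_networking_port_v2",
     "change": {"actions": ["update"],
                "before": {"id": "port-1111", "security_group_ids": ["sg-aaaa"]}}},
    {"address": "openstack_networking_port_v2.networking_port[1]",
     "type": "openstack_networking_port_v2",
     "change": {"actions": ["no-op"],
                "before": {"id": "port-2222", "security_group_ids": ["sg-bbbb"]}}},
]})

def replaced_secgroups_in_use(plan_json):
    """Map each security group the plan destroys and recreates to the (port
    address, port id) pairs still holding its old id: the references that hang."""
    changes = json.loads(plan_json).get("resource_changes", [])
    old_id_to_sg = {}
    for rc in changes:
        # Terraform encodes a replacement as both "delete" and "create".
        if (rc["type"] == "openstack_networking_secgroup_v2"
                and {"delete", "create"} <= set(rc["change"]["actions"])):
            old_id = (rc["change"].get("before") or {}).get("id")
            if old_id:
                old_id_to_sg[old_id] = rc["address"]
    blocked = {}
    for rc in changes:
        if rc["type"] != "openstack_networking_port_v2":
            continue
        before = rc["change"].get("before") or {}
        for sg_id in before.get("security_group_ids") or []:
            if sg_id in old_id_to_sg:
                blocked.setdefault(old_id_to_sg[sg_id], []).append(
                    (rc["address"], before.get("id")))
    return blocked

def detach_commands(plan_json):
    """Step 5 of the workaround, one command per affected port. --no-security-group
    clears every group on the port, not only the replaced one; the next apply reattaches."""
    return [f"openstack port set {port_id} --no-security-group"
            for ports in replaced_secgroups_in_use(plan_json).values()
            for _addr, port_id in ports]
```

Run it against a real plan by replacing SAMPLE_PLAN with the output of `terraform show -json tfplan`; an empty result means no port in state blocks the replacement.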

x4e-jonas commented 1 year ago

Same for openstack_compute_secgroup_v2: #383

#1045 has the same issue for the relation between subnets and ports. And #1356 for a port assigned to a router (openstack_networking_router_interface_v2).