yandex-cloud / terraform-provider-yandex

Terraform Yandex provider
https://www.terraform.io/docs/providers/yandex/
Mozilla Public License 2.0

yandex_vpc_security_group recreates existing rules when only a new one needs to be added #302

Open Windemiatrix opened 1 year ago

Windemiatrix commented 1 year ago

Provider version - 0.81.0

Code to reproduce:

resource "yandex_vpc_security_group" "this" {
  folder_id   = yandex_resourcemanager_folder.mysql.id
  name        = "sg-${local.cluster_this_name}"
  description = "Security group for mysql cluster ${local.cluster_this_name}"
  network_id  = data.yandex_vpc_network.default.id

  # Existing rule: any protocol, all ports (-1) from the RFC 1918 ranges.
  ingress {
    protocol       = "ANY"
    description    = "Allow local subnets"
    v4_cidr_blocks = ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]
    port           = -1
  }

  # Rule to be added later; uncommenting it triggers the plan shown below.
  //ingress {
  //  protocol       = "TCP"
  //  description    = "Allow mysql connections from all subnets"
  //  v4_cidr_blocks = ["0.0.0.0/0"]
  //  port           = 3306
  //}

  egress {
    protocol       = "ANY"
    description    = "Allow all"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = -1
  }

  labels = local.cluster_labels
}

When the commented-out block is added, terraform will recreate the first ingress rule:

  # yandex_vpc_security_group.this will be updated in-place
  ~ resource "yandex_vpc_security_group" "this" {
        id          = "skipped_kkn1o"
        name        = "sg-this"
        # (6 unchanged attributes hidden)

      + ingress {
          + description    = "Allow mysql connections from all subnets"
          + from_port      = -1
          + id             = (known after apply)
          + labels         = (known after apply)
          + port           = 3306
          + protocol       = "TCP"
          + to_port        = -1
          + v4_cidr_blocks = [
              + "0.0.0.0/0",
            ]
          + v6_cidr_blocks = []
        }
      - ingress {
          - description    = "Allow local subnets" -> null
          - from_port      = -1 -> null
          - id             = "skipped_djn9q" -> null
          - labels         = {} -> null
          - port           = -1 -> null
          - protocol       = "ANY" -> null
          - to_port        = -1 -> null
          - v4_cidr_blocks = [
              - "192.168.0.0/16",
              - "10.0.0.0/8",
              - "172.16.0.0/12",
            ] -> null
          - v6_cidr_blocks = [] -> null
        }
      + ingress {
          + description    = "Allow local subnets"
          + from_port      = -1
          + id             = "skipped_djn9q"
          + labels         = {}
          + port           = -1
          + protocol       = "ANY"
          + to_port        = -1
          + v4_cidr_blocks = [
              + "192.168.0.0/16",
              + "10.0.0.0/8",
              + "172.16.0.0/12",
            ]
          + v6_cidr_blocks = []
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
Windemiatrix commented 1 year ago

If this rule is removed again after the configuration has been applied, the first rule is likewise recreated.
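The plan above is hard to review because the unchanged "Allow local subnets" rule is printed as removed and re-added, which buries the one change that actually matters for security (a new TCP/3306 rule open to 0.0.0.0/0). The following script is an added example, not code from the issue or from the provider: it reads the machine-readable plan (`terraform show -json tfplan`, whose `resource_changes[].change.before/after` layout is assumed here) and compares each security group's rules by their effective content (direction, protocol, ports, CIDRs), ignoring provider-managed fields such as `id`, `labels` and `description`. Rules present on both sides are reported as churn; only genuinely added or removed rules, and among them any world-open ingress, are flagged. The embedded plan is hand-constructed to mirror the one in the issue, with placeholder ids.

```python
"""Semantic diff of security-group rules in a Terraform JSON plan (added example)."""
import json
import sys

# Hand-constructed fragment of `terraform show -json tfplan` output mirroring the
# plan in the issue. Ids are placeholders; the new rule has no id yet in `after`.
LOCAL_RULE = {"description": "Allow local subnets", "from_port": -1,
              "id": "skipped_djn9q", "labels": {}, "port": -1, "protocol": "ANY",
              "to_port": -1, "v6_cidr_blocks": [],
              "v4_cidr_blocks": ["192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12"]}
EGRESS_RULE = {"description": "Allow all", "from_port": -1, "id": "placeholder_egr",
               "labels": {}, "port": -1, "protocol": "ANY", "to_port": -1,
               "v4_cidr_blocks": ["0.0.0.0/0"], "v6_cidr_blocks": []}
MYSQL_RULE = {"description": "Allow mysql connections from all subnets",
              "from_port": -1, "port": 3306, "protocol": "TCP", "to_port": -1,
              "v4_cidr_blocks": ["0.0.0.0/0"], "v6_cidr_blocks": []}
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [{
        "address": "yandex_vpc_security_group.this",
        "type": "yandex_vpc_security_group",
        "change": {
            "actions": ["update"],
            "before": {"ingress": [LOCAL_RULE], "egress": [EGRESS_RULE]},
            # Same rule set plus the new one; block order differs, as in the plan.
            "after": {"ingress": [MYSQL_RULE, LOCAL_RULE], "egress": [EGRESS_RULE]},
        },
    }],
}


def normalize_rule(direction, rule):
    """Hashable key for what a rule permits; provider-managed fields are dropped."""
    def port(name):
        value = rule.get(name)
        return -1 if value is None else int(value)   # -1 means all ports
    return (
        direction,
        str(rule.get("protocol") or "ANY").upper(),
        port("port"), port("from_port"), port("to_port"),
        tuple(sorted(rule.get("v4_cidr_blocks") or [])),
        tuple(sorted(rule.get("v6_cidr_blocks") or [])),
    )


def rule_keys(state):
    """Every ingress/egress rule of a security-group state as a set of keys."""
    keys = set()
    for direction in ("ingress", "egress"):
        for rule in (state or {}).get(direction) or []:
            keys.add(normalize_rule(direction, rule))
    return keys


def diff_security_group(resource_change):
    """Split before/after rules into really added, really removed, and churn."""
    change = resource_change["change"]
    before, after = rule_keys(change.get("before")), rule_keys(change.get("after"))
    return {"address": resource_change["address"],
            "added": sorted(after - before),
            "removed": sorted(before - after),
            "unchanged": sorted(before & after)}


def analyze_plan(plan):
    """Diff every updated yandex_vpc_security_group in the plan."""
    return [diff_security_group(rc) for rc in plan.get("resource_changes", [])
            if rc.get("type") == "yandex_vpc_security_group"
            and "update" in rc["change"]["actions"]]


def is_world_open_ingress(key):
    """True for an ingress rule that admits traffic from 0.0.0.0/0 or ::/0."""
    direction, _proto, _port, _from, _to, v4, v6 = key
    return direction == "ingress" and ("0.0.0.0/0" in v4 or "::/0" in v6)


def world_open_additions(results):
    """(address, rule key) pairs for newly added world-open ingress rules."""
    return [(r["address"], k) for r in results for k in r["added"]
            if is_world_open_ingress(k)]


if __name__ == "__main__":
    # Usage: python sg_plan_diff.py plan.json   (no argument: use the sample)
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    results = analyze_plan(plan)
    for r in results:
        print(f"{r['address']}: {len(r['unchanged'])} rule(s) unchanged (churn only)")
        for k in r["removed"]:
            print("  removed:", k)
        for k in r["added"]:
            print("  added:  ", k)
    flagged = world_open_additions(results)
    for address, key in flagged:
        print(f"WORLD-OPEN INGRESS ADDED in {address}: {key}")
    sys.exit(1 if flagged else 0)
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && python sg_plan_diff.py plan.json`; a non-zero exit makes the world-open case fail a CI step while the re-created-but-identical rules are reported only as churn. The `description` field is deliberately excluded from the key so that a reworded description is not mistaken for a rule change; include it if your review policy wants that noise.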