Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws_security_group_rule resource ERROR after trying to create the rule on each apply #5396

Closed
kristjanelias opened this issue Mar 1, 2016 · 9 comments · Fixed by #7377
Closed

Comments

@kristjanelias
Copy link

Terraform version:
terraform --version Terraform v0.6.13-dev (1448b84b37524eb2f22826dc90ffed65df68e27d)

When creating aws_security_group_rule resource and running more than 1 apply i get an error:

  • aws_security_group_rule.ingress_ssh: [WARN] A duplicate Security Group rule was found. This may be a side effect of a now-fixed Terraform issue causing two security groups with identical attributes but different source_security_group_ids to overwrite each other in the state. See Consider security groups with source security groups when hashing #2376 for more information and instructions for recovery. Error message: the specified rule "peer: 10.1.0.0/16, TCP, from port: 22, to port: 22, ALLOW" already exists

Each time terraform apply is executed the rule is created again.
Rules are not recorded in terraform.tfstate

Code to reproduce (main.tf):
main.txt

Terraform apply output:
terraform_apply.txt

tfstate file after apply:
terraform_tfstate.txt

@kristjanelias
Copy link
Author

This error does not appear when specified protocol is "-1"(all).
In that case rule is saved in tfstate file.

However it is saved uncorrectly causing the rule to be recreated at each apply.

@jen20
Copy link
Contributor

jen20 commented Mar 3, 2016

Hi @kristjanelias! Thanks for opening this issue. Did you take a look at the steps in #2376 for resolving this class of issue? If that did not work this is likely something we need to dig deeper into.

@kristjanelias
Copy link
Author

Hi @jen20
I see #2376 is merged to master so i should have these fixes on my latest version.
They obviously did not help.
You should be able reproduce this issue very easily with the few lines of code i have attached in the "main.txt" file.

@kristjanelias
Copy link
Author

@jen20
The problem i am facing is caused by 2 separate issues:

  1. Terraform fail on second apply when creating AWS SG rules - SG rule IpProtocol case sensitivity - When terraform resource (aws security group) is described with capital letters the resource is created successfully but terraform is unable to find it after creation. This is because aws returns a lower case protocol name when listing rules. Terraform is unable to compare these different case values and thinks it needs to create a new rule every time.
  • Workaround: Use lower case protocol names when defining security group rules
  • Fix: All protocol values should be casted to lower case before comparison.
  1. Some AWS SG rules are regenerated each terraform execution - Nature of "-1"(all) port rules returned by go-aws-sdk - Every time a SG rule is defined in Terraform with source or destination ports set to all (-1) the rule is successfully created but the return value set does not include values for said ports. Therefore terraform replaces these non-extsitent values with 0. Source and destination ports change force a new resource. Therefore each time terraform is executed a "0=<-1" is encountered and these rules are regenerated.
  • Workaround: haven't found one yet
  • Fix: Terraform should be able to manage this case and substitute the missing value with -1 not 0.

@rdark
Copy link
Contributor

rdark commented Mar 14, 2016

I'm being affected by this issue too. Running v0.6.12.

If I create an aws_security_group_rule along the lines of:

resource "aws_security_group_rule" "allow_all_outbound" {
  type = "egress"
  from_port = 0
  to_port = 0
  protocol = "-1"
  cidr_blocks = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.app_name.id}"
}

..And apply it to a group, it applies successfully for the first run.
Subsequent runs bomb with "duplicate Security Group rule was found" > https://gist.github.com/rdark/c19165c7e3b60a98a89b

If I manually delete that egress rule from the group, then first terraform run following that adds it back in, and then all subsequent runs work as expected.

@c4urself
Copy link

c4urself commented May 9, 2016

I've now run into this as well -- it seems that you can reproduce this by creating a aws_security_group_rule, applying it (runs fine), and then adding an item to the cidr_blocks. Applying after this will result in the exact same error @rdark gets.

@ajlanghorn
Copy link
Contributor

ajlanghorn commented May 18, 2016

I concur with @c4urself and @rdark. Seeing this behaviour here, too, using 0.6.16.

@dtolnay
Copy link
Contributor

dtolnay commented Jun 27, 2016

I have a fix in #7377. The bug was a poorly handled error case where any error (including spurious network issues) would result in a duplicate security group rule being created.

I suspect that the people who commented saying they were able to reproduce the issue reliably were running Terraform with the AuthorizeSecurityGroupIngress and/or AuthorizeSecurityGroupEgress permissions but not the DescribeSecurityGroups permission. That results in the first apply succeeding and the second apply failing.

@ghost
Copy link

ghost commented Apr 24, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 24, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants