
When modifying a VPC to add IPv6 terraform exits with an error that ::/0 egress entry in the default security group already exists #15202

Open
takeda opened this issue Sep 17, 2020 · 4 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@takeda

takeda commented Sep 17, 2020

I reported it at hashicorp/terraform#26275, but looks like this is the correct place.

When you have an existing VPC that is configured IPv4 only, and then you add assign_generated_ipv6_cidr_block = true to the VPC and also add an entry like this to the default security group:

  egress {
    protocol   = -1
    rule_no    = 101
    action     = "allow"
    ipv6_cidr_block = "::/0"
    from_port  = 0
    to_port    = 0
  }

Terraform (tested on 0.13.2) will error out with the following message:
Error: Error authorizing security group egress rules: InvalidPermission.Duplicate: the specified rule "peer: ::/0, ALL, ALLOW" already exists

What I believe is happening is that when I allocate an IPv6 CIDR for the VPC, AWS most likely automatically adds ::/0 to the default security group. Terraform then tries to add that entry and fails. I don't know a good workaround for this, besides rerunning TF twice, because this entry is required to be listed when the stack is created from scratch (it correctly won't be there if not specified), but it will throw an error about a duplicate when updating an existing VPC that's set up to be IPv4 only.

I did the same thing with CloudFormation and it works as expected, both when creating from scratch and updating the stack.
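One way to make the step that trips over this idempotent is to inspect what the default security group already contains before authorizing anything, and to authorize only the rules that are actually missing. The following Python is an added example, not code from the reporter or from the AWS provider. It works on a constructed dictionary shaped like one entry of an EC2 DescribeSecurityGroups response (the `sg-` and `vpc-` ids are placeholders) so it runs offline with the standard library only; the function names `flatten_egress`, `has_ipv6_all_egress`, `missing_egress_rules` and `wide_open_egress` are my own.

```python
"""Inspect a default security group for an already-present ::/0 egress rule,
compute which desired egress rules still need authorizing, and flag
any-address egress rules for review.

The sample below is constructed to mimic the shape of an EC2
DescribeSecurityGroups entry; it is not output from a real account.
"""
from typing import Dict, List, Tuple

# Constructed sample: a default SG after IPv6 was assigned to its VPC.
# Besides the usual 0.0.0.0/0 egress, a ::/0 egress rule is now present.
SAMPLE_DEFAULT_SG: Dict = {
    "GroupId": "sg-0123456789abcdef0",   # placeholder id
    "GroupName": "default",
    "VpcId": "vpc-0123456789abcdef0",     # placeholder id
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {
            "IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            "PrefixListIds": [],
            "UserIdGroupPairs": [],
        }
    ],
}

# A rule is flattened to (protocol, from_port, to_port, cidr) so that an API
# entry carrying several ranges can be compared one CIDR at a time.
Rule = Tuple[str, int, int, str]

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def flatten_egress(sg: Dict) -> List[Rule]:
    """Expand each IpPermissionsEgress entry into one tuple per CIDR.
    Protocol -1 (all traffic) carries no FromPort/ToPort in the API;
    normalise it to 0-0, which is how a Terraform egress block spells it."""
    rules: List[Rule] = []
    for perm in sg.get("IpPermissionsEgress", []):
        proto = str(perm.get("IpProtocol", "-1"))
        if proto == "-1":
            from_port, to_port = 0, 0
        else:
            from_port = int(perm.get("FromPort", 0))
            to_port = int(perm.get("ToPort", 0))
        for r in perm.get("IpRanges", []):
            rules.append((proto, from_port, to_port, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.append((proto, from_port, to_port, r["CidrIpv6"]))
    return rules


def has_ipv6_all_egress(sg: Dict) -> bool:
    """True when the group already allows all outbound IPv6 traffic (::/0),
    i.e. the rule the report says appears once the VPC gains an IPv6 CIDR."""
    return ("-1", 0, 0, "::/0") in flatten_egress(sg)


def missing_egress_rules(sg: Dict, desired: List[Rule]) -> List[Rule]:
    """Return the desired rules not yet present on the group. Authorizing
    only these avoids InvalidPermission.Duplicate on a re-run."""
    existing = set(flatten_egress(sg))
    return [r for r in desired if r not in existing]


def wide_open_egress(sg: Dict) -> List[str]:
    """List the any-address CIDRs that the group allows all traffic to.
    A ::/0 entry that nobody declared is worth a finding in its own right."""
    return sorted(
        cidr for proto, _, _, cidr in flatten_egress(sg)
        if proto == "-1" and cidr in ANY_ADDRESS
    )


if __name__ == "__main__":
    desired = [("-1", 0, 0, "0.0.0.0/0"), ("-1", 0, 0, "::/0"),
               ("tcp", 443, 443, "10.0.0.0/8")]  # constructed wish list
    print("::/0 egress already present:", has_ipv6_all_egress(SAMPLE_DEFAULT_SG))
    print("rules still to authorize:", missing_egress_rules(SAMPLE_DEFAULT_SG, desired))
    print("any-address egress:", wide_open_egress(SAMPLE_DEFAULT_SG))
```

Feeding the JSON from `aws ec2 describe-security-groups --group-ids <id>` into `missing_egress_rules` gives the list a wrapper script can pass to AuthorizeSecurityGroupEgress without hitting the duplicate error; `wide_open_egress` is the audit side of the same data, since a default group that now permits all outbound IPv6 is a change in posture whether or not a declaration for it was ever written.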

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Sep 17, 2020
@gdavison gdavison added service/ec2 Issues and PRs that pertain to the ec2 service. bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 21, 2020
@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 12, 2022
@takeda (Author)

takeda commented Sep 12, 2022

It's still a bug.

@github-actions github-actions bot removed the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 12, 2022
@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 15, 2024
@takeda (Author)

takeda commented Sep 15, 2024

Was it actually resolved?

@github-actions github-actions bot removed the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Sep 15, 2024