-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: TF often tries to create duplicate security group rules #29797
Comments
Community NoteVoting for Prioritization
Volunteering to Work on This Issue
|
Hey @speller 👋 I left a comment over on #29393 that I believe will also apply here, in that I believe this comes down to the way data sources behave when they're dependent on another resource or module. If the answer I left on the other issue doesn't help, let me know and I'd be happy to help look around some more. |
@justinretzolk I understand what you say. But the data object is configured by the vpc_id. And this id is not changed between runs. It comes from an external variable and then propagated to many modules without changes. So the vpc_id of the data resource should be known in the planning stage. data "aws_vpc" "vpc" {
id = var.aws.vpc_id
} |
@justinretzolk One more thing. I have other security groups in different modules which are defined in the same way as the problematic ones. They also use the VPC CIDR block. They're also marked as to be recreated but no issues during the apply stage. Only there three rules in this specific security group are often failing in different deployments. Only these three. |
@justinretzolk Here is the failing state and plan. After manual deletion of the rules, it is applied with no issues. And later can be applied ok many times. This state is from the second run after creating the deployment from scratch. |
Here are more details. Dir 1 - failing plan. Dir 2 - manually deleted duplicate rules and succeeded the apply. But, again, this doesn't prevent the issue from occurring next time. I also added the configuration. |
@justinretzolk |
Why not naming these security groups? |
I am facing the same issue on repeated applys with My temporary fix was to expand each rule to only define 1 cidrblock per rule. This allows terraform to succeed but now plan returns 2 different results:
This is also 2 steps back, 1 forward, since I first remove duplicate cidrblocks and now need to expand it back out per cidrblock. This also slowed down terraform a bit and clutters the plan, however, I prefer this over needing to manually remove resources with ** Update: With a larger configuration, around ~500+ rules, this failed as well with a duplicate error for some rules, but others succeeded. I see that there are 2 new resources listed as a note for the
The issue with the 2 new resources is that it does not accept a list of cidrs, which I would prefer. It also shows it is creating duplicates so it does not solve this issue. |
…re are no changes. This started after adding the http data source but the bug is inconsistent as it shows the hardcoded value being re-created and not the dynamically set ip address. Ref: hashicorp/terraform-provider-aws#29797 FIX: AWS security groups module - create a rule per cidrblock. This still shows that a duplicate rule will be created but terraform does not fail as aws overwrites the old rule. On a third apply, terraform shows no changes in the plan.
…re are no changes. This started after adding the http data source but the bug is inconsistent as it shows the hardcoded value being re-created and not the dynamically set ip address. Ref: hashicorp/terraform-provider-aws#29797 FIX: AWS security groups module - create a rule per cidrblock. This still shows that a duplicate rule will be created but terraform does not fail as aws overwrites the old rule. On a third apply, terraform shows no changes in the plan.
Terraform Core Version
1.3.7
AWS Provider Version
4.57.0
Affected Resource(s)
In my infra, TF often tried to create duplicate security group resources. On the same security group. When I delete them manually, it creates them again and succeeds. But on the next run it may fail again. But may not. It also happens on the deployments created from scratch earlier by the same configuration.
Expected Behavior
Successful apply
Actual Behavior
Relevant Error/Panic Output Snippet
No response
Terraform Configuration Files
Let me know how can I share my state and failing plan with you securely.
The problematic resources are here:
Only the three rules referring to the vpc cidr block are affected. Rules next to them referring to another security group are always fine. There are no duplicate definitions in the configuration (otherwise it will fail always).
In the plan, TF can not get the VPC data and can not determine the VPC cidr block and wants to update it. It eventually updates to the same value and fails:
In the plan, it reads a lot of data but can not read the data object to determine its values before apply? Why is it going to recreate rules which already exist?
There are other modules in my configuration built in the same way but all is fine with them.
Steps to Reproduce
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
#29393
Would you like to implement a fix?
None
The text was updated successfully, but these errors were encountered: