Terraform Apply Always Modifies A Security Group In Place

- 1 answer

My Terraform project always seems to modify this aws_security_group.jacobs_rds_security_group_tf resource in-place when I run terraform apply. Everything still works; it just makes debugging weird when I always have an extra resource getting modified even though nothing about it is changing.

I have 2 security groups: 1 is for my RDS DB, which whitelists incoming traffic, and the other is for tasks; it attaches to my ECS & Lambda tasks so they can access this RDS DB. The Task Security Group is whitelisted in the RDS Security Group.

The RDS Security group (aws_security_group.jacobs_rds_security_group_tf) is the one that is always getting modified in-place. Below is the code.

resource "aws_vpc" "jacobs_vpc_tf" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
}

resource "aws_security_group" "jacobs_task_security_group_tf" {
  name        = "jacobs_security_group for tasks"
  description = "Connect Tasks to RDS"
  vpc_id      = aws_vpc.jacobs_vpc_tf.id

  ingress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}

resource "aws_security_group" "jacobs_rds_security_group_tf" {
  name        = "jacobs_security_group for rds"
  description = "Allow Jacobs Traffic to RDS"
  vpc_id      = aws_vpc.jacobs_vpc_tf.id

  ingress {
    description = "Custom IP Addresses"
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = var.jacobs_cidr_block
  }

  ingress {
    description     = "Other Security Groups"
    from_port       = -1
    to_port         = -1
    protocol        = "all"
    security_groups = [aws_security_group.jacobs_task_security_group_tf.id] # this should be changed to vpc_security_group_ids ?
  }

  # outbound
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}

I research this problem about once a month and screw around with the Terraform to try & fix it, and have had no success. The GitHub issues I come across don't seem to apply to my setup, but maybe I'm missing something obvious? Any help would be appreciated!

Answer

I think your problem is that you have this ingress rule:

ingress {
  description     = "Other Security Groups"
  from_port       = -1
  to_port         = -1
  protocol        = "all"
  security_groups = [aws_security_group.jacobs_task_security_group_tf.id]
}

You have the from_port and to_port set to -1. You should set them to 0. From the docs:

If you select a protocol of -1 (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0.

What is happening in this case is that Terraform (or the AWS API used by Terraform) will set them to 0, without erroring out. Since there was a change after the apply, Terraform will detect it when you do a plan again.

Moreover, I think the docs are not accurate here: setting protocol to all is allowed (at least with the Terraform version I've tried, v1.0.11, AWS provider version 3.70.0).
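
The RDS security group from the question with the second ingress rule written the way the quoted docs require, as an added example that is neither the asker's nor the answerer's code. It assumes aws_vpc.jacobs_vpc_tf, aws_security_group.jacobs_task_security_group_tf and var.jacobs_cidr_block are defined exactly as in the question.

```hcl
# Added example, not code from the question or the answer. Assumes the VPC,
# the task security group and var.jacobs_cidr_block from the question exist.
resource "aws_security_group" "jacobs_rds_security_group_tf" {
  name        = "jacobs_security_group for rds"
  description = "Allow Jacobs Traffic to RDS"
  vpc_id      = aws_vpc.jacobs_vpc_tf.id

  # PostgreSQL from the operator's own address ranges.
  ingress {
    description = "Custom IP Addresses"
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = var.jacobs_cidr_block
  }

  # All traffic from the task security group. For protocol "-1" the AWS API
  # stores the port range as 0-0, so writing 0 here (rather than -1) makes
  # the refreshed state equal the configuration and no in-place update is
  # planned on the next run.
  ingress {
    description     = "Other Security Groups"
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    security_groups = [aws_security_group.jacobs_task_security_group_tf.id]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}
```

To confirm the drift is gone, run terraform apply once and then terraform plan -detailed-exitcode: an exit status of 0 means nothing would change, 2 means there is still a planned update to inspect. Since the database only listens on TCP 5432, the rule from the task security group can also be narrowed to protocol "tcp" with from_port and to_port of 5432, which grants only what the tasks need and avoids the -1 question entirely; note too that the tasks reach RDS through their own egress rule, so the all-traffic 0.0.0.0/0 ingress on the task security group in the question is not required for the database connection.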

source: stackoverflow.com