
Moving all security group rules to separate resources #63

Merged

merged 2 commits on Aug 2, 2021
Conversation

@binlab (Owner) commented Aug 1, 2021

IMPORTANT NOTE:

After this PR, updating the module version needs some tricks, due to some Terraform bugs and an AWS limitation.

Terraform output

...
module.vault.aws_security_group.node: Still destroying... [id=sg-0b29f7b5fd2babdf0, 9m0s elapsed]
module.vault.aws_security_group.node: Still destroying... [id=sg-0b29f7b5fd2babdf0, 9m10s elapsed]
module.vault.aws_security_group.node: Still destroying... [id=sg-0b29f7b5fd2babdf0, 9m20s elapsed]
module.vault.aws_security_group.node: Still destroying... [id=sg-0b29f7b5fd2babdf0, 9m30s elapsed]
module.vault.aws_security_group.node: Still destroying... [id=sg-0b29f7b5fd2babdf0, 9m40s elapsed]
module.vault.aws_security_group.node: Still destroying... [id=sg-0b29f7b5fd2babdf0, 9m50s elapsed]
module.vault.aws_security_group.node: Still destroying... [id=sg-0b29f7b5fd2babdf0, 10m0s elapsed]

Error: Error deleting security group: DependencyViolation: resource sg-0b29f7b5fd2babdf0 has a dependent object
	status code: 400, request id: b6cd4391-8972-498c-8f3e-d70cf189eaed

Terraform bugs

Terraform has a known bug: it can't remove inline ingress or egress rules from the aws_security_group resource. More about this issue:

So all separate rules will conflict with the existing inline rules. The only way to fix it currently is to change the Name or Description of the Security Group, which triggers recreating it and truncates the inline rules, but this is connected to another problem: the AWS limitation.

AWS limitation

AWS has a couple of resources that are visible to the user in view mode but managed by AWS, and there is no way to control them with Terraform. In this case, this is a Network Interface that is assigned to the Subnets. Each Network Interface has the Security Group as a dependency. More about this issue:

Solution

A possible way to solve it and update an existing cluster is re-creating the VPC. This will trigger a replacement of ALL network resources but leave the other module resources untouched. One way to achieve this is to temporarily change the CIDR of the network assigned to the Vault cluster (you can change it back with the next apply).
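The refactor this PR performs, shown as an added illustration rather than the module's own code: a security group with inline ingress/egress blocks beside the same group rewritten with standalone aws_security_group_rule resources. Every name here (the vault_node groups, var.vpc_id, var.vault_api_cidrs) and the ports (Vault's default 8200 API and 8201 cluster ports) are assumptions for the example, not taken from the module.

```hcl
# Added example, not the module's code. Resource names, variables and ports
# are assumptions chosen for illustration.

variable "vpc_id" {
  type = string
}

variable "vault_api_cidrs" {
  type = list(string)
}

# BEFORE: rules inline in the security group. Terraform stores the whole
# ingress/egress set as attributes of this single resource, which is why
# standalone rule resources added later fight with it over the same rules.
resource "aws_security_group" "node_inline" {
  name        = "vault-node-inline"
  description = "Vault nodes (inline rules)"
  vpc_id      = var.vpc_id

  ingress {
    description = "Vault API"
    from_port   = 8200
    to_port     = 8200
    protocol    = "tcp"
    cidr_blocks = var.vault_api_cidrs
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# AFTER: the group itself carries no rules; each rule is its own resource.
# Never mix the two styles on one group.
resource "aws_security_group" "node" {
  name        = "vault-node"
  description = "Vault nodes"
  vpc_id      = var.vpc_id

  # Create the replacement group before deleting the old one, so
  # Terraform-managed dependants can be repointed first. This does not help
  # with AWS-managed network interfaces, which still hold the old group.
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_security_group_rule" "api_in" {
  type              = "ingress"
  description       = "Vault API"
  from_port         = 8200
  to_port           = 8200
  protocol          = "tcp"
  cidr_blocks       = var.vault_api_cidrs
  security_group_id = aws_security_group.node.id
}

# Cluster traffic is only allowed from other members of the same group.
resource "aws_security_group_rule" "cluster_in" {
  type                     = "ingress"
  description              = "Vault cluster traffic between nodes"
  from_port                = 8201
  to_port                  = 8201
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.node.id
  security_group_id        = aws_security_group.node.id
}

resource "aws_security_group_rule" "all_out" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.node.id
}
```

The two groups are shown side by side only to contrast the styles; a real module would contain one or the other. The lifecycle block is the standard mitigation for DependencyViolation when the group's dependants are themselves in Terraform state; for the AWS-managed interfaces described above it does not apply, which is why the note falls back to replacing the VPC.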

@binlab binlab added enhancement New feature or request refactoring Common refactoring of codebase labels Aug 1, 2021
@binlab binlab requested a review from binlabbot August 1, 2021 20:12
@binlab binlab removed the enhancement New feature or request label Aug 1, 2021
@binlabbot binlabbot merged commit f5d4c14 into master Aug 2, 2021
@binlabbot binlabbot deleted the issue-29 branch August 2, 2021 08:58
Labels
refactoring Common refactoring of codebase
Development

Successfully merging this pull request may close these issues.

Move all security groups' rules to external resources