Manual AWS console additions to security groups are not detected by plan/apply. #220
Comments
I am experiencing the same problem with Terraform v0.9.11 not detecting manual AWS console updates. Here are two cases where I ran into this. The second case is "terraform import". If I do a Terraform import of aws_security_group.whatever then it would create in the state file an "aws_security_group_rule" for each port rule instead of inside "aws_security_group.whatever". I would have to massage the state file manually and put the rules back into the "aws_security_group.whatever".
This is still the case in the current release. The expected behaviour would be to remove any rule not specified in the graph. I do understand that this would be a breaking change, but it is definitely a bug and not a feature. Would it be possible to add a We could leave Thoughts @radeksimko ?
Hi folks,
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
This issue was originally opened by @dmikalova as hashicorp/terraform#8119. It was migrated here as part of the provider split. The original body of the issue is below.
Terraform v0.7.0
Affected Resource(s)
aws_security_group
aws_security_group_rule
Actual Behavior
I have an aws security group with no in-line rules in a vpc, and a set of aws security group rules attached to it. Each sg rule can declare multiple IPs per port.
If I go into the AWS console and manually remove or edit a line (i.e. remove the 1.1.1.1/32:22 line, or change it to 4.4.4.4/32:80), tf will detect this and attempt to add the line back in. However, because the other lines still exist (i.e. 2.2.2.2/32:22), it crashes because of duplicates.
If I have an aws_security_group_rule with only 1 IP, then removals and changes work fine.
If I add in a completely new rule, such as allow all ports and all IPs in, tf does not detect this at all.
Expected Behavior
I expect tf to detect any changes to a security group - removed rules, changed rules, and added rules. I expect it to then successfully change them to what is declared in the tf config. I believe this is consistent with how tf deals with manual changes that it detects elsewhere.
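Because plan/apply at these versions re-adds removed rules but does not notice rules added in the console, an out-of-band comparison of the declared rule set against the observed one is the check a defender wants. This is an added example, not code from the issue or from the Terraform AWS provider; the input shape (rule dicts with protocol, port range and a list of CIDRs) and the sample data are constructed to mirror the report above.

```python
"""Out-of-band drift check for AWS security group rules (added example).

Compares the rules declared in config with the rules observed on the group
and reports both directions: "missing" rules are what terraform would try to
re-add, "unmanaged" rules are what terraform would not detect at all.
"""
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, int, int, str]  # (protocol, from_port, to_port, cidr)


def normalize(rules: List[Dict]) -> Set[Rule]:
    """Flatten rule dicts (one port range, many CIDRs) into single-CIDR
    rules, which is how the AWS API stores them and why a partial removal
    in the console collides with the remaining CIDRs on re-add."""
    out: Set[Rule] = set()
    for r in rules:
        for cidr in r["cidrs"]:
            out.add((r["protocol"], r["from_port"], r["to_port"], cidr))
    return out


def detect_drift(desired: List[Dict], observed: List[Dict]) -> Dict[str, Set[Rule]]:
    want, have = normalize(desired), normalize(observed)
    return {"missing": want - have, "unmanaged": have - want}


def is_world_open(rule: Rule) -> bool:
    """True for an allow-everything rule from any address (IPv4 or IPv6)."""
    proto, lo, hi, cidr = rule
    return cidr in ("0.0.0.0/0", "::/0") and (proto == "-1" or (lo == 0 and hi == 65535))


# Constructed sample: config declares 22/tcp from two hosts; in the console one
# CIDR was removed, one line was changed to 4.4.4.4/32:80 and allow-all was added.
DESIRED = [{"protocol": "tcp", "from_port": 22, "to_port": 22,
            "cidrs": ["1.1.1.1/32", "2.2.2.2/32"]}]
OBSERVED = [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["2.2.2.2/32"]},
            {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidrs": ["4.4.4.4/32"]},
            {"protocol": "-1", "from_port": 0, "to_port": 0, "cidrs": ["0.0.0.0/0"]}]

if __name__ == "__main__":
    drift = detect_drift(DESIRED, OBSERVED)
    for rule in sorted(drift["missing"]):
        print("MISSING   (terraform would re-add):   ", rule)
    for rule in sorted(drift["unmanaged"]):
        flag = "  <-- world-open" if is_world_open(rule) else ""
        print("UNMANAGED (terraform would not detect):", rule, flag)
```

In practice the observed list would come from a describe-security-groups call; the diff logic itself is what the example demonstrates.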