
aws_network_acl_rule with protocol "-1" always forces resource to be recreated #13012

Closed
SergK opened this issue Mar 23, 2017 · 2 comments · Fixed by #13049

Comments

SergK commented Mar 23, 2017

Terraform Version

Terraform v0.9.1

Affected Resource(s)

  • aws_network_acl_rule

Terraform Configuration Files

```
resource "aws_network_acl" "network_acl" {
  vpc_id     = "${aws_vpc.CI-Infra-VPC.id}"
  subnet_ids = ["${aws_subnet.public_net.id}", "${aws_subnet.private_net.id}"]

  tags {
    terraform = "true"
    project   = "${var.project_name}"
  }
}

resource "aws_network_acl_rule" "net_acl_rule_ingress" {
  network_acl_id = "${aws_network_acl.network_acl.id}"
  cidr_block     = "0.0.0.0/0"
  protocol       = "-1"
  rule_number    = "100"
  rule_action    = "allow"
}

resource "aws_network_acl_rule" "net_acl_rule_egress" {
  network_acl_id = "${aws_network_acl.network_acl.id}"
  cidr_block     = "0.0.0.0/0"
  protocol       = "-1"
  rule_number    = "100"
  rule_action    = "allow"
  egress         = "true"
}
```

Debug Output

```
terraform plan -out=plan.out -detailed-exitcode

-/+ aws_network_acl_rule.net_acl_rule_egress
    cidr_block:     "0.0.0.0/0" => "0.0.0.0/0"
    egress:         "true" => "true"
    network_acl_id: "acl-xxxxxxx" => "acl-xxxxxxx"
    protocol:       "all" => "-1" (forces new resource)
    rule_action:    "allow" => "allow"
    rule_number:    "100" => "100"

-/+ aws_network_acl_rule.net_acl_rule_ingress
    cidr_block:     "0.0.0.0/0" => "0.0.0.0/0"
    egress:         "false" => "false"
    network_acl_id: "acl-xxxxxxx" => "acl-xxxxxxx"
    protocol:       "all" => "-1" (forces new resource)
    rule_action:    "allow" => "allow"
    rule_number:    "100" => "100"
```

Expected Behavior

No changes. Infrastructure is up-to-date.

Actual Behavior

We always re-create the resource:

```
$ terraform apply plan.out

aws_network_acl_rule.net_acl_rule_ingress: Destroying... (ID: nacl-xxxxxxxxx)
aws_network_acl_rule.net_acl_rule_egress: Destroying... (ID: nacl-xxxxxxxxx)
aws_network_acl_rule.net_acl_rule_egress: Destruction complete
aws_network_acl_rule.net_acl_rule_ingress: Destruction complete
aws_network_acl_rule.net_acl_rule_egress: Creating...
  cidr_block:     "" => "0.0.0.0/0"
  egress:         "" => "true"
  network_acl_id: "" => "acl-xxxxxxxxx"
  protocol:       "" => "-1"
  rule_action:    "" => "allow"
  rule_number:    "" => "100"
aws_network_acl_rule.net_acl_rule_ingress: Creating...
  cidr_block:     "" => "0.0.0.0/0"
  egress:         "" => "false"
  network_acl_id: "" => "acl-xxxxxxxxx"
  protocol:       "" => "-1"
  rule_action:    "" => "allow"
  rule_number:    "" => "100"
aws_network_acl_rule.net_acl_rule_egress: Creation complete (ID: nacl-xxxxxxxxx)
aws_network_acl_rule.net_acl_rule_ingress: Creation complete (ID: nacl-xxxxxxxxx)
```

Steps to Reproduce

terraform apply plan.out

Actually, the issue is solved when setting protocol to all:

```
...
protocol       = "all"
...
```

This should be reflected in the documentation:

> protocol - (Required) The protocol. A value of -1 means all protocols.
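The plan above shows why the rule churns: the configuration says `-1`, AWS echoes the same rule back as `all`, and a string comparison of the two reads as a change to a ForceNew attribute, so a valid allow rule is destroyed and rebuilt on every apply (with the ACL briefly lacking that rule while the default deny applies). The following is an added example in Go, not the provider's own code, of a normalizing comparison of the kind a `DiffSuppressFunc` would perform; the name-to-number table is an assumption based on IANA protocol numbers.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Protocol names that network ACL rules commonly use, mapped to their IANA
// numbers. "-1" is the AWS wildcard for every protocol, which the API reports
// back as the literal string "all". Assumed table for this example.
var protocolNumbers = map[string]int{
	"all":  -1,
	"icmp": 1,
	"tcp":  6,
	"udp":  17,
}

// canonicalProtocol reduces a protocol given as a name or a number to its
// number as a string, so "all" and "-1" (or "tcp" and "6") compare equal.
// An unknown name is returned lower-cased and can never equal a number, so a
// typo in the configuration still shows up as a diff instead of being hidden.
func canonicalProtocol(p string) string {
	p = strings.ToLower(strings.TrimSpace(p))
	if n, err := strconv.Atoi(p); err == nil {
		return strconv.Itoa(n) // also folds "+6" or "-01" into canonical form
	}
	if n, ok := protocolNumbers[p]; ok {
		return strconv.Itoa(n)
	}
	return p
}

// suppressProtocolDiff has the shape of a Terraform DiffSuppressFunc body:
// it returns true when the value in state (what AWS reported) and the value
// in the configuration name the same protocol, i.e. when no replacement
// should be planned.
func suppressProtocolDiff(oldState, newConfig string) bool {
	return canonicalProtocol(oldState) == canonicalProtocol(newConfig)
}

func main() {
	// The exact pair from the plan output in this issue.
	fmt.Println(suppressProtocolDiff("all", "-1")) // true
	fmt.Println(suppressProtocolDiff("tcp", "6"))  // true
	fmt.Println(suppressProtocolDiff("tcp", "17")) // false
}
```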


stack72 commented Mar 24, 2017

Hi @SergK

I have been able to recreate this right now - I am going to get a fix in place

Paul

stack72 added a commit that referenced this issue Mar 24, 2017
same

Fixes: #13012

```
% make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSNetworkAclRule_allProtocol'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/03/24 18:42:05 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSNetworkAclRule_allProtocol -timeout 120m
=== RUN   TestAccAWSNetworkAclRule_allProtocol
--- PASS: TestAccAWSNetworkAclRule_allProtocol (53.95s)
PASS
ok  	github.com/hashicorp/terraform/builtin/providers/aws	53.974s
```
ghost commented Apr 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
