terraform-provider-aws: Removing ingress rules from aws_security_group is not detected
This issue was originally opened by @BookOfGreg as hashicorp/terraform#17967. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform v0.11.7
+ provider.aws v1.15.0
Terraform Configuration Files
Removing Ingress from a security group has no effect
Before:
```hcl
resource "aws_security_group" "my_group" {
  vpc_id      = "${aws_vpc.my_vpc.id}"
  name        = "my_group"
  description = "App security group"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
After:
```hcl
resource "aws_security_group" "my_group" {
  vpc_id      = "${aws_vpc.my_vpc.id}"
  name        = "my_group"
  description = "App security group"

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
Expected Behavior
My security group has no ingress on it
Actual Behavior
My security group still has port 80
References
I’ve seen issues with similar symptoms for tools written in Go, such as this K8s bug I found: https://github.com/kubernetes/kubernetes/issues/59482 Not sure if relevant or not, feel free to remove the link from this post if it’s a red herring.
About this issue
- State: closed
- Created 6 years ago
- Reactions: 24
- Comments: 15 (5 by maintainers)
What happens if you set ingress/egress to an empty list, rather than removing it entirely?
Still occurring for me as well on:
This one works and can also be applied as a workaround when you tried to use the `dynamic` block.
Bugged with `dynamic`:
Workaround using a `for` loop:
The downside is that you have to provide all parameters (even the ones that are not required) and set unused ones to `null`. It's ugly, but it works for now if you cannot use the `aws_security_group_rule` resource.
I ran into this on egress rules as well. I feel like it is a pretty important bug since `apply` runs with no errors, but rules are not removed. This could potentially lead to security issues due to extra rules that are still there.
Using separate `aws_security_group_rule` resources instead of inline rules works around this problem.
Two years later, aws provider version 3.58.0 - issue is still here. It is disappointing that terraform cannot handle resources that are crucial for security well.
This does work, unless you are trying to transition from inline ingress rules to separate aws_security_group_rule resources. Then you just get errors back from AWS telling you that you have duplicate rules.
A (somewhat ugly) solution that I’m using is to add a dummy ingress rule to force it to remove the real ingress rules as I move them to aws_security_group_rule resources. Then later the dummy rule can be removed (though the actual ingress rule won’t be removed until/unless this bug is fixed at some point or someone manually fixes it).
Edit: Actually doing it this way will cause it to cycle back and forth between removing external rules and adding them back in, so there’s no good non-manual solution I have found yet.
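Because `apply` reports success while the rule stays in place, the practical mitigation while this bug exists is to verify the live group after every apply. The following is an added example, not code from the issue or from the provider: it compares the output of `aws ec2 describe-security-groups --group-ids <id>` (the real EC2 DescribeSecurityGroups JSON shape, where an `IpProtocol` of `-1` carries no `FromPort`/`ToPort`) against the rules the configuration declares, and reports anything AWS still has that Terraform no longer knows about. The sample API output, the group id and the declared-rule dictionaries are constructed to mirror the "After" configuration above.

```python
"""Post-apply drift check: live security group rules vs. what the config declares."""
import json

# Constructed sample of `aws ec2 describe-security-groups` output for the scenario
# in the issue: the ingress block was deleted from the config, but the port 80 rule
# is still present in AWS. The group id is a placeholder, not a real resource.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "my_group",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []}
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []}
        ],
    }]
})

# What the "After" configuration declares: no ingress, one allow-all egress.
# Same attribute names as the inline ingress/egress blocks in the issue.
DECLARED_AFTER = {
    "ingress": [],
    "egress": [{"protocol": "-1", "from_port": 0, "to_port": 0,
                "cidr_blocks": ["0.0.0.0/0"]}],
}


def _normalise_live(permissions):
    """Flatten EC2 IpPermissions entries into (protocol, from_port, to_port, cidr) tuples."""
    rules = set()
    for perm in permissions:
        proto = perm["IpProtocol"]
        # "-1" (all traffic) has no FromPort/ToPort in the API; Terraform writes 0/0,
        # so default to 0 to make the two representations comparable.
        frm = perm.get("FromPort", 0)
        to = perm.get("ToPort", 0)
        for r in perm.get("IpRanges", []):
            rules.add((proto, frm, to, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.add((proto, frm, to, r["CidrIpv6"]))
    return rules


def _normalise_declared(blocks):
    """Flatten config-style ingress/egress blocks into the same tuple form."""
    rules = set()
    for b in blocks:
        for cidr in b.get("cidr_blocks", []) + b.get("ipv6_cidr_blocks", []):
            rules.add((b["protocol"], b["from_port"], b["to_port"], cidr))
    return rules


def residual_rules(describe_json, declared):
    """Return live rules that the configuration does not declare, per direction.

    A non-empty 'ingress' list after an apply that removed the ingress block is
    exactly the symptom reported in this issue.
    """
    group = json.loads(describe_json)["SecurityGroups"][0]
    live_in = _normalise_live(group["IpPermissions"])
    live_out = _normalise_live(group["IpPermissionsEgress"])
    return {
        "ingress": sorted(live_in - _normalise_declared(declared["ingress"])),
        "egress": sorted(live_out - _normalise_declared(declared["egress"])),
    }


if __name__ == "__main__":
    # Pipe real CLI output in place of SAMPLE_DESCRIBE_OUTPUT to check a live group.
    print(json.dumps(residual_rules(SAMPLE_DESCRIBE_OUTPUT, DECLARED_AFTER), indent=2))
```

Run against the sample, the ingress list contains the leftover `("tcp", 80, 80, "0.0.0.0/0")` rule and the egress list is empty, which is the state the issue describes: the config says no ingress, AWS still allows port 80. Wiring this into CI after `terraform apply` turns the silent failure into a visible one.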