Terraform AWS Security Group - Issue


Vivek Aggarwal

Jul 14, 2017, 1:40:23 PM
to Terraform
Hi all - Just want to know if anyone has faced an issue w.r.t. AWS Security Groups where, if someone manually adds a new security rule, it is not getting detected as part of "terraform plan". I want to know what the reason can be; ideally Terraform should detect it and say that there is a new rule added to a Security Group which will get deleted. (Terraform version I'm using: v0.9.11)
Please suggest, as I'm kind of stuck because of this.
I want to detect if someone manually added a new rule in an AWS Security Group.

Lowe Schmidt

Jul 14, 2017, 2:33:09 PM
to terrafo...@googlegroups.com
Terraform can't plan to remove something it doesn't manage.

What happens when you run the actual apply?

--
Lowe Schmidt | +46 723 867 157

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/terraform/issues
IRC: #terraform-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Terraform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to terraform-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/terraform-tool/d32939d5-a27b-44dc-866d-fd8ef4bc4c3c%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

David Adams

Jul 14, 2017, 3:08:31 PM
to terrafo...@googlegroups.com
Terraform can only do this if you specify all the security group rules inline in the aws_security_group resource. If you use separate aws_security_group_rule resources (which is the recommended practice), then Terraform won't notice the changes. I don't think Terraform's data structures anticipated the need for this sort of problem. There's not really anything you can do right now, but this has come up many times before, and I agree with you that it's a problem.

--

Vivek Aggarwal

Jul 15, 2017, 1:17:07 PM
to Terraform
When I run apply, it overlooks the security rules added manually; basically it doesn't touch them.


On Saturday, July 15, 2017 at 12:03:09 AM UTC+5:30, Lowe Schmidt wrote:
Terraform can't plan to remove something it doesn't manage.

What happens when you run the actual apply?


Vivek Aggarwal

Jul 15, 2017, 1:25:24 PM
to Terraform

Thanks "David" for letting me know that it's a "KNOWN" issue. I'm thinking that if this gets covered it will immensely help us. Do you have any suggestions on how we can mitigate it?

On Saturday, July 15, 2017 at 12:38:31 AM UTC+5:30, David Adams wrote:
Terraform can only do this if you specify all the security group rules inline in the aws_security_group resource. If you use separate aws_security_group_rule resources (which is the recommended practice), then Terraform won't notice the changes. I don't think Terraform's data structures anticipated the need for this sort of problem. There's not really anything you can do right now, but this has come up many times before, and I agree with you that it's a problem.

Andrew Hodgson

Jul 15, 2017, 4:25:58 PM
to terrafo...@googlegroups.com

Hi,

The only way to fix this is to put all the rules for the security group inline with the aws_security_group definition. That causes you another problem, as Terraform will try to re-create the security group if changes are required, which is usually blocked because the security group is being used by a resource. However, if you are prepared to work around that because this feature is very critical to your operation, it is an option you could look at.

In short, it is what it is for the moment.

Andrew.
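An added example, not code from any poster in this thread or from Terraform itself: since Terraform (as David and Andrew explain above) only flags rules added outside it when the rules are declared inline, one defensive workaround is a separate drift check that compares the rule set you intend Terraform to manage with what `aws ec2 describe-security-groups` actually reports. The `describe-security-groups` JSON, the group id and `DECLARED_RULES` below are constructed for the example; in practice the JSON would come from the AWS CLI or API and the declared set from your Terraform configuration.

```python
"""Out-of-band drift check for an AWS security group.

Compares the rules you intend Terraform to manage with the rules AWS
actually reports, and lists anything added manually (and anything missing).
The describe-security-groups output, group id and declared rules here are
constructed sample data, not a real API response or real configuration.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int   # 0 when the API omits FromPort (protocol "-1")
    to_port: int     # 0 when the API omits ToPort
    cidr: str        # IPv4 or IPv6 CIDR


# Constructed sample shaped like `aws ec2 describe-security-groups --group-ids <id>`.
# The port-22 rule from 0.0.0.0/0 stands for a rule someone added by hand in the console.
SAMPLE_GROUP_ID = "sg-0123456789abcdef0"  # constructed placeholder id
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": SAMPLE_GROUP_ID,
        "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    }]
})

# The rules your Terraform code declares for this group (assumed for the example).
DECLARED_RULES: Set[Rule] = {
    Rule("ingress", "tcp", 443, 443, "10.0.0.0/16"),
    Rule("egress", "-1", 0, 0, "0.0.0.0/0"),
    Rule("egress", "-1", 0, 0, "::/0"),
}


def _expand(direction: str, permissions: List[dict]) -> Set[Rule]:
    """Flatten one IpPermissions list into one Rule per (permission, CIDR) pair."""
    rules: Set[Rule] = set()
    for perm in permissions:
        proto = str(perm["IpProtocol"])
        from_port = int(perm.get("FromPort", 0))
        to_port = int(perm.get("ToPort", 0))
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            rules.add(Rule(direction, proto, from_port, to_port, cidr))
    return rules


def rules_from_describe(describe_json: str, group_id: str) -> Set[Rule]:
    """Extract the live rule set of one group from describe-security-groups JSON."""
    for group in json.loads(describe_json)["SecurityGroups"]:
        if group["GroupId"] == group_id:
            return (_expand("ingress", group.get("IpPermissions", []))
                    | _expand("egress", group.get("IpPermissionsEgress", [])))
    raise KeyError(f"group {group_id} not present in describe output")


def find_drift(declared: Set[Rule], actual: Set[Rule]) -> Dict[str, Set[Rule]]:
    """unmanaged: live rules never declared; missing: declared rules not live."""
    return {"unmanaged": actual - declared, "missing": declared - actual}


if __name__ == "__main__":
    live = rules_from_describe(SAMPLE_DESCRIBE_OUTPUT, SAMPLE_GROUP_ID)
    drift = find_drift(DECLARED_RULES, live)
    for rule in sorted(drift["unmanaged"], key=repr):
        print("UNMANAGED (added outside Terraform):", rule)
    for rule in sorted(drift["missing"], key=repr):
        print("MISSING (declared but not live):", rule)
    # Non-zero exit lets a scheduled job or CI step alert on drift.
    raise SystemExit(1 if drift["unmanaged"] or drift["missing"] else 0)
```

Run on the sample, the script reports the port-22 ingress rule as unmanaged and exits non-zero, which is the signal the original question was looking for from `terraform plan`. The comparison is on the flattened (protocol, ports, CIDR) tuple, so a rule declared as one block with two CIDRs and the same rule split across two `aws_security_group_rule` resources compare equal.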
