Error when adding multiple Security Group rules at once with OpenStack provider.


Foo Bar

Jul 6, 2016, 1:41:14 PM
to Terraform
Hello All,

We just found Terraform and it's been great!  I find the syntax to be much more enjoyable than the YAML in HEAT.  We've written a few HEAT templates, so I thought I'd have a go at converting them to Terraform.  (WOW Terraform is so much easier to write!  And it doesn't complain when my whitespace is a little bit off)

Anyway, one of the simplest HEAT templates I wrote was to basically open up the firewall to all traffic.  The Terraform template was super simple to create, but when I run `terraform apply`, Terraform creates one rule, then errors out.  Running it again creates another rule, then errors out.  So to create my four rules I have to run `terraform apply` four times.

This is my Terraform template:

## =====  OpenStack Auth Boilerplate...
# Note to self:
# Really like to abstract this since it'll be used everywhere
#
# Set attributes in .tfvars file or terraform will prompt when
# you run `terraform plan`

variable "user_name" {
  type = "string"
  description = "OpenStack username"
}

variable "password" {
  type = "string"
  description = "OpenStack password"
}

variable "tenant_name" {
  type = "string"
  description = "OpenStack Tenant Name"
}

variable "auth_url" {
  type = "string"
  description = "OpenStack API Endpoint, see openrc file"
}

variable "insecure" {
  type = "string"
  description = "Accept self signed SSL certificates?"
  default = "true"
}

# Configure the OpenStack Provider
provider "openstack" {
  user_name = "${var.user_name}"
  password = "${var.password}"
  tenant_name = "${var.tenant_name}"
  auth_url = "${var.auth_url}"
  insecure = "${var.insecure}"
}

## ===== End Boilerplate ===========  ##

variable "secgroup_name" {
  type = "string"
  description = "Unique name of the security group"
}

variable "secgroup_description" {
  type = "string"
  description = "Short description of sec group"
}

resource "openstack_networking_secgroup_v2" "secgroup" {
  name = "${var.secgroup_name}"
  description = "${var.secgroup_description}"
}

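# Allow inbound IPv4 TCP on all ports (1-65535) from any address
resource "openstack_networking_secgroup_rule_v2" "rule_ingress_all-v4-tcp" {
  direction = "ingress"
  ethertype = "IPv4"
  protocol = "tcp"
  port_range_min = "1"
  port_range_max = "65535"
  remote_ip_prefix = "0.0.0.0/0"
  # Required argument: attach the rule to the security group created above
  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
}

# Allow outbound IPv4 TCP on all ports to any address
resource "openstack_networking_secgroup_rule_v2" "rule_egress_all-v4-tcp" {
  direction = "egress"
  ethertype = "IPv4"
  protocol = "tcp"
  port_range_min = "1"
  port_range_max = "65535"
  remote_ip_prefix = "0.0.0.0/0"
  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
}

# Allow inbound IPv6 TCP on all ports from any address
resource "openstack_networking_secgroup_rule_v2" "rule_ingress_all-v6-tcp" {
  direction = "ingress"
  ethertype = "IPv6"
  protocol = "tcp"
  port_range_min = "1"
  port_range_max = "65535"
  remote_ip_prefix = "::/0"
  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
}

# Allow outbound IPv6 TCP on all ports to any address
resource "openstack_networking_secgroup_rule_v2" "rule_egress_all-v6-tcp" {
  direction = "egress"
  ethertype = "IPv6"
  protocol = "tcp"
  port_range_min = "1"
  port_range_max = "65535"
  remote_ip_prefix = "::/0"
  security_group_id = "${openstack_networking_secgroup_v2.secgroup.id}"
}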


And here's what happens when I run it four times:

========= Run 1: =========

qubitrenegade@terraform-wks:~/openstack-tf$ terraform apply -var-file=test.tfvars
openstack_networking_secgroup_v2.secgroup: Creating...
  description: "" => "This is a quick test\nNew Line?"
  name:        "" => "terraform-test"
  tenant_id:   "" => "<computed>"
openstack_networking_secgroup_v2.secgroup: Creation complete
openstack_networking_secgroup_rule_v2.rule_egress_all-v4: Creating...
  direction:         "" => "egress"
  ethertype:         "" => "IPv4"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "0.0.0.0/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_ingress_all-v4: Creating...
  direction:         "" => "ingress"
  ethertype:         "" => "IPv4"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "0.0.0.0/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_egress_all-v6: Creating...
  direction:         "" => "egress"
  ethertype:         "" => "IPv6"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "::/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_ingress_all-v6: Creating...
  direction:         "" => "ingress"
  ethertype:         "" => "IPv6"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "::/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_ingress_all-v6: Creation complete
Error applying plan:

3 error(s) occurred:

* openstack_networking_secgroup_rule_v2.rule_egress_all-v4: Expected HTTP response code [201 202] when accessing [POST https://openstack.myexample.com:9696/v2.0/security-group-rules], but got 500 instead
{"NeutronError": {"message": "Request https://nsx-controller.local/api/4.0/firewall/globalroot-0/config/layer3sections/1098?autoSaveDraft=false is Bad, response <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error><details>Precondition failed.Please update the current configuration.</details><errorCode>100030</errorCode><moduleName>vShield App</moduleName></error>", "type": "RequestBad", "detail": ""}}
* openstack_networking_secgroup_rule_v2.rule_egress_all-v6: Expected HTTP response code [201 202] when accessing [POST https://openstack.myexample.com:9696/v2.0/security-group-rules], but got 500 instead
{"NeutronError": {"message": "Request https://nsx-controller.local/api/4.0/firewall/globalroot-0/config/layer3sections/1098?autoSaveDraft=false is Bad, response <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error><details>Precondition failed.Please update the current configuration.</details><errorCode>100030</errorCode><moduleName>vShield App</moduleName></error>", "type": "RequestBad", "detail": ""}}
* openstack_networking_secgroup_rule_v2.rule_ingress_all-v4: Expected HTTP response code [201 202] when accessing [POST https://openstack.myexample.com:9696/v2.0/security-group-rules], but got 500 instead
{"NeutronError": {"message": "Request https://nsx-controller.local/api/4.0/firewall/globalroot-0/config/layer3sections/1098?autoSaveDraft=false is Bad, response <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error><details>Precondition failed.Please update the current configuration.</details><errorCode>100030</errorCode><moduleName>vShield App</moduleName></error>", "type": "RequestBad", "detail": ""}}

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


========= Run 2: =========

qubitrenegade@terraform-wks:~/openstack-tf$ terraform apply -var-file=test.tfvars
openstack_networking_secgroup_v2.secgroup: Refreshing state... (ID: 1977d37f-7a63-4fac-8bb6-876c948c85c8)
openstack_networking_secgroup_rule_v2.rule_ingress_all-v6: Refreshing state... (ID: 3c6e504f-129c-4bb6-8920-540375ed2630)
openstack_networking_secgroup_rule_v2.rule_ingress_all-v4: Creating...
  direction:         "" => "ingress"
  ethertype:         "" => "IPv4"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "0.0.0.0/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_egress_all-v6: Creating...
  direction:         "" => "egress"
  ethertype:         "" => "IPv6"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "::/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_egress_all-v4: Creating...
  direction:         "" => "egress"
  ethertype:         "" => "IPv4"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "0.0.0.0/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_ingress_all-v4: Creation complete
Error applying plan:

2 error(s) occurred:

* openstack_networking_secgroup_rule_v2.rule_egress_all-v6: Expected HTTP response code [201 202] when accessing [POST https://openstack.myexample.com:9696/v2.0/security-group-rules], but got 500 instead
{"NeutronError": {"message": "Request https://nsx-controller.local/api/4.0/firewall/globalroot-0/config/layer3sections/1098?autoSaveDraft=false is Bad, response <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error><details>Precondition failed.Please update the current configuration.</details><errorCode>100030</errorCode><moduleName>vShield App</moduleName></error>", "type": "RequestBad", "detail": ""}}
* openstack_networking_secgroup_rule_v2.rule_egress_all-v4: Expected HTTP response code [201 202] when accessing [POST https://openstack.myexample.com:9696/v2.0/security-group-rules], but got 500 instead
{"NeutronError": {"message": "Request https://nsx-controller.local/api/4.0/firewall/globalroot-0/config/layer3sections/1098?autoSaveDraft=false is Bad, response <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error><details>Precondition failed.Please update the current configuration.</details><errorCode>100030</errorCode><moduleName>vShield App</moduleName></error>", "type": "RequestBad", "detail": ""}}

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


========= Run 3: =========

qubitrenegade@terraform-wks:~/openstack-tf$ terraform apply -var-file=test.tfvars
openstack_networking_secgroup_v2.secgroup: Refreshing state... (ID: 1977d37f-7a63-4fac-8bb6-876c948c85c8)
openstack_networking_secgroup_rule_v2.rule_ingress_all-v4: Refreshing state... (ID: d9edc366-2515-4135-a27a-1fa79a5d8592)
openstack_networking_secgroup_rule_v2.rule_ingress_all-v6: Refreshing state... (ID: 3c6e504f-129c-4bb6-8920-540375ed2630)
openstack_networking_secgroup_rule_v2.rule_egress_all-v4: Creating...
  direction:         "" => "egress"
  ethertype:         "" => "IPv4"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "0.0.0.0/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_egress_all-v6: Creating...
  direction:         "" => "egress"
  ethertype:         "" => "IPv6"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "::/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_egress_all-v6: Creation complete
Error applying plan:

1 error(s) occurred:

* openstack_networking_secgroup_rule_v2.rule_egress_all-v4: Expected HTTP response code [201 202] when accessing [POST https://openstack.myexample.com:9696/v2.0/security-group-rules], but got 500 instead
{"NeutronError": {"message": "Request https://nsx-controller.local/api/4.0/firewall/globalroot-0/config/layer3sections/1098?autoSaveDraft=false is Bad, response <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error><details>Precondition failed.Please update the current configuration.</details><errorCode>100030</errorCode><moduleName>vShield App</moduleName></error>", "type": "RequestBad", "detail": ""}}

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.


========= Run 4: =========

qubitrenegade@terraform-wks:~/openstack-tf$ terraform apply -var-file=test.tfvars
openstack_networking_secgroup_v2.secgroup: Refreshing state... (ID: 1977d37f-7a63-4fac-8bb6-876c948c85c8)
openstack_networking_secgroup_rule_v2.rule_ingress_all-v6: Refreshing state... (ID: 3c6e504f-129c-4bb6-8920-540375ed2630)
openstack_networking_secgroup_rule_v2.rule_egress_all-v6: Refreshing state... (ID: e3008f85-3994-4741-90d8-4e6e8820a90c)
openstack_networking_secgroup_rule_v2.rule_ingress_all-v4: Refreshing state... (ID: d9edc366-2515-4135-a27a-1fa79a5d8592)
openstack_networking_secgroup_rule_v2.rule_egress_all-v4: Creating...
  direction:         "" => "egress"
  ethertype:         "" => "IPv4"
  port_range_max:    "" => "65535"
  port_range_min:    "" => "1"
  protocol:          "" => "tcp"
  remote_group_id:   "" => "<computed>"
  remote_ip_prefix:  "" => "0.0.0.0/0"
  security_group_id: "" => "1977d37f-7a63-4fac-8bb6-876c948c85c8"
  tenant_id:         "" => "<computed>"
openstack_networking_secgroup_rule_v2.rule_egress_all-v4: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path
below. This state is required to modify and destroy your
infrastructure, so keep it safe. To inspect the complete state
use the `terraform show` command.

State path: terraform.tfstate



Is this standard behavior?  I'm assuming it's not, but maybe there's something that only allows Terraform to create one rule at a time?  If not, how do I resolve this error?

Thanks,
- Q
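
Added example, not part of the original post and not Terraform or provider code: each failure in the output above is a Terraform error line followed by a Neutron JSON body that itself wraps an XML error from the backend controller. The sketch below unwraps all three layers so the failures can be grouped for an issue report; the function names are hypothetical and the sample input is constructed from the format of the output in the post.

```python
import json
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample input: two failures in the format of the output above.
BODY = r'{"NeutronError": {"message": "Request https://nsx-controller.local/api/4.0/firewall/globalroot-0/config/layer3sections/1098?autoSaveDraft=false is Bad, response <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<error><details>Precondition failed.Please update the current configuration.</details><errorCode>100030</errorCode><moduleName>vShield App</moduleName></error>", "type": "RequestBad", "detail": ""}}'
HEAD = ("* openstack_networking_secgroup_rule_v2.{}: Expected HTTP response code "
        "[201 202] when accessing [POST https://openstack.myexample.com:9696"
        "/v2.0/security-group-rules], but got 500 instead")
SAMPLE = "2 error(s) occurred:\n\n" + "\n".join(
    HEAD.format(n) + "\n" + BODY for n in ("rule_egress_all-v6", "rule_egress_all-v4"))

FAILURE = re.compile(r"^\* (?P<resource>\S+): Expected HTTP response code \[[\d ]+\] "
                     r"when accessing \[\w+ (?P<url>[^\]]+)\], but got (?P<status>\d+) instead")

def backend_error(message):
    """Extract the backend's <error> element embedded in a Neutron message."""
    start, end = message.find("<error>"), message.rfind("</error>")
    if start == -1 or end < start:
        return {}
    try:
        # Slicing from <error> drops any prolog/DOCTYPE, so the untrusted
        # text cannot declare entities for the parser to expand.
        root = ET.fromstring(message[start:end + len("</error>")])
    except ET.ParseError:
        return {}
    return {k: root.findtext(k) for k in ("errorCode", "moduleName", "details")}

def parse_failures(output):
    """Return one record per failed resource in `terraform apply` output."""
    lines, failures = output.splitlines(), []
    for i, line in enumerate(lines):
        m = FAILURE.match(line)
        if not m:
            continue
        rec = {"resource": m["resource"], "status": int(m["status"]), "url": m["url"]}
        try:
            err = json.loads(lines[i + 1])["NeutronError"]
        except (IndexError, ValueError, KeyError, TypeError):
            err = None  # no body, or not the Neutron JSON envelope
        if isinstance(err, dict):
            rec["type"] = err.get("type")
            rec.update(backend_error(err.get("message") or ""))
        failures.append(rec)
    return failures

def summarize(failures):
    """Count failures per (HTTP status, backend errorCode) pair."""
    return Counter((f["status"], f.get("errorCode")) for f in failures)

if __name__ == "__main__":
    print(summarize(parse_failures(SAMPLE)))
```
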


Joe Topjian

Jul 6, 2016, 3:16:26 PM
to terrafo...@googlegroups.com
This is indeed not standard behavior =)

This looks like a bug. Can you open an issue for this on the Terraform GitHub page?

Thanks,
Joe


Foo Bar

Jul 6, 2016, 4:28:55 PM
to Terraform
Hi Joe,


Thanks for your quick reply!

Best Regards,
- Q