aws_security_group changes on every apply

[bodgit]

Terraform Version

0.10.2

Affected Resource(s)

• aws_security_group

Terraform Configuration Files

Given an example security group:

resource "aws_security_group" "test" {
  name   = "Test"
  vpc_id = "${aws_vpc.vpc.vpc_id}"

  ingress {
    from_port = 8
    to_port   = 0
    protocol  = "icmp"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/18",
    ]
  }

  ingress {
    from_port = 3655
    to_port   = 3655
    protocol  = "tcp"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/18",
    ]
  }

  ingress {
    from_port = 22
    to_port   = 22
    protocol  = "tcp"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/18",
    ]
  }

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/18",
    ]
  }
}

Expected Behavior

Once this security group is created on the first apply it shouldn't change on subsequent applies.

Actual Behavior

The security group changes on every apply, I get diffs like this:

  ~ aws_security_group.test
      ingress.1242392819.cidr_blocks.#:      "0" => "3"
      ingress.1242392819.cidr_blocks.0:      "" => "10.0.0.0/8"
      ingress.1242392819.cidr_blocks.1:      "" => "172.16.0.0/12"
      ingress.1242392819.cidr_blocks.2:      "" => "192.168.0.0/18"
      ingress.1242392819.from_port:          "" => "8"
      ingress.1242392819.ipv6_cidr_blocks.#: "0" => "0"
      ingress.1242392819.protocol:           "" => "icmp"
      ingress.1242392819.security_groups.#:  "0" => "0"
      ingress.1242392819.self:               "" => "false"
      ingress.1242392819.to_port:            "" => "0"
      ingress.3651061505.cidr_blocks.#:      "3" => "3"
      ingress.3651061505.cidr_blocks.0:      "10.0.0.0/8" => "10.0.0.0/8"
      ingress.3651061505.cidr_blocks.1:      "172.16.0.0/12" => "172.16.0.0/12"
      ingress.3651061505.cidr_blocks.2:      "192.168.0.0/18" => "192.168.0.0/18"
      ingress.3651061505.from_port:          "3655" => "3655"
      ingress.3651061505.ipv6_cidr_blocks.#: "0" => "0"
      ingress.3651061505.protocol:           "tcp" => "tcp"
      ingress.3651061505.security_groups.#:  "0" => "0"
      ingress.3651061505.self:               "false" => "false"
      ingress.3651061505.to_port:            "3655" => "3655"
      ingress.4216006850.cidr_blocks.#:      "3" => "0"
      ingress.4216006850.cidr_blocks.0:      "10.0.0.0/8" => ""
      ingress.4216006850.cidr_blocks.1:      "172.16.0.0/12" => ""
      ingress.4216006850.cidr_blocks.2:      "192.168.0.0/18" => ""
      ingress.4216006850.from_port:          "8" => "0"
      ingress.4216006850.ipv6_cidr_blocks.#: "0" => "0"
      ingress.4216006850.protocol:           "icmp" => ""
      ingress.4216006850.security_groups.#:  "0" => "0"
      ingress.4216006850.self:               "false" => "false"
      ingress.4216006850.to_port:            "-1" => "0"
      ingress.717457828.cidr_blocks.#:       "3" => "3"
      ingress.717457828.cidr_blocks.0:       "10.0.0.0/8" => "10.0.0.0/8"
      ingress.717457828.cidr_blocks.1:       "172.16.0.0/12" => "172.16.0.0/12"
      ingress.717457828.cidr_blocks.2:       "192.168.0.0/18" => "192.168.0.0/18"
      ingress.717457828.from_port:           "22" => "22"
      ingress.717457828.ipv6_cidr_blocks.#:  "0" => "0"
      ingress.717457828.protocol:            "tcp" => "tcp"
      ingress.717457828.security_groups.#:   "0" => "0"
      ingress.717457828.self:                "false" => "false"
      ingress.717457828.to_port:             "22" => "22"
      ingress.753360330.cidr_blocks.#:       "0" => "0"
      ingress.753360330.from_port:           "0" => "0"
      ingress.753360330.ipv6_cidr_blocks.#:  "0" => "0"
      ingress.753360330.protocol:            "-1" => "-1"
      ingress.753360330.security_groups.#:   "0" => "0"
      ingress.753360330.self:                "true" => "true"
      ingress.753360330.to_port:             "0" => "0"

I can see that it's literally just reordering the same rules, you can even see that with ingress.3651061505 and ingress.717457828 above none of the values are actually different. On the next run it will change them again.

Steps to Reproduce

1. terraform apply

References

There are numerous other bug reports about constantly changing aws_security_groups whereby the problem is usually a CIDR block that has unnecessary host bits set that are cleared by the mask or that the same ingress rule is specified multiple times for separate CIDR blocks rather than one rule with multiple CIDR blocks. I don't believe I've made either of those mistakes, but then I can't believe someone else hasn't run into this, it's not a terribly complicated resource.

[catsby]

Hey there @bodgit – unfortunately I can't reproduce this. I'm using this configuration:

provider "aws" {
  #region = "us-east-1"

  region = "us-west-2"
}

resource "aws_vpc" "fishyvpc" {
  cidr_block = "10.0.0.0/16"

  tags {
    Name = "fishyports"
  }
}

resource "aws_security_group" "onefish" {
  vpc_id = "${aws_vpc.fishyvpc.id}"

  name        = "bluefish"
  description = "This reproduces a bug in terraform."

  ingress {
    from_port = 8
    to_port   = 0
    protocol  = "icmp"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/18",
    ]
  }

  ingress {
    from_port = 3655
    to_port   = 3655
    protocol  = "tcp"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/18",
    ]
  }

  ingress {
    from_port = 22
    to_port   = 22
    protocol  = "tcp"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/18",
    ]
  }

  ingress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    self      = true
  }

  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/18",
    ]
  }

  tags {
    Name = "fishy-test"
  }
}

I use a VPC here because when copying your example directly and attempting in EC2 Classic, I got errors about using -1 for a protocol type and it would not even create.

Here's my apply:

[terraform-provider-aws][master](4)$ terraform apply 
aws_vpc.fishyvpc: Creating...
  assign_generated_ipv6_cidr_block: "" => "false"
  cidr_block:                       "" => "10.0.0.0/16"
  default_network_acl_id:           "" => "<computed>"
  default_route_table_id:           "" => "<computed>"
  default_security_group_id:        "" => "<computed>"
  dhcp_options_id:                  "" => "<computed>"
  enable_classiclink:               "" => "<computed>"
  enable_classiclink_dns_support:   "" => "<computed>"
  enable_dns_hostnames:             "" => "<computed>"
  enable_dns_support:               "" => "true"
  instance_tenancy:                 "" => "<computed>"
  ipv6_association_id:              "" => "<computed>"
  ipv6_cidr_block:                  "" => "<computed>"
  main_route_table_id:              "" => "<computed>"
  tags.%:                           "" => "1"
  tags.Name:                        "" => "fishyports"
aws_vpc.fishyvpc: Creation complete (ID: vpc-1837b27e)
aws_security_group.onefish: Creating...
  description:                           "" => "This reproduces a bug in terraform."
  egress.#:                              "" => "1"
  egress.3170488835.cidr_blocks.#:       "" => "3"
  egress.3170488835.cidr_blocks.0:       "" => "10.0.0.0/8"
  egress.3170488835.cidr_blocks.1:       "" => "172.16.0.0/12"
  egress.3170488835.cidr_blocks.2:       "" => "192.168.0.0/18"
  egress.3170488835.from_port:           "" => "0"
  egress.3170488835.ipv6_cidr_blocks.#:  "" => "0"
  egress.3170488835.prefix_list_ids.#:   "" => "0"
  egress.3170488835.protocol:            "" => "-1"
  egress.3170488835.security_groups.#:   "" => "0"
  egress.3170488835.self:                "" => "false"
  egress.3170488835.to_port:             "" => "0"
  ingress.#:                             "" => "4"
  ingress.1242392819.cidr_blocks.#:      "" => "3"
  ingress.1242392819.cidr_blocks.0:      "" => "10.0.0.0/8"
  ingress.1242392819.cidr_blocks.1:      "" => "172.16.0.0/12"
  ingress.1242392819.cidr_blocks.2:      "" => "192.168.0.0/18"
  ingress.1242392819.from_port:          "" => "8"
  ingress.1242392819.ipv6_cidr_blocks.#: "" => "0"
  ingress.1242392819.protocol:           "" => "icmp"
  ingress.1242392819.security_groups.#:  "" => "0"
  ingress.1242392819.self:               "" => "false"
  ingress.1242392819.to_port:            "" => "0"
  ingress.3651061505.cidr_blocks.#:      "" => "3"
  ingress.3651061505.cidr_blocks.0:      "" => "10.0.0.0/8"
  ingress.3651061505.cidr_blocks.1:      "" => "172.16.0.0/12"
  ingress.3651061505.cidr_blocks.2:      "" => "192.168.0.0/18"
  ingress.3651061505.from_port:          "" => "3655"
  ingress.3651061505.ipv6_cidr_blocks.#: "" => "0"
  ingress.3651061505.protocol:           "" => "tcp"
  ingress.3651061505.security_groups.#:  "" => "0"
  ingress.3651061505.self:               "" => "false"
  ingress.3651061505.to_port:            "" => "3655"
  ingress.717457828.cidr_blocks.#:       "" => "3"
  ingress.717457828.cidr_blocks.0:       "" => "10.0.0.0/8"
  ingress.717457828.cidr_blocks.1:       "" => "172.16.0.0/12"
  ingress.717457828.cidr_blocks.2:       "" => "192.168.0.0/18"
  ingress.717457828.from_port:           "" => "22"
  ingress.717457828.ipv6_cidr_blocks.#:  "" => "0"
  ingress.717457828.protocol:            "" => "tcp"
  ingress.717457828.security_groups.#:   "" => "0"
  ingress.717457828.self:                "" => "false"
  ingress.717457828.to_port:             "" => "22"
  ingress.753360330.cidr_blocks.#:       "" => "0"
  ingress.753360330.from_port:           "" => "0"
  ingress.753360330.ipv6_cidr_blocks.#:  "" => "0"
  ingress.753360330.protocol:            "" => "-1"
  ingress.753360330.security_groups.#:   "" => "0"
  ingress.753360330.self:                "" => "true"
  ingress.753360330.to_port:             "" => "0"
  name:                                  "" => "bluefish"
  owner_id:                              "" => "<computed>"
  tags.%:                                "" => "1"
  tags.Name:                             "" => "fishy-test"
  vpc_id:                                "" => "vpc-1837b27e"
aws_security_group.onefish: Creation complete (ID: sg-93fca6e9)

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

And follow up plan:

[terraform-provider-aws][master](4)$ terraform plan 
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

aws_vpc.fishyvpc: Refreshing state... (ID: vpc-1837b27e)
aws_security_group.onefish: Refreshing state... (ID: sg-93fca6e9)
No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, Terraform
doesn't need to do anything.

[terraform-provider-aws][master](4)$

I noticed in your output that with ingress.3651061505 and ingress.717457828 nothing is different, but the output shows ingress.1242392819 is being created (by things like cidr_blocks.#: "0" => "3") and ingress.4216006850 is being destroyed (cidr_blocks.#: "3" => "0"). Examining the difference there and you see the to_port:

ingress.1242392819.to_port:            "" => "0"

vs.

ingress.4216006850.to_port:            "-1" => "0"

Unfortunately I can't say why that's happening, as I can't reproduce it with (nearly) the same configuration. Are there any other details you might have? Can you reproduce with my example that includes the VPC?

[bodgit]

On a hunch from your observation, I tried removing the ICMP rule from each of the problem security groups, (there's about 4 in the account that all exhibit this annoying problem) and then I don't get any changes reported on further runs.

As soon as I restore the ICMP rule in each security group then I get changes on every run again. Looking at the diff, it always shows the ICMP rule is effectively removed and re-added again whilst the other rules don't change even though they're shown in the diff.

[catsby]

other rules don't change even though they're shown in the diff.

Unfortunately that's how diffs in sets are shown 😦
Do you have any security_group_rule resources that are also managing rules for this Security Group? There could be a conflict there. Do the rules look correct when you apply, then check in the console?

[bodgit]

No aws_security_group_rule resources anywhere, so far I've managed to do everything with just aws_security_group resources. The rules always look correct when I check in the console too.

The .to_port: "-1" => "0" transition looked suspicious as that should be a 0 along with the type 8 in the from_port field to indicate ICMP echo request only, so I tried changing the security group rule for ICMP to this:

  ingress {
    from_port = 8
    to_port   = -1
    protocol  = "icmp"

    cidr_blocks = [
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/18",
    ]
  }

and now the security group doesn't change on each apply. Looking at the ICMP codes shows even though type 8 code 0 is specifically ICMP echo request, there are no other codes assigned for that type so it's safe to specify -1 here. I tried removing the rule and adding it again and it doesn't seem to matter if I specify 0 or -1 for to_port. The AWS console shows ICMP echo request in both cases.

What's strange is that I'm setting to_port to 0 and AWS is changing it to -1, yet you're not seeing that behaviour when you try and reproduce this. I'm using the eu-west-1 region, do you see the same behaviour in that region?

[tprobinson]

Hello,

This appears to be the same issue I'm having. If I should open a separate issue please let me know and I will do so, but this appears to exhibit the same behavior. (Terraform v0.10.8)

resource "aws_security_group" "IPWhitelist" {
  name        = "TestTerraformBug"
  description = "Allow traffic from certain trusted external points."
  vpc_id      = "vpc-deadbeef"

  ingress {
    description = "IP1"
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["1.2.3.4/32"]
  }

  ingress {
    description = "IP2"
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["5.6.7.8/32"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "Test-sg"
  }
}

~/t/test-security-group (master|✚1…) $ terraform apply
aws_security_group.IPWhitelist: Refreshing state... (ID: sg-f0ccc78d)
aws_security_group.IPWhitelist: Creating...
  description:                           "" => "Allow traffic from certain trusted external points."
  egress.#:                              "" => "1"
  egress.482069346.cidr_blocks.#:        "" => "1"
  egress.482069346.cidr_blocks.0:        "" => "0.0.0.0/0"
  egress.482069346.description:          "" => ""
  egress.482069346.from_port:            "" => "0"
  egress.482069346.ipv6_cidr_blocks.#:   "" => "0"
  egress.482069346.prefix_list_ids.#:    "" => "0"
  egress.482069346.protocol:             "" => "-1"
  egress.482069346.security_groups.#:    "" => "0"
  egress.482069346.self:                 "" => "false"
  egress.482069346.to_port:              "" => "0"
  ingress.#:                             "" => "2"
  ingress.1163037843.cidr_blocks.#:      "" => "1"
  ingress.1163037843.cidr_blocks.0:      "" => "1.2.3.4/32"
  ingress.1163037843.description:        "" => "IP1"
  ingress.1163037843.from_port:          "" => "0"
  ingress.1163037843.ipv6_cidr_blocks.#: "" => "0"
  ingress.1163037843.protocol:           "" => "-1"
  ingress.1163037843.security_groups.#:  "" => "0"
  ingress.1163037843.self:               "" => "false"
  ingress.1163037843.to_port:            "" => "0"
  ingress.1918324787.cidr_blocks.#:      "" => "1"
  ingress.1918324787.cidr_blocks.0:      "" => "5.6.7.8/32"
  ingress.1918324787.description:        "" => "IP2"
  ingress.1918324787.from_port:          "" => "0"
  ingress.1918324787.ipv6_cidr_blocks.#: "" => "0"
  ingress.1918324787.protocol:           "" => "-1"
  ingress.1918324787.security_groups.#:  "" => "0"
  ingress.1918324787.self:               "" => "false"
  ingress.1918324787.to_port:            "" => "0"
  name:                                  "" => "TestTerraformBug"
  owner_id:                              "" => "<computed>"
  revoke_rules_on_delete:                "" => "false"
  tags.%:                                "" => "1"
  tags.Name:                             "" => "Test-sg"
  vpc_id:                                "" => "vpc-deadbeef"
aws_security_group.IPWhitelist: Creation complete after 1s (ID: sg-dac6cda7)

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
~/t/test-security-group (master|✚1…) $ terraform apply
aws_security_group.IPWhitelist: Refreshing state... (ID: sg-dac6cda7)
aws_security_group.IPWhitelist: Modifying... (ID: sg-dac6cda7)
  ingress.1163037843.cidr_blocks.#:      "0" => "1"
  ingress.1163037843.cidr_blocks.0:      "" => "1.2.3.4/32"
  ingress.1163037843.description:        "" => "IP1"
  ingress.1163037843.from_port:          "" => "0"
  ingress.1163037843.ipv6_cidr_blocks.#: "0" => "0"
  ingress.1163037843.protocol:           "" => "-1"
  ingress.1163037843.security_groups.#:  "0" => "0"
  ingress.1163037843.self:               "" => "false"
  ingress.1163037843.to_port:            "" => "0"
  ingress.1853874000.cidr_blocks.#:      "1" => "0"
  ingress.1853874000.cidr_blocks.0:      "1.2.3.4/32" => ""
  ingress.1853874000.description:        "IP2" => ""
  ingress.1853874000.from_port:          "0" => "0"
  ingress.1853874000.ipv6_cidr_blocks.#: "0" => "0"
  ingress.1853874000.protocol:           "-1" => ""
  ingress.1853874000.security_groups.#:  "0" => "0"
  ingress.1853874000.self:               "false" => "false"
  ingress.1853874000.to_port:            "0" => "0"
  ingress.1918324787.cidr_blocks.#:      "1" => "1"
  ingress.1918324787.cidr_blocks.0:      "5.6.7.8/32" => "5.6.7.8/32"
  ingress.1918324787.description:        "IP2" => "IP2"
  ingress.1918324787.from_port:          "0" => "0"
  ingress.1918324787.ipv6_cidr_blocks.#: "0" => "0"
  ingress.1918324787.protocol:           "-1" => "-1"
  ingress.1918324787.security_groups.#:  "0" => "0"
  ingress.1918324787.self:               "false" => "false"
  ingress.1918324787.to_port:            "0" => "0"

Error: Error applying plan:

1 error(s) occurred:

* aws_security_group.IPWhitelist: 1 error(s) occurred:

* aws_security_group.IPWhitelist: Error revoking security group ingress rules: InvalidPermission.NotFound: The specified rule does not exist in this security group.
	status code: 400, request id: 5e565fbd-e68c-47b7-b9c2-63c2c2b36cda

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

[catsby]

@tprobinson hey there, you're 2 ingress rules are the same rule, try this instead:

  ingress {
    description = "IP1"
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["1.2.3.4/32", "5.6.7.8/32"]
  }

AWS uses the combination of to_port, from_port, and protocol to make "rules". In your case you made 2 rules but AWS combined them into one. In the web console it shows as 2 rules as you would expect them unfortunately, which adds to the confusion, but they are really 1. The API returns them in their true form:

$ aws ec2 describe-security-groups --group-ids=sg-<my-sg-id> --output=json
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "-1",
                    "PrefixListIds": [],
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "Description": "Allow traffic from certain trusted external points.",
            "Tags": [
                {
                    "Value": "Test-sg",
                    "Key": "Name"
                }
            ],
            "IpPermissions": [
                {
                    "IpProtocol": "-1",
                    "PrefixListIds": [],
                    "IpRanges": [
                        {
                            "Description": "IP1",
                            "CidrIp": "1.2.3.4/32"
                        },
                        {
                            "Description": "IP2",
                            "CidrIp": "5.6.7.8/32"
                        }
                    ],
                    "UserIdGroupPairs": [],
                    "Ipv6Ranges": []
                }
            ],
            "GroupName": "TestTerraformBug",
            "VpcId": "vpc-<my-vpc-id>",
            "OwnerId": "<my-owner-id>",
            "GroupId": "sg-<my-sg-id>"
        }
    ]
}

[catsby]

Hey @bodgit sorry to say that I get the same results in several regions , including eu-west-1. I'm going to close this for now. Please let me know if you have any additional information. Thanks!

[bodgit]

@catsby That's fine. I figure it only warrants a small documentation update, if anything, now I've worked out the cause.

[ghost]

@catsby That's great info, thank you.

What if I have different ingress blocks with the same ports/protocols but different CIDR and different description? For example I want an external vendor to access 443 from the internet by using their CIDR block, and also allow 443 from the local network. I want a different description for each.

Is this not possible without it recreating the rule set on each apply?

[ebekker]

Any update on this? I'm especially interested to know how to combine the similar rules into one rule with multiple CIDR blocks, but still support different descriptions per each CIDR block? This is supported by the AWS API, but is not possible with the TF configuration format for inline rules.

[HailKingBear]

I'm currently having this exact same issue, with the exception that the Security Group always wants to modify if I have a self-rule in my rules list, like this:

ingress {
from_port = -0
to_port = -0
protocol = "-1"
self = "true"
}

If I comment out the above rule, I get "No changes", but if the rule is in, I constantly have an SG that wants to modify itself. I tried adding the rule with security_groups = ["sg-xxxxxxxx"] and I get the same behavior.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!