Security groups for allow all and all ports keeps reloading #1729

Closed
mzupan opened this issue Apr 29, 2015 · 12 comments

Comments

@mzupan
Contributor

mzupan commented Apr 29, 2015

I'm running a pretty current master

Terraform v0.5.0-dev (fa85e6b7692b816df0c784f8339e0446bb3a4dc9+CHANGES)

I have the following

resource "aws_security_group" "internal-default" {
    name = "WEB-internal-defaults"
    description = "Allow set traffic from internal"
    vpc_id = "${aws_vpc.main.id}"

    ingress {
        from_port = -1
        to_port = -1
        protocol = "icmp"
        cidr_blocks = ["10.0.0.0/8"]
    }
    ingress {
        from_port = 22
        to_port = 22
        protocol = "tcp"
        cidr_blocks = ["10.0.0.0/8"]
    }

    tags {
        Name = "Web - Default Internal"
        CostCenter = "Web"
    }
}

It keeps trying to alter the security group each apply

aws_security_group.internal-nat: Modifying...
  ingress.2767533351.cidr_blocks.#:     "0" => "1"
  ingress.2767533351.cidr_blocks.0:     "" => "10.0.0.0/8"
  ingress.2767533351.from_port:         "" => "0"
  ingress.2767533351.protocol:          "" => "-1"
  ingress.2767533351.security_groups.#: "0" => "0"
  ingress.2767533351.self:              "" => "0"
  ingress.2767533351.to_port:           "" => "65535"
aws_security_group.internal-nat: Modifications complete
aws_instance.nat: Modifying...
  vpc_security_group_ids.#:          "1" => "2"
  vpc_security_group_ids.2847372475: "" => "sg-45297821"
  vpc_security_group_ids.3329033720: "sg-f6347892" => "sg-f6347892"
aws_instance.nat: Modifications complete
@c4milo
Contributor

c4milo commented May 1, 2015

I'm running into this issue as well (master branch)

@catsby
Contributor

catsby commented May 1, 2015

hey @mzupan and @c4milo, can you give me some more information?

I used the config file you specified, applied it, and then ran plan expecting to see a change but didn't. terraform refresh doesn't change the state file either. What am I missing, in the steps to reproduce this?

I'm on Terraform v0.5.0-dev (15c75c501f97de2205e2779ac2f432d615a92fed+CHANGES)

@catsby catsby added the waiting-response label (An issue/pull request is waiting for a response from the community) May 1, 2015
@c4milo
Contributor

c4milo commented May 2, 2015

@catsby, try this one:

resource "aws_security_group" "foo" {
    ingress {
        protocol = "-1"
        from_port = 8300
        to_port = 8300
        cidr_blocks = ["10.0.1.0/24"]
    }

    // Allows ingress traffic to all ports from subnet A.
    ingress {
        protocol = "-1"
        from_port = 0
        to_port = 65535
        cidr_blocks = ["10.0.0.0/24"]
    }
}

@catsby
Contributor

catsby commented May 4, 2015

I'd like to close this as a duplicate of #1177 if you don't mind. Essentially, from what I'm reading, a protocol of -1 translates to to_port: 0 and from_port: 0 on AWS's side, so any config that has something different will constantly want to change.

Of course, I could be wrong, so let me know what you think.

@catsby
Contributor

catsby commented May 4, 2015

To clarify:

I can't reproduce the first case given. I note that the example config has resource "aws_security_group" "internal-default", with no port 65535 mentioned in the config, but the output has aws_security_group.internal-nat: Modifying... mentioned, and does include port 65535. Is that a typo then?

The second example from @c4milo is a duplicate of #1177, I believe.

@mzupan
Contributor Author

mzupan commented May 4, 2015

@catsby thanks. Switching the to/from ports from -1 to 0 cleared it up.
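A pre-apply check for the pattern diagnosed in the two comments above, added here as an example; it is not Terraform's or the AWS provider's code. It takes the thread's explanation as its working assumption: AWS hands an all-protocols rule (protocol "-1") back with from_port 0 / to_port 0, so any other port pair written in the config is re-sent on every apply. The sample rules are constructed (modelled on the second config posted in the thread), and the rule key is a stand-in for Terraform's set hash, not its real algorithm. The lint reports each rule that would churn and the rewrite that stops it, and a small plan simulation shows the diff disappearing once the rules are written in canonical form.

```python
"""Pre-apply lint for aws_security_group rules that never converge.

Added example, not Terraform's or the AWS provider's code. Assumption taken
from the issue thread: AWS reads an all-protocols rule (protocol "-1") back
with from_port 0 / to_port 0, so any other port pair in the config is
rewritten on every apply. SAMPLE_CONFIG is constructed; rule_key() stands in
for Terraform's set hash and is not its real algorithm.
"""
import hashlib
import json
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    protocol: str
    from_port: int
    to_port: int
    cidr_blocks: tuple


# Constructed sample, modelled on the "foo" config in the thread (not real infra).
SAMPLE_CONFIG = [
    Rule("-1", 8300, 8300, ("10.0.1.0/24",)),  # "-1": ports are ignored by AWS (assumption)
    Rule("-1", 0, 65535, ("10.0.0.0/24",)),    # same problem with a wider range
    Rule("tcp", 22, 22, ("10.0.0.0/8",)),      # explicit protocol and port: converges
]


def canonicalize(rule: Rule) -> Rule:
    """Return the shape a refresh would read back (assumption: "-1" means 0/0)."""
    if rule.protocol == "-1" and (rule.from_port, rule.to_port) != (0, 0):
        return replace(rule, from_port=0, to_port=0)
    return rule


def rule_key(rule: Rule) -> str:
    """Stable identity for a rule; stands in for Terraform's set hash."""
    blob = json.dumps(
        [rule.protocol, rule.from_port, rule.to_port, sorted(rule.cidr_blocks)]
    )
    return hashlib.sha256(blob.encode()).hexdigest()[:10]


def churning_rules(config):
    """Rules whose written form differs from what refresh will read back."""
    return [r for r in config if canonicalize(r) != r]


def simulate_plan(config):
    """One plan cycle: (to_add, to_remove) when the config is compared against a
    refreshed state that already holds the same rules in canonical form."""
    desired = {rule_key(r): r for r in config}
    actual = {rule_key(canonicalize(r)): canonicalize(r) for r in config}
    to_add = [desired[k] for k in sorted(desired.keys() - actual.keys())]
    to_remove = [actual[k] for k in sorted(actual.keys() - desired.keys())]
    return to_add, to_remove


def lint(config):
    """One human-readable finding per churning rule, with the fix the thread settled on."""
    return [
        f'protocol "-1" with ports {r.from_port}-{r.to_port} for {r.cidr_blocks}: '
        f"write from_port = 0 / to_port = 0 (or name the protocol) to stop the churn"
        for r in churning_rules(config)
    ]


if __name__ == "__main__":
    add, rem = simulate_plan(SAMPLE_CONFIG)
    print(f"plan would add {len(add)} and remove {len(rem)} rule(s) on every run")
    for line in lint(SAMPLE_CONFIG):
        print("  -", line)
    fixed = [canonicalize(r) for r in SAMPLE_CONFIG]
    print("after rewriting the rules in canonical form:", simulate_plan(fixed))
```

Beyond the immediate annoyance, a plan that always shows a security group modification trains operators to wave SG diffs through, which is exactly where an unintended rule change would otherwise be caught; keeping the rules in the form the API returns keeps the plan a meaningful signal.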

@c4milo
Contributor

c4milo commented May 5, 2015

@catsby, thanks for looking into this.

@catsby
Contributor

catsby commented May 5, 2015

Is this OK to close then?

@mzupan
Contributor Author

mzupan commented May 5, 2015

ok to close on my end

@c4milo
Contributor

c4milo commented May 5, 2015

I think so.

@phinze phinze closed this as completed May 7, 2015
@phinze phinze removed the waiting-response label (An issue/pull request is waiting for a response from the community) May 7, 2015
@GNK-Cloud

GNK-Cloud commented Dec 10, 2017

resource "aws_security_group" "foo" {
    // Single port with an explicit protocol.
    ingress {
        protocol = "tcp"
        from_port = 8300
        to_port = 8300
        cidr_blocks = ["10.0.1.0/24"]
    }

    // Allows ingress traffic to all ports from subnet A.
    ingress {
        protocol = "-1"
        from_port = 0
        to_port = 65535
        cidr_blocks = ["10.0.0.0/24"]
    }
}

@ghost

ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 5, 2020
5 participants