
DependencyViolation on tainted AWS security group #2579

Closed
anero opened this issue Jun 30, 2015 · 5 comments

Comments

@anero

anero commented Jun 30, 2015

Hey,

We're getting the error below when applying a plan with a tainted AWS security group resource:

 DependencyViolation: resource sg-6a97610d has a dependent object
    status code: 400, request id: []

The security group is used by a launch configuration which in turn is used by an auto scaling group; but even after tainting both resources, the SG failed to be destroyed.

Here're the relevant parts of the .tf file:

variable "ha_proxy_server_green_ami" {}
variable "ha_proxy_user_data" {}

# Our default security group to access
# the instances over SSH and HTTP
resource "aws_security_group" "haproxy" {
    name = "haproxy_servers"
    ingress {
        from_port = 22
        to_port = 22
        protocol = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
    ingress {
        from_port = 80
        to_port = 80
        protocol = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
    egress {
      from_port = 0
      to_port = 0
      protocol = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
}

resource "aws_launch_configuration" "haproxy_green" {
    name = "haproxy_launch_config_green"
    image_id = "${var.ha_proxy_server_green_ami}"
    instance_type = "t2.micro"

    security_groups = ["${aws_security_group.haproxy.name}"]
    depends_on = ["heroku_app.default", "heroku_app.tokyo"]

    lifecycle {
      create_before_destroy = true
    }

    user_data = "${var.ha_proxy_user_data}"
}

resource "aws_autoscaling_group" "haproxy_green" {
  availability_zones = ["us-east-1b", "us-east-1c"]
  name = "haproxy_asg_green"
  max_size = 5
  min_size = 2
  health_check_grace_period = 300
  health_check_type = "ELB"
  desired_capacity = 2
  force_delete = true
  launch_configuration = "${aws_launch_configuration.haproxy_green.name}"
  load_balancers = ["${aws_elb.staging-default.name}"]

  tag {
      key = "kind"
      value = "haproxy"
      propagate_at_launch = true
  }

  tag {
      key = "environment"
      value = "${var.app_environment}"
      propagate_at_launch = true
  }
}

@packplusplus

I think I'm also running into this. Renaming a security group that's tied to an instance. Terraform wants to delete the sg and re-create it, but can't because it's assigned to an instance.

@br0ch0n
Contributor

br0ch0n commented Sep 10, 2015

Yaa, I just noticed this when I tried to change the description of an SG (forces -/+...which seems kinda silly on amazon's part, but whatever). Putting a create_before_destroy in there doesn't help either because then you get a duplicate sg name error.

@catsby
Contributor

catsby commented Dec 2, 2015

Hello –

There's a known limitation of create_before_destroy, in which all resources that it depends on must also use create_before_destroy.

Since this issue was opened, we've removed the name requirement on Security Groups, and Terraform will now auto generate a unique one if name is omitted. Unfortunately we forgot to document that 😦

I've fixed the docs in #4139 and will ship that out soon. I'm going to go ahead and close this for now; using create_before_destroy with an auto generated name is the workaround of this limitation here.

Thanks!

@catsby catsby closed this as completed Dec 2, 2015
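The workaround described in the comment above, shown as an added example (not code from the issue or from the Terraform project): the reporter's fixed-name security group beside a version with the name omitted and create_before_destroy set, so the dependent launch configuration (which already uses create_before_destroy) can be replaced without a DependencyViolation. The ingress rules are copied from the report; the AMI variable is a placeholder.

```hcl
# BEFORE: a fixed name and no create_before_destroy. Any change that forces
# replacement (-/+) makes Terraform destroy this group while the launch
# configuration still references it, which AWS rejects with DependencyViolation.
# Adding create_before_destroy alone fails too: the replacement would reuse
# the name "haproxy_servers" and hit a duplicate-name error.
resource "aws_security_group" "haproxy_before" {
    name = "haproxy_servers"
    ingress {
        from_port   = 22
        to_port     = 22
        protocol    = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
}

# AFTER: name omitted, so Terraform generates a unique one and the new group
# can exist alongside the old one; create_before_destroy on the group itself
# satisfies the limitation that every dependency of a create_before_destroy
# resource must also use create_before_destroy.
resource "aws_security_group" "haproxy" {
    description = "haproxy servers: SSH and HTTP"
    ingress {
        from_port   = 22
        to_port     = 22
        protocol    = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
    ingress {
        from_port   = 80
        to_port     = 80
        protocol    = "tcp"
        cidr_blocks = ["0.0.0.0/0"]
    }
    lifecycle {
        create_before_destroy = true
    }
}

# The dependent resource, unchanged from the report apart from the placeholder
# AMI: it references the group by name, so on replacement Terraform creates
# the new group, updates this launch configuration, then destroys the old group.
resource "aws_launch_configuration" "haproxy_green" {
    image_id        = "${var.ha_proxy_server_green_ami}" # placeholder variable
    instance_type   = "t2.micro"
    security_groups = ["${aws_security_group.haproxy.name}"]
    lifecycle {
        create_before_destroy = true
    }
}
```

A plan against the AFTER block lists the new group as a create step ordered before the destroy of the old one, which is the signal that the dependency chain is correctly set up.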
@scalp42
Contributor

scalp42 commented Dec 2, 2015

@catsby any chance to see a name_prefix for the SGs as well?

@ghost

ghost commented Apr 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 29, 2020