Error while trying to change security group connected to alb #8728

jezhumble · 2016-09-08T07:53:23Z

Error applying plan:

1 error(s) occurred:

aws_alb.dora_alb: diffs didn't match during apply. This is a bug with Terraform and should be reported as a GitHub Issue.

Please include the following information in your report:

Terraform Version: 0.7.3
Resource ID: aws_alb.dora_alb
Mismatch reason: diff: Destroy; old: false, new: true
Diff One (usually from plan): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"security_groups.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyTainted:false}
Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"security_groups.#":*terraform.ResourceAttrDiff{Old:"1", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "subnets.#":*terraform.ResourceAttrDiff{Old:"2", New:"2", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "internal":*terraform.ResourceAttrDiff{Old:"false", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "name":*terraform.ResourceAttrDiff{Old:"terraform-dora-alb", New:"terraform-dora-alb", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "enable_deletion_protection":*terraform.ResourceAttrDiff{Old:"false", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "security_groups.738430072":*terraform.ResourceAttrDiff{Old:"sg-6d24f717", New:"", NewComputed:false, NewRemoved:true, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_id":*terraform.ResourceAttrDiff{Old:"vpc-3c710d5b", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"arn:aws:elasticloadbalancing:us-east-1:346417737908:loadbalancer/app/terraform-dora-alb/404cd0716b25bf58", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "subnets.807857994":*terraform.ResourceAttrDiff{Old:"subnet-3714f56c", New:"subnet-3714f56c", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "security_groups.1243217035":*terraform.ResourceAttrDiff{Old:"", New:"sg-758b1b0f", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "subnets.701492291":*terraform.ResourceAttrDiff{Old:"subnet-9ae407b7", New:"subnet-9ae407b7", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.%":*terraform.ResourceAttrDiff{Old:"1", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "dns_name":*terraform.ResourceAttrDiff{Old:"terraform-dora-alb-765013520.us-east-1.elb.amazonaws.com", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "zone_id":*terraform.ResourceAttrDiff{Old:"Z35SXDOTRQ7X7K", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.owner":*terraform.ResourceAttrDiff{Old:"dora", New:"dora", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "idle_timeout":*terraform.ResourceAttrDiff{Old:"60", New:"60", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:true, DestroyTainted:false}

Also include as much context as you can about your config, state, and the steps you performed to trigger this error.

The text was updated successfully, but these errors were encountered:

jezhumble · 2016-09-08T08:01:34Z

NB I got this working again by running the plan again - I was trying to change a security group connected to an alb, and the only way I could get it to work was to change the lifecycle to "create-before-destroy", delete the name, and then run terraform twice (the first time gave the error reported above)

stack72 · 2016-09-08T08:05:24Z

Hey @jezhumble

Thanks for reporting this - any chance you could drop us a small config that we can try and reproduce your conditions here?

Paul

jezhumble · 2016-09-08T08:10:07Z

Sure, try this subset:

resource "aws_security_group" "load_balancer" {
  name = "load_balancer"
  description = "Allow inbound http and https"
  vpc_id = "${aws_vpc.dora_vpc.id}"

  ingress {
    from_port = 443
    to_port = 443
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port = 80
    to_port = 80
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port = 80
    to_port = 80
    protocol = "tcp"
    cidr_blocks = ["10.0.0.0/24"]
  }

  tags {
    owner = "dora"
  }
}

resource "aws_alb" "dora_alb" {
  name = "terraform-dora-alb"
  internal = false
  subnets = ["${aws_subnet.public_subnet_1.id}", "${aws_subnet.public_subnet_2.id}"]
  security_groups = ["${aws_security_group.load_balancer.id}"]

  tags {
     owner = "dora"
  }
}

resource "aws_subnet" "public_subnet_1" {
    vpc_id = "${aws_vpc.dora_vpc.id}"
    availability_zone = "us-east-1a"
    cidr_block = "10.0.0.0/26"
    map_public_ip_on_launch = false
    tags {
        owner = "dora"
    }
}

resource "aws_subnet" "public_subnet_2" {
    vpc_id = "${aws_vpc.dora_vpc.id}"
    availability_zone = "us-east-1c"
    cidr_block = "10.0.0.64/26"
    map_public_ip_on_launch = false
    tags {
        owner = "dora"
    }
}

resource "aws_vpc" "dora_vpc" {
    cidr_block = "10.0.0.0/24"
    tags {
        owner = "dora"
    }
}

jezhumble · 2016-09-08T08:19:16Z

PS what caused the initial problem was adding the ingress block for port 80 - so to reproduce, try without that block, and then try adding it.

stack72 · 2016-11-02T12:25:07Z

Hi @jezhumble

Sorry for the delay here (huge number of issues!) but finally got around to fixing this. PR just about to hit

Paul

Fixes #9658 Fixes #8728 Originally, this would ForceNew as follows: ``` -/+ aws_alb.alb_test arn: "arn:aws:elasticloadbalancing:us-west-2:187416307283:loadbalancer/app/test-alb-9658/3459cd2446b76901" => "<computed>" arn_suffix: "app/test-alb-9658/3459cd2446b76901" => "<computed>" dns_name: "test-alb-9658-1463108301.us-west-2.elb.amazonaws.com" => "<computed>" enable_deletion_protection: "false" => "false" idle_timeout: "30" => "30" internal: "false" => "false" name: "test-alb-9658" => "test-alb-9658" security_groups.#: "2" => "1" (forces new resource) security_groups.1631253634: "sg-3256274b" => "" (forces new resource) security_groups.3505955000: "sg-1e572667" => "sg-1e572667" (forces new resource) subnets.#: "2" => "2" subnets.2407170741: "subnet-ee536498" => "subnet-ee536498" subnets.2414619308: "subnet-f1a7b595" => "subnet-f1a7b595" tags.%: "1" => "1" tags.TestName: "TestAccAWSALB_basic" => "TestAccAWSALB_basic" vpc_id: "vpc-dd0ff9ba" => "<computed>" zone_id: "Z1H1FL5HABSF5" => "<computed>" Plan: 1 to add, 0 to change, 1 to destroy. ``` When the ALB was ForceNew, the ARN changed. The test has been updated to include a check to make sure that the ARNs are the same after the update After this change, it looks as follows: ``` ~ aws_alb.alb_test security_groups.#: "1" => "2" security_groups.1631253634: "" => "sg-3256274b" security_groups.3505955000: "sg-1e572667" => "sg-1e572667" Plan: 0 to add, 1 to change, 0 to destroy. ``` Test Results: ``` % make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSALB_' ✹ ==> Checking that code complies with gofmt requirements... go generate $(go list ./... | grep -v /terraform/vendor/) 2016/11/02 12:20:58 Generated command/internal_plugin_list.go TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSALB_ -timeout 120m === RUN TestAccAWSALB_basic --- PASS: TestAccAWSALB_basic (64.25s) === RUN TestAccAWSALB_generatedName --- PASS: TestAccAWSALB_generatedName (65.04s) === RUN TestAccAWSALB_namePrefix --- PASS: TestAccAWSALB_namePrefix (67.02s) === RUN TestAccAWSALB_tags --- PASS: TestAccAWSALB_tags (96.06s) === RUN TestAccAWSALB_updatedSecurityGroups --- PASS: TestAccAWSALB_updatedSecurityGroups (101.61s) === RUN TestAccAWSALB_noSecurityGroup --- PASS: TestAccAWSALB_noSecurityGroup (59.83s) === RUN TestAccAWSALB_accesslogs --- PASS: TestAccAWSALB_accesslogs (162.65s) PASS ok github.com/hashicorp/terraform/builtin/providers/aws 616.489s ```

…#9804) Fixes hashicorp#9658 Fixes hashicorp#8728 Originally, this would ForceNew as follows: ``` -/+ aws_alb.alb_test arn: "arn:aws:elasticloadbalancing:us-west-2:187416307283:loadbalancer/app/test-alb-9658/3459cd2446b76901" => "<computed>" arn_suffix: "app/test-alb-9658/3459cd2446b76901" => "<computed>" dns_name: "test-alb-9658-1463108301.us-west-2.elb.amazonaws.com" => "<computed>" enable_deletion_protection: "false" => "false" idle_timeout: "30" => "30" internal: "false" => "false" name: "test-alb-9658" => "test-alb-9658" security_groups.#: "2" => "1" (forces new resource) security_groups.1631253634: "sg-3256274b" => "" (forces new resource) security_groups.3505955000: "sg-1e572667" => "sg-1e572667" (forces new resource) subnets.#: "2" => "2" subnets.2407170741: "subnet-ee536498" => "subnet-ee536498" subnets.2414619308: "subnet-f1a7b595" => "subnet-f1a7b595" tags.%: "1" => "1" tags.TestName: "TestAccAWSALB_basic" => "TestAccAWSALB_basic" vpc_id: "vpc-dd0ff9ba" => "<computed>" zone_id: "Z1H1FL5HABSF5" => "<computed>" Plan: 1 to add, 0 to change, 1 to destroy. ``` When the ALB was ForceNew, the ARN changed. The test has been updated to include a check to make sure that the ARNs are the same after the update After this change, it looks as follows: ``` ~ aws_alb.alb_test security_groups.#: "1" => "2" security_groups.1631253634: "" => "sg-3256274b" security_groups.3505955000: "sg-1e572667" => "sg-1e572667" Plan: 0 to add, 1 to change, 0 to destroy. ``` Test Results: ``` % make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSALB_' ✹ ==> Checking that code complies with gofmt requirements... go generate $(go list ./... | grep -v /terraform/vendor/) 2016/11/02 12:20:58 Generated command/internal_plugin_list.go TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSALB_ -timeout 120m === RUN TestAccAWSALB_basic --- PASS: TestAccAWSALB_basic (64.25s) === RUN TestAccAWSALB_generatedName --- PASS: TestAccAWSALB_generatedName (65.04s) === RUN TestAccAWSALB_namePrefix --- PASS: TestAccAWSALB_namePrefix (67.02s) === RUN TestAccAWSALB_tags --- PASS: TestAccAWSALB_tags (96.06s) === RUN TestAccAWSALB_updatedSecurityGroups --- PASS: TestAccAWSALB_updatedSecurityGroups (101.61s) === RUN TestAccAWSALB_noSecurityGroup --- PASS: TestAccAWSALB_noSecurityGroup (59.83s) === RUN TestAccAWSALB_accesslogs --- PASS: TestAccAWSALB_accesslogs (162.65s) PASS ok github.com/hashicorp/terraform/builtin/providers/aws 616.489s ```

ghost · 2020-04-20T02:29:38Z

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

stack72 added provider/aws atlas bug and removed atlas provider/aws labels Sep 8, 2016

nbirnel mentioned this issue Oct 27, 2016

adding security group to aws_alb forces new resource. #9658

Closed

stack72 mentioned this issue Nov 2, 2016

provider/aws: Allows aws_alb security_groups to be updated #9804

Merged

stack72 closed this as completed in #9804 Nov 2, 2016

ghost locked and limited conversation to collaborators Apr 20, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Error while trying to change security group connected to alb #8728

Error while trying to change security group connected to alb #8728

jezhumble commented Sep 8, 2016

jezhumble commented Sep 8, 2016

stack72 commented Sep 8, 2016

jezhumble commented Sep 8, 2016 •

edited

Loading

jezhumble commented Sep 8, 2016

stack72 commented Nov 2, 2016

ghost commented Apr 20, 2020

Error while trying to change security group connected to alb #8728

Error while trying to change security group connected to alb #8728

Comments

jezhumble commented Sep 8, 2016

jezhumble commented Sep 8, 2016

stack72 commented Sep 8, 2016

jezhumble commented Sep 8, 2016 • edited Loading

jezhumble commented Sep 8, 2016

stack72 commented Nov 2, 2016

ghost commented Apr 20, 2020

jezhumble commented Sep 8, 2016 •

edited

Loading