Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

provider/openstack: Remove default egress rule from Security Group on creation #9799

Closed
gpaggi opened this issue Nov 2, 2016 · 10 comments · Fixed by #11466
Closed

provider/openstack: Remove default egress rule from Security Group on creation #9799

gpaggi opened this issue Nov 2, 2016 · 10 comments · Fixed by #11466

Comments

@gpaggi
Copy link

gpaggi commented Nov 2, 2016

Hi there,

Terraform Version

Terraform v0.7.8

Affected Resource(s)

openstack_networking_secgroup_v2
openstack_networking_secgroup_rule_v2

Terraform Configuration Files

resource "openstack_networking_secgroup_v2" "_def_secgroup" {
  region = "${var.region}"
  name = "_def_secgroup"
  description = "Default security group"
}

resource "openstack_networking_secgroup_rule_v2" "_def_secgroup_rule_1" {
  direction = "egress"
  ethertype = "IPv4"
  protocol = "tcp"
  security_group_id = "${openstack_networking_secgroup_v2._def_secgroup.id}"
  remote_ip_prefix = "10.0.0.0/8"
}

Expected Behavior

Terraform should create a security group with one egress rule limiting TCP traffic to only 10.0.0.0/8.

Actual Behavior

On security group creation, a default egress ANY:ANY is added by Neutron next to the one managed by TF.
This makes it impossible to manage egress rules from TF, since they are overridden by the default egress rule.

➜  terraform-dev neutron security-group-show _def_secgroup                                                                                                                                     
+----------------------+--------------------------------------------------------------------+
| Field                | Value                                                              |
+----------------------+--------------------------------------------------------------------+
| description          | Default security group                                             |
| id                   | 1b9a92a6-2972-4717-8a03-a14b2acdb197                               |
| name                 | _def_secgroup                                                      |
| security_group_rules | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": "0.0.0.0/0",                              |
|                      |      "protocol": "any",                                            |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_max": 65535,                                      |
|                      |      "security_group_id": "1b9a92a6-2972-4717-8a03-a14b2acdb197",  |
|                      |      "port_range_min": 0,                                          |
|                      |      "tenant_id": "f35f2d7d893d431b8a105242da8de971",              |
|                      |      "id": "37659e18-eb70-4504-b140-096fe4b72de1"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": "10.0.0.0/8",                             |
|                      |      "protocol": "tcp",                                            |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "port_range_max": 65535,                                      |
|                      |      "security_group_id": "1b9a92a6-2972-4717-8a03-a14b2acdb197",  |
|                      |      "port_range_min": 0,                                          |
|                      |      "tenant_id": "f35f2d7d893d431b8a105242da8de971",              |
|                      |      "id": "44d4fbcb-b40f-48a1-bb3b-724f025cc39d"                  |
|                      | }                                                                  |
| tenant_id            | f35f2d7d893d431b8a105242da8de971                                   |
+----------------------+--------------------------------------------------------------------+
➜  terraform-dev

Steps to Reproduce

Apply the TF code above.

References

This was fixed for the AWS provider in #1765
Is it possible to have the same fix implemented for the Openstack provider?

Thanks!

@jtopjian
Copy link
Contributor

jtopjian commented Nov 2, 2016

Thanks for the report.

I do see some default security group rules being created, but not specifically for a 10.0.0.0/8 subnet -- which makes sense because that subnet isn't hard-coded in neutron.

Here's the output that I see:

+----------------------+--------------------------------------------------------------------+
| Field                | Value                                                              |
+----------------------+--------------------------------------------------------------------+
| description          |                                                                    |
| id                   | 8fedc451-cf35-40cb-b52e-8ce4b4b74bf4                               |
| name                 | foo                                                                |
| security_group_rules | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "9aa5f9f66b4b417d84d778a23acdf45b",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "8fedc451-cf35-40cb-b52e-8ce4b4b74bf4",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv4",                                          |
|                      |      "id": "3061039d-1bd1-4dbf-a5f8-fcbdb7183868"                  |
|                      | }                                                                  |
|                      | {                                                                  |
|                      |      "remote_group_id": null,                                      |
|                      |      "direction": "egress",                                        |
|                      |      "remote_ip_prefix": null,                                     |
|                      |      "protocol": null,                                             |
|                      |      "tenant_id": "9aa5f9f66b4b417d84d778a23acdf45b",              |
|                      |      "port_range_max": null,                                       |
|                      |      "security_group_id": "8fedc451-cf35-40cb-b52e-8ce4b4b74bf4",  |
|                      |      "port_range_min": null,                                       |
|                      |      "ethertype": "IPv6",                                          |
|                      |      "id": "9a1c0546-e6b0-4372-944c-26368698cc6a"                  |
|                      | }                                                                  |
| tenant_id            | 9aa5f9f66b4b417d84d778a23acdf45b                                   |
+----------------------+--------------------------------------------------------------------+

I'll dig into this a bit more and see if I can find a resolution.

@gpaggi
Copy link
Author

gpaggi commented Nov 2, 2016

Hi @jtopjian,

The default security group I mean is the ANY:ANY for egress below. The rule for 10.0.0.0/8 is the one I'm trying to add.

"remote_group_id": null,                                    
"direction": "egress",                                      
"remote_ip_prefix": "0.0.0.0/0",                            
"protocol": "any",                                          
"ethertype": "IPv4",                                        
"port_range_max": 65535,                                    
"security_group_id": "1b9a92a6-2972-4717-8a03-a14b2acdb197",
"port_range_min": 0,                                        
"tenant_id": "f35f2d7d893d431b8a105242da8de971",            
"id": "37659e18-eb70-4504-b140-096fe4b72de1"                

I'm wondering why the content of the default security group rule you see is different than mine but I don't have another Openstack installation to test this further.

According to the documentation what I'm seeing, which mimics AWS behavior, is to be expected:
https://wiki.openstack.org/wiki/Neutron/SecurityGroups

For egress traffic (from an instance)
Only traffic matched with security group rules are allowed.
When there is no rule defined, all egress traffic are dropped.
When a new security group is created, rules to allow all egress traffic are automatically added.

@jtopjian
Copy link
Contributor

jtopjian commented Nov 2, 2016

@gpaggi Ah, understood. Thanks for the notes.

Do you know what version of Neutron your cloud is using? As well, do you know what plugins it's using?

@gpaggi
Copy link
Author

gpaggi commented Nov 2, 2016

Yes, we are using Liberty with Contrail plugin but I understood from my colleague that it shouldn't be relevant.

@jtopjian
Copy link
Contributor

jtopjian commented Nov 2, 2016

Right, it shouldn't, but I was asking just incase + collecting as much info as I can.

@ChiefAlexander
Copy link

We would also be interested in getting this patched in. I was taking a look at what the aws provider did and it appears that they remove the default rules on group creation letting terraform handle all rules.

@michalmedvecky
Copy link

+1

@jtopjian
Copy link
Contributor

Hi all,

Sorry for the delay. #11466 should fix this.

jtopjian added a commit to jtopjian/terraform that referenced this issue Feb 20, 2017
This commit modifies the behavior implemented in hashicorp#9799 by enabling
the user to be able to toggle the creation of the default security
group rules.
jtopjian added a commit to jtopjian/terraform that referenced this issue Feb 20, 2017
This commit modifies the behavior implemented in hashicorp#9799 by enabling
the user to be able to toggle the creation of the default security
group rules.
jtopjian added a commit to jtopjian/terraform that referenced this issue Feb 20, 2017
This commit modifies the behavior implemented in hashicorp#9799 by enabling
the user to be able to toggle the creation of the default security
group rules.
stack72 pushed a commit that referenced this issue Mar 5, 2017
…12119)

This commit modifies the behavior implemented in #9799 by enabling
the user to be able to toggle the creation of the default security
group rules.
stack72 pushed a commit that referenced this issue Mar 5, 2017
…12119)

This commit modifies the behavior implemented in #9799 by enabling
the user to be able to toggle the creation of the default security
group rules.
yanndegat pushed a commit to yanndegat/terraform that referenced this issue Mar 13, 2017
…ashicorp#12119)

This commit modifies the behavior implemented in hashicorp#9799 by enabling
the user to be able to toggle the creation of the default security
group rules.
@alexbozhenko
Copy link

For the record, here is the place in the code where those rules are created:
https://github.com/openstack/neutron/blob/2ec36dc812710c284b75498e695a44585484c6a1/neutron/db/securitygroups_db.py#L100-L116
openstack/neutron@7e26074

# openstack security group create test_that_those_rules_are_hardcoded
+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Field           | Value                                                                                                                                            |
+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at      | 2017-09-05T22:27:21Z                                                                                                                             |
| description     | test_that_those_rules_are_hardcoded                                                                                                              |
| id              | cce44424-0850-4b33-9741-dd6a506d6715                                                                                                             |
| name            | test_that_those_rules_are_hardcoded                                                                                                              |
| project_id      | 6e1abfa9691b4f3f8c5252260e00afac                                                                                                                 |
| revision_number | 1                                                                                                                                                |
| rules           | created_at='2017-09-05T22:27:21Z', direction='egress', ethertype='IPv4', id='66a34ab0-4f09-48d4-98b3-734cc0ba0d3d', revision_number='1',         |
|                 | updated_at='2017-09-05T22:27:21Z'                                                                                                                |
|                 | created_at='2017-09-05T22:27:21Z', direction='egress', ethertype='IPv6', id='41bc4e85-71bd-430c-9980-17a9e29efb38', revision_number='1',         |
|                 | updated_at='2017-09-05T22:27:21Z'                                                                                                                |
| updated_at      | 2017-09-05T22:27:21Z                                                                                                                             |
+-----------------+--------------------------------------------------------------------------------------------------------------------------------------------------+

@ghost
Copy link

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants