Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

resource/security_group: fix rule gathering with description included #4416

Merged
merged 2 commits into from
May 10, 2018
Merged

resource/security_group: fix rule gathering with description included #4416

merged 2 commits into from
May 10, 2018

Conversation

loivis
Copy link
Contributor

@loivis loivis commented May 1, 2018
edited
Loading

fix #2018
fix #2069
fix #2379
fix #2879
fix #3139
fix #3202
fix #3204
fix #3261
fix #3346
fix #4346
fix #4410

There have been a few issues regarding rules with the same protocol, from_port and to_port but different description. The last description will eventually override previous ones and next plan shows changes to apply.

One simple example could be:

resource "aws_vpc" "test" {
  cidr_block = "10.0.0.0/16"

  tags {
    Name = "tf-test"
  }
}

resource "aws_security_group" "test" {
  name        = "tf-test"
  vpc_id      = "${aws_vpc.test.id}"

  ingress {
    protocol         = "tcp"
    from_port        = 80
    to_port          = 80
    ipv6_cidr_blocks = ["0.0.0.0/0"]
    description      = "ingress from all ipv4"
  }

  ingress {
    protocol         = "tcp"
    from_port        = 80
    to_port          = 80
    ipv6_cidr_blocks = ["::/0"]
    description      = "ingress from all ipv6"
  }
}

@ghost ghost added the size/L Managed by automation to categorize the size of a PR. label May 1, 2018
@loivis
Copy link
Contributor Author

loivis commented May 1, 2018
edited
Loading

before:

=== RUN   TestAccAWSSecurityGroup_ruleGathering
--- FAIL: TestAccAWSSecurityGroup_ruleGathering (46.70s)
	testing.go:518: Step 0 error: After applying this step, the plan was not empty:

		DIFF:

		UPDATE: aws_security_group.test
		  egress.2760422146.cidr_blocks.#:               "0" => "0"
		  egress.2760422146.description:                 "" => "egress for all ipv6"
		  egress.2760422146.from_port:                   "" => "0"
		  egress.2760422146.ipv6_cidr_blocks.#:          "0" => "1"
		  egress.2760422146.ipv6_cidr_blocks.0:          "" => "::/0"
		  egress.2760422146.prefix_list_ids.#:           "0" => "0"
		  egress.2760422146.protocol:                    "" => "-1"
		  egress.2760422146.security_groups.#:           "0" => "0"
		  egress.2760422146.self:                        "" => "false"
		  egress.2760422146.to_port:                     "" => "0"
		  egress.2821619876.cidr_blocks.#:               "1" => "0"
		  egress.2821619876.cidr_blocks.0:               "0.0.0.0/0" => ""
		  egress.2821619876.description:                 "egress for vpc endpoints" => ""
		  egress.2821619876.from_port:                   "0" => "0"
		  egress.2821619876.ipv6_cidr_blocks.#:          "0" => "0"
		  egress.2821619876.prefix_list_ids.#:           "0" => "0"
		  egress.2821619876.protocol:                    "-1" => ""
		  egress.2821619876.security_groups.#:           "0" => "0"
		  egress.2821619876.self:                        "false" => "false"
		  egress.2821619876.to_port:                     "0" => "0"
		  egress.2973493247.cidr_blocks.#:               "0" => "0"
		  egress.2973493247.description:                 "egress for vpc endpoints" => ""
		  egress.2973493247.from_port:                   "0" => "0"
		  egress.2973493247.ipv6_cidr_blocks.#:          "1" => "0"
		  egress.2973493247.ipv6_cidr_blocks.0:          "::/0" => ""
		  egress.2973493247.prefix_list_ids.#:           "0" => "0"
		  egress.2973493247.protocol:                    "-1" => ""
		  egress.2973493247.security_groups.#:           "0" => "0"
		  egress.2973493247.self:                        "false" => "false"
		  egress.2973493247.to_port:                     "0" => "0"
		  egress.2981002505.cidr_blocks.#:               "0" => "0"
		  egress.2981002505.description:                 "egress for vpc endpoints" => "egress for vpc endpoints"
		  egress.2981002505.from_port:                   "0" => "0"
		  egress.2981002505.ipv6_cidr_blocks.#:          "0" => "0"
		  egress.2981002505.prefix_list_ids.#:           "1" => "1"
		  egress.2981002505.prefix_list_ids.0:           "pl-6da54004" => "pl-6da54004"
		  egress.2981002505.protocol:                    "-1" => "-1"
		  egress.2981002505.security_groups.#:           "0" => "0"
		  egress.2981002505.self:                        "false" => "false"
		  egress.2981002505.to_port:                     "0" => "0"
		  egress.3161496341.cidr_blocks.#:               "0" => "1"
		  egress.3161496341.cidr_blocks.0:               "" => "0.0.0.0/0"
		  egress.3161496341.description:                 "" => "egress for all ipv4"
		  egress.3161496341.from_port:                   "" => "0"
		  egress.3161496341.ipv6_cidr_blocks.#:          "0" => "0"
		  egress.3161496341.prefix_list_ids.#:           "0" => "0"
		  egress.3161496341.protocol:                    "" => "-1"
		  egress.3161496341.security_groups.#:           "0" => "0"
		  egress.3161496341.self:                        "" => "false"
		  egress.3161496341.to_port:                     "" => "0"
		  ingress.#:                                     "3" => "5"
		  ingress.1274017860.cidr_blocks.#:              "0" => "1"
		  ingress.1274017860.cidr_blocks.0:              "" => "192.168.0.0/16"
		  ingress.1274017860.description:                "" => "ingress from 192.168.0.0/16"
		  ingress.1274017860.from_port:                  "" => "80"
		  ingress.1274017860.ipv6_cidr_blocks.#:         "0" => "0"
		  ingress.1274017860.protocol:                   "" => "tcp"
		  ingress.1274017860.security_groups.#:          "0" => "0"
		  ingress.1274017860.self:                       "" => "false"
		  ingress.1274017860.to_port:                    "" => "80"
		  ingress.1396402051.cidr_blocks.#:              "0" => "0"
		  ingress.1396402051.description:                "" => "ingress from all ipv6"
		  ingress.1396402051.from_port:                  "" => "80"
		  ingress.1396402051.ipv6_cidr_blocks.#:         "0" => "1"
		  ingress.1396402051.ipv6_cidr_blocks.0:         "" => "::/0"
		  ingress.1396402051.protocol:                   "" => "tcp"
		  ingress.1396402051.security_groups.#:          "0" => "0"
		  ingress.1396402051.self:                       "" => "false"
		  ingress.1396402051.to_port:                    "" => "80"
		  ingress.1687249332.cidr_blocks.#:              "2" => "0"
		  ingress.1687249332.cidr_blocks.0:              "10.0.0.0/24" => ""
		  ingress.1687249332.cidr_blocks.1:              "10.0.1.0/24" => ""
		  ingress.1687249332.description:                "ingress from other security groups" => ""
		  ingress.1687249332.from_port:                  "80" => "0"
		  ingress.1687249332.ipv6_cidr_blocks.#:         "0" => "0"
		  ingress.1687249332.protocol:                   "tcp" => ""
		  ingress.1687249332.security_groups.#:          "0" => "0"
		  ingress.1687249332.self:                       "true" => "false"
		  ingress.1687249332.to_port:                    "80" => "0"
		  ingress.1889111182.cidr_blocks.#:              "0" => "2"
		  ingress.1889111182.cidr_blocks.0:              "" => "10.0.2.0/24"
		  ingress.1889111182.cidr_blocks.1:              "" => "10.0.3.0/24"
		  ingress.1889111182.description:                "" => "ingress from 10.0.0.0/16"
		  ingress.1889111182.from_port:                  "" => "80"
		  ingress.1889111182.ipv6_cidr_blocks.#:         "0" => "0"
		  ingress.1889111182.protocol:                   "" => "tcp"
		  ingress.1889111182.security_groups.#:          "0" => "0"
		  ingress.1889111182.self:                       "" => "false"
		  ingress.1889111182.to_port:                    "" => "80"
		  ingress.2038285407.cidr_blocks.#:              "0" => "2"
		  ingress.2038285407.cidr_blocks.0:              "" => "10.0.0.0/24"
		  ingress.2038285407.cidr_blocks.1:              "" => "10.0.1.0/24"
		  ingress.2038285407.description:                "" => ""
		  ingress.2038285407.from_port:                  "" => "80"
		  ingress.2038285407.ipv6_cidr_blocks.#:         "0" => "0"
		  ingress.2038285407.protocol:                   "" => "tcp"
		  ingress.2038285407.security_groups.#:          "0" => "0"
		  ingress.2038285407.self:                       "" => "true"
		  ingress.2038285407.to_port:                    "" => "80"
		  ingress.2768612695.cidr_blocks.#:              "0" => "0"
		  ingress.2768612695.description:                "ingress from other security groups" => "ingress from other security groups"
		  ingress.2768612695.from_port:                  "80" => "80"
		  ingress.2768612695.ipv6_cidr_blocks.#:         "0" => "0"
		  ingress.2768612695.protocol:                   "tcp" => "tcp"
		  ingress.2768612695.security_groups.#:          "2" => "2"
		  ingress.2768612695.security_groups.1695808062: "sg-08ad8693d0c90a1de" => "sg-08ad8693d0c90a1de"
		  ingress.2768612695.security_groups.2580594009: "sg-00633325aa9519f24" => "sg-00633325aa9519f24"
		  ingress.2768612695.self:                       "false" => "false"
		  ingress.2768612695.to_port:                    "80" => "80"
		  ingress.4193023394.cidr_blocks.#:              "3" => "0"
		  ingress.4193023394.cidr_blocks.0:              "10.0.3.0/24" => ""
		  ingress.4193023394.cidr_blocks.1:              "10.0.2.0/24" => ""
		  ingress.4193023394.cidr_blocks.2:              "192.168.0.0/16" => ""
		  ingress.4193023394.description:                "ingress from other security groups" => ""
		  ingress.4193023394.from_port:                  "80" => "0"
		  ingress.4193023394.ipv6_cidr_blocks.#:         "1" => "0"
		  ingress.4193023394.ipv6_cidr_blocks.0:         "::/0" => ""
		  ingress.4193023394.protocol:                   "tcp" => ""
		  ingress.4193023394.security_groups.#:          "0" => "0"
		  ingress.4193023394.self:                       "false" => "false"
		  ingress.4193023394.to_port:                    "80" => "0"

after:

TF_ACC=1 go test ./aws -v -run=TestAccAWSSecurityGroup_uniqueRule -timeout 120m
=== RUN   TestAccAWSSecurityGroup_ruleGathering
--- PASS: TestAccAWSSecurityGroup_ruleGathering (54.67s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	54.713s

@loivis loivis force-pushed the r-security-group-rule-description branch from 1a51d53 to cbd920c Compare May 1, 2018 20:35
@ghost ghost added the size/L Managed by automation to categorize the size of a PR. label May 1, 2018
@loivis
Copy link
Contributor Author

loivis commented May 1, 2018

It really takes some time to run all tests 😓 . Some unrelated errors remain.

⎇  make fmt; and echo > aws/debug.log ; and make testacc TEST=./aws TESTARGS='-run=TestAccAWSSecurityGroup_'
gofmt -w $(find . -name '*.go' |grep -v vendor)
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -run=TestAccAWSSecurityGroup_ -timeout 120m
=== RUN   TestAccAWSSecurityGroup_importBasic
--- PASS: TestAccAWSSecurityGroup_importBasic (37.67s)
=== RUN   TestAccAWSSecurityGroup_importIpv6
--- PASS: TestAccAWSSecurityGroup_importIpv6 (29.66s)
=== RUN   TestAccAWSSecurityGroup_importSelf
--- PASS: TestAccAWSSecurityGroup_importSelf (34.46s)
=== RUN   TestAccAWSSecurityGroup_importSourceSecurityGroup
--- PASS: TestAccAWSSecurityGroup_importSourceSecurityGroup (40.55s)
=== RUN   TestAccAWSSecurityGroup_importIPRangeAndSecurityGroupWithSameRules
--- PASS: TestAccAWSSecurityGroup_importIPRangeAndSecurityGroupWithSameRules (36.30s)
=== RUN   TestAccAWSSecurityGroup_importIPRangesWithSameRules
--- PASS: TestAccAWSSecurityGroup_importIPRangesWithSameRules (38.69s)
=== RUN   TestAccAWSSecurityGroup_importPrefixList
--- FAIL: TestAccAWSSecurityGroup_importPrefixList (14.10s)
	testing.go:518: Step 0 error: Error applying: 1 error(s) occurred:

		* aws_vpc_endpoint.s3-us-west-2: 1 error(s) occurred:

		* aws_vpc_endpoint.s3-us-west-2: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.us-west-2.s3' does not exist
			status code: 400, request id: 75996839-4665-4276-a6d9-c6c43ee06860
=== RUN   TestAccAWSSecurityGroup_basic
--- PASS: TestAccAWSSecurityGroup_basic (34.93s)
=== RUN   TestAccAWSSecurityGroup_ruleGathering
--- PASS: TestAccAWSSecurityGroup_ruleGathering (56.94s)
=== RUN   TestAccAWSSecurityGroup_forceRevokeRules_true

--- PASS: TestAccAWSSecurityGroup_forceRevokeRules_true (721.61s)
=== RUN   TestAccAWSSecurityGroup_forceRevokeRules_false
--- PASS: TestAccAWSSecurityGroup_forceRevokeRules_false (680.14s)
=== RUN   TestAccAWSSecurityGroup_basicRuleDescription
--- PASS: TestAccAWSSecurityGroup_basicRuleDescription (31.57s)
=== RUN   TestAccAWSSecurityGroup_ipv6
--- PASS: TestAccAWSSecurityGroup_ipv6 (30.55s)
=== RUN   TestAccAWSSecurityGroup_tagsCreatedFirst
--- PASS: TestAccAWSSecurityGroup_tagsCreatedFirst (25.44s)
=== RUN   TestAccAWSSecurityGroup_namePrefix
--- PASS: TestAccAWSSecurityGroup_namePrefix (24.91s)
=== RUN   TestAccAWSSecurityGroup_self
--- PASS: TestAccAWSSecurityGroup_self (31.27s)
=== RUN   TestAccAWSSecurityGroup_vpc
--- PASS: TestAccAWSSecurityGroup_vpc (33.94s)
=== RUN   TestAccAWSSecurityGroup_vpcNegOneIngress
--- PASS: TestAccAWSSecurityGroup_vpcNegOneIngress (30.42s)
=== RUN   TestAccAWSSecurityGroup_vpcProtoNumIngress
--- PASS: TestAccAWSSecurityGroup_vpcProtoNumIngress (30.79s)
=== RUN   TestAccAWSSecurityGroup_MultiIngress
--- PASS: TestAccAWSSecurityGroup_MultiIngress (37.59s)
=== RUN   TestAccAWSSecurityGroup_Change
--- PASS: TestAccAWSSecurityGroup_Change (56.22s)
=== RUN   TestAccAWSSecurityGroup_ChangeRuleDescription
--- PASS: TestAccAWSSecurityGroup_ChangeRuleDescription (77.33s)
=== RUN   TestAccAWSSecurityGroup_generatedName
--- PASS: TestAccAWSSecurityGroup_generatedName (34.31s)
=== RUN   TestAccAWSSecurityGroup_DefaultEgress_VPC
--- PASS: TestAccAWSSecurityGroup_DefaultEgress_VPC (29.85s)
=== RUN   TestAccAWSSecurityGroup_DefaultEgress_Classic
--- PASS: TestAccAWSSecurityGroup_DefaultEgress_Classic (28.48s)
=== RUN   TestAccAWSSecurityGroup_drift
--- FAIL: TestAccAWSSecurityGroup_drift (4.70s)
	testing.go:518: Step 0 error: Error applying: 1 error(s) occurred:

		* aws_security_group.web: 1 error(s) occurred:

		* aws_security_group.web: Error creating Security Group: VPCIdNotSpecified: No default VPC for this user
			status code: 400, request id: 4fc65c80-2a26-4162-8050-aa8922e066b4
=== RUN   TestAccAWSSecurityGroup_drift_complex
--- PASS: TestAccAWSSecurityGroup_drift_complex (38.48s)
=== RUN   TestAccAWSSecurityGroup_invalidCIDRBlock
--- PASS: TestAccAWSSecurityGroup_invalidCIDRBlock (1.64s)
=== RUN   TestAccAWSSecurityGroup_tags
--- PASS: TestAccAWSSecurityGroup_tags (52.42s)
=== RUN   TestAccAWSSecurityGroup_CIDRandGroups
--- PASS: TestAccAWSSecurityGroup_CIDRandGroups (38.03s)
=== RUN   TestAccAWSSecurityGroup_ingressWithCidrAndSGs
--- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs (35.97s)
=== RUN   TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic
--- FAIL: TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic (28.64s)
	testing.go:518: Step 0 error: Error applying: 1 error(s) occurred:

		* aws_security_group.web: 1 error(s) occurred:

		* aws_security_group.web: Error authorizing security group ingress rules: InvalidGroupId.Malformed: Invalid id: "tf_other_acc_tests" (expecting "sg-...")
			status code: 400, request id: 8c1edee0-80ae-4143-ba1b-23d6aa945ab6
=== RUN   TestAccAWSSecurityGroup_egressWithPrefixList
--- FAIL: TestAccAWSSecurityGroup_egressWithPrefixList (19.03s)
	testing.go:518: Step 0 error: Error applying: 1 error(s) occurred:

		* aws_vpc_endpoint.s3-us-west-2: 1 error(s) occurred:

		* aws_vpc_endpoint.s3-us-west-2: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.us-west-2.s3' does not exist
			status code: 400, request id: d3a27287-e81b-4ff4-a93b-e6b774a3dc8c
=== RUN   TestAccAWSSecurityGroup_emptyRuleDescription
--- PASS: TestAccAWSSecurityGroup_emptyRuleDescription (33.43s)
=== RUN   TestAccAWSSecurityGroup_ipv4andipv6Egress
--- PASS: TestAccAWSSecurityGroup_ipv4andipv6Egress (32.28s)
=== RUN   TestAccAWSSecurityGroup_failWithDiffMismatch
--- PASS: TestAccAWSSecurityGroup_failWithDiffMismatch (39.12s)
FAIL
FAIL	github.com/terraform-providers/terraform-provider-aws/aws	2551.544s

TF_ACC=1 go test ./aws -v -run=TestAccAWSSecurityGroup_importPrefixList -timeout 120m
=== RUN   TestAccAWSSecurityGroup_importPrefixList
--- PASS: TestAccAWSSecurityGroup_importPrefixList (50.96s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	51.009s

TF_ACC=1 go test ./aws -v -run=TestAccAWSSecurityGroup_egressWithPrefixList -timeout 120m
=== RUN   TestAccAWSSecurityGroup_egressWithPrefixList
--- PASS: TestAccAWSSecurityGroup_egressWithPrefixList (51.42s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	51.468s

@loivis loivis changed the title resource/security_group: fix rule description override resource/security_group: fix rule gathering with description included May 1, 2018
@bflad bflad added bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. labels May 4, 2018
bflad
bflad reviewed May 9, 2018
View reviewed changes
aws/resource_aws_security_group.go
if v := perm.ToPort; v != nil {
toPort = *v
}
k := fmt.Sprintf("%s-%d-%d-%s", *perm.IpProtocol, fromPort, toPort, desc)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was previously: k := fmt.Sprintf("%s-%d-%d", *perm.IpProtocol, fromPort, toPort)

Doesn't the addition of -%s need to be based on desc != "" to prevent differences when upgrading?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this map key doesn't appear to be used in the downstream code, so I think its actually okay. 👍

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, k is more of an intermediate variable

@bflad bflad added this to the v1.19.0 milestone May 10, 2018
bflad
bflad approved these changes May 10, 2018
View reviewed changes
Copy link
Contributor

@bflad bflad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've run the acceptance testing a few times now with passing results. Let's get this in. I believe it will be okay for provider upgrades. Thanks so much @loivis 🚀

56 tests passed (all tests)
=== RUN   TestAccAWSSecurityGroupRule_ExpectInvalidCIDR
--- PASS: TestAccAWSSecurityGroupRule_ExpectInvalidCIDR (2.66s)
=== RUN   TestAccAWSSecurityGroupRule_ExpectInvalidTypeError
--- PASS: TestAccAWSSecurityGroupRule_ExpectInvalidTypeError (2.70s)
=== RUN   TestAccAWSSecurityGroupRule_Issue5310
--- PASS: TestAccAWSSecurityGroupRule_Issue5310 (16.96s)
=== RUN   TestAccAWSSecurityGroupRule_Ingress_Classic
--- PASS: TestAccAWSSecurityGroupRule_Ingress_Classic (17.07s)
=== RUN   TestAccAWSSecurityGroupRule_Egress
--- PASS: TestAccAWSSecurityGroupRule_Egress (42.76s)
=== RUN   TestAccAWSSecurityGroupRule_EgressDescription
--- PASS: TestAccAWSSecurityGroupRule_EgressDescription (49.40s)
=== RUN   TestAccAWSSecurityGroupRule_IngressDescription
--- PASS: TestAccAWSSecurityGroupRule_IngressDescription (60.88s)
=== RUN   TestAccAWSSecurityGroupRule_Ingress_VPC
--- PASS: TestAccAWSSecurityGroupRule_Ingress_VPC (105.04s)
=== RUN   TestAccAWSSecurityGroupRule_Ingress_Ipv6
--- PASS: TestAccAWSSecurityGroupRule_Ingress_Ipv6 (108.12s)
=== RUN   TestAccAWSSecurityGroupRule_EgressDescription_updates
--- PASS: TestAccAWSSecurityGroupRule_EgressDescription_updates (55.02s)
=== RUN   TestAccAWSSecurityGroupRule_IngressDescription_updates
--- PASS: TestAccAWSSecurityGroupRule_IngressDescription_updates (79.24s)
=== RUN   TestAccAWSSecurityGroupRule_MultiIngress
--- PASS: TestAccAWSSecurityGroupRule_MultiIngress (124.69s)
=== RUN   TestAccAWSSecurityGroup_importIPRangesWithSameRules
--- PASS: TestAccAWSSecurityGroup_importIPRangesWithSameRules (147.76s)
=== RUN   TestAccAWSSecurityGroup_basic
--- PASS: TestAccAWSSecurityGroup_basic (65.18s)
=== RUN   TestAccAWSSecurityGroup_importIPRangeAndSecurityGroupWithSameRules
--- PASS: TestAccAWSSecurityGroup_importIPRangeAndSecurityGroupWithSameRules (194.56s)
=== RUN   TestAccAWSSecurityGroup_namePrefix
--- PASS: TestAccAWSSecurityGroup_namePrefix (12.45s)
=== RUN   TestAccAWSSecurityGroup_importPrefixList
--- PASS: TestAccAWSSecurityGroup_importPrefixList (275.26s)
=== RUN   TestAccAWSSecurityGroup_vpc
--- PASS: TestAccAWSSecurityGroup_vpc (65.73s)
=== RUN   TestAccAWSSecurityGroup_ipv6
--- PASS: TestAccAWSSecurityGroup_ipv6 (193.64s)
=== RUN   TestAccAWSSecurityGroupRule_Ingress_Protocol
--- PASS: TestAccAWSSecurityGroupRule_Ingress_Protocol (347.22s)
=== RUN   TestAccAWSSecurityGroupRule_PrefixListEgress
--- PASS: TestAccAWSSecurityGroupRule_PrefixListEgress (352.82s)
=== RUN   TestAccAWSSecurityGroup_self
--- PASS: TestAccAWSSecurityGroup_self (163.93s)
=== RUN   TestAccAWSSecurityGroup_vpcNegOneIngress
--- PASS: TestAccAWSSecurityGroup_vpcNegOneIngress (34.86s)
=== RUN   TestAccAWSSecurityGroupRule_MultiDescription
--- PASS: TestAccAWSSecurityGroupRule_MultiDescription (300.43s)
=== RUN   TestAccAWSSecurityGroup_MultiIngress
--- PASS: TestAccAWSSecurityGroup_MultiIngress (33.55s)
=== RUN   TestAccAWSSecurityGroupRule_SelfSource
--- PASS: TestAccAWSSecurityGroupRule_SelfSource (389.76s)
=== RUN   TestAccAWSSecurityGroup_tagsCreatedFirst
--- PASS: TestAccAWSSecurityGroup_tagsCreatedFirst (224.03s)
=== RUN   TestAccAWSSecurityGroup_DefaultEgress_Classic
--- PASS: TestAccAWSSecurityGroup_DefaultEgress_Classic (14.58s)
=== RUN   TestAccAWSSecurityGroup_invalidCIDRBlock
--- PASS: TestAccAWSSecurityGroup_invalidCIDRBlock (0.93s)
=== RUN   TestAccAWSSecurityGroup_vpcProtoNumIngress
--- PASS: TestAccAWSSecurityGroup_vpcProtoNumIngress (62.97s)
=== RUN   TestAccAWSSecurityGroup_drift
--- PASS: TestAccAWSSecurityGroup_drift (19.53s)
=== RUN   TestAccAWSSecurityGroup_generatedName
--- PASS: TestAccAWSSecurityGroup_generatedName (57.91s)
=== RUN   TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic
--- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs_classic (18.30s)
=== RUN   TestAccAWSSecurityGroup_DefaultEgress_VPC
--- PASS: TestAccAWSSecurityGroup_DefaultEgress_VPC (131.30s)
=== RUN   TestAccAWSSecurityGroupRule_PartialMatching_Source
--- PASS: TestAccAWSSecurityGroupRule_PartialMatching_Source (534.96s)
=== RUN   TestAccAWSSecurityGroup_Change
--- PASS: TestAccAWSSecurityGroup_Change (203.09s)
=== RUN   TestAccAWSSecurityGroup_emptyRuleDescription
--- PASS: TestAccAWSSecurityGroup_emptyRuleDescription (61.21s)
=== RUN   TestAccAWSSecurityGroup_importBasic
--- PASS: TestAccAWSSecurityGroup_importBasic (581.05s)
=== RUN   TestAccAWSSecurityGroup_CIDRandGroups
--- PASS: TestAccAWSSecurityGroup_CIDRandGroups (180.83s)
=== RUN   TestAccAWSSecurityGroup_ipv4andipv6Egress
--- PASS: TestAccAWSSecurityGroup_ipv4andipv6Egress (50.31s)
=== RUN   TestAccAWSSecurityGroup_tags
--- PASS: TestAccAWSSecurityGroup_tags (198.53s)
=== RUN   TestAccAWSSecurityGroup_failWithDiffMismatch
--- PASS: TestAccAWSSecurityGroup_failWithDiffMismatch (41.48s)
=== RUN   TestAccAWSSecurityGroup_ingressWithCidrAndSGs
--- PASS: TestAccAWSSecurityGroup_ingressWithCidrAndSGs (195.00s)
=== RUN   TestAccAWSSecurityGroup_drift_complex
--- PASS: TestAccAWSSecurityGroup_drift_complex (216.36s)
=== RUN   TestAccAWSSecurityGroupRule_SelfReference
--- PASS: TestAccAWSSecurityGroupRule_SelfReference (617.02s)
=== RUN   TestAccAWSSecurityGroupRule_PartialMatching_basic
--- PASS: TestAccAWSSecurityGroupRule_PartialMatching_basic (633.79s)
=== RUN   TestAccAWSSecurityGroup_importIpv6
--- PASS: TestAccAWSSecurityGroup_importIpv6 (638.11s)
=== RUN   TestAccAWSSecurityGroup_ruleGathering
--- PASS: TestAccAWSSecurityGroup_ruleGathering (591.87s)
=== RUN   TestAccAWSSecurityGroup_basicRuleDescription
--- PASS: TestAccAWSSecurityGroup_basicRuleDescription (576.28s)
=== RUN   TestAccAWSSecurityGroup_ChangeRuleDescription
--- PASS: TestAccAWSSecurityGroup_ChangeRuleDescription (406.80s)
=== RUN   TestAccAWSSecurityGroup_importSourceSecurityGroup
--- PASS: TestAccAWSSecurityGroup_importSourceSecurityGroup (788.29s)
=== RUN   TestAccAWSSecurityGroup_importSelf
--- PASS: TestAccAWSSecurityGroup_importSelf (816.38s)
=== RUN   TestAccAWSSecurityGroup_egressWithPrefixList
--- PASS: TestAccAWSSecurityGroup_egressWithPrefixList (418.46s)
=== RUN   TestAccAWSSecurityGroup_forceRevokeRules_true
--- PASS: TestAccAWSSecurityGroup_forceRevokeRules_true (875.54s)
=== RUN   TestAccAWSSecurityGroup_forceRevokeRules_false
--- PASS: TestAccAWSSecurityGroup_forceRevokeRules_false (924.98s)
=== RUN   TestAccAWSSecurityGroupRule_Race
--- PASS: TestAccAWSSecurityGroupRule_Race (1052.94s)

@bflad bflad merged commit 1b4249c into hashicorp:master May 10, 2018
bflad added a commit that referenced this pull request May 10, 2018
@bflad
Update CHANGELOG for #4416
b56b195
This was referenced May 10, 2018
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
@loivis loivis deleted the r-security-group-rule-description branch May 11, 2018 07:24
@bflad
Copy link
Contributor

bflad commented May 17, 2018

This has been released in version 1.19.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@zioalex
Copy link

zioalex commented May 29, 2018

@bflad the issue #2879 doesn't seem to be fix by this.
Here the error

aws_security_group.private: Modifying... (ID: sg-e3327a99)
  ingress.#:                             "4" => "3"
  ingress.1004056048.cidr_blocks.#:      "1" => "1"
  ingress.1004056048.cidr_blocks.0:      "10.123.248.0/22" => "10.123.248.0/22"
  ingress.1004056048.description:        "" => ""
  ingress.1004056048.from_port:          "0" => "0"
  ingress.1004056048.ipv6_cidr_blocks.#: "0" => "0"
  ingress.1004056048.protocol:           "-1" => "-1"
  ingress.1004056048.security_groups.#:  "0" => "0"
  ingress.1004056048.self:               "false" => "false"
  ingress.1004056048.to_port:            "0" => "0"
  ingress.1098541575.cidr_blocks.#:      "1" => "0"
  ingress.1098541575.cidr_blocks.0:      "10.0.0.0/8" => ""
  ingress.1098541575.description:        "" => ""
  ingress.1098541575.from_port:          "3306" => "0"
  ingress.1098541575.ipv6_cidr_blocks.#: "0" => "0"
  ingress.1098541575.protocol:           "tcp" => ""
  ingress.1098541575.security_groups.#:  "0" => "0"
  ingress.1098541575.self:               "false" => "false"
  ingress.1098541575.to_port:            "3306" => "0"
  ingress.179083333.cidr_blocks.#:       "1" => "1"
  ingress.179083333.cidr_blocks.0:       "10.0.0.0/8" => "10.0.0.0/8"
  ingress.179083333.description:         "" => ""
  ingress.179083333.from_port:           "22" => "22"
  ingress.179083333.ipv6_cidr_blocks.#:  "0" => "0"
  ingress.179083333.protocol:            "TCP" => "tcp"
  ingress.179083333.security_groups.#:   "0" => "0"
  ingress.179083333.self:                "false" => "false"
  ingress.179083333.to_port:             "22" => "22"
  ingress.2030155270.cidr_blocks.#:      "1" => "1"
  ingress.2030155270.cidr_blocks.0:      "10.117.240.0/20" => "10.117.240.0/20"
  ingress.2030155270.description:        "" => ""
  ingress.2030155270.from_port:          "0" => "0"
  ingress.2030155270.ipv6_cidr_blocks.#: "0" => "0"
  ingress.2030155270.protocol:           "TCP" => "tcp"
  ingress.2030155270.security_groups.#:  "0" => "0"
  ingress.2030155270.self:               "false" => "false"
  ingress.2030155270.to_port:            "65535" => "65535"
module.db_password_setup.aws_security_group_rule.db_internal_allow_mariadb_net: Destruction complete after 0s

Error: Error applying plan:

1 error(s) occurred:

* aws_security_group.private: 1 error(s) occurred:

* aws_security_group.private: Error revoking security group ingress rules: InvalidPermission.NotFound: The specified rule does not exist in this security group.
	status code: 400, request id: 2c781f0c-5e3f-40fa-be0a-e0892520ecde

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

But the resource has been deleted and the next plan is clear.
There are the actual versions:

terraform -version
Using AWS_* Environment variables.Terraform v0.11.7
+ provider.aws v1.19.0
+ provider.null v1.0.0

@bflad
Copy link
Contributor

bflad commented May 29, 2018

@zioalex does it work if you capitalize the protocol of the rule you're trying to remove? e.g. protocol = "TCP" I would suggest opening a new issue rather than commenting on a closed one.

@zioalex
Copy link

zioalex commented May 30, 2018

@bflad I recreated all the resources with lower case "tcp" but it didn't help.
But I found the trick here. I was using a SG defined with ingress and egress rules defined inline.
I switched to a SG Rule Resource and not it is ok. Thanks

@bflad bflad mentioned this pull request Jun 4, 2018
Closed
@metral metral mentioned this pull request Apr 22, 2019
Closed
@ghost
Copy link

ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 5, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@bflad bflad bflad approved these changes

Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. size/L Managed by automation to categorize the size of a PR.
Projects
None yet
Milestone
v1.19.0
3 participants
@loivis @bflad @zioalex