
race condition for destroy of ibm_is_virtual_endpoint_gateway and ibm_is_security_group

Open powellquiring opened this issue 2 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

bug-vpc-endpoint-gateway-security-group $ tf version
Terraform v1.1.9
on darwin_amd64
+ provider registry.terraform.io/hashicorp/time v0.7.2
+ provider registry.terraform.io/ibm-cloud/ibm v1.41.0

Affected Resource(s)

  • ibm_is_security_group
  • ibm_is_virtual_endpoint_gateway

Terraform Configuration Files

Plan: 0 to add, 0 to change, 4 to destroy.
ibm_is_security_group_rule.cloud_egress_cos: Destroying... [id=r006-4886bf3e-ff62-42a5-a7dc-c21837e861c1.r006-8a4a8d7d-8ce7-4c6c-9eea-50b4ecdd3269]
ibm_is_security_group_rule.cloud_ingress_cos: Destroying... [id=r006-4886bf3e-ff62-42a5-a7dc-c21837e861c1.r006-5c313df6-e708-4bf5-ac75-91caedf11111]
ibm_is_virtual_endpoint_gateway.cos: Destroying... [id=r006-492dbaf1-5f86-4519-8ad3-1628434fbc6e]
ibm_is_virtual_endpoint_gateway.cos: Destruction complete after 0s
ibm_is_security_group_rule.cloud_egress_cos: Destruction complete after 1s
ibm_is_security_group_rule.cloud_ingress_cos: Destruction complete after 1s
ibm_is_security_group.cos: Destroying... [id=r006-4886bf3e-ff62-42a5-a7dc-c21837e861c1]
╷
│ Error: [ERROR] Error Deleting Security Group Targets : The specified endpoint gateway is not attached to any other security groups.
│ {
│     "StatusCode": 409,
│     "Headers": {
│         "Cache-Control": [
│             "max-age=0, no-cache, no-store, must-revalidate"
│         ],
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "70ae38610c4a13e0-SEA"
│         ],
│         "Content-Length": [
│             "268"
│         ],
│         "Content-Type": [
│             "application/json"
│         ],
│         "Date": [
│             "Fri, 13 May 2022 20:42:22 GMT"
│         ],
│         "Expect-Ct": [
│             "max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\""
│         ],
│         "Expires": [
│             "-1"
│         ],
│         "Pragma": [
│             "no-cache"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Vary": [
│             "Accept-Encoding"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Request-Id": [
│             "1e83b7e7-f706-462a-9d1d-b15b512cd8c7"
│         ],
│         "X-Xss-Protection": [
│             "1; mode=block"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "conflict_field",
│                 "message": "The specified endpoint gateway is not attached to any other security groups.",
│                 "target": {
│                     "name": "id",
│                     "type": "parameter",
│                     "value": "r006-492dbaf1-5f86-4519-8ad3-1628434fbc6e"
│                 }
│             }
│         ],
│         "trace": "1e83b7e7-f706-462a-9d1d-b15b512cd8c7"
│     },
│     "RawResult": null
│ }
│
│

Race condition between the destroy of ibm_is_virtual_endpoint_gateway, which is reported as destroyed, and the later destroy of the ibm_is_security_group_rule, which fails because it is the only SG attached to the endpoint_gateway.

cat sgeg.tf.bu

resource "ibm_is_security_group" "cos" {
  name           = "${local.BASENAME_CLOUD}-cos"
  vpc            = ibm_is_vpc.cloud.id
  resource_group = data.ibm_resource_group.all_rg.id
}

resource "ibm_is_security_group_rule" "cloud_ingress_cos" {
  group     = ibm_is_security_group.cos.id
  direction = "inbound"
  remote    = "10.0.0.0/8" // on prem and cloud
  tcp {
    port_min = 443
    port_max = 443
  }
}
resource "ibm_is_security_group_rule" "cloud_egress_cos" {
  group     = ibm_is_security_group.cos.id
  direction = "outbound"
  remote    = "10.0.0.0/8" // on prem and cloud
}

resource "ibm_is_virtual_endpoint_gateway" "cos" {
  vpc            = ibm_is_vpc.cloud.id
  name           = "${local.BASENAME_CLOUD}-cos"
  resource_group = data.ibm_resource_group.all_rg.id
  target {
    crn           = "crn:v1:bluemix:public:cloud-object-storage:global:::endpoint:${local.cos_endpoint}"
    resource_type = "provider_cloud_service"
  }

  security_groups = [ibm_is_security_group.cos.id]

  # one Reserved IP per zone in the VPC
  ips {
    subnet = ibm_is_subnet.cloud.id
    name   = "cos"
  }
  tags = local.tags
}

Debug Output

Steps to Reproduce

cd /tmp
git clone https://github.com/powellquiring/tfbugs
cd tfbugs/bug-vpc-endpoint-gateway-security-group
terraform init
terraform apply
mv sgeg.tf sgeg.tf.bu
terraform apply

powellquiring avatar May 13 '22 20:05 powellquiring
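The failure above is an eventual-consistency race: the endpoint gateway delete returns, Terraform moves on to the dependent security group, and the VPC API still sees the gateway attached, so it answers 409 `conflict_field`. The usual provider-side mitigation is to treat that specific 409 as transient and poll the delete until it returns 204 or 404 (target already gone), failing fast on any other error. The following Go program is an added example illustrating that pattern; it is not code from terraform-provider-ibm. The `deleteWithRetry` and `fakeVPCAPI` functions are hypothetical, and the fake API only replays the 409 body quoted in the issue a fixed number of times before succeeding.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"time"
)

// apiError mirrors the shape of the 409 body quoted in the issue:
// a StatusCode plus a Result.errors list with a machine-readable code.
type apiError struct {
	StatusCode int `json:"StatusCode"`
	Result     struct {
		Errors []struct {
			Code    string `json:"code"`
			Message string `json:"message"`
		} `json:"errors"`
		Trace string `json:"trace"`
	} `json:"Result"`
}

// deleteResponse is what the hypothetical delete call hands back:
// the HTTP status and the raw body (empty on success).
type deleteResponse struct {
	Status int
	Body   []byte
}

// isRetryableConflict is true only for the condition seen in the issue:
// a 409 whose error code is conflict_field, i.e. the gateway is still
// attached while the backend is tearing it down. Anything else is not retried.
func isRetryableConflict(r deleteResponse) bool {
	if r.Status != http.StatusConflict {
		return false
	}
	var e apiError
	if err := json.Unmarshal(r.Body, &e); err != nil {
		return false
	}
	for _, item := range e.Result.Errors {
		if item.Code == "conflict_field" {
			return true
		}
	}
	return false
}

// deleteWithRetry calls del until it succeeds (204), the target is already
// gone (404), a non-retryable error arrives, or attempts run out.
// It returns how many calls were made so the behaviour can be checked.
func deleteWithRetry(del func() deleteResponse, attempts int, wait time.Duration) (int, error) {
	var last deleteResponse
	for i := 1; i <= attempts; i++ {
		last = del()
		switch {
		case last.Status == http.StatusNoContent, last.Status == http.StatusNotFound:
			return i, nil
		case isRetryableConflict(last):
			time.Sleep(wait) // give the backend time to finish detaching
		default:
			return i, fmt.Errorf("delete failed with status %d: %s", last.Status, last.Body)
		}
	}
	return attempts, fmt.Errorf("still conflicting after %d attempts: %s", attempts, last.Body)
}

// conflictBody is a constructed sample built from the 409 shown in the issue
// (headers omitted); it is not a live API response.
const conflictBody = `{"StatusCode":409,"Result":{"errors":[{"code":"conflict_field",` +
	`"message":"The specified endpoint gateway is not attached to any other security groups.",` +
	`"target":{"name":"id","type":"parameter","value":"r006-492dbaf1-5f86-4519-8ad3-1628434fbc6e"}}],` +
	`"trace":"1e83b7e7-f706-462a-9d1d-b15b512cd8c7"}}`

// fakeVPCAPI simulates the race: the first n delete calls return the 409
// from the issue, later ones succeed with 204. Constructed for this example.
func fakeVPCAPI(conflictsBeforeSuccess int) func() deleteResponse {
	calls := 0
	return func() deleteResponse {
		calls++
		if calls <= conflictsBeforeSuccess {
			return deleteResponse{Status: http.StatusConflict, Body: []byte(conflictBody)}
		}
		return deleteResponse{Status: http.StatusNoContent}
	}
}

func main() {
	calls, err := deleteWithRetry(fakeVPCAPI(2), 5, 10*time.Millisecond)
	fmt.Println("calls:", calls, "err:", err)
}
```

The retry is deliberately narrow: only the documented `conflict_field` 409 is retried, a bounded number of times, so a genuine misconfiguration (a security group still in use by something else) still surfaces as an error instead of hanging the destroy.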

Hi @powellquiring,

Thanks for reporting the issue.

As a first step of my analysis I tried to reproduce the issue in the test.cloud.ibm account, and creation and destroy worked fine.

Also, I ran the same test case in the prod env, i.e. the cloud.ibm account, and still everything worked fine for me.

Please find the attached template and the result of the testing.

Can you please try again with the latest provider, and if the issue still persists we can have a call to discuss the issue.

resource "ibm_is_security_group" "cos" {
  name = "security-group-testing"
  #   vpc  = "r134-7b4a313e-d8cc-4d50-92ea-7dd315dadd9b"
  vpc = "r006-b0031fff-c6bb-4a4d-9afd-6c3fc9b7fb5b"
  #   resource_group = data.ibm_resource_group.all_rg.id
}

resource "ibm_is_security_group_rule" "cloud_ingress_cos" {
  group     = ibm_is_security_group.cos.id
  direction = "inbound"
  remote    = "10.0.0.0/8" // on prem and cloud
  tcp {
    port_min = 443
    port_max = 443
  }
}
resource "ibm_is_security_group_rule" "cloud_egress_cos" {
  group     = ibm_is_security_group.cos.id
  direction = "outbound"
  remote    = "10.0.0.0/8" // on prem and cloud
}

resource "ibm_is_virtual_endpoint_gateway" "endpoint_gateway" {
  name = "virtual-endpoint-gateway-cos"
  target {
    name          = "ibm-dns-server2"
    resource_type = "provider_infrastructure_service"
  }
  #   vpc             = "r134-7b4a313e-d8cc-4d50-92ea-7dd315dadd9b"
  vpc             = "r006-b0031fff-c6bb-4a4d-9afd-6c3fc9b7fb5b"
  security_groups = [ibm_is_security_group.cos.id]

}

[Screenshot: 2022-05-30 at 1:52:45 PM]

SunithaGudisagarIBM avatar May 30 '22 08:05 SunithaGudisagarIBM

I was able to reproduce using the steps provided, they are repeated below. Did you try these steps?

cd /tmp
git clone https://github.com/powellquiring/tfbugs
cd tfbugs/bug-vpc-endpoint-gateway-security-group
terraform init
terraform apply
mv sgeg.tf sgeg.tf.bu
terraform apply


powellquiring avatar May 30 '22 13:05 powellquiring

@powellquiring I followed the steps you have mentioned and I still don't face any issue; can you please help me to reproduce the issue.

Please find the screenshot of the result:

[Screenshot: 2022-05-31 at 6:51:57 PM] [Screenshot: 2022-05-31 at 6:51:46 PM]

SunithaGudisagarIBM avatar May 31 '22 13:05 SunithaGudisagarIBM