terraform-provider-aws
[Bug]: Terraform cannot modify the primary security group of a Network Interface
Terraform Core Version
Terraform v1.3.0 on linux_amd64
AWS Provider Version
4.15.1
Affected Resource(s)
If I modify the name of an AWS network interface, Terraform needs to destroy and create the new security group. This fails because the network interface must have a security group attached (it cannot have no security group), so Terraform tries to delete the security group before creating the new one and attaching it, but it fails with a resource dependency error after ~15 min:
Error deleting security group: DependencyViolation: resource sg-redacted has a dependent object
│ status code: 400, request id: 4322a14f-redacted
This as far as I can tell makes it impossible to change the name of the primary (and only) security group attached to a network interface.
Expected Behavior
Terraform should correctly order the resources such that it creates and attaches the new security group before removing the old one, so that changing the name works correctly.
Actual Behavior
Terraform spends 15 min trying to destroy the security group so it can create a new security group with the updated name. Ultimately it fails with a timeout:
Error deleting security group: DependencyViolation: resource sg-redacted has a dependent object
│ status code: 400, request id: 4322a14f-redacted
Relevant Error/Panic Output Snippet
Error deleting security group: DependencyViolation: resource sg-redacted has a dependent object
│ status code: 400, request id: 4322a14f-redacted
Terraform Configuration Files
```hcl
resource "aws_instance" "redacted" {
  count = var.server_count["nodes"]

  key_name      = var.keypair
  ami           = var.ami_map[var.ami[count.index]]
  instance_type = var.server_type[count.index]
  user_data     = module.user_data[count.index].user_data

  # The instance's primary interface is the separately managed ENI below.
  network_interface {
    network_interface_id = aws_network_interface.serverEth0[count.index].id
    device_index         = 0
  }

  root_block_device {
    volume_type = "gp2"
    volume_size = var.root_volsize[count.index]
  }

  credit_specification {
    cpu_credits = "standard" # disable unlimited, throttle instance instead of consuming credits
  }

  tags = {
    Name = var.hostname[count.index]
  }

  lifecycle {
    ignore_changes = [tags]
  }
}

resource "aws_network_interface" "serverEth0" {
  count = var.server_count["nodes"]

  subnet_id = var.subnet_production["Infrastructure"]
  # The ENI's one and only security group comes from the module below.
  security_groups = [module.ingress_rules[count.index].security_group_id]
  private_ips     = [var.server_ip[count.index]]

  tags = {
    Name = "${var.hostname[count.index]}-eth0"
  }
}

#############################################################################
module "ingress_rules" {
  source = "../../module/security_rules"
  count  = var.server_count["nodes"]

  name         = "redacted-${var.hostname[count.index]}"
  tag_name     = "redacted-${var.hostname[count.index]}"
  custom_rules = var.custom_ingress
}
```

Module code below:

```hcl
resource "aws_security_group" "ingress_rules" {
  name        = var.name
  description = var.description
  vpc_id      = var.aws_vpc

  # SSH

  tags = {
    tag_name = var.tag_name
  }
}

resource "aws_security_group_rule" "standard_ingress" {
  for_each = var.standard_rules

  type              = each.value.type
  description       = each.value.description
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  cidr_blocks       = each.value.cidr_blocks
  protocol          = each.value.protocol
  security_group_id = aws_security_group.ingress_rules.id
}

resource "aws_security_group_rule" "custom_ingress" {
  for_each = var.custom_rules

  type              = each.value.type
  description       = each.value.description
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  cidr_blocks       = each.value.cidr_blocks
  protocol          = each.value.protocol
  security_group_id = aws_security_group.ingress_rules.id
}
```
Steps to Reproduce
1. Create an AWS VM with a primary network interface and security group.
2. Modify the name of the security group.
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
No response
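The failure described in this report comes from Terraform's default replacement order (destroy the old resource, then create the new one), which can never succeed for a security group that an ENI must keep attached. The configuration below is an added example, not the reporter's module and not provider code: it reworks the module's aws_security_group with a create_before_destroy lifecycle so that Terraform creates the replacement group, updates aws_network_interface.security_groups in place to reference it, and only then deletes the old group. Variable names (var.name, var.description, var.aws_vpc, var.tag_name, var.custom_rules) are taken from the posted module; the switch from name to name_prefix is this example's own choice, explained in the comments.

```hcl
# Added example, not the issue reporter's configuration.
# Drop-in replacement for the aws_security_group in module "security_rules".
resource "aws_security_group" "ingress_rules" {
  # name_prefix instead of name: AWS requires security group names to be unique
  # within a VPC, so when the name itself does not change (e.g. only the
  # description changes, which also forces replacement) a fixed name would make
  # the create-before-destroy step fail with a duplicate-group error. Terraform
  # appends a unique suffix to the prefix for every new instance of the group.
  name_prefix = "${var.name}-"
  description = var.description
  vpc_id      = var.aws_vpc

  tags = {
    tag_name = var.tag_name
  }

  lifecycle {
    # Create the new group first, re-point every dependent (here the ENI's
    # security_groups list, which the AWS provider updates in place), then
    # destroy the deposed old group. Without this Terraform tries the delete
    # first and AWS answers DependencyViolation for as long as the ENI still
    # references the group.
    create_before_destroy = true
  }
}

resource "aws_security_group_rule" "custom_ingress" {
  for_each = var.custom_rules

  type              = each.value.type
  description       = each.value.description
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  cidr_blocks       = each.value.cidr_blocks
  protocol          = each.value.protocol
  security_group_id = aws_security_group.ingress_rules.id

  lifecycle {
    # The rules are replaced too, because security_group_id changes. Creating
    # the new rule on the new group before deleting the old rule avoids a
    # window in which the group attached to the ENI has no ingress rules.
    create_before_destroy = true
  }
}

# Apply the same lifecycle block to "standard_ingress". The calling
# aws_network_interface needs no change: security_groups keeps referencing
# module.ingress_rules[count.index].security_group_id and is updated in place
# between the create and the destroy.
```

With this in place, `terraform plan` shows the group as `+/- create replacement and then destroy` instead of `-/+ destroy and then create replacement`. If a delete still fails with DependencyViolation, `aws ec2 describe-network-interfaces --filters Name=group-id,Values=<sg-id>` lists the interfaces that still reference the group, which is usually an interface outside this configuration (for example one created by a load balancer or another stack).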