Security Group vs Rule requires apply to be run twice #10095
Labels: bug (Addresses a defect in current functionality.), service/ec2 (Issues and PRs that pertain to the ec2 service.)
After `terraform import` of a Security Group, both the `aws_security_group` and associated `aws_security_group_rule` resources are added to the state file, as noted in other issues.

Apparently there is no way to import a SG to HCL with inline ingress/egress blocks without (at least temporarily) destroying the rules and running `terraform apply` twice. That is an unacceptable tradeoff, since it imposes downtime on infrastructure, breaks CD, etc.

If SG import requires atomic `aws_security_group_rule` resources, that requirement should be more explicitly documented.

Terraform Version
v0.12.8
v2.22.0
Affected Resource(s)
aws_security_group
aws_security_group_rule
Terraform Configuration Files
Expected Behavior
`terraform import aws_security_group...` should allow targeting inline ingress/egress blocks without requiring downtime and multiple applies.

After the first successful `terraform apply`, with no changes, `terraform plan` should show no pending changes.

Actual Behavior
After `apply` succeeds, `plan` shows that ingress and egress blocks need to be created. (Indeed, in the console the ingress/egress rules of the SG have been destroyed.) The point is, between the first apply and the next, no code or infrastructure has changed. This is the definition of when plan/apply should be clean.

Steps to Reproduce
1. `resource "aws_security_group" "mygroup" {...}` in tf file (but not rules)
2. `terraform import aws_security_group.mygroup sg-123456`
3. `terraform apply`
4. `terraform apply` (again)

References
See:
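For contrast, here is an added example (not from the issue report or the provider's own documentation) of the two configuration shapes the report discusses: the inline ingress/egress form, which the reporter finds cannot be imported without an apply that first strips the live rules, and the equivalent form with standalone `aws_security_group_rule` resources, which can be imported into state one rule at a time so the group's rules are never removed from the running infrastructure. The group name, VPC ID and CIDR ranges are constructed placeholders.

```hcl
# Form A: rules inline in the group. After `terraform import` of the group,
# plan wants to (re)create these blocks and the first apply removes the live
# rules, which is the downtime window the report describes.
resource "aws_security_group" "inline" {
  name   = "example-inline"
  vpc_id = "vpc-PLACEHOLDER"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Form B: the group itself carries no rule blocks; every rule is its own
# resource, so the group and each rule can be imported separately and a
# subsequent plan has nothing to destroy.
resource "aws_security_group" "atomic" {
  name   = "example-atomic"
  vpc_id = "vpc-PLACEHOLDER"
}

resource "aws_security_group_rule" "https_in" {
  type              = "ingress"
  security_group_id = aws_security_group.atomic.id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["10.0.0.0/16"]
}

resource "aws_security_group_rule" "all_out" {
  type              = "egress"
  security_group_id = aws_security_group.atomic.id
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}
```

With Form B, the import sequence is `terraform import aws_security_group.atomic sg-PLACEHOLDER`, then one import per rule using the provider's documented rule ID format (group ID, type, protocol, from port, to port and CIDR joined by underscores), e.g. `terraform import aws_security_group_rule.https_in sg-PLACEHOLDER_ingress_tcp_443_443_10.0.0.0/16`. The check worth doing before any apply is `terraform plan`: if every live rule has been imported, it reports no changes, and an unexpected "destroy" on a rule means a live rule is missing from the configuration, not that the configuration is wrong.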