
[Bug]: Computed Security Groups for aws_lb trigger a replacement when load_balancer_type == "network" #33813

Closed
jphelton opened this issue Oct 8, 2023 · 3 comments
Labels
bug Addresses a defect in current functionality. service/elbv2 Issues and PRs that pertain to the elbv2 service.

Comments

@jphelton
Contributor

jphelton commented Oct 8, 2023

Terraform Core Version

1.5.7

AWS Provider Version

5.20.0

Affected Resource(s)

  • resource "aws_lb"

Expected Behavior

Background

Per the AWS docs (links have been provided in the references section)

  • You can associate security groups with a Network Load Balancer when you create it. If you create a Network Load Balancer without associating any security groups, you can't associate them with the load balancer later on. We recommend that you associate a security group with your load balancer when you create it.

  • After you create a Network Load Balancer with associated security groups, you can change the security groups associated with the load balancer at any time.

Steps and Expected Behavior

  • In my main.tf I create a security group and an NLB (with the newly created security group attached to it).
  • Next I update my main.tf file to create a second security group and attach it to the existing NLB.
  • From the AWS docs I would expect this to be an "in-place" update that doesn't require the creation of a new NLB.

Actual Behavior

When I run terraform plan I see that Terraform is trying to create a new NLB instead of updating it in place.

  • This behavior is only present when the security_groups field is "computed", i.e. the values are not known at plan time but will become available at some point during the apply operation.
  • If I create the security groups outside of Terraform and pass them in as variables, this error does not occur.

Relevant Error/Panic Output Snippet

~ security_groups = [ # forces replacement
    - "sg-<security group id>",
    - "sg-0f9ca20d0cfdce3a4",
  ] -> (known after apply) # forces replacement

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.19"
    }
  }
}

variable "vpc_id" {
  type = string
}

variable "subnets" {
  type = list(string)
}

variable "num_sgs" {
  type    = number
  default = 1
}

# Security groups created in the same apply, so their ids are computed at plan time.
resource "aws_security_group" "sg" {
  count  = var.num_sgs
  vpc_id = var.vpc_id
}

resource "aws_lb" "lb" {
  subnets            = var.subnets
  load_balancer_type = "network"
  security_groups    = [for sg in aws_security_group.sg : sg.id]
}

Steps to Reproduce

  1. Run terraform apply -auto-approve
  2. Run terraform plan -var num_sgs=2

In the plan output you'll see that the NLB is being replaced, even though updating security groups can be done in-place.

Debug Output

No response

Panic Output

No response

Important Factoids

Looking around in the code, the source of the issue appears to be diff.GetChange("security_groups"). When returning a Set object where the value is Computed, the default behavior of the Terraform provider is to return an empty set. We could optimize this by also calling diff.NewValueKnown("security_groups.#") to determine if the value is computed.

References

AWS Reference Docs

Relevant Terraform Provider Links

Would you like to implement a fix?

Yes
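To make the analysis in "Important Factoids" concrete, here is an added Go example (not the provider's code) contrasting a replacement check that relies only on GetChange with one that first consults NewValueKnown("security_groups.#"). It assumes a simplified sgDiff interface with []string values in place of *schema.ResourceDiff and *schema.Set, and assumes the replacement rule is an empty/non-empty transition of the set in either direction (the AWS docs quoted above justify the empty-to-non-empty case; the reverse direction is assumed for illustration).

```go
package main

import "fmt"

// sgDiff is a hypothetical stand-in for the two schema.ResourceDiff calls the
// issue discusses (GetChange and NewValueKnown), simplified to []string so the
// logic runs without the Terraform plugin SDK.
type sgDiff interface {
	GetChange(key string) (oldVal, newVal []string)
	NewValueKnown(key string) bool
}

// fakeDiff mimics the SDK behaviour described in the issue: when the new
// value is computed, GetChange hands back an empty set for the new side.
type fakeDiff struct {
	oldSGs, newSGs []string
	known          bool
}

func (f fakeDiff) GetChange(string) ([]string, []string) {
	if !f.known {
		return f.oldSGs, nil // computed set comes back empty
	}
	return f.oldSGs, f.newSGs
}

func (f fakeDiff) NewValueKnown(string) bool { return f.known }

// forceNewNaive reproduces the reported defect: it only looks at GetChange, so
// a computed set is indistinguishable from an explicitly empty one. The rule
// itself (assumed here) is that the NLB must be replaced when security groups
// go from none to some or from some to none.
func forceNewNaive(d sgDiff) bool {
	oldSGs, newSGs := d.GetChange("security_groups")
	return (len(oldSGs) == 0) != (len(newSGs) == 0)
}

// forceNewComputedAware applies the fix the issue proposes: check whether the
// set's element count is known before comparing; an unknown set cannot justify
// forcing a replacement at plan time.
func forceNewComputedAware(d sgDiff) bool {
	if !d.NewValueKnown("security_groups.#") {
		return false
	}
	return forceNewNaive(d)
}

func main() {
	// Constructed scenario from the issue: two existing groups, new value computed.
	d := fakeDiff{oldSGs: []string{"sg-aaa", "sg-bbb"}, known: false}
	fmt.Printf("naive=%v computed-aware=%v\n", forceNewNaive(d), forceNewComputedAware(d))
}
```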

@jphelton jphelton added the bug Addresses a defect in current functionality. label Oct 8, 2023
@github-actions github-actions bot added service/elbv2 Issues and PRs that pertain to the elbv2 service. service/vpc Issues and PRs that pertain to the vpc service. labels Oct 8, 2023
@github-actions

github-actions bot commented Oct 8, 2023

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 8, 2023
@ewbankkit ewbankkit removed needs-triage Waiting for first response or review from a maintainer. service/vpc Issues and PRs that pertain to the vpc service. labels Oct 9, 2023
@justinretzolk
Member

Closed via #33205

