aws_security_group: DependencyViolation: resource sg-XXX has a dependent object #11047
Comments
Same issue seen on terraform-0.7.13.
I'm having the same problem with v0.8.5
Hitting the issue regularly now with Terraform 0.8.8.
I can confirm I'm also hitting the issue regularly in v0.8.8.
It looks like Terraform is indeed waiting for some dependent object on the Security Group...
An anecdotal update on this. When I manually delete the Security Group from the AWS Console, Terraform immediately continues executing, so I suspect there's some bug around deleting a Security Group or first terminating an EC2 Instance and then deleting the Security Group.
I run into the same situation, I need to manually delete the network interfaces from the security groups and then it works.
This appears to be an order of execution problem. I ran into it with security groups. I have verified:
I will explore some more and update this issue as I find more detail. As a workaround for other users I offer the following: While the destroy is underway ...
Still hitting this on Terraform 0.9. Can maintainers make an official decision on whether to declare this a bug?
Hi all. I've experienced the same error message today when renaming security groups. I suspect that my EC2 instance is the dependent object since my environment is quite low-key (1 EC2 instance, 1 ELB, 1 RDS instance and security groups, subnets to make things communicate). Terraform version: 0.9.1
I am also experiencing this with two interdependent security groups (each refers to the other as a source). Terraform v0.9.3
We're still suffering from this and it's causing build failures in our automated Terraform tests up to 50% of the time. Is there an update on this?
I am on v0.9.6 and I am also running into this issue.
I'm on 0.9.5 and still see this issue.
I ran into this with 0.9.3. I'm not sure what the Terraform-side answer is since the API pretty much just says, "Dependency failure." From a Terraform provider perspective, one would have to write something that would at least attempt to resolve what that dependency is and either present it to the user or automatically take some kind of action. In my case I was trying to delete a security group that was itself the source security group of a rule on another security group ("Let 'sg-being-destroyed' access this security group on port '80', protocol 'tcp'"). When I removed this rule from the other SG, Terraform finished destroying successfully. I've spoken to others who were able to resolve this issue by attempting to delete the object via the AWS management console - the console will do the legwork of finding the conflict for you.
I am on 0.9.11 and still see this issue.
This happened to me recently after I implemented this after having issues renaming my launch configuration. Using
I still see it on Terraform v0.9.9.
Apparently still a problem in Terraform 0.10.

```hcl
resource "aws_instance" "temp_bastion" {
  subnet_id = "${var.vpc_public_subnets[0]}"
  instance_type = "t2.nano"
  ami = "${var.dcos_ami}"
  key_name = "${var.ec2_keypair}"
  associate_public_ip_address = true
  vpc_security_group_ids = ["${var.vpc_security_group_public_id}", "${aws_security_group.bastion.id}"]

  root_block_device {
    volume_type = "gp2"
    volume_size = "20"
  }

  tags {
    "TerraForm" = "True"
    "Name" = "${var.dcos_cluster_name}-bastion"
    "Environment" = "${var.tf_env_name}"
  }

  volume_tags {
    "TerraForm" = "True"
    "Name" = "${var.dcos_cluster_name}-bastion"
    "Environment" = "${var.tf_env_name}"
  }
}

resource "aws_security_group" "bastion" {
  vpc_id = "${data.aws_subnet.public.vpc_id}"
  name = "appBastion"

  ingress {
    from_port = 22
    to_port = 22
    protocol = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    "Name" = "appBastion"
    "Environment" = "${var.tf_env_name}"
    "TerraForm" = "True"
  }
}
```

Changing the name of the SG produces the behavior described by previous posters.
Interestingly, adding
Still in v.0.10.3. I changed the description of an SG which triggers a new resource and then this failure.
This error is coming from the AWS API itself. Terraform is retrying it for five minutes because sometimes when e.g. an EC2 instance is connected with a security group there is a delay between the instance being destroyed and its network interface being destroyed, and the network interface "holds on to" the security group. The relationship between network interface and instance is something Terraform doesn't directly manage -- it's done behind the scenes as part of the EC2 instances API -- and so this five-minute retry loop was put into place to allow us to wait until this hidden process completes and the network interface is deleted. It sounds like there's either a situation where the network interface takes longer than five minutes to detach or where some other object is attached to the security group that Terraform can't "see". Either way, this is going to require some research to understand what's going on, so I'm going to have our bot move this over to the AWS provider repository where it's more likely to be seen by those working on that provider.
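The two hidden dependencies described in this thread (a network interface that still carries the group, and a rule on another group that names it as a source) can be listed before a destroy is attempted. The following is an added example, not code from Terraform or from any commenter; it runs on constructed sample data shaped like the JSON output of `aws ec2 describe-network-interfaces` and `aws ec2 describe-security-groups`, and the function name and all IDs are assumptions.

```python
# Constructed sample data (IDs are made up), shaped like the JSON returned by
# `aws ec2 describe-network-interfaces` and `aws ec2 describe-security-groups`.
TARGET = "sg-0aaa"  # the group whose deletion fails with DependencyViolation
SAMPLE_ENIS = {"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0111", "Status": "in-use",
     "Description": "ELB example-elb", "Groups": [{"GroupId": "sg-0aaa"}]},
    {"NetworkInterfaceId": "eni-0222", "Status": "available",
     "Description": "", "Groups": [{"GroupId": "sg-0bbb"}]},
]}
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-0aaa", "IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissionsEgress": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
]}


def find_dependents(group_id, enis, sgs):
    """List what still references group_id: ENIs carrying it and rules naming it."""
    eni_hits = [
        (eni["NetworkInterfaceId"], eni.get("Status"), eni.get("Description", ""))
        for eni in enis.get("NetworkInterfaces", [])
        if any(g.get("GroupId") == group_id for g in eni.get("Groups", []))
    ]
    rule_hits = []
    for sg in sgs.get("SecurityGroups", []):
        if sg["GroupId"] == group_id:
            continue  # a group's own self-referencing rules are removed with it
        for direction in ("IpPermissions", "IpPermissionsEgress"):
            for perm in sg.get(direction, []):
                for pair in perm.get("UserIdGroupPairs", []):
                    if pair.get("GroupId") == group_id:
                        rule_hits.append((sg["GroupId"], direction,
                                          perm.get("IpProtocol"),
                                          perm.get("FromPort"), perm.get("ToPort")))
    return eni_hits, rule_hits


if __name__ == "__main__":
    eni_hits, rule_hits = find_dependents(TARGET, SAMPLE_ENIS, SAMPLE_SGS)
    for eni_id, status, desc in eni_hits:
        print(f"{TARGET} is still attached to {eni_id} ({status}) {desc}")
    for sg_id, direction, proto, lo, hi in rule_hits:
        print(f"{TARGET} is referenced by {sg_id} {direction} {proto} {lo}-{hi}")
```
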
I think some people here are encountering a slightly different problem where they are trying to apply a plan with an action like I don't think there's any way we can support replacement of the security group without also replacing the EC2 instance, but there is a limitation here similar to hashicorp/terraform-provider-aws#1315 where Terraform would ideally be able to understand that the instance must be replaced in order to replace the security group and correctly describe that in the diff, allowing the user to decide what to do. Since we already have #16065 open to discuss a core change to help Terraform detect and handle that scenario, let's consider this particular issue to be about the unexplained occurrences of this "has a dependent object" error, where it comes up specifically during
This issue has been automatically migrated to hashicorp/terraform-provider-aws#1671 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to this issue and let us know.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform Version
Terraform v0.8.2
Affected Resource(s)
Terraform Configuration Files
This is part of a larger configuration, but I think the relevant parts are as follows.
Under modules/webserver-cluster/main.tf, I define a module with the following code:
In a separate folder, I use this module in the usual way, but also add a custom security group rule:
Expected Behavior
I expect to be able to run terraform apply and terraform destroy without errors.
Actual Behavior
terraform apply works fine. Occasionally, terraform destroy fails with the following error:
Steps to Reproduce
terraform apply
terraform destroy
Important Factoids
It's an intermittent issue, so I can't be sure, but I don't think this error happened with Terraform 0.7.x.