Terraform Apply always modifies a Security Group in place
My Terraform project always seems to modify this aws_security_group.jacobs_rds_security_group_tf resource in-place when I run terraform apply. Everything still works; it just makes debugging weird when I always have an extra resource getting modified even though nothing about it is changing.
I have 2 security groups; 1 is for my RDS DB which whitelists incoming traffic, and the other is for tasks and it attaches to my ECS & Lambda tasks so they can access this RDS DB. The Task Security Group is whitelisted in the RDS Security Group.
The RDS Security group (aws_security_group.jacobs_rds_security_group_tf) is the one that is always getting modified in-place. Below is the code.
resource "aws_vpc" "jacobs_vpc_tf" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
}

resource "aws_security_group" "jacobs_task_security_group_tf" {
  name        = "jacobs_security_group for tasks"
  description = "Connect Tasks to RDS"
  vpc_id      = aws_vpc.jacobs_vpc_tf.id

  ingress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}

resource "aws_security_group" "jacobs_rds_security_group_tf" {
  name        = "jacobs_security_group for rds"
  description = "Allow Jacobs Traffic to RDS"
  vpc_id      = aws_vpc.jacobs_vpc_tf.id

  ingress {
    description = "Custom IP Addresses"
    from_port   = 5432
    to_port     = 5432
    protocol    = "tcp"
    cidr_blocks = var.jacobs_cidr_block
  }

  ingress {
    description     = "Other Security Groups"
    from_port       = -1
    to_port         = -1
    protocol        = "all"
    security_groups = [aws_security_group.jacobs_task_security_group_tf.id] # this should be changed to vpc_security_group_ids ?
  }

  # outbound
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }
}
I research this problem about once a month and screw around with the Terraform to try & fix it and have had no success. The GitHub issues I come across don't seem to apply to my setup, but maybe I'm missing something obvious? Any help would be appreciated!
I think your problem is that you have this ingress rule:

  ingress {
    description     = "Other Security Groups"
    from_port       = -1
    to_port         = -1
    protocol        = "all"
    security_groups = [aws_security_group.jacobs_task_security_group_tf.id]
  }
You have the from_port and to_port set to -1. You should set them to 0. From the docs:

"If you select a protocol of -1 (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0."
What is happening in this case is that Terraform (or the AWS API used by Terraform) will set them to 0, without erroring out. Since there was a change after the apply, Terraform will detect it when you do a plan again.
Moreover, I think the docs are not accurate here: setting protocol to all is allowed (at least with the Terraform version I've tried, v1.0.11, AWS provider version 3.70.0).