network_security_rule - unnecessary removal #115

Closed
kisamoto opened this issue Jun 21, 2017 · 3 comments · Fixed by #138
@kisamoto
Terraform Version

Terraform v0.9.8

Affected Resource(s)

  • azurerm_network_security_group
  • azurerm_network_security_rule

This could be a dependency graph generation issue in terraform core so apologies in advance if this is the incorrect place to open this bug.

Terraform Configuration Files

In a module define an azurerm_network_security_group with some security_rules:

resource "azurerm_network_security_group" "public_subnet_sg" {
  count               = "${length(var.public_subnets)}"
  name                = "${format("tf-%s-%s", element(split(",", lookup(var.public_subnets, count.index)), 0), var.environment)}"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  location            = "${var.region}"

  security_rule {
    name                       = "allow-ssh-inbound"
    description                = "allow all inbound ssh traffic"
    protocol                   = "tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
    access                     = "Allow"
    priority                   = 100
    direction                  = "Inbound"
  }
}

In a consumer of that module, define an attachment azurerm_network_security_rule:

resource "azurerm_network_security_rule" "node_port" {
  count                       = "${length(var.node_ports)}"
  name                        = "${element(split(",", element(var.node_ports, count.index)), 0)}"
  description                 = "${format("allow traffic for node port %s through to port %v", element(split(",", element(var.node_ports, count.index)), 0), element(split(",", element(var.node_ports, count.index)), 3))}"
  resource_group_name         = "${module.vpc.resource_group_name}"
  protocol                    = "tcp"
  source_port_range           = "*"
  destination_port_range      = "${element(split(",", element(var.node_ports, count.index)), 3)}"
  source_address_prefix       = "Internet"
  destination_address_prefix  = "*"
  access                      = "Allow"
  priority                    = "${301 + count.index}"
  direction                   = "Inbound"
  network_security_group_name = "${format("tf-frontend-%s", var.environment)}"
}

Expected Behavior

  • Initial run: Terraform creates the security group with all rules (both security_rule in group description and separate azurerm_network_security_rule attachments)
  • Subsequent runs: No changes made

Actual Behavior

  • Initial run: Terraform creates the security group with all rules (both security_rule in group description and separate azurerm_network_security_rule attachments)
  • Second run: Terraform removes any azurerm_network_security_rule attachments
  • Third run: Terraform spots azurerm_network_security_rule and recreates them
  • Subsequent runs: repeat behaviour of second/third

Steps to Reproduce

  1. Set up configuration as detailed above
  2. Create with terraform apply
  3. Do nothing, check terraform plan
  4. Notice change - security_rule.#: "2" => "1"
  5. Commit the removal of the rules with terraform apply
  6. Do nothing, check terraform plan
  7. Notice change - Plan: 1 to add

nbering commented Jun 21, 2017

Perhaps this is a documentation issue?

AWS resources that implement a similar pattern - where you can define a sub-resource on the parent directly, or as a discrete resource - state that using both for the same resource is not supported. I imagine this is the case here as well.

This block is from the AWS provider documentation for aws_security_group_rule:

NOTE on Security Groups and Security Group Rules: Terraform currently provides both a standalone Security Group Rule resource (a single ingress or egress rule), and a Security Group resource with ingress and egress rules defined in-line. At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.

@kisamoto (Author)

Having refactored my module to now only use azurerm_network_security_rule, it now doesn't have the conflict; however, it created new security rules without deleting the now obsolete security_rule attributes.

It's interesting that I did not notice this until recently and that Terraform does in fact want to build the correct state (half of the time). (plan also seems to be doubling the number of resources to add but that's a different issue)

Documentation update required.
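The refactor described above, as an added example (not code from the issue or from the provider project): the module keeps the security group free of inline security_rule blocks and declares the SSH rule as a standalone azurerm_network_security_rule, so standalone rules declared by consumers no longer conflict with it. Variable and resource names mirror the issue's configuration; the output name and the allow_ssh_inbound resource name are assumptions.

```hcl
# Added example, not from the issue or the provider. Module side: the NSG
# carries no inline security_rule blocks, so the standalone rules below and
# in consumers are the only source of truth for the rule set.
resource "azurerm_network_security_group" "public_subnet_sg" {
  count               = "${length(var.public_subnets)}"
  name                = "${format("tf-%s-%s", element(split(",", lookup(var.public_subnets, count.index)), 0), var.environment)}"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  location            = "${var.region}"
  # Deliberately no security_rule {} here: mixing inline and standalone rules
  # is what makes each apply alternately remove and recreate the standalone ones.
}

# The former inline SSH rule, now a standalone resource per security group
# (resource name "allow_ssh_inbound" is an assumption).
resource "azurerm_network_security_rule" "allow_ssh_inbound" {
  count                       = "${length(var.public_subnets)}"
  name                        = "allow-ssh-inbound"
  description                 = "allow all inbound ssh traffic"
  resource_group_name         = "${azurerm_resource_group.rg.name}"
  network_security_group_name = "${element(azurerm_network_security_group.public_subnet_sg.*.name, count.index)}"
  protocol                    = "tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "Internet"
  destination_address_prefix  = "*"
  access                      = "Allow"
  priority                    = 100
  direction                   = "Inbound"
}

# Export the NSG names so consumers reference them instead of re-deriving the
# name with format(), which keeps the dependency explicit in the graph
# (output name is an assumption).
output "public_subnet_sg_names" {
  value = ["${azurerm_network_security_group.public_subnet_sg.*.name}"]
}
```

Rules that existed only as inline blocks are not removed just because the block is dropped from the configuration, as observed above, so after the refactor compare the plan against the rule set actually present on the NSG before treating "No changes" as confirmation.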


ghost commented Apr 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 1, 2020