openstack Security Groups can't be revisited

[tmlink]

My main.tf created a single openstack security group with a single rule.

but when I do the sequence:

1. terraform destroy
2. terraform refresh — show empty
3. terraform plan — show the expected addition
4. terraform apply — SUCCESS!!! shows the expected additions
5. terraform refresh — show the single resource — YEA!!!
6. terraform plan — show that it wants to change the resource and the only rule — ​_HUH??_​
7. terraform apply — ​FAILS​ errors with “security group rule already exist” when adding a rule

My main.tf:

provider "openstack" {
    user_name   = "${var.openstack_user_name}"
    tenant_name = "${var.openstack_tenant_name}"
    password    = "${var.openstack_password}"
    auth_url    = "${var.openstack_auth_url}"
}

resource "openstack_compute_secgroup_v2" "elb" {
  name = "terradev1-elb"
  description = "Apcera ELB instances"

  # HTTP access from anywhere
  rule {
    cidr = "0.0.0.0/0"
    self = "true"
    from_port = 80
    to_port = 80
    ip_protocol = "tcp"
  }
}

Looking at the openstack web console, the group it's there after a delete and is after the first apply.

Detail info:

• terraform_session.txt
• terraform_log.txt
• terraform_tfstate.txt
• Terraform v0.6.8 installed on MacOS via brew (used to work on 0.6.3)

[jtopjian]

Hi there,

Thanks for reporting this.

I think in this case, the bug is caused by having both cidr and self set. If I remove one or the other, I'm unable to reproduce this problem -- can you confirm on your end?

cidr and self are really mutually exclusive:

• cidr specifies a network address range of allowed incoming traffic.
• self is a "meta" rule that allows traffic to all other instances that also have this same security group.

Let me know if this makes sense, if you're seeing different behavior, or if you're trying to do something that should work but is not working.

Per the documentation, self should be taking precedence, but it looks like that slipped at some point. I'll look into this and add some extra guards to error out before anything is actually created in this situation.

Thanks,
Joe

[tmlink]

Thanks Joe!!

That was the problem. I had an invalid security group rules, but didn't know it until this bug was tickled.
Splitting the rules fixed things on my end. I agree that erroring out is probably the right thing to do.

Thanks Again,
Tom

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.