I am getting
~ update in-place
Terraform will perform the following actions:
~ aws_security_group.mayanks-sg revoke_rules_on_delete: "" => "false"
while running `terraform plan`. I have no idea what it means or why it appears; I searched for it on Google but had no luck.
tf file :-
# Security group "mayanks-sg". It declares no inline ingress/egress blocks; the
# aws_security_group_rule resources in this file appear to target it.
# revoke_rules_on_delete is not set here, so the provider default applies. The
# plan output quoted in this question shows Terraform recording that default
# ("" => "false") in state.
resource "aws_security_group" "mayanks-sg" {
name = "mayanks-sg"
description = "for test purpose"
# NOTE(review): vpc_id is empty; presumably the group lands in the account's
# default VPC. Confirm that is the intended network.
vpc_id = ""
}
# Ingress rule: allows TCP port 12345 from the listed CIDR block (redacted in this post).
resource "aws_security_group_rule" "mayanks-sg" {
type = "ingress"
# NOTE(review): the group ID is a hard-coded literal. If it is the group managed
# by aws_security_group.mayanks-sg, referencing that resource's id instead would
# let Terraform track the dependency between this rule and the group.
security_group_id = "sg-xxxxxxxxx"
from_port = 12345
to_port = 12345
protocol = "tcp"
# NOTE(review): keep the source range as narrow as the use case allows; the
# value shown is a redacted placeholder.
cidr_blocks = ["x.x.x.x"]
}
# Ingress rule: allows TCP port 54321 from the listed CIDR block (redacted in this post).
resource "aws_security_group_rule" "mayanks-sg-1" {
type = "ingress"
# NOTE(review): the group ID is a hard-coded literal. If it is the group managed
# by aws_security_group.mayanks-sg, referencing that resource's id instead would
# let Terraform track the dependency between this rule and the group.
security_group_id = "sg-xxxxxxxxx"
from_port = 54321
to_port = 54321
protocol = "tcp"
# NOTE(review): keep the source range as narrow as the use case allows; the
# value shown is a redacted placeholder.
cidr_blocks = ["x.x.x.x"]
}
tfstate :-
{
"version": 3,
"terraform_version": "0.11.7",
"serial": 1,
"lineage": "x-x-x-x-x",
"modules": [
{
"path": [
"root"
],
"outputs": {},
"resources": {
"aws_security_group.mayanks-sg": {
"type": "aws_security_group",
"depends_on": [],
"primary": {
"id": "sg-xxxxxxxxx",
"attributes": {
"arn": "arn:aws:ec2:x:x:security-group/sg-xxxxxxxxx",
"description": "for test purpose",
"egress.#": "0",
"id": "sg-xxxxxxxxx",
"ingress.#": "2",
"ingress.1364877358.cidr_blocks.#": "1",
"ingress.1364877358.cidr_blocks.0": "x.x.x.x",
"ingress.1364877358.description": "",
"ingress.1364877358.from_port": "12345",
"ingress.1364877358.ipv6_cidr_blocks.#": "0",
"ingress.1364877358.protocol": "tcp",
"ingress.1364877358.security_groups.#": "0",
"ingress.1364877358.self": "false",
"ingress.1364877358.to_port": "12345",
"ingress.2197545509.cidr_blocks.#": "1",
"ingress.2197545509.cidr_blocks.0": "x.x.x.x",
"ingress.2197545509.description": "",
"ingress.2197545509.from_port": "54321",
"ingress.2197545509.ipv6_cidr_blocks.#": "0",
"ingress.2197545509.protocol": "tcp",
"ingress.2197545509.security_groups.#": "0",
"ingress.2197545509.self": "false",
"ingress.2197545509.to_port": "54321",
"name": "mayanks-sg",
"owner_id": "xxxxxxx",
"tags.%": "0",
"vpc_id": ""
},
"meta": {
"x-x-x-x-x-x": {
"create": 600000000000,
"delete": 600000000000
},
"schema_version": "1"
},
"tainted": false
},
"deposed": [],
"provider": "provider.aws"
},
"aws_security_group_rule.mayanks-sg": {
"type": "aws_security_group_rule",
"depends_on": [],
"primary": {
"id": "sgrule-xxxxxx",
"attributes": {
"cidr_blocks.#": "1",
"cidr_blocks.0": "x.x.x.x",
"description": "",
"from_port": "12345",
"id": "sgrule-xxxxxx",
"ipv6_cidr_blocks.#": "0",
"prefix_list_ids.#": "0",
"protocol": "tcp",
"security_group_id": "sg-xxxxxxxxxx",
"self": "false",
"to_port": "12345",
"type": "ingress"
},
"meta": {
"schema_version": "2"
},
"tainted": false
},
"deposed": [],
"provider": "provider.aws"
},
"aws_security_group_rule.mayanks-sg-1": {
"type": "aws_security_group_rule",
"depends_on": [],
"primary": {
"id": "sgrule-xxxxxx",
"attributes": {
"cidr_blocks.#": "1",
"cidr_blocks.0": "x.x.x.x",
"description": "",
"from_port": "54321",
"id": "sgrule-xxxxx",
"ipv6_cidr_blocks.#": "0",
"prefix_list_ids.#": "0",
"protocol": "tcp",
"security_group_id": "sg-xxxxxxxxxxx",
"self": "false",
"to_port": "54321",
"type": "ingress"
},
"meta": {
"schema_version": "2"
},
"tainted": false
},
"deposed": [],
"provider": "provider.aws"
}
},
"depends_on": []
}
]
}
I want to remove this error by adding something to the configuration file, and I would also like to know what this parameter means. Thanks in advance.
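You can manually add "revoke_rules_on_delete": "false" to the security group's attributes in your Terraform state file, and this message will go away. Back up the state file before editing it by hand: a malformed or inconsistent state can cause Terraform to mismanage real resources, and running `terraform apply` writes the same attribute without a manual edit.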
For anyone facing this issue and wondering how to fix it:
Following the three steps, you can perform the terraform apply
with minimal risk.
terraform apply
By doing so, you can watch Terraform fix the state file, and you don't have to worry that Terraform will modify any unexpected resource.
This is not an error message. If you want to remove it, apply your template.
It's stating that if you ran the template, it would update the parameter for that security group. `revoke_rules_on_delete` is currently set to blank. Terraform defaults it to `false`.
revoke_rules_on_delete - (Optional) Instruct Terraform to revoke all of the Security Groups attached ingress and egress rules before deleting the rule itself. This is normally not needed, however certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevent the security groups from being destroyed without removing the dependency first. Default false
Bottom line: if you want this to be true, set it in your `aws_security_group` resource and apply your playbook. If you want it to be false, apply your playbook.
https://www.terraform.io/docs/providers/aws/r/security_group.html