Cluster Security Group Change Issue #3014
Comments
I've been seeing this error a lot. All the other issues that I've seen with this are closed without solution. There's the workaround of changing the IP ranges to force a change but that's not practical. Another hacky way I found is to create a variable and append it to the key of the security group rules. For instance, in your case it would be something like:

```hcl
variable "security_group_update_trigger" {
  description = "Trigger updates without getting duplicate security group rule error"
  type        = bool
  default     = false
}

cluster_security_group_additional_rules = merge(
  {
    # Default Private Control Plane Access
    "vpc_${var.security_group_update_trigger}" = {
      description = "Allow VPC Network Access"
      protocol    = "tcp"
      from_port   = 443
      to_port     = 443
      cidr_blocks = data.aws_vpc.vpc.cidr_block_associations[*].cidr_block
      type        = "ingress"
    },
    "private_network_access_${var.security_group_update_trigger}" = {
      description = "Allow Private Network Access"
      protocol    = "tcp"
      from_port   = 443
      to_port     = 443
      cidr_blocks = ["10.0.0.0/8"]
      type        = "ingress"
    }
  }, var.cluster_security_group_additional_rules)
```

But if you have a huge list of CIDRs like in my case, it's bad since you don't have the easy tracking of changes when adding/removing a single CIDR, because it will show as adding/removing all. I hope we can have a proper fix for this issue.
I don't see how these relate to the module - this looks like you could easily reproduce this on just simple security group rule resources.

I guess I had opened this because it was not clear to me why the
It's being replaced due to changes that it has identified here:

```
~ cidr_blocks = [ # forces replacement
    # (2 unchanged elements hidden)
      "10.60.7.0/24",
    + "10.40.0.0/16",
  ]
```

And I suspect the duplicate rules is being thrown because both

```hcl
private_network_access = {
  description = "Allow Private Network Access"
  protocol    = "tcp"
  from_port   = 443
  to_port     = 443
  cidr_blocks = ["10.0.0.0/8"]
  type        = "ingress"
}
```
I can confirm the second isn't an issue, we had multiple overlapping rules already in place within the rule that do overlap with I was also able to manually add To get around this issue, since I already had that overlapping I'd suspected something about how the variables are getting passed into the But wasn't sure how to investigate further. Also wonder if this even newer resource might avoid this as well, especially since within the EC2 console, each CIDR block we're adding has its own unique security group rule ID already: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule

The newer individual rules (cannot pass a list of CIDRs, etc.) are recommended, but that comes at the cost of disruption to users. We have started to use those where possible, but we have to identify the right time to introduce those since it will be disruptive for users.
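To illustrate the per-CIDR approach the two comments above refer to, here is an added example (not code from the module or from anyone in this thread) that declares one `aws_vpc_security_group_ingress_rule` per CIDR with `for_each`, so adding or removing a single CIDR creates or destroys only that one rule instead of forcing replacement of a rule that carries the whole list. The variable name `control_plane_cidrs`, the sample CIDR values, and the `module.eks.cluster_security_group_id` reference are assumptions for this example.

```hcl
# Added example: one ingress rule resource per CIDR instead of a single
# aws_security_group_rule holding a list in cidr_blocks.
# Assumed: var.control_plane_cidrs, module.eks.cluster_security_group_id.

variable "control_plane_cidrs" {
  description = "CIDR blocks allowed to reach the cluster control plane on 443"
  type        = set(string)
  # constructed sample values, not taken from any real environment
  default     = ["10.60.7.0/24", "10.40.0.0/16"]
}

resource "aws_vpc_security_group_ingress_rule" "control_plane_443" {
  # Each CIDR becomes its own resource instance keyed by the CIDR string,
  # which matches the per-rule security group rule ID shown in the EC2 console.
  for_each = var.control_plane_cidrs

  security_group_id = module.eks.cluster_security_group_id # assumed module output
  description       = "Allow control plane access from ${each.key}"
  cidr_ipv4         = each.key
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
```

Note that `for_each` keys must be known at plan time, so feeding the set from a data source whose result is only known after apply will fail the plan; and migrating existing `aws_security_group_rule` entries to these resources destroys and recreates the rules, which is the disruption the maintainer mentions.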
This issue has been automatically marked as stale because it has been open 30 days
Description
It appears I've hit this bug: #2469
But specifically I am already over the v18/v19 module upgrades. The only change we've made is that our VPC has added a CIDR block, which seems to be breaking the module with:
Plan:
Apply:
So I am somewhat concerned this is not an issue specific to the module upgrades but a bug/limitation in the module.
Versions
Module version [Required]: 20.1.1
Terraform version: v1.3.6
Provider version(s): v5.35.0
Reproduction Code
Steps to reproduce the behavior:
Modify the incoming VPC to add another CIDR block:
Is the issue potentially that we're using a computed value as the input to this variable in the module?
Minimal repro would probably be to set this cluster_security_group_additional_rules and then modify it or provide a computed value that changes/forces modification.
Expected behavior
Terraform updates the security group rules
Actual behavior
Terraform errors out on an existing cluster
Additional context