-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws_security_group: DependencyViolation: resource sg-XXX has a dependent object #1671
Comments
I have run into this issue with terraform 0.10.6.
the delete retried multiple times
|
Terraform v0.9.9 Same issue |
Terraform v0.10.7 Same issue. Is the only workaround to delete the SG manually and then recreate it via TF? |
Same issue. For me I'm 99% sure it's because there an ec-2 instance not being changed that is still using the security group. So right now looks like I have to make this change manually. |
Yes, that's indeed the case. I don't have access to the Web UI (managed by the client), so I had to resolve it manually. I created an empty security group, replaced the existing one with that empty SG and then reran the Terraform command. That worked fine. |
Same issue for us, has anyone tested if v0.10.8 fixes this? |
I'm on v0.10.8 and have experienced this. |
Got it again...
|
Hey all – It sounds like, because this is intermittent, that the times it's failing is because As a workaround for that, version Adding that to the security group in the module will likely work around this. There was other mention of an instance still using the group, can anyone provide a configuration that triggers this with instances? Thanks! |
@catsby I just tried setting The code doesn't seem to be doing anything very complicated. The simplified version is as follows. I have a module called resource "aws_instance" "instance" {
ami = "${var.ami}"
instance_type = "${var.instance_type}"
vpc_security_group_ids = ["${aws_security_group.instance.id}"]
user_data = "${var.user_data}"
# ... (other params omitted) ...
}
resource "aws_security_group" "instance" {
name = "${var.name}"
description = "Security Group for ${var.name}"
vpc_id = "${var.vpc_id}"
# This workaround, unfortunately, did not help
revoke_rules_on_delete = true
}
resource "aws_security_group_rule" "allow_outbound_all" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = "${aws_security_group.instance.id}"
}
resource "aws_security_group_rule" "allow_inbound_ssh_from_cidr" {
count = "${signum(var.allow_ssh_from_cidr)}"
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["${var.allow_ssh_from_cidr_list}"]
security_group_id = "${aws_security_group.instance.id}"
}
resource "aws_security_group_rule" "allow_inbound_ssh_from_security_group" {
count = "${signum(var.allow_ssh_from_security_group)}"
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
source_security_group_id = "${var.allow_ssh_from_security_group_id}"
security_group_id = "${aws_security_group.instance.id}"
} I'm using this module in some code that creates a server and two EBS volumes for it: module "example" {
source = "../../modules/single-server"
name = "example"
instance_type = "t2.micro"
ami = "${var.ami}"
allow_ssh_from_cidr_list = ["0.0.0.0/0"]
vpc_id = "${data.aws_vpc.default.id}"
subnet_id = "${data.aws_subnet.selected.id}"
# Script that attaches and mounts the two EBS volumes
user_data = "${data.template_file.user_data.rendered}"
}
resource "aws_ebs_volume" "example_1" {
availability_zone = "${data.aws_subnet.selected.availability_zone}"
type = "gp2"
size = 5
}
resource "aws_ebs_volume" "example_2" {
availability_zone = "${data.aws_subnet.selected.availability_zone}"
type = "gp2"
size = 5
} We have automated tests that run against this code and do the following:
All of this works until |
I'm on 0.10.8 and am currently experiencing this issue. One tip for figuring out what the "dependent object" is: type the name of the SG into the ENI instances searchbox (https://serverfault.com/a/866203/223606). It appears that an attached ENI is preventing Terraform from deleting my SG. |
@brikis98 are you able to do as elektron9 above mentioned, and determine what the dependency is? The |
I'll have to check next time I'm working on this code, but I'm pretty sure it's not an ENI, as there are no ENIs being created in that code. |
Update: we eventually determined that this issue was being caused by a security group that had an inbound rule for another security group. After we manually removed the inbound rule, Terraform was able to proceed with the destruction of the security group that was causing this issue. We did toggle the |
@elektron9 Can you confirm that |
@CamelCaseNotation yes, our issue was resolved after setting |
Spent several hours on various configurations to attempt to work around this. The DependencyViolation... has a dependent object error occurs after the 5 minute timeout in every scenario. Bottom line is that the network interface does not get assigned to the new security group if a new SG resource must be created (e.g. sg name change). The security group is created (if lifecycle create_before_destroy = true) as desired alongside the existing sg which is assigned to the ENI, but the ENI is never reassigned to the new SG. While Terraform is waiting, I can go into the AWS console and do "change security groups" on either the Network Interface or the ec2 Instance itself and Terraform will immediately continue its process and remove the old SG before completing. I also tried several iterations using aws_network_interface_sg_attachment without a security_group block on the aws_instance. This deploys fine, but it relies on the AZs default_vpc to initially launch the ec2 instance into which is a security issue for us and leaves the issue of removing it after deployment. Anyway, the idea was to see if a more specific dependency on the ENI would cause terraform to make the change on AWS (ENI to new SG). It did not work. Is there no explicit way of causing the "Change Security Group" functionality? Seems this should be done under the Terraform hood whenever it recognizes that the SG will change for an instance or ENI. |
OK, I finally had some time to go back and dig into this, and I think I've figured out what's happening! The code looks roughly like this: resource "aws_instance" "example" {
# ... (other params omitted) ...
vpc_security_group_ids = ["${aws_security_group.example.id}"]
tags {
Name = "${var.name}"
}
}
resource "aws_security_group" "example" {
name = "${var.name}"
revoke_rules_on_delete = true
# ... (other params omitted) ...
} In our test code, we are updating I think all we really need is a |
OK, it looks like adding resource "aws_security_group" "example" {
name_prefix = "${var.name}"
# ... (other params omitted) ...
lifecycle {
create_before_destroy = true
}
} |
Sweet! I tested create_before_destroy = true, and using name_prefix instead of name fixed it for me! Thank you brikis98 |
I am experiencing the issue where security groups are not deleted, referencing dependent objects, because they are attached to lingering ENIs. The ENIs seem to be coming from an aws_launch_template/aws_autoscaling_group combo and since I did not experience this behaviour when I was using aws_launch_configuration, I suspect that aws_launch_template is somehow the cause of this. I have tried to solve the problem via |
As of 0.11.7 it was fixed by lifecycle { create_before_destroy = true } |
@martinbokmankewill I've been running into the same issue recently as well. Noticed, the lingering ENIs are almost always previously attached to an ELB. Are you still running into the issue? |
I am not running into the issue anymore. I traced it to not having set |
Anything I try is doesn't work. You can try in this repo. Just make sure you have DEBUG enabled. Is anyone knows the solution for this repo? |
No of the above work for me, i have to change SG name in terraform |
Encountered this today as well.
fixed it for me as well. |
I've also encountered this, and it's easily repeatable. A cut down example:
With these resources, a change requiring replacement of the security group will cause the apply to timeout with the dependency violation. Adding create_before_destroy to the security group works around the problem. I think in this specific case, the aws_efs_mount_target cannot have no security group - so terraform attempts to destroy the SG without first removing it from the mount target. Create before destroy results in the order of operations changing, so the mount targets get modified with the new security group before the (now deposed) security group is destroyed. |
The Problem is, that
prevents updates, as security groups with the same name cannot exist. |
Yes - the security group has to use "name_prefix" instead of "name" to use this workaround |
After #1530, we're hitting an error applying the plan: ``` Error: Error applying plan: 2 errors occurred: * aws_security_group.mysql-replica (destroy): 1 error occurred: * aws_security_group.mysql-replica: Error deleting security group: DependencyViolation: resource sg-26a3915d has a dependent object status code: 400, request id: 481cb159-77ee-46ef-813a-e82a9b91f754 * aws_security_group.mysql-primary (destroy): 1 error occurred: * aws_security_group.mysql-primary: Error deleting security group: DependencyViolation: resource sg-d1bc8eaa has a dependent object status code: 400, request id: c9eee46f-f760-460f-929e-07e600d4c700 ``` Trying a fix outlined in hashicorp/terraform-provider-aws#1671 (comment)
After #1530, we're hitting an error applying the plan: ``` Error: Error applying plan: 2 errors occurred: * aws_security_group.mysql-replica (destroy): 1 error occurred: * aws_security_group.mysql-replica: Error deleting security group: DependencyViolation: resource sg-26a3915d has a dependent object status code: 400, request id: 481cb159-77ee-46ef-813a-e82a9b91f754 * aws_security_group.mysql-primary (destroy): 1 error occurred: * aws_security_group.mysql-primary: Error deleting security group: DependencyViolation: resource sg-d1bc8eaa has a dependent object status code: 400, request id: c9eee46f-f760-460f-929e-07e600d4c700 ``` Trying a fix outlined in hashicorp/terraform-provider-aws#1671 (comment)
Saved my life. Verified that the creation and destruction will automatically replace the old security group with the new one without any downtime. |
This functionality has been released in v4.29.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
This issue was originally opened by @brikis98 as hashicorp/terraform#11047. It was migrated here as a result of the provider split. The original body of the issue is below.
Terraform Version
Terraform v0.8.2
Affected Resource(s)
Terraform Configuration Files
This is part of a larger configuration, but I think the relevant parts are as follows.
Under
modules/webserver-cluster/main.tf
, I define a module with the following code:In a separate folder, I use this module in the usual way, but also add a custom security group rule:
Expected Behavior
I expect to be able to run
terraform apply
andterraform destroy
without errors.Actual Behavior
terraform apply
works fine. Occasionally,terraform destroy
fails with the following error:Steps to Reproduce
terraform apply
terraform destroy
Important Factoids
It's an intermittent issue, so I can't be sure, but I don't think this error happened with Terraform 0.7.x.
The text was updated successfully, but these errors were encountered: