Error changing security group rules with openstack_compute_secgroup_v2

[scottslowe]

There seems to be a problem with modifying security group rules in an OpenStack security group using Terraform.

Here is what I've observed. If you define a security group using openstack_compute_secgroup_v2 along with a set of rules, on the first run of terraform apply Terraform will properly create the security group, the security group rules, and associate the instances with the security group. If you stop here, everything will be fine.

However, If you later modify the Terraform configuration file to add a rule to the group or remove a rule from the group, Terraform gets "confused".

On the first pass of terraform apply after modifying the Terraform configuration file, the security group will be updated properly (and will maintain the same UUID in OpenStack, as shown by neutron security-group-list), but the security group will be removed from the instances, and terraform apply will report an error along the lines of "Error removing security group from OpenStack server" (followed by the UUID of the instance in question). Note, however, that the security group is removed from the instance.

If you run terraform refresh followed by terraform apply, Terraform will note that the instances are no longer in the security group and will add them back---but it will fail with "Error adding security group to OpenStack server" (followed by the UUID of the instance in question). Note, however, that the security group is added to the instance.

Subsequent runs of terraform apply result in similar errors. The underlying issue, as far as I have been able to glean from the output of terraform plan, is that Terraform wants to remove the security group from the instance (referencing the group by name) and then wants to add it to the security group (referencing the security group by UUID).

Once this error occurs, Terraform is helplessly out of sync with the remote OpenStack cloud, and no number of running terraform refresh (or any other command with which I am familiar) will fix the issue. At this point, Terraform is useless in managing these resources.

This behavior occurs with versions 0.6.7 and 0.6.8. I tested against an OpenStack cloud running the "Juno" release (2014.2).

[jtopjian]

Hi Scott,

Thank you for reporting the issue.

Are you referencing the security group to the instances by the ID of the security group? If so, try referencing by the security group name.

If you are already referencing by security group name, can you provide an example Terraform configuration that can reproduce this problem?

Thanks,
Joe

[scottslowe]

Joe, thanks for the response. Changing the Terraform configuration to reference the security group by name (openstack_compute_secgroup_v2.object-name.name) instead of ID fixes the problem. Is this documented anywhere?

[jtopjian]

kind of 😄

The documentation for openstack_compute_instance_v2 uses the name in the example and the details for the security_groups attribute mention "name", but there's nothing that explicitly calls out avoiding the use of the security group ID.

There are some more details on this subject here.

In your opinion, where do you think would have been the best place to mention this? Maybe as simple as explicitly saying "do not use IDs!" in the above mentioned docs?

[scottslowe]

@jtopjian, where to document this is a good question. I just reviewed the documentation for openstack_compute_instance_v2 and note that the reference to a security group does use the name. Perhaps adding a section to the "Notes" at the bottom, or adding an example (to either openstack_compute_instance_v2 or openstack_compute_secgroup_v2) that shows a security group being created and then referenced by name later?

(Slightly related question: I haven't yet looked, but are the docs maintained as a separate repo? If so, and if contributing to the docs is reasonably straightforward, I might be able to provide a PR that would help. Guidance is welcome, of course.)

[scottslowe]

@jtopjian: In examining the terraform repo more closely, I see the website docs are in the main repo. It looks like perhaps the best place to add it would be in the "Notes" section of the openstack_compute_secgroup_v2 Markdown document here:

https://github.com/hashicorp/terraform/blob/master/website/source/docs/providers/openstack/r/compute_secgroup_v2.html.markdown

Something as simple as stating that you should reference the security group's name attribute (instead of ID) when associating instances with that security group in a Terraform configuration should suffice.

[jtopjian]

Hi Scott,

Sounds good. Let me know if you'd like to submit a PR. No problem if you're not interested - just wanted to open the opportunity up. 😄

Joe

[scottslowe]

@jtopjian, let me try creating a PR to modify the specific file I mentioned earlier in the thread. Stay tuned.

[jtopjian]

I'm going to close this issue, but please feel free to re-open if there's anything else you'd like to discuss around this.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.