Cannot set SG on instance with FNI

[outscale-toa]

Terraform Version

Terraform v1.0.6
+ provider v0.4.0

Terraform Configuration Files

resource "outscale_vm" "foobar" {
    image_id = var.image_centos8["eu-west-2"]
    vm_type = "tinav5.c2r2p2"
    keypair_name = var.keypair
    subnet_id = outscale_subnet.foobar.id
    security_group_ids = [
        outscale_security_group.foo.id,
        outscale_security_group.bar.id #add once the instance and FNI are created
    ]    
    vm_initiated_shutdown_behavior = "restart"    
    lifecycle {
        ignore_changes = [ image_id ]
    }
    tags {
        key = "Name"
        value = "foobar"
    }
}
resource "outscale_nic" "foobar" {
    subnet_id = outscale_subnet.foobar.id
}
resource "outscale_nic_link" "foobar" {
    device_number = 1
    vm_id = outscale_vm.foobar.id
    nic_id = outscale_nic.foobar.id
}

Debug Output

Crash Output

Expected Behavior

Actual Behavior

Steps to Reproduce

Additional Context

References

[boussoufiane]

Hello , Any news about this issue ?

[jerome-jutteau]

Hi @boussoufiane, I will let @outscale-mgo or @outscale-toa confirm but this has not been planned in a milestone yet.

[franksauvag]

Hello @jerome-jutteau, @outscale-toa @outscale-mgo

How can we get visibility on the milestone/roadmap ?

We tried several workaround, none being satisfying,

This limitation is blocking large scale usage of Outscale. (E.g. Provisioning multiple ephemeral environments).

[outscale-mgo]

Hello,

you can find the milestone here: https://github.com/outscale-dev/terraform-provider-outscale/milestones

Thanks to your feedback, will push this issue to the next milestone.

[outscale-toa]

Hello,

Updating the security groups of a VM having multiple NICs is not allowed in Outscale API.
We are working to find a workaround for terraform plugin.
For the moment, you can either specify the security group when creating the VM or unlink the secondary NIC temporary to update the VM security group then link the secondary NIC again.

Thanks,

[john-scalingo]

Hi there,

Updating the security groups of a VM having multiple NICs is not allowed in Outscale API.

I understand that part. But the issue is that with the current code, if the default NIC security group has changed, terraform will still mark the resource as valid and will not show any error nor propose to update the VM Security groups.

This has big security implications since with this we can't trust the terraform output to check that there was no modifications on a VM default NIC security groups. Which could lead to undetected security issues.

[outscale-toa]

Hello @john-scalingo,

I understand that part. But the issue is that with the current code, if the default NIC security group has changed,
 terraform will still mark the resource as valid and will not show any error nor propose to update the VM Security groups.

I think you are using an old version of terrfrom-plugin, because we fixed that issue

....
resource "outscale_vm" "outscale_vm01" {                                                                                                                                                                                                                                                
  image_id           = var.image_id
  vm_type            = var.vm_type                                                                                                                                                                                     
  keypair_name       = var.keypair_name
}
...

terrraform init 
terrafrom apply
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

In your second apply or plan you will get

~/local_tf_test$ terraform plan 
outscale_vm.outscale_vm01: Refreshing state... [id=i-7f0779ef]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # outscale_vm.outscale_vm01 will be updated in-place
  ~ resource "outscale_vm" "outscale_vm01" {
        id                             = "i-7f0779ef"
      ~ security_group_ids             = [
          - "sg-583f2770",
        ]
        # (34 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

It is the same with outscale_nic resource

[john-scalingo]

We are using the 1.0.0-rc2 version of the plugin.
And indeed it showed that change the first time. But then we tried to apply the plan. The applied failed with the 4045 error code. (I guess it's because 2 NICs were attached to the VM).
However after this apply failed, the next plan showed no diff on the VM security groups even though we did not have the correct security group applied on the VM's default NIC.

[outscale-toa]

Can you please create a new issue with an use case ?
I will check it.

Thanks,