Errors creating custom machine pools without additional security groups #78

@oswcab

Description

When trying to create custom machine pools, this error is received:


Error: Provider produced inconsistent result after apply  
│  
│ When applying changes to  
│ module.rosa_hcp_cluster.module.rhcs_hcp_machine_pool["pool-useast1c"].rhcs_hcp_machine_pool.machine_pool, provider  
│ "provider[\"registry.terraform.io/terraform-redhat/rhcs\"]" produced an unexpected new value:  
│ .aws_node_pool.additional_security_group_ids: was cty.ListValEmpty(cty.String), but now null.  
│  
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.  

In our terraform file, we were defining the machine pool like this:

base_machine_pool_config = {
  aws_node_pool = {
    instance_type = var.management_machine_type
    tags = {
      "pool-type" = "autoscaling"
    }
    additional_security_group_ids = []
  }
  autoscaling = {
    enabled      = var.machine_pool_autoscaling_enabled
    min_replicas = var.machine_pool_min_replicas
    max_replicas = var.machine_pool_max_replicas
  }
  auto_repair = true
  openshift_version = var.openshift_version
  labels = {
    "node-role.kubernetes.io/worker" = ""
    "pool-type"                      = "autoscaling"
  }
}

This results in the aws_node_pool not containing additional_security_group_ids in the state, as the configuration is trying to set it to an empty list []. Terraform expects it to be present in the state, but the provider is returning null for this field when it's not explicitly set.

The RHCS provider schema shows that additional_security_group_ids is optional in the aws_node_pool block:

terraform providers schema -json | jq '.provider_schemas["registry.terraform.io/terraform-redhat/rhcs"].resource_schemas.rhcs_hcp_machine_pool.block.attributes.aws_node_pool.block.attributes.additional_security_group_ids'

"additional_security_group_ids": {
  "type": ["list", "string"],
  "description": "Additional security group ids. After the creation of the resource, it is not possible to update the attribute value.",
  "description_kind": "plain",
  "optional": true
}

The field is marked as "optional": true, which means:

  • If not specified, the provider treats it as null
  • If specified as an empty list [], Terraform expects it to remain an empty list

This creates an inconsistency when the provider returns null but Terraform expects [].

If the additional_security_group_ids is simply removed from the configuration, a new error is shown:

│ Error: Invalid value for input variable  
│  
│ on .terraform/modules/rosa_hcp_cluster/main.tf line 146, in module "rhcs_hcp_machine_pool":  
│ 146: aws_node_pool = each.value.aws_node_pool  
│  
│ The given value is not suitable for module.rosa_hcp_cluster.module.rhcs_hcp_machine_pool["pool-useast1c"].var.aws_node_pool  
│ declared at .terraform/modules/rosa_hcp_cluster/modules/machine-pool/variables.tf:56,1-25: attribute  
│ "additional_security_group_ids" is required.  
╵

The problem seems to be that the ROSA HCP module's variable definition for aws_node_pool requires additional_security_group_ids to be present, even though the provider itself makes it optional.

If we pass:

additional_security_group_ids = null

It also fails because the module's variable definition requires list(string), not null.

Looking at the rosa-hcp module examples, a list with an empty string is used:

additional_security_group_ids = [""]

So we tried this, and this time this error is seen:

Error: Cannot create machine pool  
│  
│ with module.rosa_hcp_cluster.module.rhcs_hcp_machine_pool["pool-useast1b"].rhcs_hcp_machine_pool.machine_pool,  
│ on .terraform/modules/rosa_hcp_cluster/modules/machine-pool/main.tf line 1, in resource "rhcs_hcp_machine_pool" "machine_pool":  
│ 1: resource "rhcs_hcp_machine_pool" "machine_pool" {  
│  
│ Cannot create machine pool for cluster '2jtlbai5es73ratt1pp6t55e5tdqbcqo': status is 400, identifier is '400', code is  
│ 'CLUSTERS-MGMT-400', at '2025-07-08T23:59:31Z' and operation identifier is '0b053b0e-a5aa-4ab1-a8b9-501363ff3075': Provided  
│ Additional Security Group '' is not attached to VPC 'vpc-02f92938be2ff307a'

The problem is that we're passing an empty string "" as a security group ID, and the ROSA API is trying to validate it as an actual security group that should be attached to the VPC. Since an empty string is not a valid security group ID, the API is rejecting the request.

So, in summary, it seems the module requires additional_security_group_ids to always be present (given that it is defined as list(string)), but the provider and API expect it to be omitted entirely if no extra security groups are desired/required.

As a workaround (hack), we copied the rosa hcp module as a local module and changed the definition of the additional_security_group_ids in the aws_node_pool variable of the machine_pool submodule to:

additional_security_group_ids = optional(list(string))

then we removed this argument from the definition of our custom machine pools and used 'our' version of the rosa-hcp module, i.e., the locally modified module:

module "rosa_hcp_cluster" {
source = "./modules/rosa-hcp"
...

and now the creation of the custom machine pools is successful.

Question: shouldn't we use this modification, i.e., making the additional_security_group_ids optional, in the rosa-hcp module?

Or what are we missing here?
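The following is an added example that is not part of the issue, the rosa-hcp module or the rhcs provider. It shows the pattern the reporter describes (`optional(list(string))` on the `aws_node_pool` object) in a reduced, hypothetical `variables.tf`/`main.tf` pair: the object type lists only the attributes that appear in the issue (the real module defines more), the `rhcs_hcp_machine_pool` resource is shown with only its `aws_node_pool` argument, and the `validation` block and `locals` normalisation are additions that catch the `[""]` case at plan time and map `[]` to `null` so the value sent to the provider matches what it stores in state.

```hcl
# Hypothetical, reduced variables.tf for a machine-pool submodule (added example,
# not the rosa-hcp module's own definition).
variable "aws_node_pool" {
  type = object({
    instance_type = string
    tags          = optional(map(string), {})
    # optional(): callers may omit the attribute. Omitted -> null, which is the
    # value the rhcs provider reports when no extra security groups are attached.
    additional_security_group_ids = optional(list(string))
  })

  validation {
    # Reject "" and other non-security-group values before the ROSA API sees them.
    # The conditional inside the for expression avoids iterating over null when
    # the attribute was omitted. The sg- id shape is a plausibility check only.
    condition = alltrue([
      for id in (
        var.aws_node_pool.additional_security_group_ids == null
        ? []
        : var.aws_node_pool.additional_security_group_ids
      ) : can(regex("^sg-[0-9a-f]{8,17}$", id))
    ])
    error_message = "additional_security_group_ids must be omitted or contain only AWS security group ids (sg-...)."
  }
}

locals {
  # Normalise: an empty list means "no additional security groups", so send null,
  # not [] and not [""], to the provider.
  additional_security_group_ids = (
    var.aws_node_pool.additional_security_group_ids == null ||
    length(coalesce(var.aws_node_pool.additional_security_group_ids, [])) == 0
  ) ? null : var.aws_node_pool.additional_security_group_ids
}

# Hypothetical, reduced main.tf: the other required arguments of the resource
# are omitted here; only the aws_node_pool argument is relevant to the issue.
resource "rhcs_hcp_machine_pool" "machine_pool" {
  aws_node_pool = {
    instance_type                 = var.aws_node_pool.instance_type
    tags                          = var.aws_node_pool.tags
    additional_security_group_ids = local.additional_security_group_ids
  }
}
```

With this definition a caller can omit `additional_security_group_ids`, pass `[]`, or pass a list of real `sg-` ids; the first two produce `null` in the resource (no "inconsistent result after apply", because the provider also reports `null`), and a value such as `[""]` fails `terraform plan` with the validation message instead of reaching the ROSA API. Attaching extra security groups to worker nodes widens the nodes' network exposure, so failing early on anything that is not an explicit, well-formed security group id is the safer default.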
