We are looking to use the “aws_security_group” resource and have already used it to deploy some security groups into our VPC.
The problem comes when we want to update this security group.
If we change or add a group in the list of security_groups inside an ingress block (https://www.terraform.io/docs/providers/aws/r/security_group.html#security_groups) and then run terraform plan, you can see that Terraform will perform an update in place. However, instead of going straight from old_value => new_value, the change happens in two steps: from old_value => “0” or “” and then from “0” or “” => new_value.
This needs clarifying for us because we wish to use Terraform to administer the security groups in our production environment and are concerned this may affect network connectivity for a short time.
- Does Terraform actually remove all values and re-add them quickly as the plan implies?
- Are there/could there be any network outages by updating in place in this way?
- It appears previously established connections are unaffected until broken, but what about connections that are attempted during the terraform apply? Will we see an elevated error rate due to this behaviour?
- Is there an alternative/better way to manage security groups without outage if there is one?
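As an added example (not the poster's configuration), here is the pattern the question describes, an inline ingress block whose security_groups list changes, next to the same rule expressed with the standalone aws_security_group_rule resource, where each source is its own resource; all IDs and names are placeholders.

```hcl
# Constructed example; security group IDs and names are placeholders.

# Pattern from the question: rules defined inline in aws_security_group.
# Editing the security_groups list below is what produces the in-place
# update shown in the plan (old_value => "" then "" => new_value).
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = "vpc-PLACEHOLDER"

  ingress {
    from_port = 443
    to_port   = 443
    protocol  = "tcp"
    # before the change: ["sg-OLD"]; after: ["sg-OLD", "sg-NEW"]
    security_groups = ["sg-OLD", "sg-NEW"]
  }
}

# Alternative: the group carries no inline rules, and each rule is its own
# aws_security_group_rule resource. Allowing an additional source is then a
# new rule resource being created rather than the existing rule being edited.
resource "aws_security_group" "app_separate" {
  name   = "app-sg-separate"
  vpc_id = "vpc-PLACEHOLDER"
}

resource "aws_security_group_rule" "app_https_from_old" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.app_separate.id
  source_security_group_id = "sg-OLD"
}

resource "aws_security_group_rule" "app_https_from_new" {
  type                     = "ingress"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.app_separate.id
  source_security_group_id = "sg-NEW"
}
```

Use one style per group: the Terraform AWS provider documentation states that inline rules and aws_security_group_rule resources must not be combined on the same security group, or the two will fight over the rule set.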