Terraform: InvalidGroupId.Malformed: Invalid id

Author: | 11/11/2016

An infrastructure update with Terraform failed with the following error:

...
Error applying plan:

1 error(s) occurred:

* aws_security_group.api_ec2: Error authorizing security group ingress rules: InvalidGroupId.Malformed: Invalid id: "0" (expecting "sg-...")
	status code: 400, request id: f761e22f-9773-413e-af57-a13632569604
...

We search the log for the modifications of the aws_security_group.api_ec2 resource and pay attention to the security_groups entries:

...
aws_security_group.api_ec2: Modifying...
  egress.#:                                      "6" => "9"
  egress.1163740523.cidr_blocks.#:               "0" => "1"
  egress.1163740523.cidr_blocks.0:               "" => "0.0.0.0/0"
  ...
  egress.2485695960.security_groups.#:           "0" => "0"
  egress.2485695960.self:                        "false" => "false"
  egress.2485695960.to_port:                     "8083" => "8083"
  egress.3464463693.cidr_blocks.#:               "0" => "0"
  egress.3464463693.from_port:                   "" => "587"
  egress.3464463693.prefix_list_ids.#:           "0" => "0"
  egress.3464463693.protocol:                    "" => "tcp"
  egress.3464463693.security_groups.#:           "0" => "1"
  egress.3464463693.security_groups.1080289494:  "" => "0.0.0.0/0"
  egress.3464463693.self:                        "" => "false"
  egress.3464463693.to_port:                     "" => "587"
  egress.516175195.cidr_blocks.#:                "1" => "1"
  egress.516175195.cidr_blocks.0:                "0.0.0.0/0" => "0.0.0.0/0"
  ...
  ingress.3098991785.cidr_blocks.#:              "2" => "2"
  ingress.3098991785.cidr_blocks.0:              "10.4.0.0/24" => "10.4.0.0/24"
  ingress.3098991785.cidr_blocks.1:              "10.4.1.0/24" => "10.4.1.0/24"
  ingress.3098991785.from_port:                  "9999" => "9999"
  ingress.3098991785.protocol:                   "tcp" => "tcp"
  ingress.3098991785.security_groups.#:          "0" => "0"
  ingress.3098991785.self:                       "false" => "false"
  ingress.3098991785.to_port:                    "9999" => "9999"
  ...
  ingress.4120336657.self:                       "false" => "false"
  ingress.4120336657.to_port:                    "8080" => "8080"
...

Here is where the problem comes from: security_groups is being given a CIDR block instead of a Security Group reference (the sg-... ID the API expects):

...
egress.3464463693.security_groups.1080289494:  "" => "0.0.0.0/0"
...

We check the aws_security_group resource template for EC2, and here is the actual mistake:

...
  # Allow SMTP to US-WEST
  egress {
    from_port       = 587
    to_port         = 587
    protocol        = "tcp"
    security_groups = ["0.0.0.0/0"]
  }
...

I copied it from another rule and did not replace security_groups with cidr_blocks.
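A mix-up like this can be caught before `terraform apply` ever reaches the AWS API. The script below is an added example, not code from the original post or from Terraform: it scans HCL text for `security_groups` and `cidr_blocks` lists and flags values that belong in the other attribute. It assumes Terraform 0.x-style `"${...}"` interpolations (skipped, since they resolve at plan time) and uses a constructed sample based on the egress block above.

```python
import ipaddress
import re

# A list-valued attribute inside an HCL rule block, e.g.
#   security_groups = ["sg-0123abcd", "${aws_security_group.api.id}"]
_LIST_ATTR = re.compile(r'^\s*(security_groups|cidr_blocks)\s*=\s*\[([^\]]*)\]', re.M)
# Security group IDs are "sg-" followed by hex digits.
_SG_ID = re.compile(r'^sg-[0-9a-f]+$')
# Terraform 0.x interpolation; its value is only known at plan time.
_INTERP = re.compile(r'^\$\{.*\}$')


def _elements(raw):
    """Split the inside of an HCL list literal into its bare string elements."""
    return [e.strip().strip('"') for e in raw.split(',') if e.strip()]


def lint_sg_rules(hcl):
    """Return (attribute, value, problem) tuples for values the AWS API would
    reject: a non-sg- value in security_groups, or a non-CIDR in cidr_blocks."""
    problems = []
    for match in _LIST_ATTR.finditer(hcl):
        attr, raw = match.group(1), match.group(2)
        for value in _elements(raw):
            if _INTERP.match(value):
                continue  # cannot be checked statically
            if attr == 'security_groups':
                if not _SG_ID.match(value):
                    problems.append((attr, value, 'expected a security group id (sg-...)'))
            else:
                try:
                    ipaddress.ip_network(value, strict=False)
                except ValueError:
                    problems.append((attr, value, 'not a valid CIDR block'))
    return problems


# Constructed sample: the broken SMTP rule from the post plus a correct rule.
SAMPLE_HCL = '''
  # Allow SMTP to US-WEST
  egress {
    from_port       = 587
    to_port         = 587
    protocol        = "tcp"
    security_groups = ["0.0.0.0/0"]
  }
  egress {
    from_port       = 8083
    to_port         = 8083
    protocol        = "tcp"
    cidr_blocks     = ["0.0.0.0/0", "${var.office_cidr}"]
  }
'''

if __name__ == '__main__':
    for attr, value, problem in lint_sg_rules(SAMPLE_HCL):
        print(f'{attr} = "{value}": {problem}')
```

Run against the sample it reports only the SMTP rule, which is exactly the value the API rejected as `InvalidGroupId.Malformed`.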

More about aws_security_group here >>>.