
Error after trying to add AWS security group to whitelist #50

Open
NRaf opened this issue Oct 11, 2018 · 2 comments

Comments


NRaf commented Oct 11, 2018

In trying to set up VPC Peering, I tried to add an AWS security group to the Atlas IP Whitelist. There's no option for a security group in the resource, so I thought to try setting the security group ID as the cidr_block (as shown below). The first whitelist resource (my_ip) was already created and working.

I added the security group to the whitelist as below:

```hcl
# Existing, working entry: a plain /32 CIDR block (address redacted).
resource "mongodbatlas_ip_whitelist" "my_ip" {
  group      = "${mongodbatlas_project.my_proj.id}"
  cidr_block = "101.180.###.###/32"
  comment    = "my home IP"
}

# New entry: an AWS security group ID passed in place of a CIDR block.
resource "mongodbatlas_ip_whitelist" "ecs-securitygroup" {
  group      = "${mongodbatlas_project.my_proj.id}"
  cidr_block = "${aws_security_group.ecs-securitygroup.id}"
  comment    = "ECS Security Group"
}
```

After running the plan, I got the following error:

```text
Error: Error applying plan:

1 error(s) occurred:

* mongodbatlas_ip_whitelist.ecs-securitygroup: 1 error(s) occurred:

* mongodbatlas_ip_whitelist.ecs-securitygroup: Error reading MongoDB Project IP Whitelist sg-<redacted>: MongoDB Atlas: 404 IP Address sg-<redacted> not on Atlas whitelist for group <redacted>.

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.
```

Whenever I run plan or apply I see the same error message (as part of refreshing the state). I've tried to delete the resource block but it still comes up with the error. The weird thing is when I check the IP Whitelist section in Atlas, I can see that it's been created.

Any idea what could be causing the issue and how to resolve it?

@dpiddockcmp
Contributor

Hi @NRaf. I, too, came across this bug when I was writing the website documentation for the provider. I contacted MongoDB Atlas support. They said it's a known issue and there's no timeline/plan to fix it.

The issue is in the fetch-a-single-IP API endpoint (docs here). It throws an error if you try to pull a security group ID. This is annoying, as the adding and fetch-all API endpoints both work correctly. I don't know whether the provider/go-mongodb library could work around the bug?

We're stuck with just IP/CIDR whitelisting in terraform currently.

@NRaf
Author

NRaf commented Oct 11, 2018

Thanks @dpiddockcmp. Yeah, ran into the issue when using the API shortly after raising the bug. Pretty annoying.

Deleting the whitelist entry from the Atlas interface didn't resolve the Terraform issue. I had to delete the resource from the Terraform state file.

With regards to working around the issue in the Terraform module (or the go-mongodb library), could you potentially just make a request to https://cloud.mongodb.com/api/atlas/v1.0/groups/<groupid>/whitelist and then loop through the results looking for the correct entry?

The data for a specific entry in the whitelist seems to match the data returned in whitelist/<ip>, so it should probably work (although it's pretty hacky).

Not sure if delete or update will work on security groups, however. If you can't fetch a security group whitelist entry, I'm assuming that deleting and updating might also fail?
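The workaround NRaf sketches above (list the whole whitelist and filter client-side, instead of calling the single-entry endpoint that 404s for security-group IDs), written out as an added Go example. This is not code from the issue, the Terraform provider or the go-mongodb library. It assumes the v1.0 list response has the shape `{"results": [...], "totalCount": N}` with per-entry fields `awsSecurityGroup`, `cidrBlock`, `ipAddress`, `comment` and `groupId`, and that paging uses `pageNum`/`itemsPerPage` query parameters; the group ID, security group ID and addresses are constructed sample values, and Atlas API authentication is left out. A small `httptest` server stands in for Atlas so the block runs offline and also reproduces the 404 on the single-entry endpoint.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// WhitelistEntry holds one project whitelist entry (field names assumed from the v1.0 API docs).
type WhitelistEntry struct {
	AWSSecurityGroup string `json:"awsSecurityGroup,omitempty"`
	CIDRBlock        string `json:"cidrBlock,omitempty"`
	IPAddress        string `json:"ipAddress,omitempty"`
	Comment          string `json:"comment,omitempty"`
	GroupID          string `json:"groupId"`
}

// whitelistPage is the assumed shape of one page of the list response.
type whitelistPage struct {
	Results    []WhitelistEntry `json:"results"`
	TotalCount int              `json:"totalCount"`
}

var ErrNotFound = errors.New("whitelist entry not found")

// matchEntry returns the entry whose security group, CIDR block or IP address equals target.
func matchEntry(entries []WhitelistEntry, target string) (WhitelistEntry, bool) {
	for _, e := range entries {
		if e.AWSSecurityGroup == target || e.CIDRBlock == target || e.IPAddress == target {
			return e, true
		}
	}
	return WhitelistEntry{}, false
}

// findWhitelistEntry walks GET {baseURL}/groups/{groupID}/whitelist page by page and
// filters locally, so it never calls the single-entry endpoint that fails for sg-* IDs.
func findWhitelistEntry(client *http.Client, baseURL, groupID, target string) (WhitelistEntry, error) {
	const perPage = 100
	seen := 0
	for page := 1; ; page++ {
		url := fmt.Sprintf("%s/groups/%s/whitelist?pageNum=%d&itemsPerPage=%d", baseURL, groupID, page, perPage)
		resp, err := client.Get(url)
		if err != nil {
			return WhitelistEntry{}, err
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return WhitelistEntry{}, fmt.Errorf("atlas returned HTTP %d for page %d", resp.StatusCode, page)
		}
		var body whitelistPage
		err = json.NewDecoder(resp.Body).Decode(&body)
		resp.Body.Close()
		if err != nil {
			return WhitelistEntry{}, err
		}
		if e, ok := matchEntry(body.Results, target); ok {
			return e, nil
		}
		seen += len(body.Results)
		// Stop once every entry has been inspected, or if the server stops returning results.
		if len(body.Results) == 0 || seen >= body.TotalCount {
			return WhitelistEntry{}, ErrNotFound
		}
	}
}

// sampleWhitelist is constructed test data, not a real Atlas response.
var sampleWhitelist = []WhitelistEntry{
	{CIDRBlock: "203.0.113.7/32", IPAddress: "203.0.113.7", Comment: "my home IP", GroupID: "5bbf0000example"},
	{AWSSecurityGroup: "sg-0123456789abcdef0", Comment: "ECS Security Group", GroupID: "5bbf0000example"},
	{CIDRBlock: "198.51.100.0/24", Comment: "office", GroupID: "5bbf0000example"},
}

// newFakeAtlas serves sampleWhitelist with paging capped at pageCap items, and answers the
// single-entry endpoint with the same 404 the issue reports for security-group IDs.
func newFakeAtlas(pageCap int) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/groups/5bbf0000example/whitelist", func(w http.ResponseWriter, r *http.Request) {
		page, _ := strconv.Atoi(r.URL.Query().Get("pageNum"))
		per, _ := strconv.Atoi(r.URL.Query().Get("itemsPerPage"))
		if page < 1 {
			page = 1
		}
		if per < 1 || per > pageCap {
			per = pageCap
		}
		start, end := (page-1)*per, page*per
		if start > len(sampleWhitelist) {
			start = len(sampleWhitelist)
		}
		if end > len(sampleWhitelist) {
			end = len(sampleWhitelist)
		}
		json.NewEncoder(w).Encode(whitelistPage{Results: sampleWhitelist[start:end], TotalCount: len(sampleWhitelist)})
	})
	mux.HandleFunc("/groups/5bbf0000example/whitelist/", func(w http.ResponseWriter, r *http.Request) {
		http.Error(w, `{"detail":"IP Address not on Atlas whitelist"}`, http.StatusNotFound)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newFakeAtlas(100)
	defer srv.Close()
	entry, err := findWhitelistEntry(srv.Client(), srv.URL, "5bbf0000example", "sg-0123456789abcdef0")
	if err != nil {
		fmt.Println("lookup failed:", err)
		return
	}
	fmt.Printf("found %s (%s) via the list endpoint\n", entry.AWSSecurityGroup, entry.Comment)
}
```

Against a real deployment `baseURL` would be `https://cloud.mongodb.com/api/atlas/v1.0` with an authenticated client; matching on all three identifier fields means the same lookup serves CIDR, single-IP and security-group entries. As NRaf notes, this only fixes the read path: whether update and delete behave for security-group entries still has to be checked separately.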
