
Terraform wants to change description even if it's not needed #2141

Closed
hashibot opened this issue Nov 1, 2017 · 5 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments


hashibot commented Nov 1, 2017

This issue was originally opened by @jensskott as hashicorp/terraform#16518. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.10.8
provider "aws" (1.2.0)

Terraform Configuration Files

resource "aws_security_group_rule" "allow_self_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"
  self      = true

  description       = "Access from within this SG"
  security_group_id = "${aws_security_group.instance_sg.id}"
}

# full access from the elb
resource "aws_security_group_rule" "allow_elb_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description              = "Access from ELBs"
  security_group_id        = "${aws_security_group.instance_sg.id}"
  source_security_group_id = "${aws_security_group.elb_sg.id}"
}

# access from office
resource "aws_security_group_rule" "allow_office_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description       = "Access from office public network"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.admin_cidr_ingress}"]
}

resource "aws_security_group_rule" "allow_office_local_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description       = "Access from office localnet"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.office_cidr}"]
}

resource "aws_security_group_rule" "allow_office_vpn_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description       = "Access from office VPN net"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.office_vpn_cidr}"]
}

# allow all outbound internet access
resource "aws_security_group_rule" "allow_outbound_tcp" {
  type      = "egress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description       = "Any destination"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["0.0.0.0/0"]
}

# full access from the sg itself
resource "aws_security_group_rule" "allow_self_ucp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"
  self      = true

  description       = "Access from within this SG"
  security_group_id = "${aws_security_group.instance_sg.id}"
}

# full access from the elb
resource "aws_security_group_rule" "allow_elb_udp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description              = "Access from ELBs"
  security_group_id        = "${aws_security_group.instance_sg.id}"
  source_security_group_id = "${aws_security_group.elb_sg.id}"
}

# access from office
resource "aws_security_group_rule" "allow_office_udp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description       = "Access from office public network"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.admin_cidr_ingress}"]
}

resource "aws_security_group_rule" "allow_office_local_udp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description       = "Access from office localnet"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.office_cidr}"]
}

resource "aws_security_group_rule" "allow_office_vpn_udp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description       = "Access from office VPN net"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.office_vpn_cidr}"]
}

# allow all outbound internet access
resource "aws_security_group_rule" "allow_outbound_udp" {
  type      = "egress"
  from_port = 0
  to_port   = 0
  protocol  = "udp"

  description       = "Any destination"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["0.0.0.0/0"]
}

Expected Behavior

No changes. Infrastructure is up-to-date.

Actual Behavior

Apply

module.ecs.module.network.aws_security_group_rule.allow_office_udp: Modifying... (ID: sgrule-876667411)
  description: "Access from within this SG" => "Access from office public network"
module.ecs.module.network.aws_security_group_rule.allow_office_vpn_udp: Modifying... (ID: sgrule-551534353)
  description: "Access from within this SG" => "Access from office VPN net"
module.ecs.module.network.aws_security_group_rule.allow_office_local_tcp: Modifying... (ID: sgrule-3638646769)
  description: "Access from within this SG" => "Access from office localnet"
module.ecs.module.network.aws_security_group_rule.allow_office_tcp: Modifying... (ID: sgrule-2182054516)
  description: "Access from within this SG" => "Access from office public network"
module.ecs.module.network.aws_security_group_rule.allow_office_vpn_tcp: Modifying... (ID: sgrule-160621870)
  description: "Access from within this SG" => "Access from office VPN net"
module.ecs.module.network.aws_security_group_rule.allow_elb_udp: Modifying... (ID: sgrule-1681102072)
  description: "Access from within this SG" => "Access from ELBs"
module.ecs.module.network.aws_security_group_rule.allow_office_local_udp: Modifying... (ID: sgrule-1856911254)
  description: "Access from within this SG" => "Access from office localnet"
module.ecs.module.network.aws_security_group_rule.allow_elb_tcp: Modifying... (ID: sgrule-4037030785)
  description: "Access from within this SG" => "Access from ELBs"

Plan

Terraform will perform the following actions:

  ~ module.ecs.module.network.aws_security_group_rule.allow_elb_tcp
      description: "Access from within this SG" => "Access from ELBs"

  ~ module.ecs.module.network.aws_security_group_rule.allow_elb_udp
      description: "Access from within this SG" => "Access from ELBs"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_local_tcp
      description: "Access from within this SG" => "Access from office localnet"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_local_udp
      description: "Access from within this SG" => "Access from office localnet"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_tcp
      description: "Access from within this SG" => "Access from office public network"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_udp
      description: "Access from within this SG" => "Access from office public network"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_vpn_tcp
      description: "Access from within this SG" => "Access from office VPN net"

  ~ module.ecs.module.network.aws_security_group_rule.allow_office_vpn_udp
      description: "Access from within this SG" => "Access from office VPN net"

Steps to Reproduce

  1. terraform init
  2. terraform apply
  3. terraform plan

Am I missing something here, or is this expected behavior from terraform in this case?

@hashibot hashibot added the bug Addresses a defect in current functionality. label Nov 1, 2017

nocode99 commented Nov 1, 2017

Running into this problem on aws provider 1.1.0 and 1.2.0. Workaround for now is to add an ignore_changes lifecycle on the description.
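The workaround from the comment above, written out as an added example (this is not code from the issue or from the provider). It applies the lifecycle block to one of the rules from the original report and assumes the Terraform 0.11 syntax current at the time, where ignore_changes takes a list of quoted attribute names:

```hcl
# Added example: ignore_changes workaround for the spurious description diff.
# Terraform 0.11 / aws provider 1.x syntax, as used in this issue.
resource "aws_security_group_rule" "allow_office_tcp" {
  type      = "ingress"
  from_port = 0
  to_port   = 0
  protocol  = "tcp"

  description       = "Access from office public network"
  security_group_id = "${aws_security_group.instance_sg.id}"
  cidr_blocks       = ["${var.admin_cidr_ingress}"]

  lifecycle {
    # Only the description is ignored. cidr_blocks, from_port, to_port and
    # protocol are what actually grant access, and they stay under
    # Terraform's control, so a rule widened outside Terraform (for example
    # a CIDR changed in the console) is still reported as a diff by plan.
    ignore_changes = ["description"]
  }
}
```

Keep the ignore list to "description" only; ignoring the whole resource or the cidr_blocks attribute would hide real drift in the permissions the rule grants. Once running a provider version that contains the fix referenced later in this thread (#1959), drop the lifecycle block again so descriptions are managed as intended.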

Contributor

trung commented Nov 28, 2017

It seems #1959 has fixed this.

@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 28, 2018
@brandonstevens
Contributor

I think @trung is correct. I'm also not able to reproduce this on 1.24.0.

Contributor

bflad commented Jun 22, 2018

There have been a few improvements to the rule gathering and description handling with security group rules. If you are still having issues on the latest version of Terraform and the AWS provider (0.11.7 and 1.24.0 as of this writing), please open a new issue with all the details of the issue template and we'll investigate further. Thanks!

@bflad bflad closed this as completed Jun 22, 2018

ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 5, 2020