
aws_security_group module : can't use multiple ingress blobs with same ports/protocols #3204

Closed
neodem opened this issue Jan 30, 2018 · 1 comment · Fixed by #4416
Labels: bug (Addresses a defect in current functionality), service/ec2 (Issues and PRs that pertain to the ec2 service)

Comments

neodem commented Jan 30, 2018

Terraform Version

Terraform v0.11.2

  • provider.aws v1.8.0

Affected Resource(s)

  • aws_security_group

While it's possible to have multiple ingress blobs in a sec group resource that have duplicate from_port, to_port and protocol fields, TF has trouble processing when you try to apply multiple times. The first time is great and it creates the security group perfectly, but in subsequent plan/apply cycles, it determines that there has been a change and tries to update the security group.

The issue, I believe, is that only those 3 fields are required, so I'm assuming that some key/hash is being created from those 3 fields. So if you have other discriminating fields like cidr_blocks or description, they aren't considered when TF is checking for idempotency.

This makes creating complex security groups difficult since you need to collect all cidr_blocks together for each port pair and you can't add descriptions to different blocks.
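
The following is an added example, not code from the issue or from the AWS provider. It models the reporter's hypothesis above: if a rule's identity inside the set is derived from `from_port`, `to_port` and `protocol` only, two ingress blocks for the same port pair land in the same identity bucket, and whether the plan is clean then depends on the order in which the rules come back from the API. The `IngressRule`, `ports_only_identity`, `full_identity` and `diff_rules` names, and the sample CIDRs and descriptions, are constructed for the illustration; the exact hashing in provider v1.8.0 is not reproduced here.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Hashable


@dataclass(frozen=True)
class IngressRule:
    from_port: int
    to_port: int
    protocol: str
    cidr_blocks: tuple  # tuple rather than list so the rule stays hashable
    description: str = ""


def ports_only_identity(rule: IngressRule) -> Hashable:
    # Hypothesized identity: only the three required fields take part.
    return (rule.from_port, rule.to_port, rule.protocol)


def full_identity(rule: IngressRule) -> Hashable:
    # Identity over every field, so two blocks that differ only in
    # cidr_blocks or description are distinct set members.
    return (
        rule.from_port,
        rule.to_port,
        rule.protocol,
        tuple(sorted(rule.cidr_blocks)),
        rule.description,
    )


def diff_rules(configured, actual, identity: Callable[[IngressRule], Hashable]):
    """Return the changes a plan would report between configured and actual rules.

    Rules are grouped by identity. Inside a group they are compared in the
    order supplied (an API does not guarantee rule order), so a group with
    more than one member can pair the wrong rules and report a phantom update.
    """

    def group(rules):
        buckets = defaultdict(list)
        for rule in rules:
            buckets[identity(rule)].append(rule)
        return buckets

    want, have = group(configured), group(actual)
    changes = []
    for key in set(want) | set(have):
        w, h = want.get(key, []), have.get(key, [])
        for cfg, act in zip(w, h):
            if cfg != act:
                changes.append(("update", cfg, act))
        for cfg in w[len(h):]:
            changes.append(("create", cfg, None))
        for act in h[len(w):]:
            changes.append(("revoke", None, act))
    return changes


# Constructed sample: two ingress blocks for TCP/22 that differ only in
# CIDR and description, exactly the shape the issue describes.
CONFIGURED = [
    IngressRule(22, 22, "tcp", ("10.0.0.0/8",), "office"),
    IngressRule(22, 22, "tcp", ("192.168.0.0/16",), "vpn"),
]
# Constructed: the same two rules as the API might return them, reordered.
ACTUAL = list(reversed(CONFIGURED))


def spurious_diff():
    """Ports-only identity: both rules share one bucket and get cross-paired."""
    return diff_rules(CONFIGURED, ACTUAL, ports_only_identity)


def fixed_diff():
    """Full identity: each rule is its own bucket, order no longer matters."""
    return diff_rules(CONFIGURED, ACTUAL, full_identity)


def workaround_diff():
    """Reporter's workaround: one block per port pair with all CIDRs merged
    (which is why per-block descriptions are lost)."""
    merged = [IngressRule(22, 22, "tcp", ("10.0.0.0/8", "192.168.0.0/16"))]
    return diff_rules(merged, list(merged), ports_only_identity)


if __name__ == "__main__":
    print("ports-only identity:", len(spurious_diff()), "change(s)")
    print("full identity:", len(fixed_diff()), "change(s)")
    print("merged workaround:", len(workaround_diff()), "change(s)")
```

Under the ports-only identity the two rules are cross-paired and the plan reports two updates on every run even though nothing differs in AWS; under the full identity, or with the merged-CIDR workaround, the plan is empty.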

@radeksimko radeksimko added service/ec2 Issues and PRs that pertain to the ec2 service. bug Addresses a defect in current functionality. labels Jan 31, 2018
@bflad bflad added this to the v1.19.0 milestone May 10, 2018
bflad (Contributor) commented May 10, 2018

Hi folks 👋 Sorry this has been a longstanding issue with the AWS provider. The fix for this should be contained in #4416 which will be released with v1.19.0 of the AWS provider, likely middle of next week.

Shout outs to @loivis (and @svanharmelen who submitted an earlier, likely correct PR, which I admittedly should have reviewed and merged sooner: #3628)

Given there were so many various issues surrounding this bug, I will be locking this issue (amongst all the others) to encourage any lingering issues/discussion to be fully described in new issue(s) for consolidation. Thanks for your understanding.

@hashicorp hashicorp locked as resolved and limited conversation to collaborators May 10, 2018