issues with aws_security_group and multiple ingress blocks #3346

Closed
jyoungs opened this issue Feb 12, 2018 · 1 comment · Fixed by #4416
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

jyoungs commented Feb 12, 2018

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_security_group

Terraform Configuration Files

resource "aws_security_group" "issue" {
    name        = "terraform issue"
    description = "ECS ALB access"
    vpc_id      = "${var.aws_vpc_id}"

    ingress {
        from_port   = 80
        to_port     = 80
        protocol    = "tcp"
        description = "WORK"
        cidr_blocks = ["8.8.8.8/32"]
    }

    ingress {
        from_port   = 80
        to_port     = 80
        protocol    = "tcp"
        description = "HOME"
        cidr_blocks = ["9.8.7.6/32"]
    }

    egress {
        from_port   = 0
        to_port     = 0
        protocol    = "-1"
        cidr_blocks = ["0.0.0.0/0"]
    }
}


# resource "aws_security_group_rule" "ingress_work" {
#   type            = "ingress"
#   from_port       = 80
#   to_port         = 80
#   protocol        = "tcp"
#   cidr_blocks     = ["8.8.8.8/32"]
#   security_group_id = "${aws_security_group.issue.id}"
#   description = "WORK"
# }
# 
# resource "aws_security_group_rule" "ingress_home" {
#   type            = "ingress"
#   from_port       = 80
#   to_port         = 80
#   protocol        = "tcp"
#   cidr_blocks     = ["9.8.7.6/32"]
#   security_group_id = "${aws_security_group.issue.id}"
#   description = "HOME"
# }

Expected Behavior

This should idempotently create a security group with 2 rules ONCE, then consider it unchanged

Actual Behavior

It tries to update the rules every time, and fails (perhaps trying to add a conflicting rule before removing? not totally sure.)

Steps to Reproduce

Run the above config (multiple times); the only variable is a VPC ID.

Important Factoids

Having separate ingress blocks is how you would define different descriptions, so that's why I don't just have multiple CIDRs defined in the single rule.

The separate aws_security_group_rule config commented at the bottom is a workaround that seems to work.
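To make the reporter's symptom concrete, here is an added, illustrative drift check (not provider code, and not a claim about the provider's exact logic). The desired rules mirror the two ingress blocks above; the "remote" structure is constructed to follow the shape EC2 DescribeSecurityGroups returns (one IpPermission per protocol/port range, with a per-CIDR IpRanges list). It compares an exact per-CIDR read-back against a lossy one that keeps only one description per permission, which is the kind of grouping that makes two blocks differing only by description look like a permanent change.

```python
# Added example: models why two ingress blocks that share protocol/ports but
# differ by description can produce a never-converging plan. Not provider code.

# Mirrors the two ingress blocks from the issue's configuration.
DESIRED_INGRESS = [
    {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "8.8.8.8/32", "description": "WORK"},
    {"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "9.8.7.6/32", "description": "HOME"},
]

# Constructed sample in the DescribeSecurityGroups IpPermissions shape: AWS
# stores both CIDRs under a single tcp/80 permission, each with its own description.
REMOTE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "8.8.8.8/32", "Description": "WORK"},
                  {"CidrIp": "9.8.7.6/32", "Description": "HOME"}]},
]

def flatten_desired(rules):
    """One (proto, from, to, cidr, description) tuple per configured block."""
    return {(r["protocol"], r["from_port"], r["to_port"], r["cidr"], r["description"])
            for r in rules}

def flatten_remote(perms):
    """Exact read-back: expand IpRanges so every CIDR keeps its own description."""
    out = set()
    for p in perms:
        for ip in p.get("IpRanges", []):
            out.add((p["IpProtocol"], p.get("FromPort"), p.get("ToPort"),
                     ip["CidrIp"], ip.get("Description", "")))
    return out

def lossy_remote(perms):
    """Lossy read-back: one description per permission, applied to all its CIDRs."""
    out = set()
    for p in perms:
        ranges = p.get("IpRanges", [])
        desc = ranges[0].get("Description", "") if ranges else ""
        for ip in ranges:
            out.add((p["IpProtocol"], p.get("FromPort"), p.get("ToPort"), ip["CidrIp"], desc))
    return out

def plan(desired, remote):
    """Return (to_authorize, to_revoke); both empty means the config is idempotent.
    A non-empty pair that differs only by description on the same CIDR/port is
    consistent with the 'conflicting rule' the reporter suspected: the CIDR is
    already authorized, so re-adding it is a duplicate rather than a new rule."""
    return sorted(desired - remote), sorted(remote - desired)

if __name__ == "__main__":
    d = flatten_desired(DESIRED_INGRESS)
    print("exact read-back:", plan(d, flatten_remote(REMOTE_PERMISSIONS)))
    print("lossy read-back:", plan(d, lossy_remote(REMOTE_PERMISSIONS)))
```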

@jyoungs jyoungs changed the title from "Idempotent" to "Idempotency issues with aws_security_group having multiple ingress blocks" on Feb 12, 2018
@jyoungs jyoungs changed the title from "Idempotency issues with aws_security_group having multiple ingress blocks" to "issues with aws_security_group and multiple ingress blocks" on Feb 12, 2018
@bflad bflad added bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. labels Feb 13, 2018
@bflad bflad added this to the v1.19.0 milestone May 10, 2018
bflad (Contributor) commented May 10, 2018

Hi folks 👋 Sorry this has been a longstanding issue with the AWS provider. The fix for this should be contained in #4416 which will be released with v1.19.0 of the AWS provider, likely middle of next week.

Shout outs to @loivis (and @svanharmelen who submitted an earlier, likely correct PR, which I admittedly should have reviewed and merged sooner: #3628)

Given there were so many various issues surrounding this bug, I will be locking this issue (amongst all the others) to encourage any lingering issues/discussion to be fully described in new issue(s) for consolidation. Thanks for your understanding.

@hashicorp hashicorp locked as resolved and limited conversation to collaborators May 10, 2018