
aws_security_group_rule requires replacement when ordering of cidr_blocks argument changes #19082

Open
Gowiem opened this issue Apr 23, 2021 · 2 comments
Labels
service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@Gowiem

Gowiem commented Apr 23, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.13.3

Provider version is 3.37.0

Affected Resource(s)

  • aws_security_group_rule

Terraform Configuration Files

Using https://github.com/cloudposse/terraform-aws-elasticsearch

resource "aws_security_group_rule" "ingress_cidr_blocks" {
  count             = module.this.enabled && var.vpc_enabled && length(var.allowed_cidr_blocks) > 0 ? 1 : 0
  description       = "Allow inbound traffic from CIDR blocks"
  type              = "ingress"
  from_port         = var.ingress_port_range_start
  to_port           = var.ingress_port_range_end
  protocol          = "tcp"
  cidr_blocks       = var.allowed_cidr_blocks
  security_group_id = join("", aws_security_group.default.*.id)
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

When the ordering of var.allowed_cidr_blocks changes, then the security group rule should not be rebuilt.

Actual Behavior

When the ordering of var.allowed_cidr_blocks changes, the security group rule is replaced:

  # module.elasticsearch_logs[0].aws_security_group_rule.ingress_cidr_blocks[0] must be replaced
-/+ resource "aws_security_group_rule" "ingress_cidr_blocks" {
  ~ cidr_blocks              = [ # forces replacement
        "10.10.5.0/26",
      - "10.10.5.64/26",
        "10.10.5.128/26",
      + "10.10.5.64/26",
    ]
    description              = "Allow inbound traffic from CIDR blocks"
    from_port                = 0
  ~ id                       = "sgrule-REDACTED" -> (known after apply)
  - ipv6_cidr_blocks         = [] -> null
  - prefix_list_ids          = [] -> null
    protocol                 = "tcp"
    security_group_id        = "sg-REDACTED"
    self                     = false
  + source_security_group_id = (known after apply)
    to_port                  = 65535
    type                     = "ingress"
}

Steps to Reproduce

  1. Create an aws_security_group and associated aws_security_group_rule
  2. Provide a list of 3 CIDR blocks to the cidr_blocks argument.
  3. terraform apply
  4. Change the ordering of the cidr blocks via sort
  5. terraform plan
  6. Resource is changed.

Important Factoids

N/A

References

  • N/A
@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Apr 23, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Apr 23, 2021
@gdavison gdavison removed the needs-triage Waiting for first response or review from a maintainer. label Apr 27, 2021
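The replacement in the plan above follows from cidr_blocks being an ordered list in the provider schema: any difference in element order, or any single addition or removal, is a diff on the whole attribute, and that attribute forces replacement. The configuration below is an added example, not code from the issue or from the cloudposse module, showing the list form with its order canonicalised next to a per-CIDR form that is order-independent. It assumes a variable named allowed_cidr_blocks and a single (non-counted) aws_security_group.default; those names, and the port 443, are illustrative.

```hcl
# Added example; names and values are constructed for illustration.
variable "allowed_cidr_blocks" {
  type = list(string)
  # Constructed sample input, using the three blocks from the plan above.
  default = ["10.10.5.0/26", "10.10.5.64/26", "10.10.5.128/26"]
}

# Variant A: a single rule holding the whole list. sort() makes the
# order canonical, so reordering the input no longer produces a diff.
# Adding or removing one CIDR still diffs the whole list and therefore
# still destroys and recreates the rule (dropping access for every
# other block while it happens).
resource "aws_security_group_rule" "ingress_cidr_blocks_list" {
  description       = "Allow inbound traffic from CIDR blocks"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = sort(var.allowed_cidr_blocks)
  security_group_id = aws_security_group.default.id
}

# Variant B: one rule per CIDR, keyed by the CIDR string via for_each
# over a set. Set membership has no order, so reordering is a no-op,
# and adding or removing a block creates or destroys only that one
# rule; the remaining rules are untouched.
resource "aws_security_group_rule" "ingress_cidr_block" {
  for_each = toset(var.allowed_cidr_blocks)

  description       = "Allow inbound traffic from ${each.key}"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [each.value]
  security_group_id = aws_security_group.default.id
}
```

Only one of the two variants should exist in a real module: both create identical permissions on the same group, and AWS rejects the second with InvalidPermission.Duplicate. Moving an existing deployment from the list form to the per-CIDR form changes the resource addresses, so plan the move (or use terraform state mv) before applying it.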
@project-administrator

Moreover I'd say that it would fail to replace the resource with an error like

 Error: InvalidPermission.Duplicate: the specified rule "peer: 10.0.0.0/21, TCP, from port: 2182, to port: 2182, ALLOW" already exists
│ 	status code: 400, request id: ********-****-****-****-************

Also, it's a problem if you try to change anything in the cidr_block (like add one more entry or modify any existing entry). This basically breaks terraform's ability to apply any changes after the rule has already been created.

@project-administrator

Same issue as #14966
