Importing aws_security_group creates aws_security_group_rule's #6652

Closed
u2mejc opened this issue Nov 30, 2018 · 6 comments · Fixed by #12616
u2mejc (Contributor) commented Nov 30, 2018

Terraform Version

$ terraform version
Terraform v0.11.10
+ provider.aws v1.39.0

Affected Resource(s)

  • aws_security_group

Expected Behavior

When importing aws_security_group resources, I would expect only the aws_security_group resource to be added to the state file.

Actual Behavior

Instead of creating rules inside an aws_security_group, the unexpected state of aws_security_group_rules is added to state after an import, needing to state rm potentially hundreds of resources from state to clean up.

Example:

$ terraform import aws_security_group.foobar sg-12kjhkjkj
aws_security_group.foobar: Importing from ID "sg-12kjhkjkj"...
aws_security_group.foobar: Import complete!
  Imported aws_security_group (ID: sg-12kjhkjkj)
  Imported aws_security_group_rule (ID: sgrule-4016805459)
  Imported aws_security_group_rule (ID: sgrule-3107266339)
  Imported aws_security_group_rule (ID: sgrule-1861818077)
  Imported aws_security_group_rule (ID: sgrule-1999111377)
  Imported aws_security_group_rule (ID: sgrule-3783187589)
  Imported aws_security_group_rule (ID: sgrule-2896515610)
  Imported aws_security_group_rule (ID: sgrule-1797687703)
  Imported aws_security_group_rule (ID: sgrule-3822760003)
  Imported aws_security_group_rule (ID: sgrule-3549229588)

bflad added this to the v2.0.0 milestone Nov 30, 2018
bflad added the service/ec2 label Nov 30, 2018

u2mejc (Contributor, Author) commented Dec 7, 2018

For anyone who stumbled across this issue, here is your quick and dirty way to fix your state:

for i in $(terraform show | grep aws_security_group_rule | sed  's/://'); do echo "terraform state rm $i"; done > /tmp/rm-me.sh

You can then execute /tmp/rm-me.sh, after sanity checking the contents. For fun, count how many resources were erroneously created:

$ wc -l < /tmp/rm-me.sh
     441

😮

u2mejc (Contributor, Author) commented Dec 11, 2018

Additionally, DB may not be locking (or respecting locks):

1 items removed.
Error saving the state: Atlas detected a remote state conflict.

Message: {"errors":["The MD5 hash of the state provided does not match what is currently\nknown for the same serial number"],"success":false}

The state was not saved. No items were removed from the persisted
state. No backup was created since no modification occurred. Please
resolve the issue above and try again.

Since this feature doesn't appear to support --target to specify more than one at a time, each execution takes ~3 secs, or 20+ mins to delete over 400 errant entries.

bflad added the breaking-change label Feb 27, 2019
bflad modified the milestones: v2.0.0, v3.0.0 Feb 27, 2019

joaquinclearmetal commented Jun 6, 2019

I am reproducing this issue with Terraform v0.12.1 + provider.aws v2.13.0.

When I want to do a terraform plan, it potentially wants to delete the resources, as there's a mismatch between the state and tf declaration.

terraform import aws_security_group.sg-ops_salt sg-xxxxxxxx
terraform state list
aws_security_group.sg-ops_salt
aws_security_group_rule.sg-ops_salt
aws_security_group_rule.sg-ops_salt-1

WORKAROUND: After doing an import I have to run this: terraform state list | grep aws_security_group_rule | xargs terraform state rm
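
A narrower variant of the workarounds in this thread, as an added example that is not part of any comment above or of the provider's code: it selects only the rule entries the import created for one security group, so `aws_security_group_rule` resources that are managed on purpose stay in state, and it prints a single batched `terraform state rm` for review. The `<name>`, `<name>-1` naming is assumed from the `terraform state list` output quoted above; the function names and the sample state are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumption, taken from the
# `terraform state list` output quoted in this thread: an import of
# aws_security_group.<name> also creates aws_security_group_rule.<name>,
# aws_security_group_rule.<name>-1, aws_security_group_rule.<name>-2, ...

# errant_rule_addresses NAME: reads `terraform state list` output on stdin and
# prints only the root-module rule addresses that follow that naming.
errant_rule_addresses() {
    name=$1
    # Resource names are letters, digits, '_' and '-'. Reject anything else so
    # the name can be embedded in the regular expression below unescaped.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid resource name: $name" >&2; return 2 ;;
    esac
    # Anchored on both ends: a rule called <name>_extra or a rule inside a
    # module does not match. No match is not an error here.
    grep -E "^aws_security_group_rule\.${name}(-[0-9]+)?\$" || true
}

# state_rm_command NAME: prints one batched command for review (dry run only).
state_rm_command() {
    addrs=$(errant_rule_addresses "$1") || return
    [ -n "$addrs" ] || { echo "no imported rule entries for $1" >&2; return 1; }
    # One invocation with every address means one state write, not one per rule.
    # $addrs is left unquoted on purpose: the filter above only lets through
    # addresses without spaces or glob characters.
    printf 'terraform state rm'
    printf ' %s' $addrs
    printf '\n'
}

# Constructed sample of `terraform state list` output (not from a real state).
SAMPLE_STATE='aws_security_group.sg-ops_salt
aws_security_group_rule.sg-ops_salt
aws_security_group_rule.sg-ops_salt-1
aws_security_group_rule.sg-ops_salt_extra
aws_security_group_rule.allow_ssh
module.vpc.aws_security_group_rule.sg-ops_salt'

# Against a real workspace:
#   terraform state list | state_rm_command sg-ops_salt
```

A rule resource that was deliberately named `<name>-<digits>` cannot be told apart from an imported one by address alone, so read the printed command before running it.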

bflad (Contributor) commented May 28, 2020

Please note that we plan on addressing this for the 3.0.0 release of the Terraform AWS Provider, likely in a few weeks.

ghost commented Jul 31, 2020

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

ghost commented Aug 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

ghost locked and limited conversation to collaborators Aug 15, 2020