
import aws_security_group creates impossible resources #13827

Closed
pdbogen opened this issue Apr 20, 2017 · 4 comments

@pdbogen

pdbogen commented Apr 20, 2017

Howdy.

In the case where an AWS security group rule exists that includes both the security group itself and a CIDR range, the aws security group import creates a resource that has both a non-empty cidr_blocks and the "self" flag set to true.

However, attempting to apply corresponding terraform resource config produces an error message.

Here's the relevant section of the security group from the AWS API:

      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "PrefixListIds": [],
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "UserIdGroupPairs": [
            {
              "UserId": "012345678901",
              "GroupId": "sg-01234567"
            }
          ],
          "Ipv6Ranges": []
        }
      ],

Note that the (redacted) sg-01234567 is the ID of this security group.

Here's the "state" for this rule generated when terraform import … is run:

id                       = sgrule-0123456789
cidr_blocks.#            = 1
cidr_blocks.0            = 0.0.0.0/0
from_port                = 0
prefix_list_ids.#        = 0
protocol                 = -1
security_group_id        = sg-01234567
self                     = true
source_security_group_id = sg-01234567
to_port                  = 0
type                     = egress

Note how it has both self = true and cidr_blocks.# = 1.

Here's terraform config that matches this rule:

resource "aws_security_group_rule" "slack-default-dev-sg-01234567-7" {
  security_group_id = "${aws_security_group.slack-default-dev-sg-01234567.id}"
  type              = "egress"
  protocol          = "-1"
  from_port         = 0
  to_port           = 0
  cidr_blocks       = ["0.0.0.0/0"]
  self              = true
}

Here's the error from terraform plan attempting to plan/apply this rule:

There are warnings and/or errors related to your configuration. Please
fix these before continuing.

Errors:

  * aws_security_group_rule.slack-default-dev-sg-01234567-7: "self": conflicts with cidr_blocks ([]interface {}{"0.0.0.0/0"})
exit status 1
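The combined rule above cannot be expressed as a single aws_security_group_rule, because Terraform treats cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, source_security_group_id and self as mutually exclusive. The practical way out (other than hand-editing state) is to split each AWS IpPermission into one rule per source kind. The script below is an added example, not code from this issue, from Terraform or from the linked pull request: it takes a DescribeSecurityGroups-style group (a constructed sample mirroring the redacted permission quoted above), flags the conflicting combination the import produced, splits the permission, and renders the result as HCL. The helper names and the generated resource names are the example's own.

```python
import json

# Constructed sample mirroring the redacted egress permission quoted in the
# issue: a single IpPermission that names both a CIDR range and the group itself.
SAMPLE_SG = {
    "GroupId": "sg-01234567",
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {
            "IpProtocol": "-1",
            "PrefixListIds": [],
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "UserIdGroupPairs": [
                {"UserId": "012345678901", "GroupId": "sg-01234567"}
            ],
            "Ipv6Ranges": [],
        }
    ],
}

# Attributes of aws_security_group_rule that identify the other side of a rule.
# Terraform accepts exactly one of them per resource; the imported state in the
# issue sets cidr_blocks, self and source_security_group_id at once.
SOURCE_KEYS = ("cidr_blocks", "ipv6_cidr_blocks", "prefix_list_ids",
               "source_security_group_id", "self")


def conflicting_sources(rule):
    """Return the source attributes a rule sets; more than one means plan fails."""
    return [k for k in SOURCE_KEYS if rule.get(k)]


def is_valid(rule):
    return len(conflicting_sources(rule)) == 1


def split_permission(perm, sg_id, rule_type):
    """Explode one IpPermission into rules that each carry a single source kind."""
    base = {
        "security_group_id": sg_id,
        "type": rule_type,
        "protocol": perm["IpProtocol"],
        # Protocol "-1" (all traffic) has no port fields in the API; Terraform wants 0/0.
        "from_port": perm.get("FromPort", 0),
        "to_port": perm.get("ToPort", 0),
    }
    rules = []
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    if cidrs:
        rules.append(dict(base, cidr_blocks=cidrs))
    cidrs6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    if cidrs6:
        rules.append(dict(base, ipv6_cidr_blocks=cidrs6))
    prefix_lists = [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
    if prefix_lists:
        rules.append(dict(base, prefix_list_ids=prefix_lists))
    for pair in perm.get("UserIdGroupPairs", []):
        if pair["GroupId"] == sg_id:
            rules.append(dict(base, self=True))  # the group references itself
        else:
            rules.append(dict(base, source_security_group_id=pair["GroupId"]))
    return rules


def rules_for_group(sg):
    """All ingress and egress rules for one DescribeSecurityGroups entry, split."""
    rules = []
    for field, rule_type in (("IpPermissions", "ingress"),
                             ("IpPermissionsEgress", "egress")):
        for perm in sg.get(field, []):
            rules.extend(split_permission(perm, sg["GroupId"], rule_type))
    return rules


def _hcl_value(v):
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, int):
        return str(v)
    if isinstance(v, list):
        return "[" + ", ".join(_hcl_value(x) for x in v) + "]"
    return json.dumps(v)  # quoted string; protocol "-1" stays a string as in the issue


def to_hcl(rules, name_prefix):
    """Render split rules as aws_security_group_rule resources (example naming)."""
    blocks = []
    for i, rule in enumerate(rules):
        assert is_valid(rule), conflicting_sources(rule)
        width = max(len(k) for k in rule)
        body = "\n".join(f"  {k.ljust(width)} = {_hcl_value(v)}" for k, v in rule.items())
        blocks.append(
            f'resource "aws_security_group_rule" "{name_prefix}-{rule["type"]}-{i}" {{\n'
            f"{body}\n}}"
        )
    return "\n\n".join(blocks)


if __name__ == "__main__":
    print(to_hcl(rules_for_group(SAMPLE_SG), "slack-default-dev"))
```

Run against the sample, the script emits two egress resources: one carrying cidr_blocks = ["0.0.0.0/0"] and one carrying self = true, which is the shape terraform plan accepts. Feeding the combined imported state through conflicting_sources() is a cheap check to run over any imported rules before attempting an apply.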
@nocode99

nocode99 commented May 3, 2017

This is happening on both 0.8.7 and 0.9.4. This appears to happen when the aws_security_group has a mixture of cidr_blocks and source_security_group_ids. I did not see the behavior if the security group only had source_security_group_ids or just cidr_blocks.

My workaround was manually editing the state file 😞

@rgs1

rgs1 commented May 4, 2017

@nocode99 hmm, this looks like #8827

@meyertime
Contributor

My pull request #14332 will fix this once I change the way security groups are imported to use the new aws_security_group_rules resource.

@ghost

ghost commented Apr 9, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 9, 2020