
Duplicate Security Group Rules in statefile on terraform import of Security Group #13535

Closed
@vchawla3

Description

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

terraform -v
Terraform v0.12.20
+ provider.aws v2.63.0

Affected Resource(s)

  • aws_security_group
  • aws_security_group_rule

Expected Behavior

On terraform import of an existing security group in AWS, we expect the outputted statefile to have the Security Group Rule either...

  • defined as separate resource not inline under the Security Group.
    or
  • defined inline under the Security Group not as separate resource

Actual Behavior

A little background, we have an enterprise tool which scans security groups in aws and outputs corresponding tf code and tf statefile. It is built all around the terraform import command and we build up the tf code using the outputted statefile from the import as reference.

On terraform import of an existing security group in AWS, we see in the outputted statefile that the Security Group rule is defined twice: once inline under the Security Group and once as a separate resource.

An example statefile (with sensitive info redacted) we see is like so with rules defined twice...

{
  "version": 4,
  "terraform_version": "0.12.20",
  "serial": 1,
  "lineage": "5c79302d-3cd1-7963-6f07-4448074f3137",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "aws_security_group",
      "name": "test_nimbus",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 1,
          "attributes": {
            "arn": "arn:aws:ec2:some_region:some_account_id:security-group/redacted_security_group_id",
            "description": "Some Description",
            "egress": [
              {
                "cidr_blocks": [
                  "redacted_ip"
                ],
                "description": "",
                "from_port": 0,
                "ipv6_cidr_blocks": [],
                "prefix_list_ids": [],
                "protocol": "-1",
                "security_groups": [],
                "self": false,
                "to_port": 0
              },
              {
                "cidr_blocks": [],
                "description": "",
                "from_port": 21344,
                "ipv6_cidr_blocks": [],
                "prefix_list_ids": [],
                "protocol": "tcp",
                "security_groups": [
                  "redacted_sg"
                ],
                "self": false,
                "to_port": 21344
              }
            ],
            "id": "redacted_sg_id",
            "ingress": [
              {
                "cidr_blocks": [
                  "redacted_ip_1"
                ],
                "description": "Redacted Description 1",
                "from_port": 21344,
                "ipv6_cidr_blocks": [],
                "prefix_list_ids": [],
                "protocol": "tcp",
                "security_groups": [],
                "self": false,
                "to_port": 21344
              },
              {
                "cidr_blocks": [
                  "redacted_ip_2"
                ],
                "description": "Redacted Description 2",
                "from_port": 21344,
                "ipv6_cidr_blocks": [],
                "prefix_list_ids": [],
                "protocol": "tcp",
                "security_groups": [],
                "self": false,
                "to_port": 21344
              },
              {
                "cidr_blocks": [
                  "redacted_ip_3"
                ],
                "description": "Redacted Description 3",
                "from_port": 21344,
                "ipv6_cidr_blocks": [],
                "prefix_list_ids": [],
                "protocol": "tcp",
                "security_groups": [],
                "self": false,
                "to_port": 21344
              }
            ],
            "name": "SomeSecurityGroupName",
            "name_prefix": null,
            "owner_id": "some_account_id",
            "revoke_rules_on_delete": null,
            "tags": {
              "tfe": "14 MAY 2020"
            },
            "timeouts": {
              "create": null,
              "delete": null
            },
            "vpc_id": "some_vpc_id"
          },
          "private": "REDACTED PRIVATE"
        }
      ]
    },
    {
      "mode": "managed",
      "type": "aws_security_group_rule",
      "name": "test_nimbus",
      "provider": "provider.aws",
      "instances": [
        {
          "schema_version": 2,
          "attributes": {
            "cidr_blocks": [
              "redacted_ip_1",
              "redacted_ip_2",
              "redacted_ip_3"
            ],
            "description": "Redacted Description 1",
            "from_port": 21344,
            "id": "sgrule-XXXXXX",
            "ipv6_cidr_blocks": [],
            "prefix_list_ids": [],
            "protocol": "tcp",
            "security_group_id": "redacted_security_group_id",
            "self": false,
            "source_security_group_id": null,
            "to_port": 21344,
            "type": "ingress"
          },
          "private": "REDACTED PRIVATE"
        }
      ]
    }
  ]
}

From the statefile above we can see the ingress rules defined twice.

As part of the process that builds up the tf code, we do ignore the duplicate inline rules in the statefile and only define the rules as individual aws_security_group_rule resources. However, when we then try to apply changes to the security group rules, terraform attempts to destroy the inline rules not defined in our tf code (but which exist in the statefile from import) and we get the following error...

Error revoking security group sg-XXXXXXXXX rules: InvalidPermission.NotFound: The specified rule does not exist in this security group.

Steps to Reproduce

terraform import aws_security_group.test_nimbus sg-xxxxx

Important Factoids

References
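To catch the double definition this issue describes before generating code from an imported state, here is an added example (not from the issue, the provider or the enterprise tool mentioned above) that parses a Terraform v4 state document and reports every rule that appears both inline on an aws_security_group and as a separate aws_security_group_rule. The embedded state document, its security group id and CIDRs are constructed for the example.

```python
import json
from typing import List, Set, Tuple

# Constructed sample in the v4 state layout quoted in the issue (ids and CIDRs made up):
# the inline 21344/tcp ingress block is also present as a standalone rule resource.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    {"type": "aws_security_group", "name": "test_nimbus", "instances": [{"attributes": {
        "id": "sg-0123456789abcdef0", "egress": [],
        "ingress": [
            {"cidr_blocks": ["10.0.0.0/24"], "from_port": 21344, "to_port": 21344,
             "protocol": "tcp", "security_groups": [], "self": False},
            {"cidr_blocks": ["10.0.1.0/24"], "from_port": 22, "to_port": 22,
             "protocol": "tcp", "security_groups": [], "self": False}]}}]},
    {"type": "aws_security_group_rule", "name": "test_nimbus", "instances": [{"attributes": {
        "type": "ingress", "security_group_id": "sg-0123456789abcdef0",
        "cidr_blocks": ["10.0.0.0/24"], "from_port": 21344, "to_port": 21344,
        "protocol": "tcp", "source_security_group_id": None, "self": False}}]}]})

# One key per (security group id, direction, protocol, from_port, to_port, single source).
RuleKey = Tuple[str, str, str, int, int, str]

def _expand(attrs: dict, sg_id: str, direction: str, peer_sgs: List[str]) -> Set[RuleKey]:
    """Split one rule block into per-source keys so multi-CIDR blocks compare cleanly."""
    sources = list(attrs.get("cidr_blocks") or []) + list(attrs.get("ipv6_cidr_blocks") or [])
    sources += list(attrs.get("prefix_list_ids") or []) + peer_sgs
    if attrs.get("self"):
        sources.append("self")
    return {(sg_id, direction, str(attrs["protocol"]), attrs["from_port"], attrs["to_port"], s)
            for s in sources}

def rule_keys(state: dict) -> Tuple[Set[RuleKey], Set[RuleKey]]:
    """Return (inline, standalone): inline blocks on aws_security_group, standalone rule resources."""
    inline: Set[RuleKey] = set()
    standalone: Set[RuleKey] = set()
    for res in state["resources"]:
        for inst in res["instances"]:
            a = inst["attributes"]
            if res["type"] == "aws_security_group":
                for direction in ("ingress", "egress"):
                    for blk in a.get(direction) or []:
                        inline |= _expand(blk, a["id"], direction, list(blk.get("security_groups") or []))
            elif res["type"] == "aws_security_group_rule":
                peers = [a["source_security_group_id"]] if a.get("source_security_group_id") else []
                standalone |= _expand(a, a["security_group_id"], a["type"], peers)
    return inline, standalone

def find_duplicates(state_json: str) -> List[RuleKey]:
    """Rules defined twice after import: both inline and as a separate resource."""
    inline, standalone = rule_keys(json.loads(state_json))
    return sorted(inline & standalone)
```

Feeding it the output of `terraform state pull` right after the import tells the code generator exactly which inline rules it must not silently drop, since a plan that omits them is what triggers the InvalidPermission.NotFound revoke error quoted above.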

Labels

  • service/ec2 (Issues and PRs that pertain to the ec2 service.)