
Importing an aws_security_group_rule with a source_security_group_id validation #11587

Open
mojo-redox opened this issue Jan 13, 2020 · 1 comment
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@mojo-redox

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.10

  • provider.aws v2.43.0

Affected Resource(s)

  • aws_security_group_rule

Terraform Configuration Files

resource "aws_security_group_rule" "test_ingress" {
  type              = "ingress"
  security_group_id = aws_security_group.test.id

  //source_security_group_id = "sg-11111111"
  cidr_blocks = []
  from_port   = 0
  to_port     = 65535
  protocol    = "tcp"
}

Expected Behavior

We'd expect some sort of validation error or at least a change to the security group rule.

Actual Behavior

terraform plan calculates a no-op

Steps to Reproduce

  1. terraform import a security group that has a source_security_group_id ingress rule.
  2. Write the aws_security_group_rule resource to have cidr_blocks = [], omitting the source_security_group_id.
  3. terraform plan will show a no-op change.

Important Factoids

When I attempted to import an aws_security_group and its associated rules I hit this. The terraform import will grab a security group rule that has a source_security_group_id and place it into the state file as expected. However, upon writing the resource definition for the security group rule I accidentally added a cidr_blocks = [] line to the resource and didn't notice the source_security_group_id that had been correctly imported into state. A terraform plan showed a no-op, so I moved on to other resources for this service being imported.

Upon code review we caught that this rule actually had a source security group and fixed it in the resource definition. We never attempted a terraform apply, so I'm not sure if it would throw any errors at that point.

This seems like something validation should pick up. If I've imported a resource with a source_security_group_id set in the state file I probably shouldn't be able to set cidr_blocks to anything.
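The situation the issue describes, where state carries a source_security_group_id but the configuration only says cidr_blocks = [] and plan reports nothing, can be caught outside Terraform by comparing state against the intended configuration. The following script is an added example, not code from the issue or from the AWS provider. It assumes the state came from `terraform show -json` (the sample document below is constructed, with placeholder addresses and security group IDs) and that the operator's HCL has already been reduced to a dict of the source-related attributes per resource address (HCL parsing is left out).

```python
import json

# Constructed sample of `terraform show -json` output, trimmed to the fields this
# check reads. Addresses and sg- IDs are placeholders, not values from the issue.
STATE_JSON = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [
        {
            "address": "aws_security_group_rule.test_ingress",
            "type": "aws_security_group_rule",
            "values": {
                "type": "ingress",
                "security_group_id": "sg-0000000000000001",
                "source_security_group_id": "sg-0000000000000002",
                "cidr_blocks": None,
                "from_port": 0, "to_port": 65535, "protocol": "tcp",
            },
        },
        {
            "address": "aws_security_group_rule.cidr_ingress",
            "type": "aws_security_group_rule",
            "values": {
                "type": "ingress",
                "security_group_id": "sg-0000000000000001",
                "source_security_group_id": None,
                "cidr_blocks": ["10.0.0.0/8"],
                "from_port": 443, "to_port": 443, "protocol": "tcp",
            },
        },
    ]}},
})

# Constructed stand-in for the operator's HCL, reduced to the source attributes.
# The first entry mirrors the issue: cidr_blocks = [] and no source_security_group_id.
CONFIG = {
    "aws_security_group_rule.test_ingress": {"cidr_blocks": []},
    "aws_security_group_rule.cidr_ingress": {"cidr_blocks": ["10.0.0.0/8"]},
}

# Attributes that identify where a rule's traffic comes from (or goes to).
SOURCE_ATTRS = ("source_security_group_id", "cidr_blocks",
                "ipv6_cidr_blocks", "prefix_list_ids", "self")


def iter_rules(state):
    """Yield (address, values) for each aws_security_group_rule in a
    `terraform show -json` document, descending into child modules."""
    def walk(module):
        for res in module.get("resources", []):
            if res.get("type") == "aws_security_group_rule":
                yield res["address"], res["values"]
        for child in module.get("child_modules", []):
            yield from walk(child)
    yield from walk(state["values"]["root_module"])


def _present(value):
    # Terraform treats null, "", [] and false as "no source given" for these attributes.
    return value not in (None, "", [], False)


def find_silent_source_mismatches(state_json, config):
    """Return [(address, source_attrs_in_state)] for rules whose state records a
    traffic source while the configuration declares none at all. That is the
    combination plan accepts silently, because [] and null diff as equal and the
    omitted attribute is simply kept from state."""
    findings = []
    for address, values in iter_rules(json.loads(state_json)):
        cfg = config.get(address)
        if cfg is None:
            continue  # resource not managed by the config under review
        state_sources = {k for k in SOURCE_ATTRS if _present(values.get(k))}
        config_sources = {k for k in SOURCE_ATTRS if _present(cfg.get(k))}
        if state_sources and not config_sources:
            findings.append((address, sorted(state_sources)))
    return findings


if __name__ == "__main__":
    for address, attrs in find_silent_source_mismatches(STATE_JSON, CONFIG):
        print(f"{address}: state has {attrs} but config declares no source")
```

Run it after `terraform import` and before committing the resource definitions; a non-empty result means a rule's real source lives only in state, which is exactly what the code review in the issue had to catch by hand.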

@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 13, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jan 13, 2020
@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Nov 15, 2021
@ljluestc

variable "source_security_group_id" {
  type    = string
  default = ""
}
variable "cidr_blocks" {
  type    = list(string)
  default = []
}

resource "aws_security_group_rule" "test_ingress" {
  type              = "ingress"
  security_group_id = aws_security_group.test.id

  # Ensure cidr_blocks is empty when source_security_group_id is set.
  # Terraform has no `validation` block inside a resource; the check lives in a
  # lifecycle precondition (Terraform >= 1.2). The condition must be true for a
  # valid configuration, so the conflicting combination is negated.
  lifecycle {
    precondition {
      condition     = !(var.source_security_group_id != "" && length(var.cidr_blocks) > 0)
      error_message = "When source_security_group_id is set, cidr_blocks must be empty."
    }
  }

  # Pass null rather than "" or [] so the provider treats the unused source as unset.
  source_security_group_id = var.source_security_group_id != "" ? var.source_security_group_id : null
  cidr_blocks              = length(var.cidr_blocks) > 0 ? var.cidr_blocks : null
  from_port                = 0
  to_port                  = 65535
  protocol                 = "tcp"
}

Use the validation block within the aws_security_group_rule resource to define custom validation logic.

Check if var.source_security_group_id is not an empty string (indicating it was imported) and if var.cidr_blocks has a length greater than 0. If both conditions are met, it means that source_security_group_id is set but cidr_blocks is not empty, which is not allowed. In such cases, Terraform will raise a validation error.

The error_message attribute provides a custom error message to explain why the validation failed.
