
Duplicate rules in aws_security_group not being identified during plan phase #13370

Open
igoratencompass opened this issue May 17, 2020 · 1 comment
Labels
service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@igoratencompass

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.12.8

Affected Resource(s)

  • aws_security_group

Terraform Configuration Files

resource "aws_security_group" "jumphost" {
  name = "ec2-jumphost"
  ingress {
  }
  ingress {
  }
  ...
  egress {
    from_port   = port
    to_port     = port
    protocol    = "tcp"
    cidr_blocks = [var.cidr]
    description = "Something"
  }
  ...
  egress {
    from_port   = port
    to_port     = port
    protocol    = "tcp"
    cidr_blocks = [var.cidr, var.cidr2]
    description = "Something else"
  }
  ...
}

Debug Output

Expected Behavior

Terraform should discover the duplicate SG rules during the plan phase.

Actual Behavior

This does not happen, causing the apply phase to fail with the error:

Error: Error authorizing security group egress rules: InvalidParameterValue: The same permission must not appear multiple times
	status code: 400, request id: 72ba92a8-7575-4b51-b6ae-1befc93ba9fb

  on modules/bastion/main.tf line 260, in resource "aws_security_group" "jumphost":
 260: resource "aws_security_group" "jumphost" {

Even worse, after fixing the resource and executing the plan phase where I can see the resource scheduled for replacement:

  # module.bastion.aws_security_group.jumphost is tainted, so must be replaced
+/- resource "aws_security_group" "jumphost" {
      ~ arn                    = "arn:aws:ec2:eu-west-2:xxxxxxxxxxxx:security-group/sg-xxxxxxxxxxxx" -> (known after apply)
        description            = "Managed by Terraform"

the apply then fails with the following error:

Error: Error creating Security Group: InvalidGroup.Duplicate: The security group 'ec2-jumphost' already exists for VPC 'vpc-xxxxxxxxxxxx'
	status code: 400, request id: 37b44910-33ba-419e-a4c3-bfd74944056f

  on modules/bastion/main.tf line 260, in resource "aws_security_group" "jumphost":
 260: resource "aws_security_group" "jumphost" {

Steps to Reproduce

  1. terraform plan
  2. terraform apply
  3. remove duplicate egress rule from the aws_security_group resource
  4. terraform plan
  5. terraform apply

Important Factoids

References

  • #0000
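A pre-apply check for the situation described in this issue, added here as an example (it is not code from the issue or from the AWS provider). It reads the JSON form of a saved plan (`terraform plan -out tfplan && terraform show -json tfplan`), expands every `ingress`/`egress` block into the individual permissions EC2 actually stores (one per protocol, port range and source), and reports any permission that appears more than once in the same security group. That is exactly the overlap in the reported configuration, where two egress blocks share `var.cidr` even though their `cidr_blocks` lists and descriptions differ. The embedded plan document is constructed for the example; the resource address, ports and CIDRs in it are made up.

```python
"""Detect duplicate security group rules in a Terraform plan before apply.

Added example, not part of this issue or of the AWS provider. Reads the
output of `terraform show -json tfplan` and flags permissions that the EC2
API would reject with "The same permission must not appear multiple times".
"""
import json
import sys
from collections import Counter

# Constructed sample of `terraform show -json tfplan`, trimmed to the fields
# used here. It mirrors the issue: two egress blocks that overlap on one CIDR.
SAMPLE_PLAN = json.dumps({
    "format_version": "0.1",
    "resource_changes": [{
        "address": "module.bastion.aws_security_group.jumphost",  # hypothetical
        "type": "aws_security_group",
        "change": {
            "actions": ["create"],
            "after": {
                "name": "ec2-jumphost",
                "ingress": [
                    {"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["203.0.113.0/24"], "ipv6_cidr_blocks": [],
                     "prefix_list_ids": [], "security_groups": [], "self": False,
                     "description": "ssh"},
                ],
                "egress": [
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": [],
                     "prefix_list_ids": [], "security_groups": [], "self": False,
                     "description": "Something"},
                    {"from_port": 443, "to_port": 443, "protocol": "tcp",
                     "cidr_blocks": ["10.0.0.0/8", "10.1.0.0/16"], "ipv6_cidr_blocks": [],
                     "prefix_list_ids": [], "security_groups": [], "self": False,
                     "description": "Something else"},
                ],
            },
        },
    }],
})


def load_plan(text):
    """Parse the JSON text produced by `terraform show -json`."""
    return json.loads(text)


def permission_keys(rule):
    """Expand one rule block into the individual permissions EC2 stores.

    EC2 keeps one permission per (protocol, port range, source). A block with
    two cidr_blocks is two permissions, so sharing any single source with
    another block is a duplicate even if descriptions or other CIDRs differ.
    """
    base = (str(rule.get("protocol")).lower(), rule.get("from_port"), rule.get("to_port"))
    for field in ("cidr_blocks", "ipv6_cidr_blocks", "prefix_list_ids", "security_groups"):
        for source in rule.get(field) or []:
            yield base + (field, source)
    if rule.get("self"):
        yield base + ("self", True)


def find_duplicate_rules(plan):
    """Return [(address, direction, permission_key, count), ...] for duplicates."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_security_group":
            continue
        after = (rc.get("change") or {}).get("after")
        if not after:  # destroy, or whole value unknown until apply
            continue
        for direction in ("ingress", "egress"):
            rules = after.get(direction)
            if rules is None:  # unknown at plan time; nothing to check yet
                continue
            counts = Counter(key for rule in rules for key in permission_keys(rule))
            for key, n in counts.items():
                if n > 1:
                    findings.append((rc["address"], direction, key, n))
    return findings


def main(path=None):
    """Exit non-zero when duplicates are found, so CI can gate the apply."""
    raw = open(path).read() if path else SAMPLE_PLAN
    dups = find_duplicate_rules(load_plan(raw))
    for address, direction, key, n in dups:
        print(f"{address}: {direction} permission {key} appears {n} times")
    return 1 if dups else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with the path to a `terraform show -json` file between plan and apply; with no argument it checks the embedded sample. Rules whose values are only known after apply appear as `null` in `after`, so the check skips those rather than guessing, which is the same limitation the provider itself faces at plan time.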
@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label May 17, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label May 17, 2020
@justinretzolk
Member

Hi @igoratencompass 👋 Thank you for taking the time to file this issue. Given that there's been a number of Terraform and AWS Provider releases since you initially filed it, can you confirm whether you're still experiencing this?

@justinretzolk justinretzolk added waiting-response Maintainers are waiting on response from community or contributor. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 27, 2021
@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Sep 27, 2021