Refresh required on aws_security_group ingress output after apply aws_security_group_rule

[tbugfinder]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform 0.14.9
AWS Provider 3.33

Affected Resource(s)

• aws_security_group
• aws_security_group_rule

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
########
resource "aws_security_group_rule" "example" {
  type              = "ingress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = [aws_vpc.example.cidr_block]
  security_group_id = aws_security_group.this.0.id
}

resource "aws_security_group" "this" {
  count = 1 #var.create && false == var.use_name_prefix ? 1 : 0

  name                   = "my-lovely-sg"
  description            = "sg-desc"
  vpc_id                 = aws_vpc.example.id
  revoke_rules_on_delete = true # var.revoke_rules_on_delete

  tags = merge(
    {
      "Name" = format("%s", "sg-name")
    },
    var.tags,
  )
}

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}


output "ingress" {
  value = aws_security_group.this.*.ingress
}

Debug Output

Panic Output

Expected Behavior

In case aws_security_group rules are managed using additional resources of type aws_security_group_rule, then the output ingress and egress of aws_security_group should be available / valid within the same terraform apply execution.

Basically this means the aws_security_group_rule resources "somehow" how to trigger an update of aws_security_group.

Actual Behavior

Rules within aws_security_group definition created using additional resources of type aws_security_group_rule, do not provide valid output ingress and egress in aws_security_group within the same terraform apply execution. A second terraform apply is required to update ingress/egress properties.

Steps to Reproduce

1. terraform apply
2. terraform apply

Important Factoids

References

[tatodorov]

I am also experiencing the same issue.
When I manage Security Group rules with the resource aws_security_group_rule, they are not reflected in the aws_security_group resource during the same terraform apply.
So I always have to execute terraform refresh after terraform apply.

Here is an example:

1. I execute terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  - destroy

Terraform will perform the following actions:

  # module.ec2.aws_security_group_rule.rules["6aa28bac18752aaccdc4859a0096f091"] will be destroyed
  - resource "aws_security_group_rule" "rules" {
      - cidr_blocks       = [
          - "0.0.0.0/0",
        ] -> null
      - description       = "HTTP traffic" -> null
      - from_port         = 80 -> null
      - id                = "sgrule-3664357640" -> null
      - ipv6_cidr_blocks  = [] -> null
      - prefix_list_ids   = [] -> null
      - protocol          = "tcp" -> null
      - security_group_id = "sg-09716c0d40c38a185" -> null
      - self              = false -> null
      - to_port           = 80 -> null
      - type              = "ingress" -> null
    }

  # module.ec2.aws_security_group_rule.rules["bc11bef037aafab5918567ea6f3196bf"] will be created
  + resource "aws_security_group_rule" "rules" {
      + description              = "HTTP traffic"
      + from_port                = 80
      + id                       = (known after apply)
      + protocol                 = "tcp"
      + security_group_id        = "sg-09716c0d40c38a185"
      + self                     = true
      + source_security_group_id = (known after apply)
      + to_port                  = 80
      + type                     = "ingress"
    }

Plan: 1 to add, 0 to change, 1 to destroy.

2. I execute terraform plan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.ec2.aws_security_group.ec2 has been changed
  ~ resource "aws_security_group" "ec2" {
        id                     = "sg-09716c0d40c38a185"
      ~ ingress                = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - description      = "HTTP traffic"
              - from_port        = 80
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 80
            },
          + {
              + cidr_blocks      = []
              + description      = "HTTP traffic"
              + from_port        = 80
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = true
              + to_port          = 80
            },
        ]
        name                   = "example-sg"
        tags                   = {
            "Name" = "example-sg"
        }
        # (7 unchanged attributes hidden)
    }
  # module.ec2.aws_security_group_rule.rules["bc11bef037aafab5918567ea6f3196bf"] has been changed
  ~ resource "aws_security_group_rule" "rules" {
      + cidr_blocks              = []
        id                       = "sgrule-2393865896"
      + ipv6_cidr_blocks         = []
      + prefix_list_ids          = []
      + source_security_group_id = "sg-09716c0d40c38a185"
        # (7 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

[jonathanrgreene]

This is happening to me too. I can't believe nothing has moved on this since 2021.