
Error revoking security group ingress rules: InvalidPermission.NotFound #2879

Closed
hashibot opened this issue Jan 5, 2018 · 3 comments · Fixed by #4416
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
Comments

@hashibot

hashibot commented Jan 5, 2018

This issue was originally opened by @djgrubson as hashicorp/terraform#17042. It was migrated here as a result of the provider split. The original body of the issue is below.


-terraform version
0.11.1

-this is happening in a custom-created VPC
each terraform apply generates an update in place even when no changes are made to the sg-caci-all-ip SG;

-plan output
Resource actions are indicated with the following symbols:
~ update in-place

Terraform will perform the following actions:

~ module.bastion.aws_security_group.sg-caci-all-ip
ingress.1228639923.cidr_blocks.#: "0" => "1"
ingress.1228639923.cidr_blocks.0: "" => "195.1.1.1/26"
ingress.1228639923.description: "" => "CACI Proxy"
ingress.1228639923.from_port: "" => "0"
ingress.1228639923.ipv6_cidr_blocks.#: "0" => "0"
ingress.1228639923.protocol: "" => "tcp"
ingress.1228639923.security_groups.#: "0" => "0"
ingress.1228639923.self: "" => "false"
ingress.1228639923.to_port: "" => "65535"
ingress.1455026123.cidr_blocks.#: "0" => "1"
ingress.1455026123.cidr_blocks.0: "" => "195.1.1.2/32"
ingress.1455026123.description: "" => "LDS CACI"
ingress.1455026123.from_port: "" => "0"
...
security_groups.#: "0" => "1" (forces new resource)
security_groups.3062004935: "" => "sg-01efd77a" (forces new resource)

-terraform apply ending with error
1 error(s) occurred:

* module.bastion.aws_security_group.sg-caci-all-ip: 1 error(s) occurred:

* aws_security_group.sg-caci-all-ip: Error revoking security group ingress rules: InvalidPermission.NotFound: The specified rule does not exist in this security group.
    status code: 400, request id: 298dde37-c18f-4fd7-aa77-8e772a8bb517

-config file to reproduce from bastion module

locals {
  default_tags = {
    Owner       = "coop"
    Environment = "stage"
    Terraform   = "true"
  }
}

resource "aws_security_group" "sg-caci-all-ip" {
  name        = "caci-all"
  description = "Internal IP for TEST Networks"
  vpc_id      = "${var.vpc_id}"

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["195.1.1.1/32"]
    description = "KV TEST"
  }

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["195.1.1.2/32"]
    description = "KV TEST"
  }

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["195.1.1.3/32"]
    description = "KV TEST"
  }

  # NOTE: same CIDR, ports and protocol as the block above; only the description differs
  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["195.1.1.3/32"]
    description = "LDS TEST"
  }

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["195.1.1.4/32"]
    description = "LDS TEST"
  }

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["195.1.1.5/29"]
    description = "TEST Proxy"
  }

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["195.1.1.6/26"]
    description = "TEST Proxy"
  }

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["195.1.1.7/29"]
    description = "TEST Proxy"
  }

  ingress {
    from_port   = 0
    to_port     = 65535
    protocol    = "tcp"
    cidr_blocks = ["195.1.1.8/32"]
    description = "KV TEST"
  }

  # outbound internet access
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "bastion" {
  ami                         = "${var.ami}"
  availability_zone           = "${var.az-1}"
  instance_type               = "${var.bastion_instance_type}"
  key_name                    = "${var.key_name}"
  vpc_security_group_ids      = ["${aws_security_group.sg-caci-all-ip.id}"]
  subnet_id                   = "${var.subnet-az-1-public_id}"
  associate_public_ip_address = true

  tags = "${merge(
    local.default_tags,
    map(
      "Name", "coop-bastion"
    )
  )}"
}

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jan 5, 2018
@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 28, 2018
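The report above shows two symptoms of one modelling problem: a plan that keeps re-applying rule descriptions, and a revoke that EC2 rejects with InvalidPermission.NotFound. The following is an added example, not code from this issue or from the AWS provider, showing how a planner that keys rules the way EC2 does behaves on config like the one posted. It assumes the EC2 semantics that a CIDR ingress rule is identified by (protocol, from_port, to_port, cidr) and that the description is a mutable attribute changed via UpdateSecurityGroupRuleDescriptionsIngress; the `Rule`, `Plan`, `plan_ingress` and `to_api_calls` names are this example's own, the sample rules are constructed (reusing the reporter's 195.1.1.x addresses), and the group id is a placeholder. Note that the posted config declares 195.1.1.3/32 twice with different descriptions; the planner flags such entries as a conflict instead of scheduling a revoke for a second rule EC2 never had.

```python
# Added example (not from the issue or the AWS provider): plan EC2 security
# group ingress changes keyed on EC2's rule identity, so description-only
# edits become in-place updates and duplicate config entries are reported.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Identity = Tuple[str, int, int, str]  # (protocol, from_port, to_port, cidr)


@dataclass(frozen=True)
class Rule:
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    description: str = ""

    def identity(self) -> Identity:
        # What EC2 matches on; the description is deliberately excluded.
        return (self.protocol, self.from_port, self.to_port, self.cidr)

    def ip_permission(self) -> dict:
        """One entry in the IpPermissions list used by the EC2 API."""
        ip_range = {"CidrIp": self.cidr}
        if self.description:
            ip_range["Description"] = self.description
        return {"IpProtocol": self.protocol, "FromPort": self.from_port,
                "ToPort": self.to_port, "IpRanges": [ip_range]}


@dataclass
class Plan:
    authorize: List[Rule] = field(default_factory=list)
    revoke: List[Rule] = field(default_factory=list)
    update_description: List[Rule] = field(default_factory=list)
    # identity -> all descriptions the config declares for that single EC2 rule
    conflicts: Dict[Identity, List[str]] = field(default_factory=dict)


def plan_ingress(desired: List[Rule], actual: List[Rule]) -> Plan:
    plan = Plan()
    wanted: Dict[Identity, Rule] = {}
    for rule in desired:
        key = rule.identity()
        if key in wanted:
            # Two config blocks collapse to one EC2 rule. Planning both as
            # separate rules would later revoke something that does not exist,
            # so record the conflict and keep the first declaration.
            if wanted[key].description != rule.description:
                plan.conflicts.setdefault(key, [wanted[key].description]).append(rule.description)
            continue
        wanted[key] = rule

    current = {rule.identity(): rule for rule in actual}
    for key, rule in wanted.items():
        if key not in current:
            plan.authorize.append(rule)
        elif current[key].description != rule.description:
            plan.update_description.append(rule)  # in-place, no revoke needed
    for key, rule in current.items():
        if key not in wanted:
            plan.revoke.append(rule)
    return plan


def to_api_calls(plan: Plan, group_id: str = "sg-PLACEHOLDER") -> List[Tuple[str, dict]]:
    """Map the plan onto boto3 EC2 client method names and request bodies."""
    calls: List[Tuple[str, dict]] = []
    if plan.authorize:
        calls.append(("authorize_security_group_ingress",
                      {"GroupId": group_id, "IpPermissions": [r.ip_permission() for r in plan.authorize]}))
    if plan.update_description:
        calls.append(("update_security_group_rule_descriptions_ingress",
                      {"GroupId": group_id, "IpPermissions": [r.ip_permission() for r in plan.update_description]}))
    if plan.revoke:
        # Revoke by identity only; the description is not part of the match.
        stripped = [Rule(r.protocol, r.from_port, r.to_port, r.cidr) for r in plan.revoke]
        calls.append(("revoke_security_group_ingress",
                      {"GroupId": group_id, "IpPermissions": [r.ip_permission() for r in stripped]}))
    return calls


# Constructed sample data shaped like the reporter's config and a plausible
# EC2 state: one rule lacks its description, one is stale, 195.1.1.3/32 is declared twice.
DESIRED = [
    Rule("tcp", 0, 65535, "195.1.1.1/32", "KV TEST"),
    Rule("tcp", 0, 65535, "195.1.1.2/32", "KV TEST"),
    Rule("tcp", 0, 65535, "195.1.1.3/32", "KV TEST"),
    Rule("tcp", 0, 65535, "195.1.1.3/32", "LDS TEST"),
    Rule("tcp", 0, 65535, "195.1.1.4/32", "LDS TEST"),
]
ACTUAL = [
    Rule("tcp", 0, 65535, "195.1.1.1/32", "KV TEST"),
    Rule("tcp", 0, 65535, "195.1.1.2/32"),
    Rule("tcp", 0, 65535, "195.1.1.3/32", "KV TEST"),
    Rule("tcp", 0, 65535, "195.1.1.9/32", "old"),
]

if __name__ == "__main__":
    p = plan_ingress(DESIRED, ACTUAL)
    for name, body in to_api_calls(p):
        print(name, [perm["IpRanges"][0] for perm in body["IpPermissions"]])
    for key, descs in p.conflicts.items():
        print("CONFLICT: one EC2 rule", key, "declared with descriptions", descs)
```

Running it with the sample data yields one authorize (195.1.1.4/32), one description update (195.1.1.2/32), one revoke (195.1.1.9/32) and a conflict for 195.1.1.3/32, which is the situation to surface at plan time rather than discover as a 400 from EC2.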
@dmusci-reancloud

I encountered this as well. As a workaround, I recreated the security group but omitted the descriptions and that resolved the problem.

@neekz0r

neekz0r commented Apr 30, 2018

I too have encountered this. It would seem as though the descriptions are a part of it, as we had one.

@bflad
Contributor

bflad commented May 10, 2018

Hi folks 👋 Sorry this has been a longstanding issue with the AWS provider. The fix for this should be contained in #4416 which will be released with v1.19.0 of the AWS provider, likely middle of next week.

Shout outs to @loivis (and @svanharmelen who submitted an earlier, likely correct PR, which I admittedly should have reviewed and merged sooner: #3628)

Given there were so many various issues surrounding this bug, I will be locking this issue (amongst all the others) to encourage any lingering issues/discussion to be fully described in new issue(s) for consolidation. Thanks for your understanding.

@hashicorp hashicorp locked as resolved and limited conversation to collaborators May 10, 2018