All Rules Deleted on Security Group import/apply #6036

Closed
YakDriver opened this issue Oct 1, 2018 · 4 comments · Fixed by #12616
Labels: bug (Addresses a defect in current functionality.), service/ec2 (Issues and PRs that pertain to the ec2 service.)

Comments


YakDriver commented Oct 1, 2018

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.8
provider.aws v1.38.0

Affected Resource(s)

  • aws_security_group
  • aws_security_group_rule

Terraform Configuration Files

```hcl
# The group itself declares no inline ingress/egress blocks; every rule is
# managed by the standalone aws_security_group_rule resources below.
resource "aws_security_group" "yak-deleterious" {
  name = "yak-deleterious"
}

resource "aws_security_group_rule" "ingress" {
  security_group_id = "${aws_security_group.yak-deleterious.id}"
  type              = "ingress"
  from_port         = 8000
  to_port           = 8000
  protocol          = "tcp"
  cidr_blocks       = ["10.0.3.0/24", "10.0.4.0/24"]
}

resource "aws_security_group_rule" "ingress_2" {
  security_group_id = "${aws_security_group.yak-deleterious.id}"
  type              = "ingress"
  from_port         = 448
  to_port           = 531
  protocol          = "udp"
  ipv6_cidr_blocks  = ["2002:db8::/48"]
  self              = true
}
```

Debug Output

https://gist.github.com/YakDriver/b14d8271dc62a181a6820009f8f9c152

Expected Behavior

The AWS security group rules should not have been deleted.

Actual Behavior

Both the security group rules were deleted.

Steps to Reproduce

  1. terraform apply
  2. terraform state rm aws_security_group.yak-deleterious
  3. terraform import aws_security_group.yak-deleterious "${sg_id}"
  4. terraform apply

Important Factoids

References


YakDriver commented Oct 1, 2018

After step 1 (apply), the resulting state has 1 aws_security_group with no inline rules and 2 aws_security_group_rules.

```json
{
    "version": 3,
    "terraform_version": "0.11.8",
    "serial": 2,
    "lineage": "b932b5d0-e872-763c-b737-ed4628cc1f5c",
    "modules": [
        {
            "path": [
                "root"
            ],
            "resources": {
                "aws_security_group.yak-deleterious": {
                    "type": "aws_security_group",
                    "depends_on": [],
                    "primary": {
                        "id": "sg-0dc24ce74dd29483c",
                        "attributes": {
                            "arn": "arn:aws:ec2:us-east-1:OWNERID:security-group/sg-0dc24ce74dd29483c",
                            "description": "Managed by Terraform",
                            "egress.#": "0",
                            "id": "sg-0dc24ce74dd29483c",
                            "ingress.#": "0",
                            "name": "yak-deleterious",
                            "owner_id": "OWNERID",
                            "revoke_rules_on_delete": "false",
                            "tags.%": "0",
                            "vpc_id": "vpc-6469726b"
                        },
                        "meta": {
                            "e2bfb730-ecaa-11e6-8f88-34363bc7c4c0": {
                                "create": 600000000000,
                                "delete": 600000000000
                            },
                            "schema_version": "1"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.aws"
                },
                "aws_security_group_rule.ingress": {
                    "type": "aws_security_group_rule",
                    "depends_on": [
                        "aws_security_group.yak-deleterious"
                    ],
                    "primary": {
                        "id": "sgrule-1731541639",
                        "attributes": {
                            "cidr_blocks.#": "2",
                            "cidr_blocks.0": "10.0.3.0/24",
                            "cidr_blocks.1": "10.0.4.0/24",
                            "from_port": "8000",
                            "id": "sgrule-1731541639",
                            "protocol": "tcp",
                            "security_group_id": "sg-0dc24ce74dd29483c",
                            "self": "false",
                            "to_port": "8000",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.aws"
                },
                "aws_security_group_rule.ingress_2": {
                    "type": "aws_security_group_rule",
                    "depends_on": [
                        "aws_security_group.yak-deleterious"
                    ],
                    "primary": {
                        "id": "sgrule-102726069",
                        "attributes": {
                            "from_port": "448",
                            "id": "sgrule-102726069",
                            "ipv6_cidr_blocks.#": "1",
                            "ipv6_cidr_blocks.0": "2002:db8::/48",
                            "protocol": "udp",
                            "security_group_id": "sg-0dc24ce74dd29483c",
                            "self": "true",
                            "to_port": "531",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.aws"
                }
            },
            "depends_on": []
        }
    ]
}
```

After steps 2, 3, and 4, the state has an aws_security_group resource with 2 inline rules and 2 additional aws_security_group_rule resources.

```json
{
    "version": 3,
    "terraform_version": "0.11.8",
    "serial": 6,
    "lineage": "4212dc97-a64d-1db3-eeec-ab728eddc2ba",
    "modules": [
        {
            "path": [
                "root"
            ],
            "resources": {
                "aws_security_group.yak-deleterious": {
                    "type": "aws_security_group",
                    "depends_on": [],
                    "primary": {
                        "id": "sg-015b6df8f8257aacc",
                        "attributes": {
                            "arn": "arn:aws:ec2:us-east-1:OWNERID:security-group/sg-015b6df8f8257aacc",
                            "description": "Managed by Terraform",
                            "egress.#": "0",
                            "id": "sg-015b6df8f8257aacc",
                            "ingress.#": "2",
                            "ingress.2664512609.cidr_blocks.#": "2",
                            "ingress.2664512609.cidr_blocks.0": "10.0.3.0/24",
                            "ingress.2664512609.cidr_blocks.1": "10.0.4.0/24",
                            "ingress.2664512609.description": "",
                            "ingress.2664512609.from_port": "8000",
                            "ingress.2664512609.ipv6_cidr_blocks.#": "0",
                            "ingress.2664512609.prefix_list_ids.#": "0",
                            "ingress.2664512609.protocol": "tcp",
                            "ingress.2664512609.security_groups.#": "0",
                            "ingress.2664512609.self": "false",
                            "ingress.2664512609.to_port": "8000",
                            "ingress.3470721408.cidr_blocks.#": "0",
                            "ingress.3470721408.description": "",
                            "ingress.3470721408.from_port": "448",
                            "ingress.3470721408.ipv6_cidr_blocks.#": "1",
                            "ingress.3470721408.ipv6_cidr_blocks.0": "2002:db8::/48",
                            "ingress.3470721408.prefix_list_ids.#": "0",
                            "ingress.3470721408.protocol": "udp",
                            "ingress.3470721408.security_groups.#": "0",
                            "ingress.3470721408.self": "true",
                            "ingress.3470721408.to_port": "531",
                            "name": "yak-deleterious",
                            "owner_id": "OWNERID",
                            "revoke_rules_on_delete": "false",
                            "tags.%": "0",
                            "vpc_id": "vpc-6469726b"
                        },
                        "meta": {
                            "e2bfb730-ecaa-11e6-8f88-34363bc7c4c0": {
                                "create": 600000000000,
                                "delete": 600000000000
                            },
                            "schema_version": "1"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.aws"
                },
                "aws_security_group_rule.ingress": {
                    "type": "aws_security_group_rule",
                    "depends_on": [
                        "aws_security_group.yak-deleterious"
                    ],
                    "primary": {
                        "id": "sgrule-1330691249",
                        "attributes": {
                            "cidr_blocks.#": "2",
                            "cidr_blocks.0": "10.0.3.0/24",
                            "cidr_blocks.1": "10.0.4.0/24",
                            "description": "",
                            "from_port": "8000",
                            "id": "sgrule-1330691249",
                            "ipv6_cidr_blocks.#": "0",
                            "prefix_list_ids.#": "0",
                            "protocol": "tcp",
                            "security_group_id": "sg-015b6df8f8257aacc",
                            "self": "false",
                            "to_port": "8000",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.aws"
                },
                "aws_security_group_rule.ingress_2": {
                    "type": "aws_security_group_rule",
                    "depends_on": [
                        "aws_security_group.yak-deleterious"
                    ],
                    "primary": {
                        "id": "sgrule-1062895224",
                        "attributes": {
                            "cidr_blocks.#": "0",
                            "description": "",
                            "from_port": "448",
                            "id": "sgrule-1062895224",
                            "ipv6_cidr_blocks.#": "1",
                            "ipv6_cidr_blocks.0": "2002:db8::/48",
                            "prefix_list_ids.#": "0",
                            "protocol": "udp",
                            "security_group_id": "sg-015b6df8f8257aacc",
                            "self": "true",
                            "source_security_group_id": "sg-015b6df8f8257aacc",
                            "to_port": "531",
                            "type": "ingress"
                        },
                        "meta": {
                            "schema_version": "2"
                        },
                        "tainted": false
                    },
                    "deposed": [],
                    "provider": "provider.aws"
                }
            },
            "depends_on": []
        }
    ]
}
```


YakDriver commented Oct 1, 2018

A potential workaround is to make sure that your state is clear of aws_security_group_rule resources related to the aws_security_group you want to import. After importing and applying, you will have the appropriate rules. However, in the process the aws_security_group_rule resources have been destroyed and created. This is not ideal for a production environment where this will cause network errors.
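
The two state dumps above show the condition to guard against: after `terraform import`, the `aws_security_group` carries the group's live rules as inline `ingress` entries while the standalone `aws_security_group_rule` resources for the same group are still in state, and the configuration declares no inline rules, which matches the reported outcome of both rules being gone after the next `apply`. The script below is an added example, not code from this issue or from the Terraform AWS provider. It parses a Terraform 0.11 state file (`"version": 3`, the layout shown above; the 0.12+ format differs) and does two things: `rules_targeting` lists the rule resources that point at a given group, which are the addresses the workaround says to clear from state before importing, and `find_conflicts` fails when any group in state has both inline rules and standalone rule resources, so it can be run between `import` and `apply`. The trimmed state embedded in it is constructed from the second dump above; the function names are the example's own.

```python
"""Added example, not code from this issue or the Terraform AWS provider: scan a
Terraform 0.11 state file ("version": 3, the layout of the dumps above) for an
aws_security_group whose inline rules collide with aws_security_group_rule
resources. Assumes that layout; the 0.12+ state format is different."""
import json
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed sample: a trimmed copy of the post-import state dump above.
SAMPLE_STATE = {
    "version": 3,
    "modules": [{
        "path": ["root"],
        "resources": {
            "aws_security_group.yak-deleterious": {
                "type": "aws_security_group",
                "primary": {"id": "sg-015b6df8f8257aacc", "attributes": {
                    "id": "sg-015b6df8f8257aacc",
                    "egress.#": "0",
                    "ingress.#": "2",
                    "ingress.2664512609.cidr_blocks.#": "2",
                    "ingress.2664512609.cidr_blocks.0": "10.0.3.0/24",
                    "ingress.2664512609.cidr_blocks.1": "10.0.4.0/24",
                    "ingress.2664512609.from_port": "8000",
                    "ingress.2664512609.protocol": "tcp",
                    "ingress.2664512609.to_port": "8000",
                    "ingress.3470721408.cidr_blocks.#": "0",
                    "ingress.3470721408.from_port": "448",
                    "ingress.3470721408.ipv6_cidr_blocks.#": "1",
                    "ingress.3470721408.ipv6_cidr_blocks.0": "2002:db8::/48",
                    "ingress.3470721408.protocol": "udp",
                    "ingress.3470721408.to_port": "531",
                }},
            },
            "aws_security_group_rule.ingress": {"type": "aws_security_group_rule",
                "primary": {"id": "sgrule-1330691249", "attributes": {
                    "security_group_id": "sg-015b6df8f8257aacc", "type": "ingress"}}},
            "aws_security_group_rule.ingress_2": {"type": "aws_security_group_rule",
                "primary": {"id": "sgrule-1062895224", "attributes": {
                    "security_group_id": "sg-015b6df8f8257aacc", "type": "ingress"}}},
        },
    }],
}

def iter_resources(state: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (address, resource); path ["root", "net"] gives the "module.net." prefix."""
    for module in state["modules"]:
        prefix = "".join("module.%s." % p for p in module["path"][1:])
        for address, res in module["resources"].items():
            yield prefix + address, res

def inline_rules(attrs: Dict[str, str], direction: str) -> List[Dict[str, object]]:
    """Rebuild flattened `<direction>.<hash>.<field>` attributes into one dict per
    rule; list fields (cidr_blocks.0, cidr_blocks.1, ...) are re-assembled in order."""
    rules: Dict[str, Dict[str, object]] = {}
    for key, value in attrs.items():
        parts = key.split(".")
        if parts[0] != direction or len(parts) < 3 or parts[-1] == "#":
            continue  # skip `ingress.#` and the per-list count keys
        rule = rules.setdefault(parts[1], {})
        if len(parts) == 3:
            rule[parts[2]] = value
        else:  # parts == [direction, hash, list_name, index]
            rule.setdefault(parts[2], {})[int(parts[3])] = value
    for rule in rules.values():
        for name in list(rule):
            if isinstance(rule[name], dict):
                rule[name] = [rule[name][i] for i in sorted(rule[name])]
    return sorted(rules.values(), key=lambda r: (r["protocol"], int(r["from_port"])))

def rules_targeting(state: dict, sg_id: str) -> List[str]:
    """Standalone rule resources for one group: what to `terraform state rm` before import."""
    return sorted(address for address, res in iter_resources(state)
                  if res["type"] == "aws_security_group_rule"
                  and res["primary"]["attributes"].get("security_group_id") == sg_id)

def find_conflicts(state: dict) -> Dict[str, List[str]]:
    """Groups holding inline rules in state while standalone rule resources for the
    same group also exist (the post-import state above). Non-empty means: do not apply."""
    conflicts: Dict[str, List[str]] = {}
    for address, res in iter_resources(state):
        if res["type"] != "aws_security_group":
            continue
        attrs = res["primary"]["attributes"]
        inline = int(attrs.get("ingress.#", "0")) + int(attrs.get("egress.#", "0"))
        rules = rules_targeting(state, res["primary"]["id"])
        if inline and rules:
            conflicts[address] = rules
    return conflicts

def state_rm_commands(addresses: List[str]) -> List[str]:
    return ["terraform state rm %s" % a for a in addresses]

if __name__ == "__main__":
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    conflicts = find_conflicts(state)
    for group, rules in conflicts.items():
        print("%s: inline rules in state collide with %d rule resource(s)" % (group, len(rules)))
        print("\n".join(state_rm_commands(rules)))
    sys.exit(1 if conflicts else 0)
```

Run as `python check_sg_state.py terraform.tfstate` between steps 3 and 4 of the reproduction; a non-zero exit means the apply would hit the mixed state. Run `rules_targeting` against the pre-import state to get the `terraform state rm` addresses for the workaround described above, bearing in mind that, as the comment notes, the rules are still destroyed and recreated in AWS on the following apply.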

@bflad added the service/ec2 label (Issues and PRs that pertain to the ec2 service.) Oct 1, 2018
@YakDriver changed the title from "ALL Rules DELETED on Security Group import/apply" to "All Rules Deleted on Security Group import/apply" Oct 3, 2018
@aeschright added the needs-triage (Waiting for first response or review from a maintainer.) and bug (Addresses a defect in current functionality.) labels and removed the needs-triage label Jun 24, 2019
@bflad added this to the v3.0.0 milestone Sep 13, 2019

ghost commented Jul 31, 2020

This has been released in version 3.0.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!


ghost commented Aug 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost locked and limited conversation to collaborators Aug 15, 2020