aws_security_group_rule: "the specified rule <rule> already exists" #6276

Closed
PeterGrace opened this issue Oct 26, 2018 · 4 comments
Labels
service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@PeterGrace

I have a terraform recipe where I create via interpolation a set of security groups to authorize ssh access to our instances. When the list of addresses changes, it causes the interpolation to also change, such that all of the security_group_rules need to be deleted and recreated. Unfortunately, the new rules are trying to create while the old rules are still deleting, and I get an error message like below:

* aws_security_group_rule.entries[38]: 1 error(s) occurred:

* aws_security_group_rule.entries.38: [WARN] A duplicate Security Group rule was found on (sg-db2b8396). This may be
a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each
other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
information and instructions for recovery. Error message: the specified rule "peer: redacted/32, TCP, from port: 22, to port: 22, ALLOW" already exists
* aws_security_group_rule.entries[36]: 1 error(s) occurred:

* aws_security_group_rule.entries.36: [WARN] A duplicate Security Group rule was found on (sg-db2b8396). This may be
a side effect of a now-fixed Terraform issue causing two security groups with
identical attributes but different source_security_group_ids to overwrite each
other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
information and instructions for recovery. Error message: the specified rule "peer: redacted/32, TCP, from port: 22, to port: 22, ALLOW" already exists

Terraform does not automatically rollback in the face of errors.

Here's a snippet of how I generate the security group rules. I set "create_before_destroy = false" on an expert's suggestion, however it has not solved the issue.

resource "aws_security_group_rule" "entries" {
  # One rule per (security group, CIDR) pair: the count is the size of the
  # cartesian product, and count.index is split into a group index and a
  # CIDR index below (integer division and modulo).
  count             = "${length(data.aws_security_groups.sg_list.ids) * length(var.authorized_ssh_rangelist)}"
  security_group_id = "${element(data.aws_security_groups.sg_list.ids, count.index / length(var.authorized_ssh_rangelist))}"
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["${lookup(var.authorized_ssh_rangelist[count.index % length(var.authorized_ssh_rangelist)], "cidr")}"]
  description       = "${lookup(var.authorized_ssh_rangelist[count.index % length(var.authorized_ssh_rangelist)], "description")}"

  lifecycle {
    create_before_destroy = false
  }
}
@PeterGrace
Author

I originally posted this as issue #82 in the terraform-aws-security-group repo but not sure if this is the better place for said issue. If this is the right place, I'll close the other issue. Thanks!

@tomelliff
Contributor

Terraform doesn't really handle looping through lists of things where the order might change right now as you've seen. The upcoming 0.12 release should have better support for this and allow you to remove items from the middle of a list you are looping over without forcing Terraform to change every item from the indexed position until the n-1 position and delete the last element.

@bflad bflad added the service/ec2 Issues and PRs that pertain to the ec2 service. label Oct 26, 2018
@aeschright aeschright added the needs-triage Waiting for first response or review from a maintainer. label Jun 24, 2019
@aeschright
Contributor

Hi @PeterGrace! As mentioned above, the dynamic expression blocks added in Terraform 0.12 will probably give you a better way of handling this. I'm going to close the issue, but if you continue to run into problems please open a new bug report following the template. Thanks!
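
The following is an added example, not code from the issue author or the provider maintainers, showing the Terraform 0.12 approach the two replies above point at. Instead of addressing rules by position with count, it keys each rule on a stable string built from the security group ID and the CIDR, so removing one address from the allow-list plans as one destroy rather than a cascade of destroy/create pairs that race each other at the EC2 API. It assumes Terraform 0.12.6 or later (resource for_each), that the target groups are selected by a tag named ssh_access (an assumption; the original selects them some other way), and uses constructed sample CIDRs.

```hcl
# Added example (not the issue author's configuration): Terraform 0.12+
# for_each keyed by security-group ID and CIDR, so that editing the
# allow-list only touches the rules whose key actually changed.

variable "authorized_ssh_rangelist" {
  type = list(object({ cidr = string, description = string }))
  # Constructed sample values; replace with the real allow-list.
  default = [
    { cidr = "203.0.113.10/32", description = "office bastion" },
    { cidr = "198.51.100.7/32", description = "ci runner" },
  ]
}

# Assumption: the groups that should accept SSH carry this tag.
data "aws_security_groups" "sg_list" {
  tags = {
    ssh_access = "managed"
  }
}

locals {
  # Cartesian product of target groups and CIDRs, but addressed by a
  # stable key instead of a positional index. A duplicate CIDR in the
  # variable produces a "duplicate object key" error at plan time, which
  # is where you want to catch it rather than as an API "already exists".
  ssh_rules = {
    for pair in setproduct(data.aws_security_groups.sg_list.ids, var.authorized_ssh_rangelist) :
    "${pair[0]}|${pair[1].cidr}" => {
      security_group_id = pair[0]
      cidr              = pair[1].cidr
      description       = pair[1].description
    }
  }
}

resource "aws_security_group_rule" "entries" {
  for_each = local.ssh_rules

  security_group_id = each.value.security_group_id
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [each.value.cidr]
  description       = each.value.description
}
```

With this layout a rule's state address looks like aws_security_group_rule.entries["sg-0123|203.0.113.10/32"], so deleting the first entry of the list leaves the second entry's address unchanged and nothing else is planned. The description is deliberately left out of the key: editing it updates the existing rule rather than replacing it, which also avoids the window in which an SSH source is briefly unauthorized during a destroy-then-create. When migrating from the count version, terraform state mv from entries[N] to the new keyed address avoids recreating rules that already exist.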

@aeschright aeschright removed the needs-triage Waiting for first response or review from a maintainer. label Nov 8, 2019
@ghost

ghost commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 29, 2020