
Creating ENI and security group attachments separately leaves the default security group on the ENI #9323

Open
ghost opened this issue Jul 12, 2019 · 3 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

ghost commented Jul 12, 2019

This issue was originally opened by @dead10ck as hashicorp/terraform#22051. It was migrated here as a result of the provider split. The original body of the issue is below.


When you define an aws_network_interface and its security group attachments separately in aws_network_interface_sg_attachments, it first creates the ENI with no security groups, which causes the AWS API to add the VPC's default security group. Then it attaches the other security groups to the existing ENI, but it leaves the default security group in place.

This can lead to a situation where the user thinks they have defined all the exact security groups they wanted attached to the ENI, but in fact, there is one more.

What's worse is that the default security group essentially says "allow all traffic on any port for anything else in the default security group," which means all EC2 nodes created with this pattern will inadvertently have full network access to each other.
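A fleet audit for the symptom described above, added here as an example and not part of the issue or the provider: it walks records shaped like boto3's `describe_network_interfaces` output (the interface records, `DEFAULT_SG_NAME`, and all ENI/SG ids below are constructed assumptions) and reports ENIs where the VPC default security group sits beside explicitly chosen groups.

```python
"""Audit ENIs for the default security group lingering next to the groups
a user actually intended to attach.

Added example, not the issue author's or the provider's code. Input follows
the shape of boto3's ec2.describe_network_interfaces()["NetworkInterfaces"];
the records below are constructed sample data, not real resources."""

DEFAULT_SG_NAME = "default"  # AWS names every VPC's default SG "default"

SAMPLE_INTERFACES = [
    {   # ENI created empty, then SG attached separately: default SG lingers
        "NetworkInterfaceId": "eni-0aaa000000000001",
        "VpcId": "vpc-0bbb000000000001",
        "Groups": [
            {"GroupId": "sg-0ccc000000000001", "GroupName": "default"},
            {"GroupId": "sg-0ccc000000000002", "GroupName": "app-web"},
        ],
    },
    {   # ENI created with its groups declared inline: only the intended SG
        "NetworkInterfaceId": "eni-0aaa000000000002",
        "VpcId": "vpc-0bbb000000000001",
        "Groups": [
            {"GroupId": "sg-0ccc000000000002", "GroupName": "app-web"},
        ],
    },
    {   # ENI deliberately left on the default SG alone: not the mixed case
        "NetworkInterfaceId": "eni-0aaa000000000003",
        "VpcId": "vpc-0bbb000000000001",
        "Groups": [
            {"GroupId": "sg-0ccc000000000001", "GroupName": "default"},
        ],
    },
]


def find_lingering_default_sg(interfaces):
    """Return {eni_id: [non-default group ids]} for every ENI that carries
    the default SG in addition to at least one explicitly chosen group."""
    findings = {}
    for eni in interfaces:
        groups = eni.get("Groups", [])
        has_default = any(g["GroupName"] == DEFAULT_SG_NAME for g in groups)
        others = [g["GroupId"] for g in groups if g["GroupName"] != DEFAULT_SG_NAME]
        if has_default and others:
            findings[eni["NetworkInterfaceId"]] = others
    return findings


if __name__ == "__main__":
    for eni_id, sgs in find_lingering_default_sg(SAMPLE_INTERFACES).items():
        print(f"{eni_id}: default SG attached alongside {', '.join(sgs)}")
```

For a live account, replace `SAMPLE_INTERFACES` with `boto3.client("ec2").describe_network_interfaces()["NetworkInterfaces"]` (paginating as needed); any ENI reported is one whose effective rule set includes the default group's intra-group allow-all.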

@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Jul 12, 2019
@aeschright aeschright added the service/ec2 Issues and PRs that pertain to the ec2 service. label Aug 2, 2019
@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jul 23, 2021
@dead10ck

Has this issue been fixed? Just because no dev has triaged or looked into the bug does not mean it doesn't exist or isn't important. I can appreciate that this project probably gets a lot of issues that can be difficult to keep up with, but automatically closing issues because there has been no activity is a very counterproductive way to comb the backlog.

@github-actions github-actions bot removed the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jul 24, 2021
@breathingdust breathingdust added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 17, 2021

based3 commented Jan 26, 2022

Also facing the issue with TF 1.1.4 and AWS prov 3.73.0:
The default SG is added with the expected customized SG on an ENI EC2 case.
