aws_security_group re-create: diffs didn't match during apply #2117

Closed
alexlouden opened this issue May 28, 2015 · 6 comments

@alexlouden

I've renamed all 4 security groups, 3 of which only allow ingress from other security groups. There's one security group per instance type (e.g. instance.worker <==> security_group.worker).

❯ terraform plan

...

~ module.mymodule.aws_instance.api
    security_groups.#: "" => "<computed>"

~ module.mymodule.aws_instance.box2
    security_groups.#: "" => "<computed>"

~ module.mymodule.aws_instance.box3
    security_groups.#: "" => "<computed>"

~ module.mymodule.aws_instance.worker.0
    security_groups.#: "" => "<computed>"

~ module.mymodule.aws_instance.worker.1
    security_groups.#: "" => "<computed>"

-/+ module.mymodule.aws_security_group.api
    egress.#:                             "1" => "1"
    ingress.#:                            "3" => "3"
    name:                                 "oldname" => "newname" (forces new resource)
    vpc_id:                                "vpc-xxxx" => "vpc-xxxx"

-/+ module.mymodule.aws_security_group.box2
    egress.#:                              "1" => "1"
    ingress.#:                             "2" => "2"
    name:                                  "oldname" => "newname" (forces new resource)
    vpc_id:                                "vpc-xxxx" => "vpc-xxxx"

-/+ module.mymodule.aws_security_group.box3
    egress.#:                             "1" => "1"
    ingress.#:                            "2" => "2"
    name:                                 "oldname" => "newname" (forces new resource)
    vpc_id:                                "vpc-xxxx" => "vpc-xxxx"

-/+ module.mymodule.aws_security_group.worker
    egress.#:                              "1" => "1"
    ingress.#:                             "2" => "2"
    name:                                  "oldname" => "newname" (forces new resource)
    vpc_id:                                "vpc-xxxx" => "vpc-xxxx"

On terraform apply, terraform tries to re-create the security groups, but fails with the following error:

Error applying plan:

4 error(s) occurred:

* 1 error(s) occurred:

* 1 error(s) occurred:

* DependencyViolation: resource sg-box2 has a dependent object
* 1 error(s) occurred:

* 1 error(s) occurred:

* DependencyViolation: resource sg-box3 has a dependent object
* 1 error(s) occurred:

* 1 error(s) occurred:

* DependencyViolation: resource sg-api has a dependent object
* 1 error(s) occurred:

* aws_security_group.worker: diffs didn't match during apply. This is a bug with Terraform and should be reported.

I've captured the output of TF_LOG=1 terraform apply and extracted (hopefully) the relevant bit:
https://gist.github.com/alexlouden/58d1d364eee67d050fce

Let me know if there's any more information I can give (privately would be much easier!). I tried to reproduce with only two security groups but the same change succeeded, so there must be more to it than just ingress dependencies. Maybe related to #1877?

Thanks!
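A pre-apply check for the situation in this report, as an added example that is not part of the original post or of Terraform: it parses plan text in the legacy format quoted above and lists the security groups marked for destroy-and-recreate, with the attribute that forces it, plus the instances whose group list becomes computed. The function names and the sample plan are constructed for illustration.

```python
import re

# Constructed sample in the legacy plan text format quoted in the issue.
SAMPLE_PLAN = '''\
~ module.mymodule.aws_instance.api
    security_groups.#: "" => "<computed>"

-/+ module.mymodule.aws_security_group.api
    egress.#:   "1" => "1"
    name:       "oldname" => "newname" (forces new resource)
    vpc_id:     "vpc-xxxx" => "vpc-xxxx"

-/+ module.mymodule.aws_security_group.worker
    name:       "oldname" => "newname" (forces new resource)
'''

# Resource header: action symbol at column 0, then the resource address.
HEADER = re.compile(r'^(-/\+|[~+-])\s+(\S+)\s*$')
# Indented attribute line: key, old value, new value, optional replacement marker.
ATTR = re.compile(r'^\s+([^:\s]+):\s+"(.*?)" => "(.*?)"(\s+\(forces new resource\))?\s*$')


def parse_plan(text):
    """Return [{'action', 'address', 'attrs': {key: (old, new, forces_new)}}]."""
    resources, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"action": header.group(1), "address": header.group(2), "attrs": {}}
            resources.append(current)
            continue
        attr = ATTR.match(line)
        if attr and current is not None:
            key, old, new, forces = attr.groups()
            current["attrs"][key] = (old, new, forces is not None)
    return resources


def replaced_security_groups(text):
    """Map each destroy-and-recreate security group to the attributes forcing it."""
    return {
        r["address"]: sorted(k for k, v in r["attrs"].items() if v[2])
        for r in parse_plan(text)
        if r["action"] == "-/+" and "aws_security_group" in r["address"].split(".")
    }


def instances_with_recomputed_groups(text):
    """List in-place updated instances whose security_groups become <computed>."""
    return [
        r["address"] for r in parse_plan(text)
        if r["action"] == "~" and "aws_instance" in r["address"].split(".")
        and r["attrs"].get("security_groups.#", ("", "", False))[1] == "<computed>"
    ]
```

Run against saved plan output in a review step, a non-empty result from `replaced_security_groups` is the signal to look at what still references those groups before applying.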

@catsby
Member

catsby commented May 29, 2015

Hey @alexlouden – do you have a config file (minus any secrets) that demonstrates this for me?

@alexlouden
Author

Hey @catsby, at the time I tried to reproduce it in a simpler example but couldn't get it to fail in the same way. I've changed companies now, so don't have access to the original config - sorry!

@ryanking
Contributor

ryanking commented Jul 2, 2015

I think I'm running into the same problem. Interesting thing about it, the security group that is causing the error doesn't appear in the plan at all (and shouldn't be changing).

@catsby
Member

catsby commented Aug 17, 2015

Hey all – I'm not able to reproduce this with what we have here, so I'm closing this for now. If you have more information that can help me debug, I'll happily dig in some more.

Thanks!

@catsby catsby closed this as completed Aug 17, 2015
@ryanking
Contributor

I'm still seeing this (but working around it by not changing SG names). I will try and see if I can provide an easier way to reproduce.

@ghost

ghost commented May 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators May 1, 2020