aws_security_group_rule cidr_blocks should be a list error

[hashibot]

This issue was originally opened by @marionettist as hashicorp/terraform#9123. It was migrated here as part of the provider split. The original body of the issue is below.

---

The following error occurs during a plan

Errors:

  * aws_security_group_rule.my_rule: cidr_blocks: should be a list

This occurs only when one of the variables originates from a remote_state_management data source.
If the variable is declared as a normal tf variable, the error doesn't occur

Background:
I'm trying to dynamically build a cidr block array for a security group rule.
The array is to be made up from 2 parts:

• core_network_cidr: a single cidr block, e.g. "10.0.0.0/8"
• additional_cidrs: a string of comma separated cidr blocks, e.g. "1.2.3.4/32,1.2.4.0/8". The error occurs when this variable is obtained from a remote_state_management data source

In the first iteration, additional_cidrs is a single cidr block, e.g. "1.2.3.4/32" but I'm keen on making the code work in case the list has to be extended to more than one value.

The following resource fails during a plan when var.additional_cidrs is passed down from a remote_state_management data source

resource "aws_security_group_rule" "my_rule" {
    type = "egress"
    from_port = 80
    to_port = 80
    protocol = "tcp"
    security_group_id = "${aws_security_group.my_group.id}"
    cidr_blocks = "${split(",", format("%s,%s", var.core_network_cidr, var.additional_cidrs))}"
}

I've narrowed down further what works and doesn't work

Works when additional_cidrs is a single cidr block and the cidr_blocks is constructed as a list
cidr_blocks = ["${var.core_network_cidr}", "${var.additional_cidrs}"]
this proves that var.additional_cidrs is successfully retrieved from the remote_state_management data source

Doesn't work even though the value for var.core_network_cidr is "10.0.0.0/8" (but DOES work if var.core_network_cidr is NOT obtained from a remote_state_management data source)
cidr_blocks = "${split(",", var.core_network_cidr)}"

I've also tried to use native 0.7 lists and the concat function, but the same error occurred.

This might be related to Issue 3888 - When using count parameter w/ a split in aws_security_group_rule, receive parsing error "strconv.ParseInt" .. " invalid syntax" as this issue occurs only when using remote_state_management data

[avengers009]

cidr_block should be a list so it whould be in square brackets.

example usage:

resource "aws_security_group_rule" "allow_all" {
  type            = "ingress"
  from_port       = 0
  to_port         = 65535
  protocol        = "tcp"
  cidr_blocks     = ["0.0.0.0/0"]
  prefix_list_ids = ["pl-12c4e678"]

  security_group_id = "sg-123456"
}

documentation :https://www.terraform.io/docs/providers/aws/r/security_group_rule.html

[bflad]

As noted above, this situation may require workarounds in versions of Terraform up through 0.11:

# Potential Terraform 0.11 workaround 1
resource "aws_security_group_rule" "allow_all" {
  # ... other configuration ...
  cidr_blocks = ["${var.core_network_cidr}"]
}

# Potential Terraform 0.11 workaround 2
resource "aws_security_group_rule" "allow_all" {
  # ... other configuration ...
  logging = "${list(var.core_network_cidr)}"
}

The long story here is that the current configuration language of Terraform (HCL) in Terraform version through Terraform 0.11 does not currently support strong typing throughout its specification and it can sometimes get confused when working with computed values or passing information into modules. The good news is that this is likely being addressed in the next major version of Terraform: https://www.hashicorp.com/blog/terraform-0-1-2-preview

Given some current sketches of the updated HCL specification, the above should be able to be replaced with the simpler configuration below with Terraform 0.12 (not released yet):

# Possible configuration with Terraform 0.12 -- implementation may change during development
resource "aws_security_group_rule" "allow_all" {
  # ... other configuration ...
  cidr_blocks = var.core_network_cidr
}

There are some upstream issues in Terraform core that track this updated handling and potentially are good references for trying to further track the fix for your situation:

• Unable to pass "type: List" variables from data source to modules terraform#17837
• Module output variables cannot be used to create a list input terraform#16916
• Can't conditionally define list terraform#16831

If neither of the above workaround configurations doesn't help in the current versions of Terraform, I'd suggest double checking for a more appropriate upstream issue (as this is not an issue with the AWS provider or its resources) or submitting a new Terraform core issue so we can ensure this behavior is fixed in the next version of Terraform. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!