duplicate security group #340

Closed
hashibot opened this issue Jun 13, 2017 · 10 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@hashibot

This issue was originally opened by @tomstachura as hashicorp/terraform#9778. It was migrated here as part of the provider split. The original body of the issue is below.


This is pointing me to pages of discussion from over a year ago. Seems this bug is still happening.

2 error(s) occurred:

  • aws_security_group_rule.ivory.0: [WARN] A duplicate Security Group rule was found on (sg-4f0f7836). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See Consider security groups with source security groups when hashing terraform#2376 for more
    information and instructions for recovery. Error message: the specified rule "peer: 199.58.192.98/32, TCP, from port: 22, to port: 22, ALLOW" already exists
  • aws_security_group_rule.ivory.1: [WARN] A duplicate Security Group rule was found on (sg-4f0f7836). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See Consider security groups with source security groups when hashing terraform#2376 for more
    information and instructions for recovery. Error message: the specified rule "peer: 35.161.227.236/32, TCP, from port: 22, to port: 22, ALLOW" already exists

I have 2 of these pointing to 2 different security groups. If I have just 1 of these, it works. If I have 2 it fails with the above.
resource "aws_security_group_rule" "admin" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  security_group_id = "${aws_security_group.admin.id}" # for the 2nd one, this was changed to another ID
  cidr_blocks       = ["${var.admin_ips[count.index]}/32"]

  count = "${length(var.admin_ips)}"
}

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@onedeveloper

Still getting this kind of error when using terraform. What is worse, I think, is that trying to clean up by doing `terraform plan --destroy --out plan && terraform apply plan` misses resources and leaves garbage created that you then need to go hunt for.

Error applying plan:

2 error(s) occurred:

  • aws_security_group_rule.tomcat-1043-elb: 1 error(s) occurred:

  • aws_security_group_rule.tomcat-1043-elb: [WARN] A duplicate Security Group rule was found on (sg-b20261d4). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See Consider security groups with source security groups when hashing terraform#2376 for more
    information and instructions for recovery. Error message: the specified rule "peer: sg-11026177, TCP, from port: 1043, to port: 1043, ALLOW" already exists

  • aws_security_group_rule.tomcat-1041-elb: 1 error(s) occurred:

  • aws_security_group_rule.tomcat-1041-elb: [WARN] A duplicate Security Group rule was found on (sg-b20261d4). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See Consider security groups with source security groups when hashing terraform#2376 for more
    information and instructions for recovery. Error message: the specified rule "peer: sg-11026177, TCP, from port: 1041, to port: 1041, ALLOW" already exists

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

@PlugIN73

Still getting this error.

 (master) aws$ terraform version
Terraform v0.11.2
+ provider.aws v1.5.0

@radeksimko radeksimko added the service/ec2 Issues and PRs that pertain to the ec2 service. label Jan 25, 2018
@abtreece

Also receiving this error. Attempting to change a CIDR and getting the aforementioned "duplicate Security Group rule was found" error

terraform = 0.10.8
provider.aws ~> 1.8

@rajcheval

Also receiving this error.

Terraform v0.11.7

  • provider.aws v1.16.0
  • provider.template v1.0.0

I am not sure what I have to do to fix these errors.

@jammerful
Contributor

I'm also seeing this error on:

  • terraform v0.11.7
  • terraform provider aws v1.16.0

@jammerful
Contributor

I'm seeing this security rule duplicate error somewhat regularly about every other day, I checked with AWS and it seems that terraform is indeed trying to create some duplicate security group rules.

@bflad @radeksimko @simonvanderveldt As people have been that have been in the security group rule resource file recently, do you know what might be causing this? I'm having some trouble diagnosing the issue, if you have any hints I'd be happy to investigate further and submit a PR fixing the issue.

@simonvanderveldt
Contributor

simonvanderveldt commented Jun 21, 2018

@jammerful I'm not entirely sure what you mean by this

As people have been that have been in the security group rule resource file recently,

But issues with security group rules do keep happening for us. AFAIK the API on the AWS side doesn't return anything useful when creating security group rules (have a look at the output here https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html), meaning there's no unique identifier for security group rules, which means Terraform can only infer which rule is which by looking at the properties one has set for the security group rule. This is obviously not ideal.

I'm not sure if there are any other factors at play, but for some reason sometimes Terraform doesn't notice a Terraform managed SG rule already exists, maybe not all properties of SG rules are being checked?

@rajinders

In my case it turned out to be a red herring. Terraform was working as expected.
I was using inline rules for defining security groups. I was getting a cyclic reference error.
To fix that problem I had to externalize the security group rules. When I was externalizing them I forgot to comment out the existing inline rules. This is what led to the error about a duplicate security group rule.
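The two comments above describe the same mechanism from two sides: @simonvanderveldt's point that DescribeSecurityGroups returns no per-rule identifier, so a rule is known only by the attributes set on it, and @rajinders' inline-plus-standalone declaration that made EC2 reject the second copy as a duplicate. The script below models that in Python. It is an added example, not code from Terraform or the AWS provider: it flattens a DescribeSecurityGroups-shaped response into canonical rule keys, checks a desired rule set against them, and flags rules declared twice. The response, group IDs and addresses are constructed, and `peerless_key` is a hypothetical identity that omits the peer, included to show how two rules differing only by source security group would collide, which is the state overwrite the migrated warning in this thread refers to.

```python
"""Identify EC2 security group rules by their attributes.

Added example, not Terraform or AWS provider code. DescribeSecurityGroups
returns IpPermissions blocks rather than per-rule identifiers, so a rule is
known only by (direction, protocol, port range, peer). This flattens such a
response into canonical keys, checks a desired rule set against it and
reports rules declared twice in the desired set (inline block left in place
next to a standalone aws_security_group_rule). All identifiers and
addresses below are constructed.
"""
from typing import Iterable, List, NamedTuple, Set, Tuple


class RuleKey(NamedTuple):
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: int   # -1 when the API omits FromPort (protocol -1)
    to_port: int
    peer: str        # CIDR, IPv6 CIDR, prefix list ID or security group ID


def flatten_permissions(direction: str, permissions: list) -> Set[RuleKey]:
    """One RuleKey per peer in a DescribeSecurityGroups IpPermissions list."""
    keys: Set[RuleKey] = set()
    for perm in permissions:
        proto = str(perm["IpProtocol"])
        from_port = int(perm.get("FromPort", -1))
        to_port = int(perm.get("ToPort", -1))
        peers = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        peers += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        peers += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
        peers += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        for peer in peers:
            keys.add(RuleKey(direction, proto, from_port, to_port, peer))
    return keys


def existing_rules(group: dict) -> Set[RuleKey]:
    """All rules currently on one group, as the API reports them."""
    return (flatten_permissions("ingress", group.get("IpPermissions", []))
            | flatten_permissions("egress", group.get("IpPermissionsEgress", [])))


def peerless_key(key: RuleKey) -> Tuple[str, str, int, int]:
    """Hypothetical identity that ignores the peer. Two rules that differ
    only by source security group collide under it, the kind of state
    overwrite the migrated warning in this thread describes."""
    return (key.direction, key.protocol, key.from_port, key.to_port)


def plan_rules(desired: Iterable[RuleKey], existing: Set[RuleKey]
               ) -> Tuple[List[RuleKey], List[RuleKey], List[RuleKey]]:
    """Split desired rules into (to create, already present, declared twice).

    A rule appearing twice in the desired set is the inline-plus-standalone
    case: EC2 rejects the second AuthorizeSecurityGroup* call as a duplicate."""
    seen: Set[RuleKey] = set()
    create: List[RuleKey] = []
    present: List[RuleKey] = []
    declared_twice: List[RuleKey] = []
    for key in desired:
        if key in seen:
            declared_twice.append(key)
            continue
        seen.add(key)
        (present if key in existing else create).append(key)
    return create, present, declared_twice


# Constructed DescribeSecurityGroups output for one group (not a real account).
SAMPLE_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
        {"IpProtocol": "-1",
         "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaa1"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed desired rules: one already present, the same one declared again
# (inline block kept after the rule was externalized), and two new ones.
DESIRED = [
    RuleKey("ingress", "tcp", 22, 22, "203.0.113.10/32"),
    RuleKey("ingress", "tcp", 22, 22, "203.0.113.10/32"),
    RuleKey("ingress", "tcp", 22, 22, "198.51.100.7/32"),
    RuleKey("ingress", "tcp", 443, 443, "sg-0fedcba9876543210"),
]

if __name__ == "__main__":
    existing = existing_rules(SAMPLE_GROUP)
    create, present, twice = plan_rules(DESIRED, existing)
    for k in present:
        print("already exists:", k)
    for k in twice:
        print("declared twice in config:", k)
    for k in create:
        print("would create:", k)
```

The peer is part of the key on purpose: the two ingress rules on port 22 in the sample (one CIDR, one source group) are distinct rules to EC2 and must stay distinct in state, but `peerless_key` maps them to the same value, so a diff built on it would treat one as the other.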

@github-actions

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Jun 10, 2020
@ghost

ghost commented Aug 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Aug 11, 2020