Unable to update security group rule across regions

[ghost]

This issue was originally opened by @jayudhandha as hashicorp/terraform#19246. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Terraform Version

v0.11.8

I am trying to update the rule of security group which is in another region (Ireland) after deploying my current security group (Ohio).

Below is my code snippet:

variable "aws_account_id" {}

terraform {
  backend "s3" {}
}

provider "aws" {
  region              = "us-east-2"
  allowed_account_ids = ["${var.aws_account_id}"]
}

provider "aws" {
  alias               = "TestApp"
  region              = "eu-west-1"
}


data "aws_security_group" "test_sg" {
  provider        = "aws.TestApp"
  name = "test-sg"
}

resource "aws_security_group" "test1_sg" {
  name        = "Test 1"
  vpc_id      = "VPC ID"
}

resource "aws_security_group_rule" "allow_test1_access_test_sg" {
  provider        = "aws.TestApp"

  type            = "ingress"
  from_port       = "80"
  to_port         = "80"
  protocol        = "tcp"
  security_group_id = "${data.aws_security_group.test_sg.id}"

  source_security_group_id = "${aws_security_group.test1_access_test2.id}"
}

I am getting cercular dependency like below.

Case 1: Run above code, Getting error that test1_access_test2 security group does not exist.
Case 2: Run above code without provider = "aws.TestApp" in aws_security_group_rule, Getting error that test_sg security group does not exist.
Case 3: Run above code without provider = "aws.TestApp" in data "aws_security_group" "test_sg" , Getting error that test_sg security group does not exist.

I am not sure this is 100% issue of inter region communication but it seems like this is the case.

Note: The above error is coming while running terraform apply. Plan is showing correct change without any error.

Any help will be highly appreciated.

Thanks!

[jayudhandha]

Please check https://stackoverflow.com/questions/53113568/unable-to-update-security-group-rule-across-regions/53114948#53114948

It seems this is not supported by AWS itself. We have to use cidr_block while referencing in cross region.

[bflad]

Thanks for the update, @jayudhandha! To help others I have submitted a pull request to update the Terraform resource documentation to link to the AWS documentation regarding those restrictions: #6358

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!