aws_security_group_rule resource ERROR after trying to create the rule on each apply

[kristjanelias]

Terraform version:
terraform --version Terraform v0.6.13-dev (1448b84b37524eb2f22826dc90ffed65df68e27d)

When creating aws_security_group_rule resource and running more than 1 apply i get an error:

• aws_security_group_rule.ingress_ssh: [WARN] A duplicate Security Group rule was found. This may be a side effect of a now-fixed Terraform issue causing two security groups with identical attributes but different source_security_group_ids to overwrite each other in the state. See Consider security groups with source security groups when hashing #2376 for more information and instructions for recovery. Error message: the specified rule "peer: 10.1.0.0/16, TCP, from port: 22, to port: 22, ALLOW" already exists

Each time terraform apply is executed the rule is created again.
Rules are not recorded in terraform.tfstate

Code to reproduce (main.tf):
main.txt

Terraform apply output:
terraform_apply.txt

tfstate file after apply:
terraform_tfstate.txt

[kristjanelias]

This error does not appear when specified protocol is "-1"(all).
In that case rule is saved in tfstate file.

However it is saved uncorrectly causing the rule to be recreated at each apply.

[jen20]

Hi @kristjanelias! Thanks for opening this issue. Did you take a look at the steps in #2376 for resolving this class of issue? If that did not work this is likely something we need to dig deeper into.

[kristjanelias]

Hi @jen20
I see #2376 is merged to master so i should have these fixes on my latest version.
They obviously did not help.
You should be able reproduce this issue very easily with the few lines of code i have attached in the "main.txt" file.

[kristjanelias]

@jen20
The problem i am facing is caused by 2 separate issues:

1. Terraform fail on second apply when creating AWS SG rules - SG rule IpProtocol case sensitivity - When terraform resource (aws security group) is described with capital letters the resource is created successfully but terraform is unable to find it after creation. This is because aws returns a lower case protocol name when listing rules. Terraform is unable to compare these different case values and thinks it needs to create a new rule every time.

• Workaround: Use lower case protocol names when defining security group rules
• Fix: All protocol values should be casted to lower case before comparison.

2. Some AWS SG rules are regenerated each terraform execution - Nature of "-1"(all) port rules returned by go-aws-sdk - Every time a SG rule is defined in Terraform with source or destination ports set to all (-1) the rule is successfully created but the return value set does not include values for said ports. Therefore terraform replaces these non-extsitent values with 0. Source and destination ports change force a new resource. Therefore each time terraform is executed a "0=<-1" is encountered and these rules are regenerated.

• Workaround: haven't found one yet
• Fix: Terraform should be able to manage this case and substitute the missing value with -1 not 0.

[rdark]

I'm being affected by this issue too. Running v0.6.12.

If I create an aws_security_group_rule along the lines of:

resource "aws_security_group_rule" "allow_all_outbound" {
  type = "egress"
  from_port = 0
  to_port = 0
  protocol = "-1"
  cidr_blocks = ["0.0.0.0/0"]
  security_group_id = "${aws_security_group.app_name.id}"
}

..And apply it to a group, it applies successfully for the first run.
Subsequent runs bomb with "duplicate Security Group rule was found" > https://gist.github.com/rdark/c19165c7e3b60a98a89b

If I manually delete that egress rule from the group, then first terraform run following that adds it back in, and then all subsequent runs work as expected.

[c4urself]

I've now run into this as well -- it seems that you can reproduce this by creating a aws_security_group_rule, applying it (runs fine), and then adding an item to the cidr_blocks. Applying after this will result in the exact same error @rdark gets.

[ajlanghorn]

I concur with @c4urself and @rdark. Seeing this behaviour here, too, using 0.6.16.

[dtolnay]

I have a fix in #7377. The bug was a poorly handled error case where any error (including spurious network issues) would result in a duplicate security group rule being created.

I suspect that the people who commented saying they were able to reproduce the issue reliably were running Terraform with the AuthorizeSecurityGroupIngress and/or AuthorizeSecurityGroupEgress permissions but not the DescribeSecurityGroups permission. That results in the first apply succeeding and the second apply failing.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.