Hello,
I see “# forces replacement” in the security group module: Terraform Registry
which is triggered by changes in the security group list (when security groups are added in between rather than at the end of the list, a specific use case).
I’m looking for a resolution here, because if by default Terraform deletes the resource and then creates it, I shouldn’t be seeing the error below:
Error: [WARN] A duplicate Security Group rule was found on (SECURITY_GROUP). This may be
│ a side effect of a now-fixed Terraform issue causing two security groups with
│ identical attributes but different source_security_group_ids to overwrite each
│ other in the state. See Consider security groups with source security groups when hashing by catsby · Pull Request #2376 · hashicorp/terraform · GitHub for more
│ information and instructions for recovery. Error: InvalidPermission.Duplicate: the specified rule
# module.apple_grape.module.apple_sg[0].aws_security_group_rule.ingress_with_cidr_blocks[0] must be replaced
-/+ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
~ cidr_blocks = [ # forces replacement
- "0.0.0.0/0",
+ "A",
+ "B",
]
~ description = "OLD_DESCRIPTION" -> "NEW_DESCRIPTION"
~ from_port = 8000 -> 9000 # forces replacement
~ id = "SGR_RULE_EXISTS" -> (known after apply)
~ security_group_rule_id = "SGR_RULE_ID_EXISTS" -> (known after apply)
+ source_security_group_id = (known after apply)
~ to_port = 8000 -> 8009 # forces replacement
# (5 unchanged attributes hidden)
}
# module.apple_grape.module.apple_sg[0].aws_security_group_rule.ingress_with_cidr_blocks[1] must be replaced
-/+ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
~ cidr_blocks = [ # forces replacement
- "0.0.0.0/0",
+ "A",
+ "B",
]
~ description = "OLD_DESCRIPTION" -> "NEW_DESCRIPTION"
~ from_port = 9900 -> 8000 # forces replacement
~ id = "SGR_RULE_EXISTS" -> (known after apply)
~ security_group_rule_id = "SGR_RULE_ID_EXISTS" -> (known after apply)
+ source_security_group_id = (known after apply)
~ to_port = 9900 -> 8000 # forces replacement
# (5 unchanged attributes hidden)
}
# module.apple_grape.module.apple_sg[0].aws_security_group_rule.ingress_with_cidr_blocks[2] must be replaced
-/+ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
~ description = "OLD_DESCRIPTION" -> "NEW_DESCRIPTION"
~ from_port = 8009 -> 8000 # forces replacement
~ id = "SGR_RULE_EXISTS" -> (known after apply)
~ security_group_rule_id = "SGR_RULE_ID_EXISTS" -> (known after apply)
+ source_security_group_id = (known after apply)
~ to_port = 8009 -> 8000 # forces replacement
# (6 unchanged attributes hidden)
}
# module.apple_grape.module.apple_sg[0].aws_security_group_rule.ingress_with_cidr_blocks[3] must be replaced
-/+ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
~ cidr_blocks = [ # forces replacement
- "0.0.0.0/0",
+ "A",
+ "B",
]
~ description = "OLD_DESCRIPTION" -> "NEW_DESCRIPTION"
~ from_port = 9000 -> 9059 # forces replacement
~ id = "SGR_RULE_EXISTS" -> (known after apply)
+ security_group_rule_id = (known after apply)
+ source_security_group_id = (known after apply)
~ to_port = 8009 -> 9059 # forces replacement
# (5 unchanged attributes hidden)
}
# module.apple_grape.module.apple_sg[0].aws_security_group_rule.ingress_with_cidr_blocks[4] must be replaced
-/+ resource "aws_security_group_rule" "ingress_with_cidr_blocks" {
~ cidr_blocks = [ # forces replacement
- "0.0.0.0/0",
+ "A",
+ "B",
]
~ description = "OLD_DESCRIPTION" -> "NEW_DESCRIPTION"
~ from_port = 8000 -> 9900 # forces replacement
~ id = "SGR_RULE_EXISTS" -> (known after apply)
+ security_group_rule_id = (known after apply)
+ source_security_group_id = (known after apply)
~ to_port = 8000 -> 9900 # forces replacement
# (5 unchanged attributes hidden)
}
Thanks,
Navneet
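The plan above addresses each rule by list position (`ingress_with_cidr_blocks[0]` to `[4]`). The following Python sketch is an added example, not part of the original post or the module's code: it shows how a mid-list insert changes every later index, and how a new rule can match a rule that still exists at another index. The rule values and function names are constructed for illustration, and the duplicate check assumes that one index's create can run before another index's destroy.

```python
# Constructed sample rules: (from_port, to_port, cidr). Not taken from the post.
OLD = [(8000, 8000, "10.0.0.0/8"), (9000, 9000, "10.0.0.0/8"), (9900, 9900, "10.0.0.0/8")]
# The same list with one rule inserted in the middle instead of appended.
NEW = [(8000, 8000, "10.0.0.0/8"), (8443, 8443, "10.0.0.0/8"),
       (9000, 9000, "10.0.0.0/8"), (9900, 9900, "10.0.0.0/8")]


def plan_by_index(old, new):
    """Diff rules addressed by list position, like rule[0], rule[1], ..."""
    plan = {}
    for i in range(max(len(old), len(new))):
        before = old[i] if i < len(old) else None
        after = new[i] if i < len(new) else None
        if before == after:
            continue  # same rule at the same address: no action
        if before is None:
            plan[i] = "create"
        elif after is None:
            plan[i] = "destroy"
        else:
            plan[i] = "replace"  # immutable attributes differ at this address
    return plan


def plan_by_key(old, new):
    """Diff rules addressed by their own content (a stable key)."""
    plan = {rule: "destroy" for rule in old if rule not in new}
    plan.update({rule: "create" for rule in new if rule not in old})
    return plan


def transient_duplicates(old, new):
    """Pairs (i, j): the rule to be created at index i still exists at index j.

    Assumption: operations on different indexes are not ordered against each
    other, so the create at i may reach the API before the destroy at j.
    """
    plan = plan_by_index(old, new)
    hits = []
    for i, action in plan.items():
        if action == "destroy":
            continue
        for j, existing in enumerate(old):
            if j != i and j in plan and existing == new[i]:
                hits.append((i, j))
    return hits


if __name__ == "__main__":
    print("by index:", plan_by_index(OLD, NEW))
    print("by key:  ", plan_by_key(OLD, NEW))
    print("possible duplicate-rule collisions:", transient_duplicates(OLD, NEW))
```
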