IPV6 -Terraform keeps asking to apply even if there is no change

There is a recent change in one of the security group (AWS) to allow IPv6 traffic.
Terraform keeps asking to apply even if there is no change. How do we fix that issue?

Hi @sasikumar.rajagopal,

This sort of problem tends to occur if the remote API allows multiple ways to specify the same information but then returns that information in a different way than you specified it. Terraform providers are supposed to include rules to recognize those situations and treat them as non-changes, but sometimes these situations are not documented and so the provider team finds out about them only through bug reports.

I can’t offer any more specific advice because you’ve not included enough detail about the problem. It would help if you would share the output from terraform plan showing the unexpected proposed change, and also the part of the configuration that described that resource and any other objects you referred to in that resource configuration.

What I would do with that information is observe exactly what change the AWS provider is describing, and try to understand how the configuration differs from what the AWS API has returned as the current state of the security group. I would then try to change the configuration of the security group to match what the API is returning, so that the desired state and actual state will converge.

This is probably also an AWS provider bug, but without more information I can’t say whether it’s a bug that is already open in the provider’s issue tracker.

Thanks for your response .
Please find the out put.

there is a recent change in one of the security group (AWS) to allow IPv6 traffic.
Terraform plan shows the below even after we applied it. Status remains same even after a few updates with no changes.
We are eusing terraform version = ">= 0.12.26

+ {
              + cidr_blocks      = []
              + description      = "RTP"
              + from_port        = 1024
              + ipv6_cidr_blocks = [
                  + "4a13:a380:0240::/43",
                  + "4a13:a380:0260::/43",
                ]
              + prefix_list_ids  = []
              + protocol         = "udp"
              + security_groups  = []
              + self             = false
              + to_port          = 65534
            },
          - {
              - cidr_blocks      = []
              - description      = "RTP"
              - from_port        = 1024
              - ipv6_cidr_blocks = [
                  - "4a13:a380:240::/43",
                  - "4a13:a380:260::/43",
                ]
              - prefix_list_ids  = []
              - protocol         = "udp"
              - security_groups  = []
              - self             = false
              - to_port          = 65534
            },

Hi @sasikumar.rajagopal,

It seems that your configuration specifies the IPv6 addresses with zero-padded segments like 0260, but the AWS API is returning them with the leading zero stripped like 260.

This does seem like an AWS provider bug – I would expect it to treat these addresses as equivalent as required by IPv6 syntax – but for now you could work around it by writing the addresses the way the AWS API prefers, by removing the leading zeros from the third segment of both of your addresses.