Problem with EC2 Tag made by CloudFormation

Terraform v0.12.28

  • provider.aws v2.70.0

I’m describing existing infrastructure with terrafrom, using terraform import to add resources. Some security groups have tags made by AWS CloudFormation. Terraform can’t accept or recreate them.

Tags look like this: aws:cloudformation:logical-id

I’ve tried to put those tags as is in resource "aws_security_group" and as a separate resource:

resource "aws_ec2_tag" "security_group_name-tags" {
  for_each = {
        "aws:cloudformation:stack-name": "amazon-ecs-stack-name",
        "aws:cloudformation:stack-id": "stack-id"
        "aws:cloudformation:logical-id": "logical-id"
        }    

  resource_id = aws_security_group.security_group_name.id
  key         = each.key
  value       = each.value
}

terraform plan shows no errors.
terraform apply in both situations gives me:

InvalidParameterValue: Value ( '' ) for parameter Tag key is invalid. Tag key cannot be null or empty.

What could be the problem?