Questions about modifying AWS security group rules

I have an AWS infrastructure configured in a private environment.
We started operating the AWS infrastructure with Terraform.
Adding a rule to the security group is successful.
However, an error occurred when deleting a rule from the security group.
There are over 100 ingress rules in the security group. I deleted 2 of them, but about 50 rules were deleted.

Terraform code:

module "proxy-sg-ec2" {
  source      = "…/modules/networks/securitygroup"
  sg_name     = "PROXY-SG-EC2"
  description = "Proxy SG"
  vpc_id      = module.proxy-vpc.vpc-id
  tags = {
    Name = "PROXY-SG-EC2"
  }
  ingresses = [
    { from_port = 443, to_port = 443, cidr_blocks = ["10.200.200.101/32"], protocol = "tcp", description = "From PC 101" },
    { from_port = 443, to_port = 443, cidr_blocks = ["10.200.200.102/32"], protocol = "tcp", description = "From PC 102" },
    { from_port = 443, to_port = 443, cidr_blocks = ["10.200.200.103/32"], protocol = "tcp", description = "From PC 103" },
    { from_port = 443, to_port = 443, cidr_blocks = ["10.200.200.104/32"], protocol = "tcp", description = "From PC 104" },

    # (rules between PC 104 and PC 188 omitted in the post)

    { from_port = 443, to_port = 443, cidr_blocks = ["10.200.200.188/32"], protocol = "tcp", description = "From PC 188" },
    { from_port = 443, to_port = 443, cidr_blocks = ["10.200.200.189/32"], protocol = "tcp", description = "From PC 189" },
    { from_port = 443, to_port = 443, cidr_blocks = ["10.200.200.190/32"], protocol = "tcp", description = "From PC 190" },
    { from_port = 443, to_port = 443, cidr_blocks = ["10.200.200.191/32"], protocol = "tcp", description = "From PC 191" },
  ]
  egresses = []
}

====

Deleted rule:

{ from_port = 443, to_port = 443, cidr_blocks = ["10.200.200.145/32"], protocol = "tcp", description = "From PC 145" },

I deleted one rule, but when I checked in the AWS console, about 50 were deleted.

====

The log shows "Still destroying" repeatedly and never completes. It was forced to stop, and the deleted rules were restored in the AWS console.

module.proxy.module.proxy-sg-ec2.aws_security_group_rule.ingress[46]: Still destroying… [id=sgrule-999999999, 18m50s elapsed]
module.proxy.module.proxy-sg-ec2.aws_security_group_rule.ingress[47]: Still destroying… [id=sgrule-999999999, 18m50s elapsed]
module.proxy.module.proxy-sg-ec2.aws_security_group_rule.ingress[46]: Still destroying… [id=sgrule-999999999, 19m00s elapsed]

======

I wonder why the rule was deleted and why the “Still destroying” log keeps popping up.
And I would like to know if there is a good solution.

Please help me.

It looks like you are using a list to specify the different rules, and presumably within your module you are then using some resource with a count to create them. The issue you have is that for a list the order matters. So if you remove an entry in the middle of the list, and are using count to create resources, Terraform will delete all the rules after the removed entry and recreate them (as their position in the list has changed).

To resolve this, use for_each instead of count. In general, count should only be used where you are creating multiple identical resources (e.g. multiple virtual machines) or where order matters.
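As an added illustration of the for_each approach (this is not the asker's module or any project's own code), the module below keeps the same list-of-objects `ingresses` input shape used in the question but converts it to a map keyed by the rule's own attributes before handing it to the resource. The variable name `sg_id` and the key format are assumptions; removing one element from the list then changes only that one key.

```hcl
# Added example, not the asker's module. Assumes the module receives the
# security group id in var.sg_id and the same "ingresses" list shape as the
# question's module call.

variable "sg_id" {
  type = string
}

variable "ingresses" {
  type = list(object({
    from_port   = number
    to_port     = number
    protocol    = string
    cidr_blocks = list(string)
    description = string
  }))
  default = []
}

# The count form that produces the mass re-creation, kept only for contrast:
#
#   resource "aws_security_group_rule" "ingress" {
#     count       = length(var.ingresses)
#     cidr_blocks = var.ingresses[count.index].cidr_blocks
#     ...
#   }
#
# Removing element 45 shifts every later element down one index, so Terraform
# sees ingress[45], ingress[46], ... all change and destroys and recreates each.

# Derive a stable key from the rule itself (protocol, ports, CIDRs) so the key
# does not depend on the rule's position in the list. If two list entries
# produce the same key, the for expression fails at plan time with a
# duplicate-key error instead of silently creating a duplicate rule.
locals {
  ingress_rules = {
    for r in var.ingresses :
    "${r.protocol}-${r.from_port}-${r.to_port}-${join(",", r.cidr_blocks)}" => r
  }
}

resource "aws_security_group_rule" "ingress" {
  for_each = local.ingress_rules

  type              = "ingress"
  security_group_id = var.sg_id
  from_port         = each.value.from_port
  to_port           = each.value.to_port
  protocol          = each.value.protocol
  cidr_blocks       = each.value.cidr_blocks
  description       = each.value.description
}
```

With this, deleting the "From PC 145" entry yields a plan that destroys exactly one instance, `aws_security_group_rule.ingress["tcp-443-443-10.200.200.145/32"]`, and touches nothing else. One caveat when converting an existing module: the state addresses change from `ingress[46]` to the keyed form, so the first plan after the switch will propose destroying every indexed instance and creating the keyed ones once, unless the existing instances are moved to their new addresses first (with `terraform state mv` or `moved` blocks in Terraform 1.1 and later).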