Unexpected removal of values when updating aws_security_group

Hi!

We are looking to use the “aws_security_group” resource and have already used it to deploy some security groups into our VPC.

The problem comes when we want to update this security group.

If we change/add a group in the list of security_groups inside an ingress block (https://www.terraform.io/docs/providers/aws/r/security_group.html#security_groups) and then run terraform plan, you can see that Terraform will perform an update in place. However, instead of going straight from old_value => new_value, the change goes in two steps: from old_value => "0" or "" and then from "0" or "" => new_value.

This needs clarifying for us because we wish to use Terraform to administer the security groups in our production environment and are concerned this may affect network connectivity for a short time.

  • Does Terraform actually remove all values and re-add them quickly as the plan implies?
  • Are there/could there be any network outages by updating in place in this way?
  • It appears previously established connections are unaffected until broken, but what about connections that are attempted during the terraform apply? Will we see an elevated error rate due to this behaviour?
  • Is there an alternative/better way to manage security groups without outage if there is one?
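As an added illustration (not part of the original post), here is the inline-ingress form described above next to the same rule written with the separate aws_security_group_rule resource, which Terraform tracks as its own object. Resource names are placeholders, and the referenced `lb_old`/`lb_new` security groups and `var.vpc_id` are assumed to exist elsewhere in the configuration.

```hcl
# Constructed example: the inbound rule lives inside the parent security group
# as an inline ingress block, and the source group is given in security_groups.
# Changing this list edits the ingress block of the parent resource in place.
resource "aws_security_group" "app_inline" {
  name   = "app-sg-inline"   # placeholder name
  vpc_id = var.vpc_id        # assumed variable

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.lb_old.id]   # assumed existing group
    # Moving to the new source group means editing this list, for example:
    # security_groups = [aws_security_group.lb_new.id]
  }
}

# Alternative form: the parent group carries no inline rules, and each rule is
# a standalone aws_security_group_rule resource. Adding a rule for the new
# source group creates a separate object instead of rewriting the inline block.
resource "aws_security_group" "app_standalone" {
  name   = "app-sg-standalone"   # placeholder name
  vpc_id = var.vpc_id
}

resource "aws_security_group_rule" "from_lb_old" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app_standalone.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lb_old.id   # assumed existing group
}

# The rule for the new source group is its own resource; the old one above can
# be removed in a later change once traffic has moved over.
resource "aws_security_group_rule" "from_lb_new" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app_standalone.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lb_new.id   # assumed existing group
}
```

Running terraform plan against each form shows which objects the change touches: the inline form shows a diff on the ingress block of the parent group, while the standalone form shows a new rule resource being created.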