Why does an aws_vpc Data Source lookup via Tags produce a different plan than by Id?

We have an ECS service that is being recreated, and we were getting errors that a Security Group already existed. The state file was correctly tracking that security group, but it would only ever try to create it (and not destroy it) when it came time to apply.

In the plan, the security group was being replaced explicitly because of the VPC. The plan changed between the following two iterations of the Data Source block for the VPC.

data "aws_vpc" "target_vpc" {
  tags = {
    Zone = var.zone
  }
}

data "aws_vpc" "target_vpc" {
  id = "vpc-123"
}

There was only one VPC with the “Zone” tag set, so it should only identify one. I added count = 1 as well, but that produced the same plan as the Tag lookup by itself. Lookup by Id did not force replacement of the consuming security group. Ideas as to the reason for this behavior?

So we think we found the issue; I’ll paste it here:

“Most terraform resources will do a destroy then a create, so seeing them do create before destroy is not normal behavior unless you explicitly call it out… If you take a look at the terraform plan that ***** puts out, you can see that the ECS service security group is doing a destroy then create, but if you look at the load balancer one it is doing a create then destroy… it’s inheriting that rule from the target group.” So it looks like we might be onto something which is unrelated to my above question…
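Both posts above come down to reading the plan carefully: which attribute is forcing the security group to be replaced (the vpc_id coming from the data source), and whether each replaced resource is planned destroy-then-create or create-before-destroy. Terraform encodes both facts in the JSON plan that `terraform show -json` emits: a replacement appears with `actions` of `["delete", "create"]` (the default) or `["create", "delete"]` (create_before_destroy, whether set directly or inherited through a dependency), and `change.replace_paths` lists the attributes that forced it. The script below is an added example, not code from the original post or from HashiCorp; it reads such a plan and reports those two things per resource. The embedded sample plan is constructed for illustration (the resource addresses, the `vpc-123` value and the `replace_paths` / `after_unknown` fields follow the documented plan JSON shape, but the data in it is made up), and the assumption that a data source whose read is deferred to apply shows up in `resource_changes` with a `read` action and unknown attributes is the author's, labeled as such in the comments.

```python
"""Summarize replacements in a `terraform show -json` plan.

Added example (not from the original post). Assumes the JSON shape that
`terraform show -json tfplan` emits: a top-level "resource_changes" list
whose entries carry change.actions, change.after, change.after_unknown and,
for replacements, change.replace_paths.
"""
import json

# Constructed sample plan: a security group replaced because its vpc_id is
# only known after apply, a target group replaced in create-before-destroy
# order, an in-place update, and a data source whose read was deferred.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {
            "address": "aws_security_group.ecs_service",
            "type": "aws_security_group",
            "change": {
                "actions": ["delete", "create"],
                "before": {"vpc_id": "vpc-123", "name": "ecs-service"},
                "after": {"vpc_id": None, "name": "ecs-service"},
                "after_unknown": {"vpc_id": True},
                "replace_paths": [["vpc_id"]],
            },
        },
        {
            "address": "aws_lb_target_group.app",
            "type": "aws_lb_target_group",
            "change": {
                "actions": ["create", "delete"],
                "before": {"vpc_id": "vpc-123"},
                "after": {"vpc_id": None},
                "after_unknown": {"vpc_id": True},
                "replace_paths": [["vpc_id"]],
            },
        },
        {
            "address": "aws_ecs_service.app",
            "type": "aws_ecs_service",
            "change": {"actions": ["update"], "before": {}, "after": {}},
        },
        {
            # Assumption: a data source read deferred to apply time is listed
            # with a "read" action and its unknown attributes in after_unknown.
            "address": "data.aws_vpc.target_vpc",
            "mode": "data",
            "type": "aws_vpc",
            "change": {"actions": ["read"], "before": None, "after": None,
                       "after_unknown": {"id": True}},
        },
    ],
})

# How Terraform encodes replacement ordering in the actions list.
ORDER = {
    ("delete", "create"): "destroy-then-create (default)",
    ("create", "delete"): "create-before-destroy",
}


def classify_replacements(plan_json):
    """One record per replaced resource: address, ordering, and the
    attributes that forced the replacement with their planned values.
    Plain create/update/delete/read/no-op changes are skipped."""
    plan = json.loads(plan_json)
    out = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        order = ORDER.get(tuple(change["actions"]))
        if order is None:
            continue
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        forced = []
        for path in change.get("replace_paths", []):
            attr = ".".join(str(p) for p in path)
            # A value only known after apply cannot be compared with state,
            # so Terraform plans a replacement of a ForceNew attribute.
            value = "(known after apply)" if unknown.get(path[0]) else after.get(path[0])
            forced.append((attr, value))
        out.append({"address": rc["address"], "order": order, "forced_by": forced})
    return out


def deferred_reads(plan_json):
    """Addresses of data sources whose result is unknown at plan time; their
    consumers see '(known after apply)' values (assumption noted above)."""
    plan = json.loads(plan_json)
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if rc.get("mode") == "data" and rc["change"].get("after_unknown")]


if __name__ == "__main__":
    for rec in classify_replacements(SAMPLE_PLAN):
        print(f"{rec['address']}: {rec['order']}")
        for attr, value in rec["forced_by"]:
            print(f"    forces replacement: {attr} = {value}")
    for addr in deferred_reads(SAMPLE_PLAN):
        print(f"{addr}: read deferred to apply")
```

To run it against a real plan, write the plan to a file and convert it with the standard commands `terraform plan -out tfplan` and `terraform show -json tfplan > plan.json`, then call `classify_replacements` on the file contents instead of `SAMPLE_PLAN`. A security group whose vpc_id shows up as `(known after apply)` is being replaced because the data source feeding it was not resolved at plan time, while the ordering column shows which resources picked up create-before-destroy from a dependency.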