
[Bug]: aws_security_group_rule hangs when no CIDRs or prefix lists are specified #42018

Open
sodle opened this issue Mar 28, 2025 · 4 comments · May be fixed by #42142
Labels
bug Addresses a defect in current functionality. service/vpc Issues and PRs that pertain to the vpc service.

Comments

@sodle
Contributor

sodle commented Mar 28, 2025

Terraform Core Version

1.11.3

AWS Provider Version

5.93.0

Affected Resource(s)

  • aws_security_group_rule

Expected Behavior

When passing an empty list for cidr_blocks, ipv6_cidr_blocks, or prefix_list_ids, Terraform should either reject this resource with an error, or succeed without creating any rules.

Actual Behavior

Creation of this resource hangs until its timeout expires, then Terraform exits with an error.

Relevant Error/Panic Output Snippet

aws_security_group_rule.sg2_rule: Still creating... [5m0s elapsed]
╷
│ Error: waiting for Security Group (sg-02d2ac56463d5ab42) Rule (sgrule-3637919791) create: couldn't find resource

│   with aws_security_group_rule.sg2_rule,
│   on main.tf line 32, in resource "aws_security_group_rule" "sg2_rule":
│   32: resource "aws_security_group_rule" "sg2_rule" {

Terraform Configuration Files

provider "aws" {
  region = "us-west-2"
}

resource "aws_vpc" "vpc" {
  cidr_block = "10.0.0.0/24"

  tags = {
    "Name" = "tf-repro"
  }
}

resource "aws_security_group" "sg" {
  name   = "sg"
  vpc_id = aws_vpc.vpc.id
}

resource "aws_security_group_rule" "sg_rule" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = aws_security_group.sg.id
  cidr_blocks       = []
}

Steps to Reproduce

  • terraform apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

@sodle sodle added the bug Addresses a defect in current functionality. label Mar 28, 2025

Community Guidelines

This comment is added to every new Issue to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Issue and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/vpc Issues and PRs that pertain to the vpc service. labels Mar 28, 2025
@sodle
Contributor Author

sodle commented Mar 28, 2025

Debug output

tf_debug.log

@justinretzolk
Member

Hey @sodle 👋 Thank you for taking the time to raise this, and for providing debug logging as well -- that was very helpful!

I reviewed the debug logs and found something pretty interesting (mostly for whoever might pick this up, but you may find it interesting as well):

2025-03-27T20:42:00.168-0600 [DEBUG] provider.terraform-provider-aws_v5.93.0_x5: HTTP Request Sent: http.request.header.x_amz_date=20250328T024200Z http.request_content_length=171 tf_aws.signing_region="" rpc.method=AuthorizeSecurityGroupIngress rpc.service=EC2 tf_req_id=e34755e7-d853-cfe8-5543-f2af05e07a1a aws.region=us-west-2 http.request.header.authorization="AWS4-HMAC-SHA256 Credential=AKIA************MPI4/20250328/us-west-2/ec2/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date, Signature=*****" @caller=github.com/hashicorp/aws-sdk-go-base/[email protected]/logging/tf_logger.go:45 http.method=POST http.request.header.amz_sdk_request="attempt=1; max=25" tf_resource_type=aws_security_group_rule tf_mux_provider="*schema.GRPCProviderServer" tf_rpc=ApplyResourceChange @module=aws net.peer.name=ec2.us-west-2.amazonaws.com rpc.system=aws-api http.user_agent="APN/1.0 HashiCorp/1.0 Terraform/1.10.5 (+https://www.terraform.io) terraform-provider-aws/5.93.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go-v2/1.36.3 ua/2.1 os/macos lang/go#1.23.7 md/GOOS#darwin md/GOARCH#arm64 api/ec2#1.210.1 m/n"
  http.request.body=
  | Action=AuthorizeSecurityGroupIngress&GroupId=sg-0c2dda057f56f576a&IpPermissions.1.FromPort=443&IpPermissions.1.IpProtocol=tcp&IpPermissions.1.ToPort=443&Version=2016-11-15
   http.request.header.amz_sdk_invocation_id=e896c4ab-2961-443a-b127-9a78c90ed6ec http.url=https://ec2.us-west-2.amazonaws.com/ tf_provider_addr=registry.terraform.io/hashicorp/aws http.request.header.content_type=application/x-www-form-urlencoded tf_aws.sdk=aws-sdk-go-v2 timestamp=2025-03-27T20:42:00.160-0600

2025-03-27T20:42:00.323-0600 [DEBUG] provider.terraform-provider-aws_v5.93.0_x5: HTTP Response Received: http.response.header.date="Fri, 28 Mar 2025 02:42:00 GMT" http.response.header.server=AmazonEC2 rpc.method=AuthorizeSecurityGroupIngress tf_mux_provider="*schema.GRPCProviderServer" @caller=github.com/hashicorp/aws-sdk-go-base/[email protected]/logging/tf_logger.go:45 http.duration=162 tf_provider_addr=registry.terraform.io/hashicorp/aws tf_req_id=e34755e7-d853-cfe8-5543-f2af05e07a1a http.response.header.cache_control="no-cache, no-store" rpc.service=EC2 tf_rpc=ApplyResourceChange @module=aws aws.region=us-west-2 rpc.system=aws-api tf_resource_type=aws_security_group_rule http.response_content_length=287 http.status_code=200 tf_aws.sdk=aws-sdk-go-v2 tf_aws.signing_region=""
  http.response.body=
  | <?xml version="1.0" encoding="UTF-8"?>
  | <AuthorizeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  |     <requestId>b437a593-4ad3-47f1-aa7a-6cef1a69322f</requestId>
  |     <return>true</return>
  |     <securityGroupRuleSet/>
  | </AuthorizeSecurityGroupIngressResponse>
   http.response.header.content_type=text/xml;charset=UTF-8 http.response.header.strict_transport_security="max-age=31536000; includeSubDomains" http.response.header.x_amzn_requestid=b437a593-4ad3-47f1-aa7a-6cef1a69322f timestamp=2025-03-27T20:42:00.323-0600

Looking at the request that was made to AuthorizeSecurityGroupIngress, you'll notice that the one IpPermissions object that's sent doesn't include any of the IpRanges, Ipv6Ranges, PrefixListIds, or UserIdGroupPairs arguments, despite the API documentation mentioning:

You must specify exactly one of the following sources: an IPv4 or IPv6 address range, a prefix list, or a security group.

Interestingly, no error is returned from the API and so Terraform waits (the AWS documentation notes that the change may have a slight delay before it's propagated) and continues to check if a matching rule has been applied. Since no rule is actually applied, it's never found, and the provider continues to wait and retry until timing out. I suspect this is part of what's called out in the note at the top of the aws_security_group_rule:

Avoid using the aws_security_group_rule resource, as it struggles with managing multiple CIDR blocks, and, due to the historical lack of unique IDs, tags and descriptions. To avoid these problems, use the current best practice of the aws_vpc_security_group_egress_rule and aws_vpc_security_group_ingress_rule resources with one CIDR block per rule.

It's probably worth moving to the dedicated ingress and egress resources given that they're what's considered best practice at this point. In addition to that, given that the CIDR is provided as a string rather than a list, the reported issue wouldn't be possible.

@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Mar 31, 2025
@sodle
Contributor Author

sodle commented Apr 1, 2025

Hey @justinretzolk — thanks for looking at it — yeah ultimately the ingress/egress resources are the way to go. Just need to take the time to migrate.

I just think it would be nice to have consistent behavior in this resource: maybe check for the case where an empty IP or prefix list is provided, and bail out early with an error. I could take a crack at adding that check myself, maybe over the next weekend.

Or else, if the docs so vehemently recommend against using this resource, maybe it should just be formally deprecated?
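The two failure points described in this thread, an IpPermissions entry sent with no source at all and an API response that says return=true with an empty securityGroupRuleSet, can both be caught before the provider starts polling. The Go below is an added illustration, not code from terraform-provider-aws: RuleSources is a hypothetical struct standing in for the resource's source arguments, ValidateSources is the early check proposed above, and CheckAuthorizeResponse decodes the XML body quoted in the debug log. The securityGroupRuleSet/item/securityGroupRuleId layout is assumed from the EC2 query API; the second response body and its IDs are constructed placeholders.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
)

// RuleSources holds the source-side arguments of aws_security_group_rule
// that matter here. Hypothetical struct for this example, not the
// provider's own schema type.
type RuleSources struct {
	CIDRBlocks            []string
	IPv6CIDRBlocks        []string
	PrefixListIDs         []string
	SourceSecurityGroupID string
	Self                  bool
}

// ErrNoSource is returned when the rule would reach the API without any
// IpRanges, Ipv6Ranges, PrefixListIds or UserIdGroupPairs.
var ErrNoSource = errors.New("aws_security_group_rule: cidr_blocks, ipv6_cidr_blocks and prefix_list_ids are all empty and no source security group is set; the API would accept the request without creating a rule")

// ValidateSources is the early check proposed in the thread: fail before
// calling AuthorizeSecurityGroupIngress instead of polling until timeout.
func ValidateSources(s RuleSources) error {
	if len(s.CIDRBlocks) == 0 && len(s.IPv6CIDRBlocks) == 0 &&
		len(s.PrefixListIDs) == 0 && s.SourceSecurityGroupID == "" && !s.Self {
		return ErrNoSource
	}
	return nil
}

// authorizeResponse decodes only the parts of the EC2 XML response used below.
// The tags carry no namespace, so encoding/xml matches the elements regardless
// of the 2016-11-15 default namespace on the root element.
type authorizeResponse struct {
	XMLName   xml.Name `xml:"AuthorizeSecurityGroupIngressResponse"`
	RequestID string   `xml:"requestId"`
	Return    bool     `xml:"return"`
	RuleIDs   []string `xml:"securityGroupRuleSet>item>securityGroupRuleId"` // assumed layout
}

// CheckAuthorizeResponse returns the created rule IDs, or an error when the API
// reported success but created nothing (the case in the issue's debug log).
func CheckAuthorizeResponse(body []byte) ([]string, error) {
	var resp authorizeResponse
	if err := xml.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decoding AuthorizeSecurityGroupIngress response: %w", err)
	}
	if !resp.Return {
		return nil, fmt.Errorf("AuthorizeSecurityGroupIngress (request %s) returned false", resp.RequestID)
	}
	if len(resp.RuleIDs) == 0 {
		return nil, fmt.Errorf("AuthorizeSecurityGroupIngress (request %s) returned true but created no rules; nothing to wait for", resp.RequestID)
	}
	return resp.RuleIDs, nil
}

// emptyRuleSetResponse is the response body quoted in the issue's debug log.
const emptyRuleSetResponse = `<?xml version="1.0" encoding="UTF-8"?>
<AuthorizeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>b437a593-4ad3-47f1-aa7a-6cef1a69322f</requestId>
    <return>true</return>
    <securityGroupRuleSet/>
</AuthorizeSecurityGroupIngressResponse>`

// oneRuleResponse is a constructed body (placeholder IDs) showing what the
// same response looks like when a rule was actually created.
const oneRuleResponse = `<?xml version="1.0" encoding="UTF-8"?>
<AuthorizeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>00000000-0000-0000-0000-000000000000</requestId>
    <return>true</return>
    <securityGroupRuleSet>
        <item>
            <securityGroupRuleId>sgr-EXAMPLE00000000001</securityGroupRuleId>
        </item>
    </securityGroupRuleSet>
</AuthorizeSecurityGroupIngressResponse>`

func main() {
	// Reproduction from the issue: cidr_blocks = [] and nothing else set.
	fmt.Println("empty cidr_blocks:", ValidateSources(RuleSources{CIDRBlocks: []string{}}))
	// One IPv4 source passes the check.
	fmt.Println("one CIDR:", ValidateSources(RuleSources{CIDRBlocks: []string{"10.0.0.0/24"}}))

	ids, err := CheckAuthorizeResponse([]byte(emptyRuleSetResponse))
	fmt.Println("logged response:", ids, err)
	ids, err = CheckAuthorizeResponse([]byte(oneRuleResponse))
	fmt.Println("constructed response:", ids, err)
}
```

The response check is the more robust of the two: even if a future schema change lets another empty-source shape through validation, a true/empty answer from the API is unambiguous and can be surfaced immediately rather than after the five-minute wait shown in the error snippet.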
