Description:
When using SecurityGroup to manage AWS VPC security group ingress and egress rules, Terraform repeatedly reports state drift on every plan or apply, even when no changes were made manually outside of Terraform. This results in a non-idempotent deployment experience and causes unnecessary updates on every run.
Expected Behavior:
Security group rules should be consistently managed by Terraform without causing state drift, unless there’s an actual change to the configuration.
Actual Behavior:
Even after a successful terraform apply, running terraform plan again shows that ingress or egress rules are being removed and re-added, despite no code changes. This leads to a permanent state drift cycle.
Steps to Reproduce:
1. Define a security group using terraconstructs/lib/aws/compute or equivalent abstraction.
2. Add a rule via `.connections.allowFrom` or `.connections.allowTo` methods.
3. Run `terraform apply`.
4. Immediately run `terraform plan` again.
Notes:
This may be due to how terraconstructs abstracts and renders aws_security_group_rule blocks, or potentially how it handles computed attributes like security_groups vs cidr_blocks.
Please let me know if further logs, a repro repo, or debug traces are helpful. Happy to assist in narrowing it down further.
```
  # aws_vpc_security_group_egress_rule.alb-sg_todevec2-sgD6C6A70280_4515B23F will be updated in-place
  ~ resource "aws_vpc_security_group_egress_rule" "alb-sg_todevec2-sgD6C6A70280_4515B23F" {
        id                           = "sgr-0afe49fedf4a039a9"
      ~ referenced_security_group_id = "196471700257/sg-03b57b7b50c1c8e2b" -> "sg-03b57b7b50c1c8e2b"
        # (8 unchanged attributes hidden)
    }

  # aws_vpc_security_group_ingress_rule.ec2-sg_fromdevalb-sgD1BA87B5443_F350EDB0 will be updated in-place
  ~ resource "aws_vpc_security_group_ingress_rule" "ec2-sg_fromdevalb-sgD1BA87B5443_F350EDB0" {
        id                           = "sgr-0084dd931e8e5ab02"
      ~ referenced_security_group_id = "196471700257/sg-0a257176e26ba8166" -> "sg-0a257176e26ba8166"
        # (8 unchanged attributes hidden)
    }
```
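The plan output above shows the drift pattern exactly: the only attribute that moves on each run is `referenced_security_group_id`, and it moves only by its `<account-id>/` prefix. The operational risk of a permanent drift cycle is that reviewers learn to wave plans through, so a genuinely widened rule (a new CIDR, a changed port range) can ride in under the noise. The script below is an added example, not code from this issue or from the terraconstructs project. It reads the JSON that `terraform show -json <planfile>` emits (the `resource_changes` / `change.actions` / `change.before` / `change.after` layout of that format is assumed), and classifies every security-group-rule update as `cosmetic` when the before and after values differ solely by the account prefix, or `real` otherwise. The embedded sample plan is constructed for the demo: the two prefix-only entries reuse the addresses and ids from the plan output above, the ports are invented, and the third entry (`constructed_public_https`) is a made-up real change so the contrast is visible.

```python
from __future__ import annotations

import json
import re
from typing import Any

# Rule resource types that appear in the reporter's plan output.
SG_RULE_TYPES = {
    "aws_vpc_security_group_ingress_rule",
    "aws_vpc_security_group_egress_rule",
}

# Matches "<12-digit account id>/sg-xxxx" and captures the bare group id.
ACCOUNT_PREFIXED_SG = re.compile(r"^\d{12}/(sg-[0-9a-f]+)$")


def normalize_sg_ref(value: Any) -> Any:
    """Return the bare security group id, dropping an '<account>/' prefix if present."""
    if isinstance(value, str):
        match = ACCOUNT_PREFIXED_SG.match(value)
        if match:
            return match.group(1)
    return value


def changed_attributes(before: dict, after: dict) -> set[str]:
    """Attribute names whose value differs between the before and after objects."""
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def classify_change(resource_change: dict) -> str:
    """Classify one entry of plan.resource_changes.

    'cosmetic': only referenced_security_group_id changed, and only by its account prefix.
    'real':     anything that alters the rule itself (create, delete, replace, or an
                update to cidr_ipv4, ports, protocol, ...). These change exposure.
    'no-op':    Terraform reports no change.
    'ignored':  not a security group rule resource.
    """
    if resource_change["type"] not in SG_RULE_TYPES:
        return "ignored"
    change = resource_change["change"]
    actions = change["actions"]
    if actions == ["no-op"]:
        return "no-op"
    if actions != ["update"]:
        return "real"
    before = change.get("before") or {}
    after = change.get("after") or {}
    changed = changed_attributes(before, after)
    if not changed:
        return "no-op"
    if changed == {"referenced_security_group_id"} and (
        normalize_sg_ref(before.get("referenced_security_group_id"))
        == normalize_sg_ref(after.get("referenced_security_group_id"))
    ):
        return "cosmetic"
    return "real"


def triage_plan(plan_json: str) -> dict[str, str]:
    """Map each resource address in a `terraform show -json` plan to its classification."""
    plan = json.loads(plan_json)
    return {rc["address"]: classify_change(rc) for rc in plan.get("resource_changes", [])}


def _rule(rtype: str, name: str, rule_id: str, before_ref: Any, after_ref: Any,
          before_cidr: Any = None, after_cidr: Any = None) -> dict:
    """Build one constructed resource_changes entry (ports are invented sample values)."""
    base = {"id": rule_id, "ip_protocol": "tcp", "from_port": 443, "to_port": 443}
    return {
        "address": f"{rtype}.{name}",
        "type": rtype,
        "change": {
            "actions": ["update"],
            "before": {**base, "cidr_ipv4": before_cidr, "referenced_security_group_id": before_ref},
            "after": {**base, "cidr_ipv4": after_cidr, "referenced_security_group_id": after_ref},
        },
    }


# Constructed sample plan: two prefix-only updates as in the report, one real widening.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        _rule("aws_vpc_security_group_egress_rule", "alb-sg_todevec2-sgD6C6A70280_4515B23F",
              "sgr-0afe49fedf4a039a9",
              "196471700257/sg-03b57b7b50c1c8e2b", "sg-03b57b7b50c1c8e2b"),
        _rule("aws_vpc_security_group_ingress_rule", "ec2-sg_fromdevalb-sgD1BA87B5443_F350EDB0",
              "sgr-0084dd931e8e5ab02",
              "196471700257/sg-0a257176e26ba8166", "sg-0a257176e26ba8166"),
        # Hypothetical: a rule whose source CIDR is widened from the VPC range to the world.
        _rule("aws_vpc_security_group_ingress_rule", "constructed_public_https",
              "sgr-CONSTRUCTED000000", None, None, "10.0.0.0/8", "0.0.0.0/0"),
    ],
})


if __name__ == "__main__":
    for address, verdict in triage_plan(SAMPLE_PLAN).items():
        print(f"{verdict:9s} {address}")
```

In a pipeline you would run `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and feed `plan.json` to `triage_plan`; a plan containing only `cosmetic` verdicts is the construct bug described in this issue, while any `real` verdict is a change to network exposure that should be reviewed on its own merits. Unknown-after-apply values land in `after_unknown` rather than `after` in the plan format, so a rule whose reference is computed at apply time will not show up as a string difference here.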