cloudposse / terraform-aws-security-group

Terraform module to provision an AWS Security Group
https://cloudposse.com/accelerate
Apache License 2.0

Terraform times out trying to create a keyed ingress rule #38

Closed sjperkins closed 2 years ago

sjperkins commented 2 years ago

Describe the Bug

I'm trying to create a security group that allows ingress on port 2049 for EFS from an EKS cluster security group but it times out during creation of the rule. The infrastructure is fairly minimal and based on other cloudposse modules, I've included the relevant sections below:

module "vpc" {
  source = "cloudposse/vpc/aws"
  # Cloud Posse recommends pinning every module to a specific version
  version    = "1.1.1"
  cidr_block = "172.16.0.0/16"

  context = module.this.context
}

module "subnets" {
  source = "cloudposse/dynamic-subnets/aws"
  # Cloud Posse recommends pinning every module to a specific version
  version = "2.0.2"

  availability_zones   = var.availability_zones
  vpc_id               = module.vpc.vpc_id
  igw_id               = [module.vpc.igw_id]
  ipv4_cidr_block      = [module.vpc.vpc_cidr_block]
  nat_gateway_enabled  = true
  nat_instance_enabled = false

  context = module.this.context
}

module "eks_cluster" {
  source = "cloudposse/eks-cluster/aws"
  # Cloud Posse recommends pinning every module to a specific version
  version = "2.3.2"

  region     = var.region
  vpc_id     = module.vpc.vpc_id
  subnet_ids = concat(module.subnets.private_subnet_ids, module.subnets.public_subnet_ids)

  kubernetes_version    = var.kubernetes_version
  oidc_provider_enabled = true

  context = module.this.context
}

module "efs_security_group" {
  source  = "cloudposse/security-group/aws"
  version = "1.0.1"

  attributes = ["efs"]

  # Allow unlimited egress
  allow_all_egress = true

  rules = [
    {
      key                      = "efs"
      type                     = "ingress"
      from_port                = 2049
      to_port                  = 2049
      protocol                 = "tcp"
      cidr_blocks              = null
      source_security_group_id = module.eks_cluster.security_group_id
      description              = "Allow access to EFS from the EKS cluster security group"
    },
  ]

  vpc_id = module.vpc.vpc_id

  depends_on = [module.eks_cluster.kubernetes_config_map_id]
  context    = module.this.context
}

For some reason, terraform times out attempting to create the rule for reasons I don't understand

$ terraform apply

module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [10s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [20s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [30s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [40s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [50s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [1m0s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [1m10s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [1m20s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [1m30s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [1m40s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [1m50s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [2m0s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [2m10s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [2m20s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [2m30s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [2m40s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [2m50s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [3m0s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [3m10s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [3m20s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [3m30s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [3m40s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [3m50s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [4m0s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [4m10s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [4m20s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [4m30s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [4m40s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [4m50s elapsed]
module.efs_security_group.aws_security_group_rule.keyed["efs"]: Still creating... [5m0s elapsed]
╷
│ Error: waiting for Security Group (sg-0d6b749720a5712e2) Rule (sgrule-75920449) create: couldn't find resource
│ 
│   with module.efs_security_group.aws_security_group_rule.keyed["efs"],
│   on .terraform/modules/efs_security_group/main.tf line 141, in resource "aws_security_group_rule" "keyed":
│  141: resource "aws_security_group_rule" "keyed" {
│ 
╵
Operation failed: failed running terraform apply (exit 1)

Expected Behavior

I would expect the ingress security rule to be created on the security group.

Environment (please complete the following information):

$ terraform version
Terraform v1.2.8
on linux_amd64
+ provider registry.terraform.io/cloudposse/awsutils v0.11.1
+ provider registry.terraform.io/hashicorp/aws v4.27.0
+ provider registry.terraform.io/hashicorp/helm v2.6.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.12.1
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.3.2
+ provider registry.terraform.io/hashicorp/time v0.8.0
+ provider registry.terraform.io/hashicorp/tls v4.0.1

sjperkins commented 2 years ago

Setting the source_security_group_id to the following fixed things

source_security_group_id = module.eks_cluster.eks_cluster_managed_security_group_id
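The configuration below is an added example, not code from the issue or from the Cloud Posse modules. It wires the fix from the comment above (referencing `eks_cluster_managed_security_group_id`) and adds a guard a practitioner would want: the source security group is resolved with a `data "aws_security_group"` lookup, which errors if no group matches the ID, and a `lifecycle` postcondition (Terraform 1.2 and later, which the reporter's 1.2.8 supports) asserts that the group is in the same VPC the EFS security group is created in. A bad reference then fails at the data source instead of after the provider's five-minute create wait on the rule. It assumes the `module.vpc`, `module.eks_cluster` and `module.this` blocks from the issue; the requirement that the source group be in the same VPC is the example's own assumption and is too strict if you intend to reference a peered VPC's group.

```hcl
# Added example; not part of the issue or of the cloudposse/security-group module.
# Assumes module.vpc, module.eks_cluster and module.this as posted in the issue,
# and Terraform >= 1.2 for lifecycle postconditions.

# Resolve the group the ingress rule will reference. The read fails if the ID
# does not name an existing security group; the postcondition fails if the
# group is in a different VPC than the EFS security group (assumption: same-VPC
# access is all that is wanted here).
data "aws_security_group" "efs_source" {
  id = module.eks_cluster.eks_cluster_managed_security_group_id

  lifecycle {
    postcondition {
      condition     = self.vpc_id == module.vpc.vpc_id
      error_message = "Source security group ${self.id} is in VPC ${self.vpc_id}, but the EFS security group is created in ${module.vpc.vpc_id}."
    }
  }
}

module "efs_security_group" {
  source  = "cloudposse/security-group/aws"
  version = "1.0.1"

  attributes       = ["efs"]
  allow_all_egress = true
  vpc_id           = module.vpc.vpc_id

  rules = [
    {
      key         = "efs"
      type        = "ingress"
      from_port   = 2049
      to_port     = 2049
      protocol    = "tcp"
      cidr_blocks = null
      # Scope NFS ingress to the cluster security group rather than a CIDR, so
      # only ENIs carrying that group (the EKS cluster and its nodes) can reach
      # the EFS mount targets.
      source_security_group_id = data.aws_security_group.efs_source.id
      description              = "Allow NFS (2049/tcp) from the EKS cluster security group"
    },
  ]

  context = module.this.context
}
```

Using the security group rather than the subnet or VPC CIDR as the source is the least-privilege choice for EFS: any other workload dropped into those subnets does not automatically gain access to the file system, and the rule follows the cluster if its addressing changes.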