aws_security_group: Invalid expansion of dynamic ingress block

[mou]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.18
+ provider.aws v2.43.0

Affected Resource(s)

• aws_security_group

Terraform Configuration Files

Minimum reproducible configuration

resource "aws_vpc" "vpc1" {
  cidr_block           = "172.64.0.0/16"
  enable_dns_hostnames = "true"
  enable_dns_support   = "true"
}

resource "aws_security_group" "group_1" {
  name = "group_1"
  vpc_id = aws_vpc.vpc1.id
}

resource "aws_security_group" "group_2" {
  name = "group_2"
  vpc_id = aws_vpc.vpc1.id
}

locals {
  access_sg = [
    {
      "group" = aws_security_group.group_1.id,
      "desc" = "Access from group_1"
    },
    {
      "group" = aws_security_group.group_2.id,
      "desc" = "Access from group_2"
    },
  ]
}

resource "aws_security_group" "bugged_group" {
  name        = "bugged_group"
  vpc_id      = aws_vpc.vpc1.id

  dynamic "ingress" {
    for_each = { for rule in local.access_sg : rule["group"] => rule["desc"] }
    content {
      from_port       = "443"
      to_port         = "443"
      protocol        = "tcp"
      security_groups = [ingress.key]
      description     = ingress.value
    }
  }
}

Debug Output

Contains two log files with TRACE level: one for plan, and one for apply https://gist.github.com/mou/9e56eb603173a6428b42933e4ab49058

Panic Output

Expected Behavior

Security group should be created

Actual Behavior

Error was reported

Error: Provider produced inconsistent final plan

When expanding the plan for aws_security_group.bugged_group to include new values
learned so far during apply, provider "aws" produced an invalid new value for
.ingress: length changed from 2 to 3.

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Steps to Reproduce

1. terraform plan
2. terraform apply

Important Factoids

References

[justinretzolk]

Hey @mou 👋 Thank you for taking the time to file this issue! Given that there's been a number of AWS provider releases since you initially filed it, can you confirm whether you're still experiencing this behavior?

[ljluestc]

provider "aws" {
  region = "us-east-1" # Replace with your desired region
  version = "~> 1.60"  # Ensure you're using the correct version constraint
}

resource "aws_ecs_task_definition" "example" {
  family                   = "my-task-family"
  network_mode             = "bridge"

  container_definitions = jsonencode([
    {
      name      = "my-container"
      image     = "my-docker-image"
      cpu       = 256
      memory    = 512
      essential = true

      portMappings = [
        {
          containerPort = 80
          hostPort      = 80
          protocol      = "tcp"
        }
      ]
    }
  ])

  tags = {
    Name = "My ECS Task Definition"
  }
}

# Optional: Use lifecycle to prevent recreation due to minor changes
resource "aws_ecs_task_definition" "example" {
  # Your task definition settings...

  lifecycle {
    ignore_changes = [
      container_definitions, # Ignore changes to this attribute
      tags                  # Ignore changes to tags, if necessary
    ]
  }
}

output "task_definition_arn" {
  value = aws_ecs_task_definition.example.arn
}