hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: aws_network_acl inconsistent state reporting when used in conjunction with aws_network_acl_rule (after first apply only) #27241

Open sandrogattuso opened 1 year ago

sandrogattuso commented 1 year ago

Terraform Core Version

1.0.6

AWS Provider Version

4.34.0

Affected Resource(s)

Expected Behavior

aws_network_acl resource doesn't report changes to egress and ingress attributes as performed outside of Terraform when acl rules are defined via the resource aws_network_acl_rule (aka no inline rules are specified)

Actual Behavior

Execution reports changes outside of Terraform

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # aws_network_acl.vpc_subnet_nacls has been changed
  ~ resource "aws_network_acl" "vpc_subnet_nacls" {
      ~ egress     = [
          + {
              + action          = "allow"
              + cidr_block      = "XXXXX"
              + from_port       = 1024
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 200
              + to_port         = 1024
            },
        ]
        id         = "acl-XXXXXXX"

Relevant Error/Panic Output Snippet

Terraform Configuration Files

resource "aws_network_acl" "vpc_subnet_nacls" {
  vpc_id = "vpc-XXXXXX"
}

resource "aws_network_acl_rule" "vpc_subnet_nacls_inbound_rules" {
  rule_number    = 200
  egress         = false
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "192.168.8.10/32"
  from_port      = 1024
  to_port        = 1024
  network_acl_id = aws_network_acl.vpc_subnet_nacls.id
}

# Outbound Rules
resource "aws_network_acl_rule" "vpc_subnet_nacls_outbound_rules" {
  rule_number    = 200
  egress         = true
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "192.168.8.10/32"
  from_port      = 1024
  to_port        = 1024
  network_acl_id = aws_network_acl.vpc_subnet_nacls.id
}

Steps to Reproduce

  1. Run terraform apply
  2. Run terraform plan --> Objects have changed outside of Terraform will be displayed
  3. Run terraform apply again
  4. Run terraform plan --> No warning displayed because the state has been re-aligned by the second apply

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

This is happening because the resource is reading (and updating in the state file) the NACL rules even if the attribute is not defined by the user https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/ec2/vpc_network_acl.go#L181-L236

Since rules can be defined via network_acl_rule, if the user doesn't specify the attribute the state shouldn't store the list of rules against the resource network_acl.

A similar issue is probably present for the security group implementation, which follows the same pattern.

Would you like to implement a fix?

No response
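The reporter's analysis (the read function stores rule sets the configuration never declared, so the next refresh sees the entries created by aws_network_acl_rule as changes made outside of Terraform) can be replayed with a small model of the four reproduction steps. This is an added example, not code from the provider or from the reporter: the Rule, Config and State types, fakeAPI, readNaive and readConfigAware are hypothetical stand-ins for the SDK's ResourceData and the EC2 API, and readConfigAware is one way to express the suggested behaviour of only persisting a rule set when the attribute is present in the configuration.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is a simplified network ACL entry. Hypothetical model for this example,
// not the provider's own types.
type Rule struct {
	RuleNo   int
	Egress   bool
	Protocol string
	Action   string
	CIDR     string
	FromPort int
	ToPort   int
}

// Config models the user's aws_network_acl block. A nil slice means the attribute
// was not written inline (rules are managed by aws_network_acl_rule instead).
type Config struct {
	Ingress []Rule
	Egress  []Rule
}

// State models what the provider stores for the aws_network_acl resource.
type State struct {
	Ingress []Rule
	Egress  []Rule
}

// fakeAPI stands in for the EC2 API; aws_network_acl_rule adds entries here.
type fakeAPI struct{ entries []Rule }

// describe returns the live entries for one direction (constructed data, no network).
func (a *fakeAPI) describe(egress bool) []Rule {
	var out []Rule
	for _, r := range a.entries {
		if r.Egress == egress {
			out = append(out, r)
		}
	}
	return out
}

// readNaive mirrors the pattern the report points at: whatever the API returns
// is written to state, whether or not the config declared the attribute.
func readNaive(api *fakeAPI, _ Config) State {
	return State{Ingress: api.describe(false), Egress: api.describe(true)}
}

// readConfigAware stores a rule set only when the config declared it, so rules
// owned by aws_network_acl_rule never enter this resource's state.
func readConfigAware(api *fakeAPI, cfg Config) State {
	var s State
	if cfg.Ingress != nil {
		s.Ingress = api.describe(false)
	}
	if cfg.Egress != nil {
		s.Egress = api.describe(true)
	}
	return s
}

// sameRules compares two rule sets order-insensitively; nil and empty are equal.
func sameRules(a, b []Rule) bool {
	if len(a) != len(b) {
		return false
	}
	key := func(r Rule) string { return fmt.Sprintf("%v/%d", r.Egress, r.RuleNo) }
	seen := map[string]Rule{}
	for _, r := range a {
		seen[key(r)] = r
	}
	for _, r := range b {
		if got, ok := seen[key(r)]; !ok || got != r {
			return false
		}
	}
	return true
}

// drift returns the attributes whose refreshed value differs from the prior
// state, which is what "Objects have changed outside of Terraform" reports.
func drift(prior, refreshed State) []string {
	var changed []string
	if !sameRules(prior.Ingress, refreshed.Ingress) {
		changed = append(changed, "ingress")
	}
	if !sameRules(prior.Egress, refreshed.Egress) {
		changed = append(changed, "egress")
	}
	sort.Strings(changed)
	return changed
}

// scenario replays the reproduction steps with the given read function and
// returns the drift reported by the first and the second plan.
func scenario(read func(*fakeAPI, Config) State) (firstPlan, secondPlan []string) {
	api := &fakeAPI{}
	cfg := Config{} // no inline rules, as in the report
	rule := Rule{RuleNo: 200, Protocol: "6", Action: "allow", CIDR: "192.168.8.10/32", FromPort: 1024, ToPort: 1024}

	// 1. terraform apply: the ACL is created and read before its dependent rule
	//    resources exist, then aws_network_acl_rule adds the two entries.
	state := read(api, cfg)
	in, out := rule, rule
	out.Egress = true
	api.entries = append(api.entries, in, out)

	// 2. terraform plan: refresh and compare with the stored state.
	firstPlan = drift(state, read(api, cfg))

	// 3. terraform apply again: the refreshed values are written to state.
	state = read(api, cfg)

	// 4. terraform plan: compare once more.
	secondPlan = drift(state, read(api, cfg))
	return firstPlan, secondPlan
}

func main() {
	variants := []struct {
		name string
		read func(*fakeAPI, Config) State
	}{{"naive", readNaive}, {"config-aware", readConfigAware}}
	for _, v := range variants {
		first, second := scenario(v.read)
		fmt.Printf("%-12s first plan drift=%v  second plan drift=%v\n", v.name, first, second)
	}
}
```

With readNaive the first plan reports drift on both ingress and egress and the second plan is clean, matching steps 2 and 4 of the report; with readConfigAware neither plan reports drift because the undeclared attributes are never compared.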

github-actions[bot] commented 1 year ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue