Affected Resource(s)
aws_security_group (Haven't tested but I suspect the same applies to this resource)
Expected Behavior
aws_network_acl resource doesn't report changes to egress and ingress attributes as performed outside of Terraform when acl rules are defined via the resource aws_network_acl_rule (aka no inline rules are specified)
Actual Behavior
Execution reports changes outside of Terraform:

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # aws_network_acl.vpc_subnet_nacls has been changed
  ~ resource "aws_network_acl" "vpc_subnet_nacls" {
      ~ egress = [
          + {
              + action          = "allow"
              + cidr_block      = "XXXXX"
              + from_port       = 1024
              + icmp_code       = 0
              + icmp_type       = 0
              + ipv6_cidr_block = ""
              + protocol        = "6"
              + rule_no         = 200
              + to_port         = 1024
            },
        ]
        id = "acl-XXXXXXX"
Since rules can be defined via network_acl_rule, if the user doesn't specify the attribute the state shouldn't store the list of rules against the resource network_acl.
A similar issue is probably present for the security group implementation that follows the same pattern.
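The configuration pattern the report describes, as an added example that is not part of the original issue (the VPC id and CIDR are constructed placeholders): an aws_network_acl with no inline ingress/egress blocks, and the single rule from the drift output above managed through aws_network_acl_rule. After the first apply, a second plan refreshes the NACL, reads its entries back, and reports the rule as an egress entry added outside Terraform even though the configuration itself created it.

```hcl
# Added example, not taken from the issue: minimal reproduction of the
# "rules managed via aws_network_acl_rule" pattern. vpc_id and cidr_block
# are constructed placeholders.

resource "aws_network_acl" "vpc_subnet_nacls" {
  # No inline ingress/egress blocks: every rule is owned by an
  # aws_network_acl_rule resource below.
  vpc_id = "vpc-PLACEHOLDER"

  tags = {
    Name = "vpc-subnet-nacls"
  }
}

# Egress rule equivalent to the entry shown in the drift output:
# rule 200, TCP (protocol number "6"), port 1024 to 1024, allow.
resource "aws_network_acl_rule" "egress_tcp_1024" {
  network_acl_id = aws_network_acl.vpc_subnet_nacls.id
  egress         = true
  rule_number    = 200
  protocol       = "tcp"
  rule_action    = "allow"
  cidr_block     = "203.0.113.0/24" # constructed placeholder (TEST-NET-3)
  from_port      = 1024
  to_port        = 1024
}
```

The practical cost of this behaviour is not a wrong plan but noise: every refresh flags rules that are already under Terraform control, so a genuine out-of-band edit to a NACL (a rule added or loosened by hand in the console) blends into the same "changed outside of Terraform" block and is easier to miss during review.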
Terraform Core Version
1.0.6
AWS Provider Version
4.34.0
References
This is happening because the resource is reading (and updating in the state file) the NACL rules even if the attribute is not defined by the user: https://github.com/hashicorp/terraform-provider-aws/blob/main/internal/service/ec2/vpc_network_acl.go#L181-L236