hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Terraform crash after updating AWS SG for Aurora cluster #29214

Open DmitriiNadein opened 1 year ago

DmitriiNadein commented 1 year ago

Terraform Core Version

1.3.6

AWS Provider Version

4.45.0

Affected Resource(s)

AWS RDS Aurora cluster Security Group from this module (https://registry.terraform.io/modules/terraform-aws-modules/rds-aurora/aws/latest): module.rds_aurora.aws_security_group.this[0]

Expected Behavior

Recreate Security Group for Aurora cluster

Actual Behavior

I want to create the Security Group as a separate resource, not as part of the RDS module. On the first apply, Terraform marked the newly created SG resource as "deposed" (deposed object d99131a7). After I removed the lifecycle block (create_before_destroy) from the Security Group resource and ran apply, Terraform crashed.

It seems that I'm unable to change the Aurora cluster SG from the AWS Console or from Terraform.

Relevant Error/Panic Output Snippet

runtime error: invalid memory address or nil pointer dereference
goroutine 4385 [running]:
runtime/debug.Stack()
        /usr/local/go/src/runtime/debug/stack.go:24 +0x65
runtime/debug.PrintStack()
        /usr/local/go/src/runtime/debug/stack.go:16 +0x19
github.com/hashicorp/terraform/internal/logging.PanicHandler()
        /home/circleci/project/project/internal/logging/panic.go:55 +0x153
panic({0x1fdce60, 0x3bfeda0})
        /usr/local/go/src/runtime/panic.go:884 +0x212
github.com/hashicorp/terraform/internal/terraform.(*NodePlannableResourceInstanceOrphan).managedResourceExecute(0xc001b73680, {0x29378d8, 0xc000a6ec40})
        /home/circleci/project/project/internal/terraform/node_resource_plan_orphan.go:128 +0x415
github.com/hashicorp/terraform/internal/terraform.(*NodePlannableResourceInstanceOrphan).Execute(0x0?, {0x29378d8?, 0xc000a6ec40?}, 0x38?)
        /home/circleci/project/project/internal/terraform/node_resource_plan_orphan.go:49 +0x90
github.com/hashicorp/terraform/internal/terraform.(*ContextGraphWalker).Execute(0xc0029af2c0, {0x29378d8, 0xc000a6ec40}, {0x20e3f67fbf0, 0xc001b73680})
        /home/circleci/project/project/internal/terraform/graph_walk_context.go:136 +0xc2
github.com/hashicorp/terraform/internal/terraform.(*Graph).walk.func1({0x2310a20, 0xc001b73680})
        /home/circleci/project/project/internal/terraform/graph.go:74 +0x2f0
github.com/hashicorp/terraform/internal/dag.(*Walker).walkVertex(0xc000a560c0, {0x2310a20, 0xc001b73680}, 0xc006fa5b40)
        /home/circleci/project/project/internal/dag/walk.go:381 +0x2f6
created by github.com/hashicorp/terraform/internal/dag.(*Walker).Update
        /home/circleci/project/project/internal/dag/walk.go:304 +0xf65

Terraform Configuration Files

#---------------------------------------------------------------------------
# Resources names
#---------------------------------------------------------------------------
locals {
  aurora_name    = "rdc-01"
  sg_aurora_name = "lsg-aurora-01"

}

#---------------------------------------------------------------------------
# AWS Security group for RDS Aurora cluster
#---------------------------------------------------------------------------
module "vpc" {
  source = "../../../modules/backend/nonprod_vpc"
}

resource "aws_security_group" "sg_aurora" {
  name   = local.sg_aurora_name
  vpc_id = module.vpc.vpc_id

  ingress {
    from_port   = var.db_port
    to_port     = var.db_port
    protocol    = "tcp"
    cidr_blocks = [module.vpc.trt_az1_subnet_cidr, module.vpc.trt_az2_subnet_cidr, module.vpc.trt_az3_subnet_cidr]
    description = "Control traffic to RDS Aurora"
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = local.sg_aurora_name
  }
}

#---------------------------------------------------------------------------
# AWS RDS Aurora
#---------------------------------------------------------------------------
module "rds_aurora" {
  source                              = "../../../modules/data-storage/aws_rds_aurora"
  name                                = local.aurora_name
  engine                              = var.aurora_engine
  engine_version                      = var.engine_version
  engine_mode                         = var.engine_mode
  port                                = var.db_port
  database_name                       = var.database_name
  storage_encrypted                   = true
  kms_key_id                          = data.terraform_remote_state.global.outputs.key_arn
  copy_tags_to_snapshot               = true
  instance_class                      = var.instance_class
  serverlessv2_scaling_configuration  = var.serverlessv2_scaling_configuration
  instances                           = var.instances
  vpc_id                              = module.vpc.vpc_id
  subnets                             = [module.vpc.rst_az1_subnet_id, module.vpc.rst_az2_subnet_id]
  create_db_subnet_group              = true
  create_security_group               = false
  network_type                        = var.network_type
  security_group_use_name_prefix      = false
  vpc_security_group_ids              = [aws_security_group.sg_aurora.id]
  allowed_cidr_blocks                 = [module.vpc.trt_az1_subnet_cidr, module.vpc.trt_az2_subnet_cidr, module.vpc.trt_az3_subnet_cidr]
  enabled_cloudwatch_logs_exports     = var.enabled_cloudwatch_logs_exports
  create_monitoring_role              = true
  iam_database_authentication_enabled = var.iam_database_authentication_enabled

  cluster_tags = {
    Name = local.aurora_name
  }

  tags = {
    Name = local.aurora_name
  }
}

Steps to Reproduce

  1. Create an Aurora DB cluster using the module https://registry.terraform.io/modules/terraform-aws-modules/rds-aurora/aws/latest and create the Security Group using the module's "create_security_group" parameter.
  2. Create a new SG as a separate resource.
  3. Try to switch from the SG created by the Aurora module to the SG created as a separate resource by referencing its ID in the module's "vpc_security_group_ids" parameter.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 1 year ago


DmitriiNadein commented 1 year ago

Fixed the deployment with terraform state rm 'module.rds_aurora.aws_security_group.this[0]' and importing. But this crash could be investigated.
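The reporter's workaround (state rm plus import) and the migration in the steps to reproduce can also be expressed declaratively with a moved block, which tells Terraform that the module-created group now lives at the root-level address instead of planning an orphan destroy plus a fresh create. This is an added example, not the reporter's configuration or code from the rds-aurora module; it assumes Terraform 1.1 or later (moved blocks) and the resource addresses quoted in the issue.

```hcl
# Added example: hand the module-managed security group over to a root-level
# resource without the state rm / import dance. Assumes the addresses from
# the issue (module.rds_aurora, aws_security_group.sg_aurora, module.vpc).

# The module stops managing its own SG; the root resource takes over.
module "rds_aurora" {
  source                 = "../../../modules/data-storage/aws_rds_aurora"
  name                   = local.aurora_name
  vpc_id                 = module.vpc.vpc_id
  create_security_group  = false
  vpc_security_group_ids = [aws_security_group.sg_aurora.id]
  # remaining arguments unchanged from the issue's configuration
}

resource "aws_security_group" "sg_aurora" {
  name   = local.sg_aurora_name
  vpc_id = module.vpc.vpc_id

  ingress {
    from_port   = var.db_port
    to_port     = var.db_port
    protocol    = "tcp"
    cidr_blocks = [module.vpc.trt_az1_subnet_cidr, module.vpc.trt_az2_subnet_cidr, module.vpc.trt_az3_subnet_cidr]
    description = "Control traffic to RDS Aurora"
  }

  tags = {
    Name = local.sg_aurora_name
  }
}

# Record the rename in configuration: the object already in state at the
# module address is re-addressed rather than orphaned. Both addresses must be
# visible from the root module, which is the case here.
moved {
  from = module.rds_aurora.aws_security_group.this[0]
  to   = aws_security_group.sg_aurora
}
```

Because `name` is immutable on aws_security_group, a new `name` that differs from the one the module assigned still yields a replacement in the next plan; run `terraform plan` first and confirm it reports the move (and, if needed, a replace) rather than a destroy of the module address followed by a separate create.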