hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

Security Group (ingress) rules: InvalidParameterValue: The same permission must not appear multiple times #29492

Open tbernacchi opened 1 year ago

tbernacchi commented 1 year ago

Terraform Core Version

Terraform v1.3.6 on darwin_amd64

AWS Provider Version

AWS

Affected Resource(s)

Facing the same issue described here: https://github.com/hashicorp/terraform-provider-aws/issues/1506

Expected Behavior

Create the appropriate SG on AWS.

Actual Behavior

Not creating.

Relevant Error/Panic Output Snippet

~/ terraform apply "plan"
aws_security_group.rke2-cluster: Destroying... [id=sg-063522ba6bc4b0b66]
aws_security_group.rke2-cluster: Destruction complete after 1s
aws_security_group.rke2-cluster: Creating...
╷
│ Error: updating Security Group (sg-031f9a5d94778eb4f) ingress rules: authorizing Security Group (ingress) rules: InvalidParameterValue: The same permission must not appear multiple times
│   status code: 400, request id: 0b804a12-18f8-4e1c-863f-91278a893535
│
│   with aws_security_group.rke2-cluster,
│   on rke2-sg.tf line 1, in resource "aws_security_group" "rke2-cluster":
│    1: resource "aws_security_group" "rke2-cluster" {
│
╵

Terraform Configuration Files

https://gist.github.com/tbernacchi/b574c3623ce98364a97afadf8257b556

Steps to Reproduce

terraform plan --out=plan
terraform apply "plan"

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

Would you like to implement a fix?

No


good92 commented 7 months ago

Even on compacted cidrs it fails. Context: variable for the port number.

triadcode commented 4 months ago

I did get the same error message for what's likely to be a completely different issue. The first thing I did was to check whether my rule was sharing cidr_blocks, source port, destination port, and protocol with any other rule but that was not the case. By concatenating several lists together, I ended up with a duplicate ip/netmask in the cidr_blocks. Wrapping it with a toset() solved it for me.

adamsir-et commented 1 week ago

> I did get the same error message for what's likely to be a completely different issue. The first thing I did was to check whether my rule was sharing cidr_blocks, source port, destination port, and protocol with any other rule but that was not the case. By concatenating several lists together, I ended up with a duplicate ip/netmask in the cidr_blocks. Wrapping it with a toset() solved it for me.

This worked for me. Quite triggering; I am not even sure how you worked this out, as the error message is not meaningful.

Old Code:

cidr_blocks = concat(
  [for subnet_cidr in data.aws_subnet.private_subnets : subnet_cidr.cidr_block],
  [for subnet_cidr in data.aws_subnet.public_subnets : subnet_cidr.cidr_block],
  var.corporate_cidrs
)

Fix

# toset() drops the CIDR that appeared in more than one of the concatenated lists
cidr_blocks = toset(concat(
  [for subnet_cidr in data.aws_subnet.private_subnets : subnet_cidr.cidr_block],
  [for subnet_cidr in data.aws_subnet.public_subnets : subnet_cidr.cidr_block],
  var.corporate_cidrs
))
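An added example (not code from the issue or from the provider) that combines the two fixes discussed in this thread: deduplicating the concatenated CIDR list, and a plan-time precondition that names any duplicate (protocol, port range, cidr) permission instead of letting the apply fail with the API's opaque InvalidParameterValue. The names data.aws_subnet.private_subnets, data.aws_subnet.public_subnets, var.corporate_cidrs and aws_vpc.main, and the port numbers, are assumptions for the example.

```hcl
locals {
  # Constructed: corporate ranges may repeat a subnet CIDR (names are assumed).
  raw_cidrs = concat(
    [for s in data.aws_subnet.private_subnets : s.cidr_block],
    [for s in data.aws_subnet.public_subnets : s.cidr_block],
    var.corporate_cidrs,
  )
  # distinct() drops exact duplicates and keeps order; toset() also dedupes
  # but returns an unordered set.
  cidrs = distinct(local.raw_cidrs)

  # EC2 identifies a permission by (protocol, from_port, to_port, cidr); two
  # ingress blocks that agree on all four are the same permission. Sample ports.
  rules = [
    { proto = "tcp", from = 6443, to = 6443, cidrs = local.cidrs },
    { proto = "tcp", from = 9345, to = 9345, cidrs = local.cidrs },
  ]
  rule_keys = flatten([
    for r in local.rules : [for c in r.cidrs : "${r.proto}/${r.from}-${r.to}/${c}"]
  ])
  dup_keys = distinct([
    for k in local.rule_keys : k if length([for x in local.rule_keys : x if x == k]) > 1
  ])
}

resource "aws_security_group" "rke2_cluster" {
  name   = "rke2-cluster"
  vpc_id = aws_vpc.main.id # assumed VPC resource

  dynamic "ingress" {
    for_each = local.rules
    content {
      protocol    = ingress.value.proto
      from_port   = ingress.value.from
      to_port     = ingress.value.to
      cidr_blocks = ingress.value.cidrs
    }
  }

  lifecycle {
    # Fail during `terraform plan` with a readable message instead of the
    # InvalidParameterValue 400 returned by the API during apply.
    precondition {
      condition     = length(local.dup_keys) == 0
      error_message = "Duplicate ingress permission(s): ${join(", ", local.dup_keys)}"
    }
  }
}
```

The precondition still catches the case the thread's toset() fix does not: identical rules supplied from different variables or modules that collide only once they are flattened into ingress blocks.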