Closed EugenKon closed 4 months ago
Terraform Core Version
v1.8.5
AWS Provider Version
v5.55.0
Affected Resource(s)
Expected Behavior
No error should happen
Actual Behavior
We got the error about missing "group ID"
Relevant Error/Panic Output Snippet
Terraform Configuration Files
"permission denied" to send them to your dedicated address
Steps to Reproduce
Turn off VPN gateway
```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
  - destroy

Terraform will perform the following actions:

  # module.client-vpn[0].aws_acm_certificate.vpn_client_root_cert will be destroyed
  # (because module.client-vpn[0] is not in configuration)
  - resource "aws_acm_certificate" "vpn_client_root_cert" {
      - arn                       = "XX" -> null
      - certificate_body          = <<-EOT
            ...
        EOT -> null
      - certificate_chain         = <<-EOT
            ...
        EOT -> null
      - domain_name               = "__client_root.***" -> null
      - domain_validation_options = [] -> null
      - id                        = "XX" -> null
      - key_algorithm             = "RSA_2048" -> null
      - not_after                 = "2026-06-29T00:33:46Z" -> null
      - not_before                = "2024-06-29T00:33:46Z" -> null
      - pending_renewal           = false -> null
      - private_key               = (sensitive value) -> null
      - renewal_eligibility       = "INELIGIBLE" -> null
      - renewal_summary           = [] -> null
      - status                    = "ISSUED" -> null
      - subject_alternative_names = [
          - "__client_root.***",
        ] -> null
      - tags                      = {} -> null
      - tags_all                  = {
          - "Project" = "nomad"
        } -> null
      - type                      = "IMPORTED" -> null
      - validation_emails         = [] -> null
      - validation_method         = "NONE" -> null
        # (2 unchanged attributes hidden)

      - options {
          - certificate_transparency_logging_preference = "DISABLED" -> null
        }
    }

  # module.client-vpn[0].aws_acm_certificate.vpn_server_cert will be destroyed
  # (because module.client-vpn[0] is not in configuration)
  - resource "aws_acm_certificate" "vpn_server_cert" {
      - arn                       = "XX" -> null
      - certificate_body          = <<-EOT
            ...
        EOT -> null
      - certificate_chain         = <<-EOT
            ...
        EOT -> null
      - domain_name               = "__server.***" -> null
      - domain_validation_options = [] -> null
      - id                        = "XX" -> null
      - key_algorithm             = "RSA_2048" -> null
      - not_after                 = "2029-06-28T00:33:45Z" -> null
      - not_before                = "2024-06-29T00:33:45Z" -> null
      - pending_renewal           = false -> null
      - private_key               = (sensitive value) -> null
      - renewal_eligibility       = "INELIGIBLE" -> null
      - renewal_summary           = [] -> null
      - status                    = "ISSUED" -> null
      - subject_alternative_names = [
          - "__server.***",
        ] -> null
      - tags                      = {} -> null
      - tags_all                  = {
          - "Project" = "nomad"
        } -> null
      - type                      = "IMPORTED" -> null
      - validation_emails         = [] -> null
      - validation_method         = "NONE" -> null
        # (2 unchanged attributes hidden)

      - options {
          - certificate_transparency_logging_preference = "DISABLED" -> null
        }
    }

  # module.client-vpn[0].aws_cloudwatch_log_group.cloudwatch_log_group will be destroyed
  # (because module.client-vpn[0] is not in configuration)
  - resource "aws_cloudwatch_log_group" "cloudwatch_log_group" {
      - arn               = "XX" -> null
      - id                = "nomad_client-vpn-endpoint" -> null
      - log_group_class   = "STANDARD" -> null
      - name              = "nomad_client-vpn-endpoint" -> null
      - retention_in_days = 30 -> null
      - skip_destroy      = false -> null
      - tags              = {} -> null
      - tags_all          = {
          - "Project" = "nomad"
        } -> null
        # (2 unchanged attributes hidden)
    }

  # module.client-vpn[0].aws_ec2_client_vpn_authorization_rule.authorization_rule_to_vpc will be destroyed
  # (because module.client-vpn[0] is not in configuration)
  - resource "aws_ec2_client_vpn_authorization_rule" "authorization_rule_to_vpc" {
      - authorize_all_groups   = true -> null
      - client_vpn_endpoint_id = "cvpn-endpoint-0dd10f4e9754377e1" -> null
      - description            = "authorization rule for clients and resources" -> null
      - id                     = "cvpn-endpoint-0dd10f4e9754377e1,172.31.0.0/16" -> null
      - target_network_cidr    = "172.31.0.0/16" -> null
        # (1 unchanged attribute hidden)
    }

  # module.client-vpn[0].aws_ec2_client_vpn_endpoint.client_vpn_endpoint will be destroyed
  # (because module.client-vpn[0] is not in configuration)
  - resource "aws_ec2_client_vpn_endpoint" "client_vpn_endpoint" {
      - arn                    = "XX" -> null
      - client_cidr_block      = "10.0.0.0/20" -> null
      - description            = "Client VPN endpoint" -> null
      - dns_name               = "*.cvpn-endpoint-0dd10f4e9754377e1.prod.clientvpn.us-west-2.amazonaws.com" -> null
      - dns_servers            = [] -> null
      - id                     = "cvpn-endpoint-0dd10f4e9754377e1" -> null
      - security_group_ids     = [
          - "sg-0967c786892a7e15d",
        ] -> null
      - self_service_portal    = "disabled" -> null
      - server_certificate_arn = "XX" -> null
      - session_timeout_hours  = 24 -> null
      - split_tunnel           = true -> null
      - tags                   = {} -> null
      - tags_all               = {
          - "Project" = "nomad"
        } -> null
      - transport_protocol     = "udp" -> null
      - vpc_id                 = "vpc-0096a5be1bafea6ad" -> null
      - vpn_port               = 443 -> null
        # (1 unchanged attribute hidden)

      - authentication_options {
          - root_certificate_chain_arn = "XX" -> null
          - type                       = "certificate-authentication" -> null
            # (3 unchanged attributes hidden)
        }

      - client_connect_options {
          - enabled = false -> null
            # (1 unchanged attribute hidden)
        }

      - client_login_banner_options {
          - enabled = false -> null
            # (1 unchanged attribute hidden)
        }

      - connection_log_options {
          - cloudwatch_log_group  = "nomad_client-vpn-endpoint" -> null
          - cloudwatch_log_stream = "cvpn-endpoint-0dd10f4e9754377e1-us-west-2-2024/06/29-xjgOOQhxdqtY" -> null
          - enabled               = true -> null
        }
    }

  # module.client-vpn[0].aws_ec2_client_vpn_network_association.client_vpn_network_association will be destroyed
  # (because module.client-vpn[0] is not in configuration)
  - resource "aws_ec2_client_vpn_network_association" "client_vpn_network_association" {
      - association_id         = "cvpn-assoc-07ee443b3aba53fa7" -> null
      - client_vpn_endpoint_id = "cvpn-endpoint-0dd10f4e9754377e1" -> null
      - id                     = "cvpn-assoc-07ee443b3aba53fa7" -> null
      - subnet_id              = "subnet-00fe69c7934b8c6dd" -> null
      - vpc_id                 = "vpc-0096a5be1bafea6ad" -> null
    }

  # module.client-vpn[0].aws_security_group.client_vpn_access will be destroyed
  # (because module.client-vpn[0] is not in configuration)
  - resource "aws_security_group" "client_vpn_access" {
      - arn                    = "XX" -> null
      - description            = "Managed by Terraform" -> null
      - egress                 = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
                # (1 unchanged attribute hidden)
            },
        ] -> null
      - id                     = "sg-0967c786892a7e15d" -> null
      - ingress                = [] -> null
      - name                   = "nomad_vpn2024062900432772150000000a" -> null
      - name_prefix            = "nomad_vpn" -> null
      - owner_id               = "XXX" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {} -> null
      - tags_all               = {
          - "Project" = "nomad"
        } -> null
      - vpc_id                 = "vpc-0096a5be1bafea6ad" -> null
    }

  # module.private-cloud.aws_instance.client[0] will be updated in-place
  ~ resource "aws_instance" "client" {
        id                     = "i-0d820d96a173942e7"
        tags                   = {
            "ConsulAutoJoin" = "nomad-auto-join"
            "Name"           = "nomad-client-0"
            "NomadType"      = "client"
        }
      ~ vpc_security_group_ids = [
          - "sg-064e3d5beb07e7a35",
          - "sg-08fb336593a0e9c10",
          - "sg-09bb138143c465e4c",
          - "sg-0fe8ab4fd8a142d1d",
        ] -> (known after apply)
        # (39 unchanged attributes hidden)

        # (9 unchanged blocks hidden)
    }

  # module.private-cloud.aws_security_group.consul_nomad_ui will be updated in-place
  ~ resource "aws_security_group" "consul_nomad_ui" {
        id      = "sg-095e1b15d993f7adb"
      ~ ingress = [
          - {
              - cidr_blocks      = []
              - from_port        = 4646
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = [
                  - "sg-0967c786892a7e15d",
                ]
              - self             = false
              - to_port          = 4646
                # (1 unchanged attribute hidden)
            },
          - {
              - cidr_blocks      = []
              - from_port        = 8500
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = [
                  - "sg-0967c786892a7e15d",
                ]
              - self             = false
              - to_port          = 8500
                # (1 unchanged attribute hidden)
            },
          + {
              + cidr_blocks      = [
                  + "XX/32",
                  + "XX/32",
                ]
              + from_port        = 4646
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = [
                  + null,
                ]
              + self             = false
              + to_port          = 4646
                # (1 unchanged attribute hidden)
            },
          + {
              + cidr_blocks      = [
                  + "XX/32",
                  + "XX/32",
                ]
              + from_port        = 8500
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = [
                  + null,
                ]
              + self             = false
              + to_port          = 8500
                # (1 unchanged attribute hidden)
            },
        ]
        name    = "nomad-webui"
        tags    = {}
        # (8 unchanged attributes hidden)
    }

  # module.private-cloud.aws_security_group.server_ssh will be updated in-place
  ~ resource "aws_security_group" "server_ssh" {
        id      = "sg-0c262672425c429b4"
      ~ ingress = [
          - {
              - cidr_blocks      = []
              - from_port        = 22
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = [
                  - "sg-0967c786892a7e15d",
                ]
              - self             = false
              - to_port          = 22
                # (1 unchanged attribute hidden)
            },
          + {
              + cidr_blocks      = [
                  + "XX/32",
                  + "XX/32",
                ]
              + from_port        = 22
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = [
                  + null,
                ]
              + self             = false
              + to_port          = 22
                # (1 unchanged attribute hidden)
            },
        ]
        name    = "nomad-server-ssh"
        tags    = {}
        # (8 unchanged attributes hidden)
    }

  # module.private-cloud.aws_security_group.ssh_for_all[0] will be created
  + resource "aws_security_group" "ssh_for_all" {
      + arn                    = (known after apply)
      + description            = "Allow SSH traffic from anywhere"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = [
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + from_port        = 22
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 22
                # (1 unchanged attribute hidden)
            },
        ]
      + name                   = (known after apply)
      + name_prefix            = "nomad_ssh_for_all"
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags_all               = {
          + "Project" = "nomad"
        }
      + vpc_id                 = "vpc-0096a5be1bafea6ad"
    }

  # module.private-cloud.aws_security_group.ssh_from_client_vpn_ssh_only[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_security_group" "ssh_from_client_vpn_ssh_only" {
      - arn                    = "XX" -> null
      - description            = "Allow SSH traffic via VPN (SSH only)" -> null
      - egress                 = [] -> null
      - id                     = "sg-09bb138143c465e4c" -> null
      - ingress                = [
          - {
              - cidr_blocks      = []
              - from_port        = 22
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = [
                  - "sg-0967c786892a7e15d",
                ]
              - self             = false
              - to_port          = 22
                # (1 unchanged attribute hidden)
            },
        ] -> null
      - name                   = "nomad_ssh_only_from_vpn2024062900433047040000000c" -> null
      - name_prefix            = "nomad_ssh_only_from_vpn" -> null
      - owner_id               = "XX" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {} -> null
      - tags_all               = {
          - "Project" = "nomad"
        } -> null
      - vpc_id                 = "vpc-0096a5be1bafea6ad" -> null
    }

  # module.private-cloud.aws_security_group.www[0] will be created
  + resource "aws_security_group" "www" {
      + arn                    = (known after apply)
      + description            = "Allow HTTP/HTTPS traffic from anywhere"
      + egress                 = (known after apply)
      + id                     = (known after apply)
      + ingress                = [
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + from_port        = 443
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 443
                # (1 unchanged attribute hidden)
            },
          + {
              + cidr_blocks      = [
                  + "0.0.0.0/0",
                ]
              + from_port        = 80
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 80
                # (1 unchanged attribute hidden)
            },
        ]
      + name                   = (known after apply)
      + name_prefix            = "nomad_www"
      + owner_id               = (known after apply)
      + revoke_rules_on_delete = false
      + tags_all               = {
          + "Project" = "nomad"
        }
      + vpc_id                 = "vpc-0096a5be1bafea6ad"
    }

  # module.private-cloud.aws_security_group.www_ssh_only_vpn[0] will be destroyed
  # (because index [0] is out of range for count)
  - resource "aws_security_group" "www_ssh_only_vpn" {
      - arn                    = "XX" -> null
      - description            = "Allow HTTP/HTTPS traffic from anywhere" -> null
      - egress                 = [] -> null
      - id                     = "sg-0fe8ab4fd8a142d1d" -> null
      - ingress                = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - from_port        = 443
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 443
                # (1 unchanged attribute hidden)
            },
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - from_port        = 80
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = []
              - self             = false
              - to_port          = 80
                # (1 unchanged attribute hidden)
            },
        ] -> null
      - name                   = "nomad_www_ssh_only20240629004326625900000008" -> null
      - name_prefix            = "nomad_www_ssh_only" -> null
      - owner_id               = "XX" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {} -> null
      - tags_all               = {
          - "Project" = "nomad"
        } -> null
      - vpc_id                 = "vpc-0096a5be1bafea6ad" -> null
    }

  # module.private-cloud.aws_sns_topic_subscription.notify-devops will be created
  + resource "aws_sns_topic_subscription" "notify-devops" {
      + arn                             = (known after apply)
      + confirmation_timeout_in_minutes = 1
      + confirmation_was_authenticated  = (known after apply)
      + endpoint                        = "XXX"
      + endpoint_auto_confirms          = false
      + filter_policy_scope             = (known after apply)
      + id                              = (known after apply)
      + owner_id                        = (known after apply)
      + pending_confirmation            = (known after apply)
      + protocol                        = "email"
      + raw_message_delivery            = false
      + topic_arn                       = "XX"
    }

  # module.private-cloud.aws_sns_topic_subscription.ses-private-portal-bounces will be created
  + resource "aws_sns_topic_subscription" "ses-private-portal-bounces" {
      + arn                             = (known after apply)
      + confirmation_timeout_in_minutes = 1
      + confirmation_was_authenticated  = (known after apply)
      + endpoint                        = "XXX"
      + endpoint_auto_confirms          = false
      + filter_policy_scope             = (known after apply)
      + id                              = (known after apply)
      + owner_id                        = (known after apply)
      + pending_confirmation            = (known after apply)
      + protocol                        = "email"
      + raw_message_delivery            = false
      + topic_arn                       = "XX"
    }

  # module.private-cloud.aws_sns_topic_subscription.ses-private-portal-complaints will be created
  + resource "aws_sns_topic_subscription" "ses-private-portal-complaints" {
      + arn                             = (known after apply)
      + confirmation_timeout_in_minutes = 1
      + confirmation_was_authenticated  = (known after apply)
      + endpoint                        = "XXX"
      + endpoint_auto_confirms          = false
      + filter_policy_scope             = (known after apply)
      + id                              = (known after apply)
      + owner_id                        = (known after apply)
      + pending_confirmation            = (known after apply)
      + protocol                        = "email"
      + raw_message_delivery            = false
      + topic_arn                       = "XX"
    }

  # module.private-cloud.aws_sns_topic_subscription.ses-private-portal-delivery will be created
  + resource "aws_sns_topic_subscription" "ses-private-portal-delivery" {
      + arn                             = (known after apply)
      + confirmation_timeout_in_minutes = 1
      + confirmation_was_authenticated  = (known after apply)
      + endpoint                        = "XXX"
      + endpoint_auto_confirms          = false
      + filter_policy_scope             = (known after apply)
      + id                              = (known after apply)
      + owner_id                        = (known after apply)
      + pending_confirmation            = (known after apply)
      + protocol                        = "email"
      + raw_message_delivery            = false
      + topic_arn                       = "XX"
    }

Plan: 6 to add, 3 to change, 9 to destroy.
```
Minified plan
```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place
  - destroy
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.client-vpn[0].aws_security_group.client_vpn_access will be destroyed
  # (because module.client-vpn[0] is not in configuration)
  - resource "aws_security_group" "client_vpn_access" {
      - arn                    = "XX" -> null
      - description            = "Managed by Terraform" -> null
      - egress                 = [
          - {
              - cidr_blocks      = [
                  - "0.0.0.0/0",
                ]
              - from_port        = 0
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "-1"
              - security_groups  = []
              - self             = false
              - to_port          = 0
                # (1 unchanged attribute hidden)
            },
        ] -> null
      - id                     = "sg-0967c786892a7e15d" -> null
      - ingress                = [] -> null
      - name                   = "nomad_vpn2024062900432772150000000a" -> null
      - name_prefix            = "nomad_vpn" -> null
      - owner_id               = "315400321086" -> null
      - revoke_rules_on_delete = false -> null
      - tags                   = {} -> null
      - tags_all               = {
          - "Project" = "nomad"
        } -> null
      - vpc_id                 = "vpc-0096a5be1bafea6ad" -> null
    }

  # module.private-cloud.aws_instance.server[0] must be replaced
-/+ resource "aws_instance" "server" {
      ~ arn                                  = "XX" -> (known after apply)
      ~ associate_public_ip_address          = false -> true # forces replacement
      ~ cpu_core_count                       = 1 -> (known after apply)
      ~ cpu_threads_per_core                 = 1 -> (known after apply)
      ~ disable_api_stop                     = false -> (known after apply)
      ~ ebs_optimized                        = false -> (known after apply)
      - hibernation                          = false -> null
      + host_id                              = (known after apply)
      + host_resource_group_arn              = (known after apply)
      ~ id                                   = "i-07387ed9af4e24158" -> (known after apply)
      ~ instance_initiated_shutdown_behavior = "stop" -> (known after apply)
      + instance_lifecycle                   = (known after apply)
      ~ instance_state                       = "stopped" -> (known after apply)
      ~ ipv6_address_count                   = 0 -> (known after apply)
      ~ ipv6_addresses                       = [] -> (known after apply)
      ~ monitoring                           = false -> (known after apply)
      + outpost_arn                          = (known after apply)
      + password_data                        = (known after apply)
      + placement_group                      = (known after apply)
      ~ placement_partition_number           = 0 -> (known after apply)
      ~ primary_network_interface_id         = "eni-0c16b826fef1e142f" -> (known after apply)
      ~ private_dns                          = "ip-172-31-2-242.us-west-2.compute.internal" -> (known after apply)
      ~ private_ip                           = "172.31.2.242" -> (known after apply)
      + public_dns                           = (known after apply)
      + public_ip                            = (known after apply)
      ~ secondary_private_ips                = [] -> (known after apply)
      ~ security_groups                      = [] -> (known after apply)
      + spot_instance_request_id             = (known after apply)
        tags                                 = {
            "ConsulAutoJoin" = "nomad-auto-join"
            "Name"           = "nomad-server-0"
            "NomadType"      = "server"
        }
      ~ tenancy                              = "default" -> (known after apply)
      + user_data_base64                     = (known after apply)
        # (13 unchanged attributes hidden)

      - capacity_reservation_specification {
          - capacity_reservation_preference = "open" -> null
        }

      - cpu_options {
          - core_count       = 1 -> null
          - threads_per_core = 1 -> null
            # (1 unchanged attribute hidden)
        }

      - credit_specification {
          - cpu_credits = "standard" -> null
        }

      - enclave_options {
          - enabled = false -> null
        }

      - maintenance_options {
          - auto_recovery = "default" -> null
        }

      ~ metadata_options {
          ~ http_put_response_hop_limit = 1 -> (known after apply)
          ~ http_tokens                 = "optional" -> (known after apply)
            # (3 unchanged attributes hidden)
        }

      - private_dns_name_options {
          - enable_resource_name_dns_a_record    = false -> null
          - enable_resource_name_dns_aaaa_record = false -> null
          - hostname_type                        = "ip-name" -> null
        }

      ~ root_block_device {
          ~ device_name = "/dev/sda1" -> (known after apply)
          ~ encrypted   = false -> (known after apply)
          ~ iops        = 100 -> (known after apply)
          + kms_key_id  = (known after apply)
          - tags        = {} -> null
          ~ tags_all    = {
              - "Project" = "nomad"
            } -> (known after apply)
          ~ throughput  = 0 -> (known after apply)
          ~ volume_id   = "vol-095f23d1fab36a3e3" -> (known after apply)
            # (3 unchanged attributes hidden)
        }
    }

  # module.private-cloud.aws_security_group.consul_nomad_ui will be updated in-place
  ~ resource "aws_security_group" "consul_nomad_ui" {
        id      = "sg-095e1b15d993f7adb"
      ~ ingress = [
          + {
              + cidr_blocks      = [
                  + "XX/32",
                  + "XX/32",
                ]
              + from_port        = 4646
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = [
                  + null,
                ]
              + self             = false
              + to_port          = 4646
                # (1 unchanged attribute hidden)
            },
          + {
              + cidr_blocks      = [
                  + "XX/32",
                  + "XX/32",
                ]
              + from_port        = 8500
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = [
                  + null,
                ]
              + self             = false
              + to_port          = 8500
                # (1 unchanged attribute hidden)
            },
        ]
        name    = "nomad-webui"
        tags    = {}
        # (8 unchanged attributes hidden)
    }

  # module.private-cloud.aws_security_group.server_ssh will be updated in-place
  ~ resource "aws_security_group" "server_ssh" {
        id      = "sg-0c262672425c429b4"
      ~ ingress = [
          + {
              + cidr_blocks      = [
                  + "XX/32",
                  + "XX/32",
                ]
              + from_port        = 22
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = [
                  + null,
                ]
              + self             = false
              + to_port          = 22
                # (1 unchanged attribute hidden)
            },
        ]
        name    = "nomad-server-ssh"
        tags    = {}
        # (8 unchanged attributes hidden)
    }

Plan: 1 to add, 2 to change, 2 to destroy.
[prtl|INFO] Run "terraform apply -state ../../state.d/terraform.tfstate ../../state.d/terraform.plan"
module.private-cloud.aws_instance.server[0]: Destroying... [id=i-07387ed9af4e24158]
module.private-cloud.aws_instance.server[0]: Still destroying... [id=i-07387ed9af4e24158, 10s elapsed]
module.private-cloud.aws_instance.server[0]: Destruction complete after 15s
module.private-cloud.aws_security_group.server_ssh: Modifying... [id=sg-0c262672425c429b4]
module.private-cloud.aws_security_group.consul_nomad_ui: Modifying... [id=sg-095e1b15d993f7adb]
╷
│ Error: updating Security Group (sg-095e1b15d993f7adb) ingress rules: authorizing Security Group (ingress) rules: MissingParameter: Source group ID missing.
│ 	status code: 400, request id: 672c5cef-3f7d-4c7e-b759-a677f1a5682d
│
│   with module.private-cloud.aws_security_group.consul_nomad_ui,
│   on modules/private-cloud/vpc.tf line 99, in resource "aws_security_group" "consul_nomad_ui":
│   99: resource "aws_security_group" "consul_nomad_ui" {
│
╵
╷
│ Error: updating Security Group (sg-0c262672425c429b4) ingress rules: authorizing Security Group (ingress) rules: MissingParameter: Source group ID missing.
│ 	status code: 400, request id: 09389b01-f248-4248-a987-4f649aa0534b
│
│   with module.private-cloud.aws_security_group.server_ssh,
│   on modules/private-cloud/vpc.tf line 130, in resource "aws_security_group" "server_ssh":
│   130: resource "aws_security_group" "server_ssh" {
│
```
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
None
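A pre-apply check for the failure reported above, added here as an example (it is not code from the issue or from the AWS provider): it reads the JSON form of a saved plan, as produced by `terraform show -json <planfile>`, and flags inline `aws_security_group` rules whose `security_groups` list holds a null or empty entry, which is what the plan shows as `+ null,` before the apply stops with `MissingParameter: Source group ID missing`. The sample plan document, its CIDR value and the function names are constructed for illustration.

```python
import json
import sys

# Constructed sample, trimmed to the fields the check reads. It mimics the
# shape of `terraform show -json <planfile>` for resources named in the
# report; the CIDR is a documentation address, not a value from the page.
SAMPLE_PLAN_JSON = """
{
  "resource_changes": [
    {
      "address": "module.private-cloud.aws_security_group.consul_nomad_ui",
      "type": "aws_security_group",
      "change": {
        "actions": ["update"],
        "after": {
          "ingress": [
            {"from_port": 4646, "to_port": 4646, "protocol": "tcp",
             "cidr_blocks": ["203.0.113.10/32"], "security_groups": [null]},
            {"from_port": 8500, "to_port": 8500, "protocol": "tcp",
             "cidr_blocks": ["203.0.113.10/32"], "security_groups": [null]}
          ],
          "egress": []
        },
        "after_unknown": {}
      }
    },
    {
      "address": "module.private-cloud.aws_security_group.www[0]",
      "type": "aws_security_group",
      "change": {
        "actions": ["create"],
        "after": {
          "ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp",
             "cidr_blocks": ["0.0.0.0/0"], "security_groups": []}
          ]
        },
        "after_unknown": {"egress": true, "id": true}
      }
    },
    {
      "address": "module.client-vpn[0].aws_security_group.client_vpn_access",
      "type": "aws_security_group",
      "change": {"actions": ["delete"], "after": null, "after_unknown": {}}
    }
  ]
}
"""

# Only changes that send rules to the EC2 API matter; deletes are skipped.
APPLIED_ACTIONS = {"create", "update"}


def _marked_unknown(node, path):
    """Return True if after_unknown marks the value at path, or a parent, unknown."""
    for key in path:
        if node is True:
            return True
        if isinstance(node, dict):
            node = node.get(key)
        elif isinstance(node, list) and isinstance(key, int) and key < len(node):
            node = node[key]
        else:
            return False
    return node is True


def find_null_group_refs(plan):
    """List inline rules whose security_groups contain a known null or empty ID."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after")
        if rc.get("type") != "aws_security_group" or not after:
            continue
        if not APPLIED_ACTIONS & set(change.get("actions", [])):
            continue
        unknown = change.get("after_unknown") or {}
        for direction in ("ingress", "egress"):
            for i, rule in enumerate(after.get(direction) or []):
                for j, ref in enumerate(rule.get("security_groups") or []):
                    path = (direction, i, "security_groups", j)
                    # Values resolved only at apply time are not reported.
                    if ref in (None, "") and not _marked_unknown(unknown, path):
                        findings.append({"address": rc["address"],
                                         "direction": direction,
                                         "from_port": rule.get("from_port"),
                                         "to_port": rule.get("to_port")})
    return findings


def gate(plan_json_text):
    """Print each finding and return a shell exit code: 1 blocks the apply."""
    findings = find_null_group_refs(json.loads(plan_json_text))
    for f in findings:
        print(f"{f['address']}: {f['direction']} rule {f['from_port']}-"
              f"{f['to_port']} references a null or empty security group ID")
    return 1 if findings else 0


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    sys.exit(gate(text))
```

Run between `terraform plan -out` and `terraform apply`, a non-zero exit stops the pipeline before Terraform has destroyed or modified anything.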