[Bug]: `aws_security_group` resource is created with an invalid egress rule

[nikpivkin]

Terraform Core Version

1.8.5

AWS Provider Version

5.57.0

Affected Resource(s)

aws_security_group

Expected Behavior

The resource is successfully created if one of the following arguments is not specified for the rule egress: cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, or security_groups.

Actual Behavior

A resource should not be created.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
    }
  }

  required_version = ">= 1.2.0"
}

provider "aws" {
  region  = "us-west-1"
}

resource "aws_security_group" "this" {
  name = "test_sg"

  egress {
    protocol = "-1"
    from_port = "0"
    to_port = "0"
  }
}

Steps to Reproduce

terrafrom init && terrafrom apply -auto-approve

aws ec2 describe-security-groups --group-ids sg-0f3ac859864629452 --no-cli-pager
{
    "SecurityGroups": [
        {
            "Description": "Managed by Terraform",
            "GroupName": "test_sg",
            "IpPermissions": [],
            "OwnerId": "***",
            "GroupId": "sg-0f3ac859864629452",
            "IpPermissionsEgress": [],
            "VpcId": "***"
        }
    ]
}

Debug Output

No response

Panic Output

No response

Important Factoids

Creating a resource in CloudFormation without specifying a list of CIDR blocks for the Egress rule returns an error.

Example config:

Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Test
      SecurityGroupEgress:
      - IpProtocol: -1
        FromPort: 0
        ToPort: 0

Response:

Resource handler returned message: "Only one of CidrIp, CidrIpv6, DestinationPrefixListId or DestinationSecurityGroupId can be specified" (RequestToken: cf23d21b-5b77-50c0-6f76-df534f40d904, HandlerErrorCode: InvalidRequest)

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @nikpivkin 👋 Thank you for taking the time to raise this! In this case, this is expected behavior that we note in the resource documentation:

Although cidr_blocks, ipv6_cidr_blocks, prefix_list_ids, and security_groups are all marked as optional, you must provide one of them in order to configure the destination of the traffic.

With that in mind, I'm going to close this issue, but please do let us know if you experience any other unexpected behavior!

[github-actions[bot]]

[!WARNING] This issue has been closed, meaning that any additional comments are hard for our team to see. Please assume that the maintainers will not see them.

Ongoing conversations amongst community members are welcome, however, the issue will be locked after 30 days. Moving conversations to another venue, such as the AWS Provider forum, is recommended. If you have additional concerns, please open a new issue, referencing this one where needed.

[nikpivkin]

@justinretzolk Thank you. But why doesn't an error occur if I don't specify any of these arguments and the resource is just quietly created?

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.