hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Importing a non-existent Security Group Rule is possible with Terraform #38859

Open OscarPoels opened 2 months ago

OscarPoels commented 2 months ago

Terraform Core Version

1.9.4

AWS Provider Version

5.62.0

Affected Resource(s)

aws_security_group_rule

Expected Behavior

When importing a non-existent security group rule, Terraform should return "cannot import non-existent remote object".

Actual Behavior

Terraform does allow importing a non-existent security group rule.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

# Provider Configuration
provider "aws" {
  region = "us-east-1"  # Specify your desired AWS region
}

# Terraform Configuration
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "5.62.0"
    }
  }
}

# VPC Creation
resource "aws_vpc" "example_vpc" {
  cidr_block            = "10.0.0.0/16"
}

# Security Group Creation
resource "aws_security_group" "example_sg" {
  name        = "tmp_test_sg"
  description = "Test Security Group for rule import"
  vpc_id      = aws_vpc.example_vpc.id
}

# Security Group Rule (Ingress)
resource "aws_security_group_rule" "allow_port_6443_self" {
  type              = "ingress"
  from_port         = 6443
  to_port           = 6443
  protocol          = "tcp"
  self              = true
  security_group_id = aws_security_group.example_sg.id
}

Steps to Reproduce

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

justinretzolk commented 2 months ago

Hey @OscarPoels 👋 Thank you for taking the time to raise this! Maybe I've misunderstood, but it seems like this is covered in the existing documentation (emphasis mine):

NOTE: Not all rule permissions (e.g., not all of a rule's CIDR blocks) need to be imported for Terraform to manage rule permissions. However, importing some of a rule's permissions but not others, and then making changes to the rule will result in the creation of an additional rule to capture the updated permissions. Rule permissions that were not imported are left intact in the original rule.

OscarPoels commented 2 months ago

Hello @justinretzolk, and thank you for your reply. Perhaps there's something I haven't understood on my side. The documentation talks about an existing rule that would be modified, but I'm talking about a rule that doesn't exist anywhere. What's more, if I go back to my example and do a terraform apply after modifying permissions in this rule that don't involve recreating the resource (e.g. adding a description), this doesn't create a new rule but returns an error, because it let me import a rule that does not exist:

error: updating Security Group (sg-XXXXXXX) Rule (sgrule-XXXXXXX) description: operation error EC2: UpdateSecurityGroupRuleDescriptionsIngress, https response error StatusCode: 400, RequestID: XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX, api error InvalidPermission.NotFound: The specified rule does not exist in this security group.

justinretzolk commented 2 months ago

Hey @OscarPoels 👋 Thanks for the additional clarification. That makes sense to me. With that in mind, I'm going to remove the needs-triage, indicating that the issue is now waiting to be prioritized.
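The failure mode described in this thread (the import succeeds for a rule that is not in the group, and only the first update fails with InvalidPermission.NotFound) means state can claim a rule that does not exist until something touches it. Until the provider rejects such imports, a pre-import check avoids recording a phantom rule. The following is an added example and not code from the provider or from anyone on this thread: it parses the aws_security_group_rule import ID format (`<sg-id>_<type>_<protocol>_<from-port>_<to-port>_<source...>`) and looks for a matching permission in the JSON returned by `aws ec2 describe-security-groups`. The sample response, the group id and the account id are constructed; the script assumes only the standard DescribeSecurityGroups response shape (`IpPermissions`, `IpPermissionsEgress`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`). As the provider documentation quoted above allows, an import ID naming a subset of a rule's sources is still accepted as long as every named source is present.

```python
import json

# Constructed sample: the shape of `aws ec2 describe-security-groups --group-ids ...`
# output for a group like the one in the issue. It holds one self-referencing
# tcp/6443 ingress rule and the default allow-all egress rule, nothing else.
SAMPLE_SG_ID = "sg-0123456789abcdef0"  # constructed placeholder id
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": SAMPLE_SG_ID,
        "GroupName": "tmp_test_sg",
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": 6443, "ToPort": 6443,
            "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": SAMPLE_SG_ID, "UserId": "123456789012"}],
        }],
        "IpPermissionsEgress": [{
            "IpProtocol": "-1",
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [],
        }],
    }]
})

# The import ID keyword "all" corresponds to IpProtocol "-1" in the EC2 API.
PROTOCOL_ALIASES = {"all": "-1"}


def parse_import_id(import_id):
    """Split an aws_security_group_rule import ID into its components."""
    parts = import_id.split("_")
    if len(parts) < 6:
        raise ValueError(f"import ID has too few fields: {import_id!r}")
    sg_id, rule_type, protocol, from_port, to_port = parts[:5]
    if not sg_id.startswith("sg-"):
        raise ValueError(f"import ID must start with a security group id: {import_id!r}")
    if rule_type not in ("ingress", "egress"):
        raise ValueError(f"rule type must be ingress or egress: {rule_type!r}")
    return {
        "sg_id": sg_id,
        "type": rule_type,
        "protocol": PROTOCOL_ALIASES.get(protocol, protocol),
        "from_port": int(from_port),
        "to_port": int(to_port),
        # the remaining fields are the sources/destinations: CIDRs, sg-ids or "self"
        "sources": parts[5:],
    }


def _permission_matches(perm, spec):
    """True if one IpPermissions entry covers every source named in the import ID."""
    if perm["IpProtocol"] != spec["protocol"]:
        return False
    # "-1" (all protocols) entries carry no port fields in the API response
    if spec["protocol"] != "-1":
        if perm.get("FromPort") != spec["from_port"] or perm.get("ToPort") != spec["to_port"]:
            return False
    cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
    cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
    group_ids = {p["GroupId"] for p in perm.get("UserIdGroupPairs", [])}
    for source in spec["sources"]:
        if source == "self":
            present = spec["sg_id"] in group_ids  # "self" means the group references itself
        elif source.startswith("sg-"):
            present = source in group_ids
        else:
            present = source in cidrs
        if not present:
            return False
    return True


def rule_exists(describe_output, import_id):
    """Return True only if the rule named by import_id is present in the group."""
    spec = parse_import_id(import_id)
    groups = json.loads(describe_output)["SecurityGroups"]
    group = next((g for g in groups if g["GroupId"] == spec["sg_id"]), None)
    if group is None:
        return False
    key = "IpPermissions" if spec["type"] == "ingress" else "IpPermissionsEgress"
    return any(_permission_matches(perm, spec) for perm in group.get(key, []))


if __name__ == "__main__":
    import sys
    # Usage: aws ec2 describe-security-groups --group-ids <sg-id> | python check_sg_rule.py <import-id>
    found = rule_exists(sys.stdin.read(), sys.argv[1])
    print("rule found; safe to import" if found else "rule NOT found; do not import")
    sys.exit(0 if found else 1)
```

Run it in front of `terraform import` (for example as a wrapper step in the pipeline that performs imports) so a typo in the port or source, or a rule that was already deleted in the console, fails loudly instead of landing in state and surfacing later as the InvalidPermission.NotFound error above.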