A security group with a combination of a CIDR, a SG, and self=true, applies but still shows changes

jbscare commented 5 years ago

Community Note

Please vote on this issue by adding a # reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

[12:47:50] jsmift@omni-mgmt-control-0:/home/jsmift/tmp/aws-provider-bug
+$ ./terraform -v
Terraform v0.11.11
+ provider.aws v1.57.0

Affected Resource(s)

aws_security_group

Terraform Configuration Files

{
  "provider": {
    "aws": {
      "__DEFAULT__": {
        "assume_role": {
          "role_arn": "arn:aws:iam::798732171007:role/admin"
        },
        "profile": "chargeup",
        "region": "us-east-1",
        "version": "~> 1.57.0"
      }
    }
  },
  "resource": {
    "aws_security_group": {
      "group-x": {
        "description": "Managed by Terraform",
        "egress": [],
        "ingress": [],
        "name": "group-x",
        "vpc_id": "vpc-9bffd1fe"
      },
      "group-y": {
        "description": "Managed by Terraform",
        "egress": [],
        "ingress": [
          {
            "from_port": 8989,
            "protocol": "tcp",
            "security_groups": [
              "${aws_security_group.group-x.id}"
            ],
            "to_port": 8990
          },
          {
            "cidr_blocks": [
              "10.192.22.52/32"
            ],
            "from_port": 8989,
            "protocol": "tcp",
            "to_port": 8990
          },
          {
            "from_port": 8989,
            "protocol": "tcp",
            "self": true,
            "to_port": 8990
          }
        ],
        "name": "group-y",
        "vpc_id": "vpc-9bffd1fe"
      }
    }
  }
}

Debug Output

https://gist.github.com/jbscare/6918964f0500c71e3c25560b731e5a4f

Panic Output

No panic output.

Expected Behavior

After applying this config, a second terraform apply (or a terraform plan) should show that no changes are needed.

Actual Behavior

The second terraform apply shows that it still wants to make changes. Using terraform plan and a pipe to sed to show only the things that it wants to change:

+$ ./terraform plan | sed -e '/"\(.*\)" => "\1"/d'
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

aws_security_group.group-x: Refreshing state... (ID: sg-05c9cc7e76b83e419)
aws_security_group.group-y: Refreshing state... (ID: sg-0b5b97a5d904f9ca2)

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_security_group.group-y
      ingress.#:                                    "2" => "3"
      ingress.210426432.from_port:                  "" => "8989"
      ingress.210426432.protocol:                   "" => "tcp"
      ingress.210426432.security_groups.#:          "0" => "1"
      ingress.210426432.security_groups.1934294384: "" => "sg-05c9cc7e76b83e419"
      ingress.210426432.self:                       "" => "false"
      ingress.210426432.to_port:                    "" => "8990"
      ingress.2277696117.cidr_blocks.#:             "0" => "1"
      ingress.2277696117.cidr_blocks.0:             "" => "10.192.22.52/32"
      ingress.2277696117.from_port:                 "" => "8989"
      ingress.2277696117.protocol:                  "" => "tcp"
      ingress.2277696117.self:                      "" => "false"
      ingress.2277696117.to_port:                   "" => "8990"
      ingress.9858312.cidr_blocks.#:                "1" => "0"
      ingress.9858312.cidr_blocks.0:                "10.192.22.52/32" => ""
      ingress.9858312.from_port:                    "8989" => "0"
      ingress.9858312.protocol:                     "tcp" => ""
      ingress.9858312.security_groups.#:            "1" => "0"
      ingress.9858312.security_groups.1934294384:   "sg-05c9cc7e76b83e419" => ""
      ingress.9858312.to_port:                      "8990" => "0"

Plan: 0 to add, 1 to change, 0 to destroy.

------------------------------------------------------------------------

That is, it wants to remove ingress.9858312, which contains a CIDR block and a security group, and replace it with ingress.210426432 containing the security group and ingress.2277696117 containing the CIDR block.

Applying the change doesn't seem to change the state; it continues to think it needs to apply this exact change.

Steps to Reproduce

terraform init
terraform apply
terraform apply

NOTE that this doesn't consistently reproduce the problem. If it doesn't, try

terraform destroy
terraform apply
terraform apply

It often reproduces the problem after only one or two tries, but I've sometimes had to try as many as a dozen times.

Important Factoids

We use IAM roles to apply our configs.

If you get to a point where you can reproduce the problem, you can eliminate the problem by changing any of the parameters in the config. For example, if you:

Remove any of the three ingress rules.
Change the to_port or from_port (make it the same on all three rules).
Change the IP address.

Then a terraform apply command will apply the change, and a second terraform apply command will say there are no changes.

If you then put the config back to the original parameters, terraform apply will go back to continuing to think there are changes ever after applying.

We suspect that the reason it doesn't always reproduce is that the security group ID is also signficant, and that some SG IDs trigger the problem while some don't. Unfortunately, that's not a parameter you can just change in your config.

In our testing, we found that these pairs of security group IDs did reproduce the problem:

aws_security_group.group-x: Creation complete after 1s (ID: sg-0a92d7e18ae410e22) aws_security_group.group-y: Creation complete after 1s (ID: sg-0a3cc8872feb026da)

aws_security_group.group-x: Creation complete after 1s (ID: sg-01172b325c5570bda) aws_security_group.group-y: Creation complete after 1s (ID: sg-0007241960f06f4a0)

aws_security_group.group-x: Creation complete after 1s (ID: sg-05c9cc7e76b83e419) aws_security_group.group-y: Creation complete after 1s (ID: sg-0b5b97a5d904f9ca2)

While these combinations did not reproduce the problem:

aws_security_group.group-x: Creation complete after 1s (ID: sg-0eaa35cb65915d1f8) aws_security_group.group-y: Creation complete after 1s (ID: sg-0063137ed8d0db6c8)

aws_security_group.group-x: Creation complete after 1s (ID: sg-0e7b0209bcbc66d83) aws_security_group.group-y: Creation complete after 1s (ID: sg-07c0f432f1a920bf0)

aws_security_group.group-x: Creation complete after 1s (ID: sg-0f985965ac7712fb8) aws_security_group.group-y: Creation complete after 1s (ID: sg-0813d8604667c8371)

aws_security_group.group-x: Creation complete after 1s (ID: sg-0d37d705636acc7fb) aws_security_group.group-y: Creation complete after 1s (ID: sg-0c66b0c05258f92f0)

aws_security_group.group-x: Creation complete after 1s (ID: sg-0ebfed8677b378e81) aws_security_group.group-y: Creation complete after 1s (ID: sg-0f389437a07360b42)

aws_security_group.group-x: Creation complete after 1s (ID: sg-0d83646a14c0e3f30) aws_security_group.group-y: Creation complete after 1s (ID: sg-0e28c2ecea3dac365)

Just in case there's some pattern there (we're not seeing one, but who knows).

I really wanted to title this bug "A CIDR, a SG, and self=true walk into a bar", but managed to resist.

References

None.

bflad commented 5 years ago

Hi @jbscare 👋 Does it work if you combine the two rules with matching ports and protocol?

{
  "provider": {
    "aws": {
      "__DEFAULT__": {
        "assume_role": {
          "role_arn": "arn:aws:iam::798732171007:role/admin"
        },
        "profile": "chargeup",
        "region": "us-east-1",
        "version": "~> 1.57.0"
      }
    }
  },
  "resource": {
    "aws_security_group": {
      "group-x": {
        "description": "Managed by Terraform",
        "egress": [],
        "ingress": [],
        "name": "group-x",
        "vpc_id": "vpc-9bffd1fe"
      },
      "group-y": {
        "description": "Managed by Terraform",
        "egress": [],
        "ingress": [
          {
            "from_port": 8989,
            "protocol": "tcp",
            "security_groups": [
              "${aws_security_group.group-x.id}"
            ],
            "to_port": 8990
          },
          {
            "cidr_blocks": [
              "10.192.22.52/32"
            ],
            "self": true,
            "from_port": 8989,
            "protocol": "tcp",
            "to_port": 8990
          }
        ],
        "name": "group-y",
        "vpc_id": "vpc-9bffd1fe"
      }
    }
  }
}

For historical reasons to match the EC2 API, the Terraform AWS provider should try to combine rules in that manor. Can you let us know? Thanks!

jbscare commented 5 years ago

All three rules have the same ports and protocol.

As it turns out, starting from the original configuration, if I combine:

cidr_blocks and self=true
security_groups and self=true
cidr_blocks and security_groups
all three of them into one rule

... then terraform apply says there are changes; if I apply the change, it then no longer things changes are needed.

jbscare commented 5 years ago

The terraform plan output makes it look like it wants to split things apart:

aws_security_group.group-y: Modifying... (ID: sg-0b5b97a5d904f9ca2)
  ingress.#:                                    "2" => "3"
  ingress.210426432.cidr_blocks.#:              "0" => "0"
  ingress.210426432.description:                "" => ""
  ingress.210426432.from_port:                  "" => "8989"
  ingress.210426432.ipv6_cidr_blocks.#:         "0" => "0"
  ingress.210426432.prefix_list_ids.#:          "0" => "0"
  ingress.210426432.protocol:                   "" => "tcp"
  ingress.210426432.security_groups.#:          "0" => "1"
  ingress.210426432.security_groups.1934294384: "" => "sg-05c9cc7e76b83e419"
  ingress.210426432.self:                       "" => "false"
  ingress.210426432.to_port:                    "" => "8990"
  ingress.2277696117.cidr_blocks.#:             "0" => "1"
  ingress.2277696117.cidr_blocks.0:             "" => "10.192.22.52/32"
  ingress.2277696117.description:               "" => ""
  ingress.2277696117.from_port:                 "" => "8989"
  ingress.2277696117.ipv6_cidr_blocks.#:        "0" => "0"
  ingress.2277696117.prefix_list_ids.#:         "0" => "0"
  ingress.2277696117.protocol:                  "" => "tcp"
  ingress.2277696117.security_groups.#:         "0" => "0"
  ingress.2277696117.self:                      "" => "false"
  ingress.2277696117.to_port:                   "" => "8990"
  ingress.2408792157.cidr_blocks.#:             "0" => "0"
  ingress.2408792157.description:               "" => ""
  ingress.2408792157.from_port:                 "8989" => "8989"
  ingress.2408792157.ipv6_cidr_blocks.#:        "0" => "0"
  ingress.2408792157.prefix_list_ids.#:         "0" => "0"
  ingress.2408792157.protocol:                  "tcp" => "tcp"
  ingress.2408792157.security_groups.#:         "0" => "0"
  ingress.2408792157.self:                      "true" => "true"
  ingress.2408792157.to_port:                   "8990" => "8990"
  ingress.9858312.cidr_blocks.#:                "1" => "0"
  ingress.9858312.cidr_blocks.0:                "10.192.22.52/32" => ""
  ingress.9858312.description:                  "" => ""
  ingress.9858312.from_port:                    "8989" => "0"
  ingress.9858312.ipv6_cidr_blocks.#:           "0" => "0"
  ingress.9858312.prefix_list_ids.#:            "0" => "0"
  ingress.9858312.protocol:                     "tcp" => ""
  ingress.9858312.security_groups.#:            "1" => "0"
  ingress.9858312.security_groups.1934294384:   "sg-05c9cc7e76b83e419" => ""
  ingress.9858312.self:                         "false" => "false"
  ingress.9858312.to_port:                      "8990" => "0"
aws_security_group.group-y: Modifications complete after 0s (ID: sg-0b5b97a5d904f9ca2)

But it doesn't actually do that, I guess? Because the provider combines them before it sends them off to AWS? So maybe the issue is that the provider needs to also want to combine them at plan time?

jbscare commented 5 years ago

I'm also still totally mystified as to why the original config behaves differently if you use 10.192.22.51/32 as the IP address instead of 10.192.22.52/32. If I make only that change to the original config, it says

aws_security_group.group-y: Modifying... (ID: sg-0b5b97a5d904f9ca2)
  ingress.#:                                    "2" => "3"
  ingress.210426432.cidr_blocks.#:              "0" => "0"
  ingress.210426432.description:                "" => ""
  ingress.210426432.from_port:                  "" => "8989"
  ingress.210426432.ipv6_cidr_blocks.#:         "0" => "0"
  ingress.210426432.prefix_list_ids.#:          "0" => "0"
  ingress.210426432.protocol:                   "" => "tcp"
  ingress.210426432.security_groups.#:          "0" => "1"
  ingress.210426432.security_groups.1934294384: "" => "sg-05c9cc7e76b83e419"
  ingress.210426432.self:                       "" => "false"
  ingress.210426432.to_port:                    "" => "8990"
  ingress.2408792157.cidr_blocks.#:             "0" => "0"
  ingress.2408792157.description:               "" => ""
  ingress.2408792157.from_port:                 "8989" => "8989"
  ingress.2408792157.ipv6_cidr_blocks.#:        "0" => "0"
  ingress.2408792157.prefix_list_ids.#:         "0" => "0"
  ingress.2408792157.protocol:                  "tcp" => "tcp"
  ingress.2408792157.security_groups.#:         "0" => "0"
  ingress.2408792157.self:                      "true" => "true"
  ingress.2408792157.to_port:                   "8990" => "8990"
  ingress.3227687077.cidr_blocks.#:             "0" => "1"
  ingress.3227687077.cidr_blocks.0:             "" => "10.192.22.51/32"
  ingress.3227687077.description:               "" => ""
  ingress.3227687077.from_port:                 "" => "8989"
  ingress.3227687077.ipv6_cidr_blocks.#:        "0" => "0"
  ingress.3227687077.prefix_list_ids.#:         "0" => "0"
  ingress.3227687077.protocol:                  "" => "tcp"
  ingress.3227687077.security_groups.#:         "0" => "0"
  ingress.3227687077.self:                      "" => "false"
  ingress.3227687077.to_port:                   "" => "8990"
  ingress.9858312.cidr_blocks.#:                "1" => "0"
  ingress.9858312.cidr_blocks.0:                "10.192.22.52/32" => ""
  ingress.9858312.description:                  "" => ""
  ingress.9858312.from_port:                    "8989" => "0"
  ingress.9858312.ipv6_cidr_blocks.#:           "0" => "0"
  ingress.9858312.prefix_list_ids.#:            "0" => "0"
  ingress.9858312.protocol:                     "tcp" => ""
  ingress.9858312.security_groups.#:            "1" => "0"
  ingress.9858312.security_groups.1934294384:   "sg-05c9cc7e76b83e419" => ""
  ingress.9858312.self:                         "false" => "false"
  ingress.9858312.to_port:                      "8990" => "0"
aws_security_group.group-y: Modifications complete after 0s (ID: sg-0b5b97a5d904f9ca2)

And then a subsequent apply says no changes. So with a different IP address (or port numbers, or SG ID apparently), it's fine with having three rules, but with the original one, it thinks it needs to combine down to two?

jbscare commented 5 years ago

I noticed that the response from the AWS EC2 API seems to be the same regardless:

+$ aws ec2 describe-security-groups --filters "Name=group-name,Values=group-y" 
{
    "SecurityGroups": [
        {
            "IpPermissionsEgress": [], 
            "Description": "Managed by Terraform", 
            "IpPermissions": [
                {
                    "PrefixListIds": [], 
                    "FromPort": 8989, 
                    "IpRanges": [
                        {
                            "CidrIp": "10.192.22.52/32"
                        }
                    ], 
                    "ToPort": 8990, 
                    "IpProtocol": "tcp", 
                    "UserIdGroupPairs": [
                        {
                            "UserId": "798732171007", 
                            "GroupId": "sg-05c9cc7e76b83e419"
                        }, 
                        {
                            "UserId": "798732171007", 
                            "GroupId": "sg-0b5b97a5d904f9ca2"
                        }
                    ], 
                    "Ipv6Ranges": []
                }
            ], 
            "GroupName": "group-y", 
            "VpcId": "vpc-9bffd1fe", 
            "OwnerId": "798732171007", 
            "GroupId": "sg-0b5b97a5d904f9ca2"
        }
    ]
}

So it looks like the AWS EC2 API is in fact representing these as one rule, whether the provider thinks of them that way or not.

jbscare commented 5 years ago

So it looks like the AWS EC2 API is in fact representing these as one rule, whether the provider thinks of them that way or not.

Given that, why does the provider ever think of them as multiple rules? That seems like the crux of this bug, unless there's some other good reason for it to do that.

jbscare commented 5 years ago

We were able to work around this problem in our actual config when it came up before, but it's come up again in a way that we can't work around as easily. Any chance that someone could look into this? It's been labeled needs-triage for months. I checked just now with version 2.32.0 of the provider and the bug still exists.

So it looks like the AWS EC2 API is in fact representing these as one rule, whether the provider thinks of them that way or not.

Given that, why does the provider ever think of them as multiple rules? That seems like the crux of this bug, unless there's some other good reason for it to do that.

I haven't looked at the code, but this still seems true to me: If the code is for some reason treating these as separate rules, that seems like it may be the cause of the problem.

jbscare commented 4 years ago

Updating the title because this isn't really about idempotence, it's about convergence.

We've run into another couple of instances of this bug recently, and have been able to hack our way around all of them so far, by changing the ports or IP addresses that are permitted, but it's not always easy to do. Is there any chance someone could take a look at this at some point?

nurpax commented 4 years ago

I think I'm hitting this same or a very similar issue.

I'm pulling cidr_blocks into a security group like this:

locals {
    corp_ip_ranges_json = jsondecode(file("corp_ip_ranges.json"))
    corp_ip_ranges = [
        for e in local.corp_ip_ranges_json:
            e.ip_prefix
    ]
}

resource "aws_security_group" "nvrweb_sg" {
    description = "ELB Allowed Ports"
    ingress     = [
        {
            cidr_blocks      = local.corp_ip_ranges
            description      = "Accept traffic only from certain IP ranges"
            from_port        = 443
            ipv6_cidr_blocks = []
            prefix_list_ids  = []
            protocol         = "tcp"
            security_groups  = []
            self             = false
            to_port          = 443
        },
    ]
    #...

The contents of the json file look like:

[
  {
    "ip_prefix": "11.22.33.44/30",
    "region": "A"
  },
  {
    "ip_prefix": "22.33.44.55/30",
    "region": "B"
  },
  # ...
]

The list contains 49 elements.

After running terraform apply, terraform plan usually says the cidr_blocks list has changed. Someone else had seen a similar issue here: https://github.com/hashicorp/terraform/issues/8152

Looks like the cidr_blocks list order might be changing, but I don't see what'd be changing the array order.

jbscare commented 3 years ago

We recently upgraded to Terraform 0.13, and with version 3.21 of the AWS provider, we still hit this bug from time to time. :^(

nurpax commented 3 years ago

Looks like I forgot to update my comment. In my case I found out that I had duplicate elements in the cidr_blocks list. Once I removed the duplicates, state consistently converges.

jbscare commented 3 years ago

Alas, that's definitely not our problem. :^( The simple reproducer in the description only has one CIDR block, one security group, and the self=true rule.

muresan commented 3 years ago

It's still happening with terraform 0.14.2 and provider aws 3.21.0, using the exact snippet as in the initial post, just changed vpc-id:

terraform_bug]$  terraform destroy -auto-approve ; terraform apply -auto-approve ; TF_LOG=DEBUG terraform plan 
aws_security_group.group-y: Destroying... [id=sg-0602c6da3bcb73c87]
aws_security_group.group-y: Destruction complete after 1s
aws_security_group.group-x: Destroying... [id=sg-0015745b21da5d2ae]
aws_security_group.group-x: Destruction complete after 1s

Destroy complete! Resources: 2 destroyed.
aws_security_group.group-x: Creating...
aws_security_group.group-x: Creation complete after 2s [id=sg-0aeadf90782073c8f]
aws_security_group.group-y: Creating...
aws_security_group.group-y: Creation complete after 2s [id=sg-0a0e3c06d7b451c45]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
2020/12/16 17:42:28 [WARN] Log levels other than TRACE are currently unreliable, and are supported only for backward compatibility.
  Use TF_LOG=TRACE to see Terraform's internal logs.
  ----
2020/12/16 17:42:28 [INFO] Terraform version: 0.14.2  
2020/12/16 17:42:28 [INFO] Go runtime version: go1.15.2
2020/12/16 17:42:28 [INFO] CLI args: []string{"/usr/local/bin/terraform-0.14.2", "plan"}
2020/12/16 17:42:28 [DEBUG] Attempting to open CLI config file: /home/cata/.terraformrc
2020/12/16 17:42:28 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2020/12/16 17:42:28 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2020/12/16 17:42:28 [DEBUG] ignoring non-existing provider search directory /home/cata/.terraform.d/plugins
2020/12/16 17:42:28 [DEBUG] ignoring non-existing provider search directory /home/cata/.local/share/terraform/plugins
2020/12/16 17:42:28 [DEBUG] ignoring non-existing provider search directory /home/cata/.local/share/flatpak/exports/share/terraform/plugins
2020/12/16 17:42:28 [DEBUG] ignoring non-existing provider search directory /var/lib/flatpak/exports/share/terraform/plugins
2020/12/16 17:42:28 [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2020/12/16 17:42:28 [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2020/12/16 17:42:28 [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2020/12/16 17:42:28 [INFO] CLI command args: []string{"plan"}
2020/12/16 17:42:28 [WARN] Log levels other than TRACE are currently unreliable, and are supported only for backward compatibility.
  Use TF_LOG=TRACE to see Terraform's internal logs.
  ----
2020/12/16 17:42:28 [DEBUG] New state was assigned lineage "77103e01-65e5-8189-925f-7d8ff263eca6"
2020/12/16 17:42:29 [DEBUG] checking for provisioner in "."
2020/12/16 17:42:29 [DEBUG] checking for provisioner in "/usr/local/bin"
2020/12/16 17:42:29 [INFO] Failed to read plugin lock file .terraform/plugins/linux_amd64/lock.json: open .terraform/plugins/linux_amd64/lock.json: no such file or directory
2020/12/16 17:42:29 [INFO] backend/local: starting Plan operation
2020-12-16T17:42:29.313Z [INFO]  plugin: configuring client automatic mTLS
2020-12-16T17:42:29.349Z [DEBUG] plugin: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5]
2020-12-16T17:42:29.349Z [DEBUG] plugin: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5 pid=177319
2020-12-16T17:42:29.349Z [DEBUG] plugin: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5
2020-12-16T17:42:29.384Z [INFO]  plugin.terraform-provider-aws_v3.21.0_x5: configuring server automatic mTLS: timestamp=2020-12-16T17:42:29.384Z
2020-12-16T17:42:29.419Z [DEBUG] plugin: using plugin: version=5
2020-12-16T17:42:29.419Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: plugin address: network=unix address=/tmp/plugin493014814 timestamp=2020-12-16T17:42:29.419Z
2020-12-16T17:42:29.661Z [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2020-12-16T17:42:29.665Z [DEBUG] plugin: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5 pid=177319
2020-12-16T17:42:29.665Z [DEBUG] plugin: plugin exited
2020/12/16 17:42:29 [INFO] terraform: building graph: GraphTypeValidate
2020/12/16 17:42:29 [DEBUG] ProviderTransformer: "aws_security_group.group-x" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2020/12/16 17:42:29 [DEBUG] ProviderTransformer: "aws_security_group.group-y" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2020/12/16 17:42:29 [DEBUG] ReferenceTransformer: "aws_security_group.group-x" references: []
2020/12/16 17:42:29 [DEBUG] ReferenceTransformer: "aws_security_group.group-y" references: [aws_security_group.group-x]
2020/12/16 17:42:29 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2020/12/16 17:42:29 [DEBUG] Starting graph walk: walkValidate
2020-12-16T17:42:29.668Z [INFO]  plugin: configuring client automatic mTLS
2020-12-16T17:42:29.709Z [DEBUG] plugin: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5]
2020-12-16T17:42:29.709Z [DEBUG] plugin: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5 pid=177340
2020-12-16T17:42:29.709Z [DEBUG] plugin: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5
2020-12-16T17:42:29.747Z [INFO]  plugin.terraform-provider-aws_v3.21.0_x5: configuring server automatic mTLS: timestamp=2020-12-16T17:42:29.747Z
2020-12-16T17:42:29.781Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: plugin address: address=/tmp/plugin941795778 network=unix timestamp=2020-12-16T17:42:29.780Z
2020-12-16T17:42:29.781Z [DEBUG] plugin: using plugin: version=5
2020-12-16T17:42:30.067Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:30 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020-12-16T17:42:30.067Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:30 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020-12-16T17:42:30.070Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:30 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020-12-16T17:42:30.071Z [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2020-12-16T17:42:30.075Z [DEBUG] plugin: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5 pid=177340
2020-12-16T17:42:30.075Z [DEBUG] plugin: plugin exited
2020/12/16 17:42:30 [INFO] backend/local: plan calling Plan
2020/12/16 17:42:30 [INFO] terraform: building graph: GraphTypePlan
2020/12/16 17:42:30 [DEBUG] ProviderTransformer: "aws_security_group.group-x (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2020/12/16 17:42:30 [DEBUG] ProviderTransformer: "aws_security_group.group-y (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/hashicorp/aws"]
2020/12/16 17:42:30 [DEBUG] ReferenceTransformer: "aws_security_group.group-y (expand)" references: [aws_security_group.group-x (expand)]
2020/12/16 17:42:30 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/aws\"]" references: []
2020/12/16 17:42:30 [DEBUG] ReferenceTransformer: "aws_security_group.group-x (expand)" references: []
2020/12/16 17:42:30 [DEBUG] Starting graph walk: walkPlan
2020-12-16T17:42:30.079Z [INFO]  plugin: configuring client automatic mTLS
2020-12-16T17:42:30.123Z [DEBUG] plugin: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5]
2020-12-16T17:42:30.123Z [DEBUG] plugin: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5 pid=177361
2020-12-16T17:42:30.123Z [DEBUG] plugin: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5
2020-12-16T17:42:30.167Z [INFO]  plugin.terraform-provider-aws_v3.21.0_x5: configuring server automatic mTLS: timestamp=2020-12-16T17:42:30.167Z
2020-12-16T17:42:30.221Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: plugin address: address=/tmp/plugin297727332 network=unix timestamp=2020-12-16T17:42:30.220Z
2020-12-16T17:42:30.221Z [DEBUG] plugin: using plugin: version=5
2020-12-16T17:42:30.417Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:30 [INFO] AWS Auth provider used: "SharedCredentialsProvider"
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:30 [DEBUG] Trying to get account information via sts:GetCallerIdentity
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:30 [DEBUG] [aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details:
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ REQUEST POST-SIGN ]-----------------------------
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: POST / HTTP/1.1
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Host: sts.amazonaws.com
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: User-Agent: aws-sdk-go/1.36.0 (go1.14.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.14.2 (+https://www.terraform.io)
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 43
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amz-Date: 20201216T174230Z
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Accept-Encoding: gzip
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Action=GetCallerIdentity&Version=2011-06-15
2020-12-16T17:42:30.418Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ RESPONSE ]--------------------------------------
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: HTTP/1.1 200 OK
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Connection: close
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 405
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: text/xml
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Date: Wed, 16 Dec 2020 17:42:30 GMT
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amzn-Requestid: e6dbd0c6-8423-4b0e-b00c-6967c45ccf72
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] [aws-sdk-go] <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:   <GetCallerIdentityResult>
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <Arn>arn:aws:iam::100040461591:user/xxxxx</Arn>
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <UserId>AIDAI53EZHNPSIX7IBVE6</UserId>
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <Account>100040461591</Account>
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:   </GetCallerIdentityResult>
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:   <ResponseMetadata>
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <RequestId>e6dbd0c6-8423-4b0e-b00c-6967c45ccf72</RequestId>
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:   </ResponseMetadata>
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: </GetCallerIdentityResponse>
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] Trying to get account information via sts:GetCallerIdentity
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] [aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details:
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ REQUEST POST-SIGN ]-----------------------------
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: POST / HTTP/1.1
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Host: sts.amazonaws.com
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: User-Agent: aws-sdk-go/1.36.0 (go1.14.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.14.2 (+https://www.terraform.io)
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 43
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amz-Date: 20201216T174231Z
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Accept-Encoding: gzip
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Action=GetCallerIdentity&Version=2011-06-15
2020-12-16T17:42:31.038Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ RESPONSE ]--------------------------------------
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: HTTP/1.1 200 OK
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Connection: close
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 405
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: text/xml
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Date: Wed, 16 Dec 2020 17:42:31 GMT
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amzn-Requestid: 2ead9dcf-08f2-4b95-82e4-b1aeb5048a7e
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] [aws-sdk-go] <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:   <GetCallerIdentityResult>
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <Arn>arn:aws:iam::100040461591:user/xxxxx</Arn>
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <UserId>AIDAI53EZHNPSIX7IBVE6</UserId>
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <Account>100040461591</Account>
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:   </GetCallerIdentityResult>
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:   <ResponseMetadata>
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <RequestId>2ead9dcf-08f2-4b95-82e4-b1aeb5048a7e</RequestId>
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:   </ResponseMetadata>
2020-12-16T17:42:31.608Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: </GetCallerIdentityResponse>
2020-12-16T17:42:31.614Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeAccountAttributes Details:
2020-12-16T17:42:31.614Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ REQUEST POST-SIGN ]-----------------------------
2020-12-16T17:42:31.614Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: POST / HTTP/1.1
2020-12-16T17:42:31.614Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Host: ec2.eu-west-1.amazonaws.com
2020-12-16T17:42:31.614Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: User-Agent: aws-sdk-go/1.36.0 (go1.14.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.14.2 (+https://www.terraform.io)
2020-12-16T17:42:31.614Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 87
2020-12-16T17:42:31.614Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2020-12-16T17:42:31.615Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amz-Date: 20201216T174231Z
2020-12-16T17:42:31.615Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Accept-Encoding: gzip
2020-12-16T17:42:31.615Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:31.615Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Action=DescribeAccountAttributes&AttributeName.1=supported-platforms&Version=2016-11-15
2020-12-16T17:42:31.615Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeAccountAttributes Details:
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ RESPONSE ]--------------------------------------
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: HTTP/1.1 200 OK
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Connection: close
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 540
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: text/xml;charset=UTF-8
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Date: Wed, 16 Dec 2020 17:42:31 GMT
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Server: AmazonEC2
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amzn-Requestid: 27cfe35a-f92b-4a03-9660-3a90e91d3caf
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: <DescribeAccountAttributesResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <requestId>27cfe35a-f92b-4a03-9660-3a90e91d3caf</requestId>
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <accountAttributeSet>
2020-12-16T17:42:31.852Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:         <item>
2020-12-16T17:42:31.853Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <attributeName>supported-platforms</attributeName>
2020-12-16T17:42:31.853Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <attributeValueSet>
2020-12-16T17:42:31.853Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                 <item>
2020-12-16T17:42:31.853Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     <attributeValue>VPC</attributeValue>
2020-12-16T17:42:31.853Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                 </item>
2020-12-16T17:42:31.853Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             </attributeValueSet>
2020-12-16T17:42:31.853Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:         </item>
2020-12-16T17:42:31.853Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     </accountAttributeSet>
2020-12-16T17:42:31.853Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: </DescribeAccountAttributesResponse>
2020/12/16 17:42:31 [DEBUG] ReferenceTransformer: "aws_security_group.group-x" references: []
aws_security_group.group-x: Refreshing state... [id=sg-0aeadf90782073c8f]
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:31 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeSecurityGroups Details:
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ REQUEST POST-SIGN ]-----------------------------
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: POST / HTTP/1.1
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Host: ec2.eu-west-1.amazonaws.com
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: User-Agent: aws-sdk-go/1.36.0 (go1.14.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.14.2 (+https://www.terraform.io)
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 79
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amz-Date: 20201216T174231Z
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Accept-Encoding: gzip
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Action=DescribeSecurityGroups&GroupId.1=sg-0aeadf90782073c8f&Version=2016-11-15
2020-12-16T17:42:31.857Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeSecurityGroups Details:
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ RESPONSE ]--------------------------------------
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: HTTP/1.1 200 OK
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Connection: close
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 611
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: text/xml;charset=UTF-8
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Date: Wed, 16 Dec 2020 17:42:31 GMT
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Server: AmazonEC2
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amzn-Requestid: f051e16f-5ab3-455e-ba07-3f4b454c5fb2
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: <DescribeSecurityGroupsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <requestId>f051e16f-5ab3-455e-ba07-3f4b454c5fb2</requestId>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <securityGroupInfo>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:         <item>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <ownerId>100040461591</ownerId>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <groupId>sg-0aeadf90782073c8f</groupId>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <groupName>group-x</groupName>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <groupDescription>Managed by Terraform</groupDescription>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <vpcId>vpc-29847d4c</vpcId>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <ipPermissions/>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <ipPermissionsEgress/>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:         </item>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     </securityGroupInfo>
2020-12-16T17:42:32.121Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: </DescribeSecurityGroupsResponse>
2020/12/16 17:42:32 [WARN] Provider "registry.terraform.io/hashicorp/aws" produced an unexpected new value for aws_security_group.group-x during refresh.
      - .tags: was null, but now cty.MapValEmpty(cty.String)
2020-12-16T17:42:32.122Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020-12-16T17:42:32.122Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020/12/16 17:42:32 [DEBUG] ReferenceTransformer: "aws_security_group.group-y" references: []
aws_security_group.group-y: Refreshing state... [id=sg-0a0e3c06d7b451c45]
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeSecurityGroups Details:
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ REQUEST POST-SIGN ]-----------------------------
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: POST / HTTP/1.1
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Host: ec2.eu-west-1.amazonaws.com
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: User-Agent: aws-sdk-go/1.36.0 (go1.14.5; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/0.14.2 (+https://www.terraform.io)
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 79
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: application/x-www-form-urlencoded; charset=utf-8
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amz-Date: 20201216T174232Z
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Accept-Encoding: gzip
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Action=DescribeSecurityGroups&GroupId.1=sg-0a0e3c06d7b451c45&Version=2016-11-15
2020-12-16T17:42:32.131Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeSecurityGroups Details:
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: ---[ RESPONSE ]--------------------------------------
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: HTTP/1.1 200 OK
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Connection: close
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Length: 1518
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Content-Type: text/xml;charset=UTF-8
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Date: Wed, 16 Dec 2020 17:42:31 GMT
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: Server: AmazonEC2
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: X-Amzn-Requestid: a1bce876-a026-4544-9172-648712801a21
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: -----------------------------------------------------
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: <DescribeSecurityGroupsResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <requestId>a1bce876-a026-4544-9172-648712801a21</requestId>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     <securityGroupInfo>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:         <item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <ownerId>100040461591</ownerId>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <groupId>sg-0a0e3c06d7b451c45</groupId>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <groupName>group-y</groupName>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <groupDescription>Managed by Terraform</groupDescription>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <vpcId>vpc-29847d4c</vpcId>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <ipPermissions>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                 <item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     <ipProtocol>tcp</ipProtocol>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     <fromPort>8989</fromPort>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     <toPort>8990</toPort>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     <groups>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                         <item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                             <userId>100040461591</userId>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                             <groupId>sg-0a0e3c06d7b451c45</groupId>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                         </item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                         <item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                             <userId>100040461591</userId>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                             <groupId>sg-0aeadf90782073c8f</groupId>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                         </item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     </groups>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     <ipRanges>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                         <item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                             <cidrIp>10.192.22.52/32</cidrIp>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                         </item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     </ipRanges>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     <ipv6Ranges/>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                     <prefixListIds/>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:                 </item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             </ipPermissions>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:             <ipPermissionsEgress/>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:         </item>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5:     </securityGroupInfo>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: </DescribeSecurityGroupsResponse>
2020-12-16T17:42:32.363Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [DEBUG] Found a remote Rule that wasn't empty: (map[string]interface {}{"cidr_blocks":[]string{"10.192.22.52/32"}, "from_port":8989, "protocol":"tcp", "security_groups":*Set(map[string]interface {}{"857616327":"sg-0aeadf90782073c8f"}), "to_port":8990})
2020/12/16 17:42:32 [WARN] Provider "registry.terraform.io/hashicorp/aws" produced an unexpected new value for aws_security_group.group-y during refresh.
      - .ingress: planned set element cty.ObjectVal(map[string]cty.Value{"cidr_blocks":cty.ListVal([]cty.Value{cty.StringVal("10.192.22.52/32")}), "description":cty.StringVal(""), "from_port":cty.NumberIntVal(8989), "ipv6_cidr_blocks":cty.ListValEmpty(cty.String), "prefix_list_ids":cty.ListValEmpty(cty.String), "protocol":cty.StringVal("tcp"), "security_groups":cty.SetValEmpty(cty.String), "self":cty.False, "to_port":cty.NumberIntVal(8990)}) does not correlate with any element in actual
      - .ingress: planned set element cty.ObjectVal(map[string]cty.Value{"cidr_blocks":cty.ListValEmpty(cty.String), "description":cty.StringVal(""), "from_port":cty.NumberIntVal(8989), "ipv6_cidr_blocks":cty.ListValEmpty(cty.String), "prefix_list_ids":cty.ListValEmpty(cty.String), "protocol":cty.StringVal("tcp"), "security_groups":cty.SetVal([]cty.Value{cty.StringVal("sg-0aeadf90782073c8f")}), "self":cty.False, "to_port":cty.NumberIntVal(8990)}) does not correlate with any element in actual
      - .tags: was null, but now cty.MapValEmpty(cty.String)
2020-12-16T17:42:32.368Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020-12-16T17:42:32.368Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020-12-16T17:42:32.368Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020-12-16T17:42:32.368Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020-12-16T17:42:32.368Z [DEBUG] plugin.terraform-provider-aws_v3.21.0_x5: 2020/12/16 17:42:32 [WARN] Truncating attribute path of 0 diagnostics for TypeSet
2020-12-16T17:42:32.375Z [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2020-12-16T17:42:32.381Z [DEBUG] plugin: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.21.0/linux_amd64/terraform-provider-aws_v3.21.0_x5 pid=177361
2020-12-16T17:42:32.381Z [DEBUG] plugin: plugin exited
2020/12/16 17:42:32 [INFO] backend/local: plan operation completed

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_security_group.group-y will be updated in-place
  ~ resource "aws_security_group" "group-y" {
        id                     = "sg-0a0e3c06d7b451c45"
      ~ ingress                = [
          - {
              - cidr_blocks      = [
                  - "10.192.22.52/32",
                ]
              - description      = ""
              - from_port        = 8989
              - ipv6_cidr_blocks = []
              - prefix_list_ids  = []
              - protocol         = "tcp"
              - security_groups  = [
                  - "sg-0aeadf90782073c8f",
                ]
              - self             = false
              - to_port          = 8990
            },
          + {
              + cidr_blocks      = [
                  + "10.192.22.52/32",
                ]
              + description      = ""
              + from_port        = 8989
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = []
              + self             = false
              + to_port          = 8990
            },
          + {
              + cidr_blocks      = []
              + description      = ""
              + from_port        = 8989
              + ipv6_cidr_blocks = []
              + prefix_list_ids  = []
              + protocol         = "tcp"
              + security_groups  = [
                  + "sg-0aeadf90782073c8f",
                ]
              + self             = false
              + to_port          = 8990
            },
            # (1 unchanged element hidden)
        ]
        name                   = "group-y"
        tags                   = {}
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

github-actions[bot] commented 1 year ago

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

jbscare commented 1 year ago

This is still a problem and it'd be nice if someone could take a look at it.

hashicorp / terraform-provider-aws