Refreshing a `aws:vpc:SecurityGroupEgressRule` fails with `AutoFlex Flatten; incompatible types`

[Makeshift]

Describe what happened

Refreshing a SecurityGroupEgressRule resource causes incompatible type errors in the terraform-plugin-framework.

Sample program

import * as aws from "@pulumi/aws"
import * as pulumi from "@pulumi/pulumi"

const config = new pulumi.Config()

const buildSecurityGroup = new aws.ec2.SecurityGroup('build-sg', {
  description: 'Test SG',
  vpcId: config.require('vpcId')
})

new aws.vpc.SecurityGroupEgressRule('build-sg-egress', {
  description: 'Allow all outbound traffic',
  securityGroupId: buildSecurityGroup.id,
  cidrIpv4: '0.0.0.0/0',
  ipProtocol: '-1'
}, { parent: buildSecurityGroup })

Full reproduction repo here. Note that in Pulumi.yaml, options.refresh is set to true.

Steps to reproduce:

• Deploy the stack
• Attempt to preview or deploy the stack again (causing a refresh) or alternatively run pulumi refresh
• Pulumi should output the below error message

Log output

Snippet of log:

Diagnostics:
  aws:vpc:SecurityGroupEgressRule (build-sg-egress):
    error:   flex/auto_flatten.go:171: provider.autoflex: AutoFlex Flatten; incompatible types: autoflex.source.type=<nil> autoflex.target.type=github.com/hashicorp/terraform-plugin-framework/types/basetypes.StringValue autoflex.target.path="" provider=aws@6.49.0 autoflex.source.path="" to=basetypes.StringType from=invalid
    error:   flex/auto_flatten.go:171: provider.autoflex: AutoFlex Flatten; incompatible types: provider=aws@6.49.0 autoflex.source.path="" autoflex.target.path="" autoflex.target.type=github.com/hashicorp/terraform-plugin-framework/types/basetypes.StringValue autoflex.source.type=<nil> from=invalid to=basetypes.StringType

Full debug log can be found here

Affected Resource(s)

The only resource I've noticed it affecting is aws:vpc:SecurityGroupEgressRule, though ingress rules and others may also be affected.

Output of pulumi about

CLI
Version      3.129.0
Go Version   go1.22.6
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  aws         6.49.0
resource  aws-native  0.116.0
resource  awsx        2.14.0
resource  docker      4.5.5
resource  docker      3.6.1
language  nodejs      unknown (@makeshift edit - it's 18.18.2)

Host
OS       ubuntu
Version  23.04
Arch     x86_64

This project is written in nodejs: executable='/home/connor/.nvm/versions/node/v18.18.2/bin/node' version='v18.18.2'

Current Stack: organization/pulumi-securitygroup-bug/dev

TYPE                                                     URN
pulumi:pulumi:Stack                                      urn:pulumi:dev::pulumi-securitygroup-bug::pulumi:pulumi:Stack::pulumi-securitygroup-bug-dev
pulumi:providers:aws                                     urn:pulumi:dev::pulumi-securitygroup-bug::pulumi:providers:aws::default_6_49_0
aws:ec2/securityGroup:SecurityGroup                      urn:pulumi:dev::pulumi-securitygroup-bug::aws:ec2/securityGroup:SecurityGroup::build-sg
aws:vpc/securityGroupEgressRule:SecurityGroupEgressRule  urn:pulumi:dev::pulumi-securitygroup-bug::aws:ec2/securityGroup:SecurityGroup$aws:vpc/securityGroupEgressRule:SecurityGroupEgressRule::build-sg-egress

Found no pending operations associated with dev

Backend
Name           einstein
URL            s3://ebx-pulumi-state-store-prod/?profile=original-main-account
User           connor
Organizations
Token type     personal

Dependencies:
NAME                VERSION
@pulumi/aws-native  0.116.0
@pulumi/aws         6.49.0
@pulumi/awsx        2.14.0
@pulumi/pulumi      3.129.0
@types/node         18.19.44
typescript          5.5.4

Additional context

This can be worked around by using --continue-on-error or disabling refresh during preview/deployment, though it obviously isn't ideal.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[t0yv0]

This looks like https://github.com/hashicorp/terraform-provider-aws/issues/38830 and should go away once we upgrade upstream to v5.63.0. I'm sorry you are hitting this issue.

[pulumi-bot]

This issue has been addressed in PR #4378 and shipped in release v6.50.0.

[bmillwood]

FWIW I found that even after upgrading my AWS plugin, I was still hitting the error. I did some terrible nonsense in order to delete the affected resources from my state and reimport them with the new provider, and that seemed to fix it. (Can say more about what exactly I did if anyone else has the same problem.)

[mwalker-g2u]

I found that once I was 6.54.2 although all the errors showed during pulumi up --refresh it would let me continue, and once the update was complete it was all resolved.