feat: updating security groups for NLBs doesn't trigger a replacement

elchead · Oct 8, 2023 · 7d43256 · 7d43256
1 parent 3a33e81
commit 7d43256
Showing 1 changed file with 21 additions and 7 deletions.
diff --git a/internal/service/elbv2/load_balancer.go b/internal/service/elbv2/load_balancer.go
@@ -1048,15 +1048,29 @@ func customizeDiffNLB(_ context.Context, diff *schema.ResourceDiff, v interface{
 	}
 
 	// Get diff for security groups.
-	o, n = diff.GetChange("security_groups")
-	os, ns = o.(*schema.Set), n.(*schema.Set)
-
-	if (os.Len() == 0 && ns.Len() > 0) || (ns.Len() == 0 && os.Len() > 0) {
-		if err := diff.ForceNew("security_groups"); err != nil {
-			return err
+	sgCountKnown := diff.NewValueKnown("security_groups.#")
+	o, n = diff.GetChange("security_groups.#")
+	oi, ni := o.(int), n.(int)
+
+	// If the final values for the security_groups field is known, then we can compare the old and new security_group
+	// counts.  If one value is zero and the other value is non-zero, then trigger a replacement
+	if sgCountKnown {
+		if (oi == 0 && ni > 0) || (ni == 0 && oi > 0) {
+			if err := diff.ForceNew("security_groups"); err != nil {
+				return err
+			}
+		}
+		// Here's where things get complicated.  If the value is computed, then the final output could be zero or non-zero
+		// This code block is going to make the assumption that when the value is computed, it is the intent of the
+		// developer for that final computed value to be non-zero.
+	} else {
+		log.Println("[DEBUG] security_groups is a computed value, will assume  the final is greater than 0")
+		if oi == 0 {
+			if err := diff.ForceNew("security_groups"); err != nil {
+				return err
+			}
 		}
 	}
-
 	return nil
 }