
Security Group tries to be destroyed before detaching from RDS Cluster #9692

Open
lfventura opened this issue Aug 9, 2019 · 10 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. service/rds Issues and PRs that pertain to the rds service.

Comments

@lfventura

lfventura commented Aug 9, 2019

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.6

  • provider.aws v2.23.0
  • provider.random v2.2.0

Affected Resource(s)

  • aws_security_group
  • aws_rds_cluster

Terraform Configuration Files

Debug Output

Panic Output

No Panic Output, just keeps trying to delete the SG indefinitely

Expected Behavior

The SG should be deleted after updating the RDS Cluster SGs

Actual Behavior

It tries to delete the SG before removing the SG from RDS Cluster

Steps to Reproduce

  1. First run a code that will create the SG and add it to the RDS Cluster

```hcl
resource "aws_rds_cluster" "this" {
...
  vpc_security_group_ids              = var.allowed_security_groups_count > 0 ? concat([aws_security_group.this[0].id], var.vpc_security_group_ids) : var.vpc_security_group_ids
...
}

resource "aws_security_group" "this" {
  count       = var.allowed_security_groups_count > 0 ? 1 : 0
  name_prefix = "${var.name}-"
  vpc_id      = var.vpc_id
  tags        = var.tags
}

variable "allowed_security_groups_count" {
  default = 1
}

variable "vpc_security_group_ids" {
  default = ["sg-aaaaaaaa"]
}
```

  2. Then update the code for something that will destroy the SG, Example:

```hcl
resource "aws_rds_cluster" "this" {
...
  vpc_security_group_ids              = var.allowed_security_groups_count > 0 ? concat([aws_security_group.this[0].id], var.vpc_security_group_ids) : var.vpc_security_group_ids
...
}

resource "aws_security_group" "this" {
  count       = var.allowed_security_groups_count > 0 ? 1 : 0
  name_prefix = "${var.name}-"
  vpc_id      = var.vpc_id
  tags        = var.tags
}

variable "allowed_security_groups_count" {
  default = 0
}

variable "vpc_security_group_ids" {
  default = ["sg-aaaaaaaa"]
}
```

Terraform will recognize that the SG needs to be destroyed and removed from RDS Cluster, but it keeps trying to remove the SG before detaching it from the RDS Cluster.

Important Factoids

Nothing

References

@ghost ghost added service/ec2 Issues and PRs that pertain to the ec2 service. service/rds Issues and PRs that pertain to the rds service. labels Aug 9, 2019
@bflad bflad added the needs-triage Waiting for first response or review from a maintainer. label Aug 12, 2019
@brucedvgw

Just encountered this issue in v0.12.17.

I had to manually remove the security group from the RDS instances and then run the terraform apply again for it to destroy/replace them. However it didn't re-attach them to the RDS instances. I had to run it again for it to pick up that this also needed updating.

@rehevkor5
Contributor

This occurs with security groups attached to aws_vpc_endpoint resources, too.

@janosmiko

This issue still exists with:

  • Terraform v0.12.24

  • provider.aws v2.53.0

@emmm-dee

emmm-dee commented Oct 8, 2020

Confirming this is still a problem in versions. In my case I have EC2 instances attached to the SG and it does not try to detach before destroying the SG.

Terraform v0.12.29
+ provider.aws v3.9.0

@klolik

klolik commented Aug 6, 2021

Same for load balancer attached security groups.

Renaming TF resource resource "aws_security_group" "this" to resource "aws_security_group" "that" makes TF stuck trying to destroy this security group when it still is applied to application load balancer.

  • Terraform v0.12.31
  • provider.aws 3.26.0

@c4milo
Contributor

c4milo commented Nov 18, 2021

It happens as well to SGs attached through ASGs.

@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Dec 9, 2021
@pspot2

pspot2 commented Dec 23, 2021

Also applies to VPC endpoint implicitly created by aws_transfer_server resource.

@cfernhout

I have the same issue with RDS and VPC SG. Running TF v1.1.9 & AWS v4.8.0

@demisx

demisx commented Sep 23, 2023

Similar issue with EC2 instance hashicorp/terraform#8617. Does anyone have any workaround for disassociating security group first?

@emmaLP

emmaLP commented Jul 3, 2024

Getting this issue when leveraging the AWS provider RDS tf module.

I've tried the create_before_destroy option on the security group, you can see the RDS security_group_rule get updated but this does not get applied to the rds cluster.

I am having to manually update the attached security groups on an RDS instance for the new security group to be added.

Please can we get an update on this, or has anyone found a non-manual workaround?
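Added illustration, not code from the thread or the provider: before destroying a security group, list the network interfaces that still reference it, which is the condition that leaves the apply retrying in every case reported above (RDS cluster, VPC endpoint, load balancer, EC2/ASG). The response shape is that of EC2 DescribeNetworkInterfaces; the function names `sg_holders` and `safe_to_delete`, the `SAMPLE` payload and all resource ids are constructed for this example.

```python
# Added example: find which ENIs still hold a security group, using the
# EC2 DescribeNetworkInterfaces response shape. Live use would be
#   ec2.describe_network_interfaces(Filters=[{"Name": "group-id", "Values": [sg_id]}])
# via boto3; here a constructed response stands in so the check runs offline.


def sg_holders(response: dict, sg_id: str) -> list:
    """Return one record per network interface whose Groups reference sg_id."""
    holders = []
    for eni in response.get("NetworkInterfaces", []):
        if not any(g.get("GroupId") == sg_id for g in eni.get("Groups", [])):
            continue
        attachment = eni.get("Attachment", {})
        holders.append({
            "eni": eni["NetworkInterfaceId"],
            "type": eni.get("InterfaceType", "interface"),
            # An EC2 ENI names its instance; service-managed ENIs (RDS,
            # endpoints, load balancers) only carry the requesting service.
            "owner": attachment.get("InstanceId") or eni.get("RequesterId", "unknown"),
            "description": eni.get("Description", ""),
        })
    return holders


def safe_to_delete(response: dict, sg_id: str) -> bool:
    """DeleteSecurityGroup only succeeds once no ENI references the group."""
    return not sg_holders(response, sg_id)


# Constructed sample: one RDS-managed ENI, one VPC endpoint ENI and one
# instance ENI. Every id below is a placeholder.
SAMPLE = {
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0aaa1", "InterfaceType": "interface",
         "Description": "RDSNetworkInterface", "RequesterId": "amazon-rds",
         "Groups": [{"GroupId": "sg-0000deadbeef", "GroupName": "db-"}]},
        {"NetworkInterfaceId": "eni-0bbb2", "InterfaceType": "vpc_endpoint",
         "Description": "VPC Endpoint Interface vpce-placeholder",
         "RequesterId": "endpoint-service-placeholder",
         "Groups": [{"GroupId": "sg-0000deadbeef"}, {"GroupId": "sg-0000c0ffee00"}]},
        {"NetworkInterfaceId": "eni-0ccc3", "InterfaceType": "interface",
         "Description": "", "Attachment": {"InstanceId": "i-0placeholder"},
         "Groups": [{"GroupId": "sg-0000c0ffee00"}]},
    ]
}

if __name__ == "__main__":
    for record in sg_holders(SAMPLE, "sg-0000deadbeef"):
        print(record)
```

Run the check against the live response for the group Terraform is stuck on; the `owner`/`description` fields tell you which service still has to release it before the destroy can succeed.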
