Crash after plan; inconsistent set element types aws_security_group ipv6_cidr_blocks

[amh-mw]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.12.0

• provider.aws v2.9.0

Affected Resource(s)

• aws_security_group
• aws_vpc

Terraform Configuration Files

Apologies for any typos; manual redactions.

terraform {
  backend "remote" {
    organization = "foo"

    workspaces {
      prefix = "foo-"
    }
  }
}

locals {
  cidr_blocks = [
    "1.2.3.4/32",
  ]

  ipv6_cidr_blocks = [
    "12::34/128",
  ]
}

resource "aws_vpc" "foo" {
  assign_generated_ipv6_cidr_block = true
  cidr_block                       = "172.0.0.0/16"
  enable_dns_support               = true
  enable_dns_hostnames             = true
}

resource "aws_security_group" "foo" {
  name   = "foo"
  vpc_id = aws_vpc.foo.id

  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks = local.cidr_blocks
    ipv6_cidr_blocks = local.ipv6_cidr_blocks
  }

  ingress {
    from_port        = 22
    to_port          = 22
    protocol         = "tcp"
    cidr_blocks      = [aws_vpc.foo.cidr_block]
    ipv6_cidr_blocks = [aws_vpc.foo.ipv6_cidr_block]
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["172.0.0.0/8"]
    # Note lack of ipv6_cidr_blocks here?
  }

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.bar.id]
    # Note lack of ipv6_cidr_blocks here?
  }
}

Debug Output

Could be provided on request. HCL above is a rather small excerpt of a larger whole.

Panic Output

https://gist.github.com/amh-mw/d09d28a26ef43c2ac0843434023aca6d

...
Plan: 0 to add, 3 to change, 0 to destroy.
Failed running command "cd /terraform; envdir /env terraform show -json /terraform/terraform.tfplan" (exit 2)
Output: panic: inconsistent set element types (
cty.Object(map[string]cty.Type{"cidr_blocks":cty.List(cty.Bool), "description":cty.Bool, "from_port":cty.Bool, "ipv6_cidr_blocks":cty.List(cty.Bool), "prefix_list_ids":cty.List(cty.String), "protocol":cty.Bool, "security_groups":cty.Set(cty.String), "self":cty.Bool, "to_port":cty.Bool}) then
cty.Object(map[string]cty.Type{"cidr_blocks":cty.List(cty.Bool), "description":cty.Bool, "from_port":cty.Bool, "ipv6_cidr_blocks":cty.List(cty.String), "prefix_list_ids":cty.List(cty.String), "protocol":cty.Bool, "security_groups":cty.Set(cty.String), "self":cty.Bool, "to_port":cty.Bool}))
                                                                                                                                                 ^
LOOK HERE ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> ---> |

Expected Behavior

No crash.

Actual Behavior

Crash.

Steps to Reproduce

1. terraform plan

Important Factoids

Just upgraded from 0.11.4 to 0.12.0 per https://www.terraform.io/upgrade-guides/0-12.html
Running against TFE/d377923
I deleted all egress/ingress stanzas and ran plan again, same crash.

References

• None yet.

[mildwonkey]

Hi @amh-mw! I'm sorry you've run across this, and thank you for reporting it! From the error you've shared, it looks like the crash occurs when you run terraform show -json, not terraform plan - if you remove the show command, can you run terraform apply without issue (we will get useful information even if you run terraform apply but then don't approve the changes)?

[ghost]

I'm running terraform plan locally, but TFE is running terraform show -json on the remote before it returns. Running terraform apply locally fails immediately with

Error: Apply not allowed for workspaces with a VCS connection

A workspace that is connected to a VCS requires the VCS-driven workflow to
ensure that the VCS remains the single source of truth.

[mildwonkey]

🤔Thanks for the clarification. I'm going to open a new issue in the main terraform repository and close this one, since the failure is coming from terraform show -json.

I'll copy your comments and put a link to the new issue here, then close this one.

[mildwonkey]

New issue:
hashicorp/terraform#21415

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!