aws_security_group name_prefix is sometimes not written to the statefile

[alext]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.12.29

• provider.aws v3.0.0

Affected Resource(s)

• aws_security_group

It may also affect other resources that support name_prefix

Terraform Configuration Files

resource "aws_security_group" "test" {
  count = 10

  name_prefix = "my-prefix-"
  description = "Test SG"

  tags = {
    Name = "test-${count.index}"
  }

  lifecycle {
    create_before_destroy = true
  }
}

Debug Output

https://gist.github.com/alext/8daddcc3d51190b18fefaa2a7ab130ef

Panic Output

n/a

Expected Behavior

Terraform should have created the security groups and stored the name_prefixes in the state file so that subsequent runs don't attempt to recreate any of the groups.

Actual Behavior

One of the groups did not have it's name_prefix property stored in the statefile, leading to subsequent terraform runs attempting to recreate the group. A second terraform apply produces the following plan:

Terraform will perform the following actions:

  # aws_security_group.test[3] must be replaced
+/- resource "aws_security_group" "test" {
      ~ arn                    = "arn:aws:ec2:eu-west-2:511939987248:security-group/sg-0bc9ae1864aa43247" -> (known after apply)
        description            = "Test SG"
      ~ egress                 = [] -> (known after apply)
      ~ id                     = "sg-0bc9ae1864aa43247" -> (known after apply)
      ~ ingress                = [] -> (known after apply)
      ~ name                   = "my-prefix-2020080509412527180000000a" -> (known after apply)
      + name_prefix            = "my-prefix-" # forces replacement
      ~ owner_id               = "511939987248" -> (known after apply)
        revoke_rules_on_delete = false
        tags                   = {
            "Name" = "test-3"
        }
      ~ vpc_id                 = "vpc-185bde71" -> (known after apply)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Steps to Reproduce

1. Run an initial terraform apply to create the groups
2. Run a second terraform apply and see that it wants to recreate one of the security groups.

[alext]

I think I've tracked down the source of the problem here. It seems that naming.NamePrefixFromName and related functions assume that the generated ID suffixes are a string of digits, when resource.PrefixedUniqueId actually generates the suffix with hex digits.

I can raise a PR to address this.

[bflad]

The fix for this has been merged and will release with version 3.1.0 of the Terraform AWS Provider, likely tomorrow. Thanks to @alext for the discovery and implementation. 👍

[ghost]

This has been released in version 3.1.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!