aws_security_group erroneously wants to recreate with provider v3.0.0 #14494

Closed
grimm26 opened this issue Aug 6, 2020 · 2 comments

@grimm26
Contributor

grimm26 commented Aug 6, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

Terraform v0.12.28

  • provider.aws v3.0.0

Affected Resource(s)

  • aws_security_group

Terraform Configuration Files

https://gist.github.com/grimm26/14cd526ebd45ca22d442bbf5fb80059e

Debug Output

https://gist.github.com/grimm26/98c1acbdb5a7381cab9a6574ef938487

Expected Behavior

No changes.

Actual Behavior

Terraform wanted to recreate the aws_security_group because it claimed the name_prefix was new. It is not. If I init with aws v2.70.0 a terraform plan shows no changes. If I init with aws provider v3.0.0, a plan shows name_prefix is being added and forcing a delete/create.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.vpc.module.vpc_base_security_groups.aws_security_group.allow_enova_internal_ssh must be replaced
-/+ resource "aws_security_group" "allow_our_internal_ssh" {
      ~ arn                    = "arn:aws:ec2:us-east-2:1234567890:security-group/sg-14c18f7c" -> (known after apply)
        description            = "Allow SSH from our internal subnets"
        egress                 = [
            {
                cidr_blocks      = [
                    "0.0.0.0/0",
                ]
                description      = ""
                from_port        = 0
                ipv6_cidr_blocks = []
                prefix_list_ids  = []
                protocol         = "-1"
                security_groups  = []
                self             = false
                to_port          = 0
          },
....
      ~ name                   = "allow_our_internal00e8eef0f31c2f62c9c4b5bebc" -> (known after apply)
      + name_prefix            = "allow_our_internal" # forces replacement
....

Steps to Reproduce

I haven't been able to reproduce this from scratch, and I haven't had this problem on every use of my VPC module. Basically, all I do is change the version pin to allow v3.x and this problem crops up in some cases.

Important Factoids

We wrap terraform with terragrunt.
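
Added example, not part of the issue or of the provider's code: a pre-apply check that reads `terraform show -json` output and lists each `aws_security_group` the plan would destroy and recreate, together with the attributes that differ. The sample plan is constructed and modelled on the output above, and the function name `replaced_security_groups` is hypothetical.

```python
import json
import sys

# Constructed sample: trimmed `terraform show -json <planfile>` output,
# modelled on the plan in the issue (values are illustrative).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.vpc.aws_security_group.allow_our_internal_ssh",
   "type": "aws_security_group",
   "change": {
     "actions": ["delete", "create"],
     "before": {"name": "allow_our_internal00e8eef0f31c2f62c9c4b5bebc",
                "name_prefix": null,
                "description": "Allow SSH from our internal subnets"},
     "after": {"name_prefix": "allow_our_internal",
               "description": "Allow SSH from our internal subnets"},
     "after_unknown": {"name": true, "arn": true}}},
  {"address": "aws_security_group.unchanged",
   "type": "aws_security_group",
   "change": {"actions": ["no-op"], "before": {"name": "x"},
              "after": {"name": "x"}, "after_unknown": {}}}
]}
""")


def replaced_security_groups(plan, resource_type="aws_security_group"):
    """Map each to-be-replaced resource to its known, changed attributes."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is reported as both "delete" and "create".
        if rc.get("type") != resource_type or not {"delete", "create"} <= set(actions):
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        # Skip "(known after apply)" values; they always differ.
        findings[rc["address"]] = sorted(
            k for k in set(before) | set(after)
            if unknown.get(k) is not True and before.get(k) != after.get(k))
    return findings


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = replaced_security_groups(plan)
    for address, attrs in hits.items():
        print(f"{address}: replacement planned; changed attributes: {attrs}")
    sys.exit(1 if hits else 0)
```

To run it against a real plan, save the plan with `terraform plan -out=plan.tfplan`, convert it with `terraform show -json plan.tfplan > plan.json`, and pass `plan.json` as the argument; the non-zero exit status can gate an apply after a provider upgrade.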

@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Aug 6, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Aug 6, 2020
@ewbankkit ewbankkit added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Aug 6, 2020
@ewbankkit
Contributor

@grimm26 Thanks for raising this issue.
It has already been noticed in #14474. I'm going to close this one as a duplicate so that we can concentrate discussion in the linked issue.
Please add any additional comments there.

The issue has been fixed in #14475 which will be released in v3.1.0 of the Terraform AWS Provider.

@ghost

ghost commented Sep 6, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Sep 6, 2020