
aws_security_group documentation and plan validation issues with a non-vpc SG using a protocol value of "-1" #16082

Closed
ryno75 opened this issue Sep 13, 2017 · 2 comments

Comments

@ryno75
Contributor

ryno75 commented Sep 13, 2017

Terraform Version

Terraform v0.10.4

Terraform Configuration Files

resource "aws_security_group" "test" {
  name        = "test_sg"
  description = "Test SG"

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["192.168.0.0/16"]
  }
}

Debug Output

plan: https://gist.github.com/ryno75/9bc7f915b2de350976e03e1fe6c410a5
apply: https://gist.github.com/ryno75/0356173e5ab99fd30b5814b027dbc2e2

Expected Behavior

According to the Terraform documentation (and plan seems to confirm this), this should be a perfectly acceptable configuration, but in fact it is not. Only Security Groups created under VPCs are allowed to have a protocol value of anything but "tcp", "udp", and "icmp" (i.e. "-1").

Actual Behavior

An EC2 API exception is returned to Terraform and raised.

Error applying plan:

1 error(s) occurred:

* aws_security_group.test_sg: 1 error(s) occurred:

* aws_security_group.test_sg: Error authorizing security group ingress rules: InvalidPermission.Malformed: Unsupported IP protocol "-1"  - supported: [tcp, udp, icmp]
	status code: 400, request id: 14e00208-087d-4cf1-b5c0-23c48f70f0d9

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

  1. Create an aws_security_group resource that has no vpc_id and contains an ingress rule with a protocol value of "-1"
  2. terraform init
  3. terraform apply

Important Factoids

I am not expecting this to result in a change to the behavior of terraform apply but rather that the documentation will be updated to reflect this limitation and that terraform plan will return an exception indicating an invalid configuration.

The Terraform documentation for aws_security_group
https://www.terraform.io/docs/providers/aws/r/security_group.html actually has an example that would result in the above error if it were run as presented (it does not have a vpc_id defined but has a protocol value of "-1"). See "Basic Usage" under "Example Usage".
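A plan-time check of the kind the reporter asks for, written here as an added example in Go (the provider's language) and not code from Terraform or the AWS provider; the Rule and SecurityGroup types, numericAliases and ValidateClassicProtocols are assumptions standing in for the provider's real schema and validation hooks.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one ingress/egress block; only the protocol matters here.
type Rule struct{ Protocol string }

// SecurityGroup is the subset of aws_security_group this check reads
// (assumed shape, not the provider's schema). Empty VPCID = non-VPC group.
type SecurityGroup struct {
	Name, VPCID     string
	Ingress, Egress []Rule
}

// numericAliases maps protocol numbers Terraform accepts onto the names
// the EC2 API reports, so "6" and "tcp" are treated alike.
var numericAliases = map[string]string{"6": "tcp", "17": "udp", "1": "icmp", "all": "-1"}

func normalizeProtocol(p string) string {
	p = strings.ToLower(strings.TrimSpace(p))
	if name, ok := numericAliases[p]; ok {
		return name
	}
	return p
}
// ValidateClassicProtocols mirrors the EC2 API restriction from the issue:
// a group without vpc_id may only use tcp, udp or icmp, so "-1" is rejected
// before apply. Every offending rule is returned; nil means acceptable.
func ValidateClassicProtocols(sg SecurityGroup) []error {
	if sg.VPCID != "" {
		return nil // VPC groups accept "-1" and other protocol numbers
	}
	supported := map[string]bool{"tcp": true, "udp": true, "icmp": true}
	var errs []error
	check := func(kind string, rules []Rule) {
		for i, r := range rules {
			if !supported[normalizeProtocol(r.Protocol)] {
				errs = append(errs, fmt.Errorf("%s: %s rule %d: unsupported IP protocol %q for a non-VPC security group (supported: tcp, udp, icmp)",
					sg.Name, kind, i, r.Protocol))
			}
		}
	}
	check("ingress", sg.Ingress)
	check("egress", sg.Egress)
	return errs
}
```

Run against the issue's configuration (no vpc_id, protocol "-1"), the check fails at plan time with the same message the EC2 API returns at apply time; adding a vpc_id makes it pass.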

@hashibot
Contributor

This issue has been automatically migrated to hashicorp/terraform-provider-aws#1670 because it looks like an issue with that provider. If you believe this is not an issue with the provider, please reply to this issue and let us know.

@ghost

ghost commented Apr 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 7, 2020