"When protocol is ALL, you cannot specify from-port." #53

Closed
boldandbusted opened this issue Apr 24, 2018 · 5 comments

boldandbusted commented Apr 24, 2018

Error: Error applying plan:

1 error(s) occurred:

* module.security_group.aws_security_group_rule.egress_rules: 1 error(s) occurred:

* aws_security_group_rule.egress_rules: Error updating security group sg-455e8739 rule description: InvalidParameterValue: When protocol is ALL, you cannot specify from-port.
        status code: 400, request id: 82db9a18-0a94-458a-8eef-884aef980c35

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

with the following definition:

module "security_group" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "ping_http_ssh"
  description = "Allow ICMP Ping, http, and ssh on standard ports."

  #vpc_id      = "${data.terraform_remote_state.vpc.vpc_id}"
  vpc_id = "${aws_vpc.this_vpc.id}"

  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["http-80-tcp", "all-icmp", "ssh-tcp"]
  egress_rules        = ["all-all"]
}

Which worked last week, but I aggressively update modules with terraform init -upgrade=true. Current versions:

❯ terraform -version
Terraform v0.11.7
+ provider.aws v1.15.0
+ provider.template v1.0.0
+ provider.tls v1.1.0

Thanks for any help. Happy to provide more context. Cheers.

P.S. This is on release 1.22 of this module.

@boldandbusted
Author

FYI, this seems tied to a Terraform AWS provider bug. There is a workaround in this bug - not sure if that workaround is something that should be used within this module until the upstream bug is fixed.

hashicorp/terraform-provider-aws#1920

@antonbabenko
Member

I can't reproduce the specified bug.

Terraform v0.11.7
+ provider.aws v1.18.0

Not sure what we can do with this. Let's reopen when someone else reports it too and/or we can reproduce it.

@mattgodbolt

I'm seeing this too.

Terraform v0.11.8
+ provider.aws v1.38.0

I have an existing egress rule to "everywhere" and I updated a comment, and this triggered the error:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_security_group_rule.CE_EgressToAll
      description: "Temporary hack to see if ALB works" => "Unfettered outbound access"

The change that triggered this in my setup is here.

@antonbabenko
Member

I have just verified that the problem still exists in the Terraform AWS provider - hashicorp/terraform-provider-aws#1920

The problem happens only during update. There is at least one solution/hack described:
hashicorp/terraform-provider-aws#1920 (comment)

I don't think we can do anything in this module at the moment.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 17, 2022