### Terraform Version

```shell
Terraform v1.14.1
on windows_amd64
+ provider registry.terraform.io/hashicorp/aws v6.23.0
```

### Terraform Configuration Files

```terraform
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 6.0"
    }
  }
}

provider "aws" {
  # target aws region.
  region = "eu-west-1"
}

resource "aws_db_instance" "default" {
  allocated_storage = 10
  db_name           = "mydb"
  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t3.micro"
  username          = "foo"
  password          = "baaaaaar"
  vpc_security_group_ids = [
    "sg-09f7d1e78103ed6ae",
    "sg-0a87fcac2744665d7",
    aws_security_group.db.id
  ]
  #depends_on = [ aws_security_group.manual ]
}

resource "aws_security_group" "db" {
  name        = "terraform-sg"
  description = "created by terraform"
  #lifecycle {
  #  create_before_destroy = true
  #}
}
```

### Debug Output

```
│ Error: deleting ENIs using Security Group (sg-0f5b9958c2158ca75): 1 error occurred:
│ 	* detaching RDS ENI (eni-04cf7c00b668f5c36): detaching EC2 Network Interface (eni-04cf7c00b668f5c36/eni-attach-059627e484b57d0bf): operation error EC2: DetachNetworkInterface, https response error StatusCode: 400, RequestID: 2a02fe21-82b3-4156-95b1-65dc63adc66e, api error AuthFailure: You do not have permission to access the specified resource.
```

### Expected Behavior

The RDS ENI should not get detached.

### Actual Behavior

Terraform tries to detach the network interface instead of just replacing one security group.

### Steps to Reproduce

1. Create the Terraform stack.
2. Update the security group resource so it has to be replaced, for example by changing the name.
3. Terraform will fail with the error `deleting ENIs using Security Group`.

### Additional Context

The setup is just an RDS instance with a security group created with Terraform, and one day you decide to replace that security group. `terraform plan` will say the whole list of security groups will be deleted even though we only changed one security group in the list (which is unexpected).
I suppose Terraform asks to delete all security groups on the network interface, but since a network interface has to have at least one group, the network interface gets detached. But the network interface belongs to the RDS instance and we don't have rights to detach a network interface managed by RDS.

```
Terraform will perform the following actions:

  # aws_db_instance.default will be updated in-place
  ~ resource "aws_db_instance" "default" {
        id                                    = "db-DE3JEYDG3KGUHGRHTZE7XCV3FY"
        tags                                  = {}
      ~ vpc_security_group_ids                = [
          - "sg-09f7d1e78103ed6ae",
          - "sg-0a87fcac2744665d7",
          - "sg-0f5b9958c2158ca75",
        ] -> (known after apply)
        # (72 unchanged attributes hidden)
    }
```

Because the `vpc_security_group_ids` argument is a set, removing or adding a security group gets tracked properly and is added/removed by Terraform with the expected plan output. But if you have a reference to a resource, Terraform outputs a change of the whole list instead of just the resource. I suppose that since the new resource is not created yet and its id is not known, Terraform decides to mark the whole list as deleted (I am not sure if this is a bug).

I tried to add `depends_on = [ aws_security_group.manual ]` on the `aws_db_instance` resource, but it didn't help. Actually, once I somehow managed to make it work, but I can't reproduce it consistently. I assume it is a race condition/undefined behavior. Using `create_before_destroy = true` doesn't help either.

The only way to make it work is to remove the security group from `vpc_security_group_ids` before it is recreated (`terraform apply`) and add it back after it is recreated (`terraform apply` again). Terraform will then know what the security group id to be added to the list is and properly notice that only one element of the set changed, and the network interface won't be detached.

I believe this bug can also happen on EC2, but because I don't get an error there I didn't want to investigate it further. Maybe there are other configurations that could lead to the same situation.
### References

I am not sure if this one is similar: https://github.com/hashicorp/terraform/issues/30741

### Generative AI / LLM assisted development?

_No response_
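The two-pass workaround the reporter describes (drop the managed group from the set, apply, add it back, apply again) can be scripted as a single configuration with a toggle, so the manual edit between the two applies is not needed. This is an added example written for this page, not code from the issue or from the AWS provider; the `attach_db_sg` variable and the new group name `terraform-sg-v2` are assumptions introduced here, while the two literal group ids and the instance settings are the ones from the reported configuration.

```terraform
# Added example: two-pass replacement of a Terraform-managed security group that
# is attached to an RDS instance, without the set ever collapsing to
# "(known after apply)".
#
# Assumptions (not part of the reported configuration): the "attach_db_sg"
# variable and the changed group name "terraform-sg-v2".

variable "attach_db_sg" {
  description = "Whether the Terraform-managed security group is attached to the RDS instance."
  type        = bool
  default     = true
}

resource "aws_security_group" "db" {
  # Changing the name forces the group to be replaced.
  name        = "terraform-sg-v2"
  description = "created by terraform"
}

resource "aws_db_instance" "default" {
  allocated_storage = 10
  db_name           = "mydb"
  engine            = "mysql"
  engine_version    = "8.0"
  instance_class    = "db.t3.micro"
  username          = "foo"
  password          = "baaaaaar"

  # The statically known groups are literals, so they are never "known after
  # apply": the RDS ENI keeps at least one group on every apply and is never
  # detached. The managed group is only concatenated in when the toggle is on.
  vpc_security_group_ids = concat(
    ["sg-09f7d1e78103ed6ae", "sg-0a87fcac2744665d7"],
    var.attach_db_sg ? [aws_security_group.db.id] : []
  )
}
```

Pass 1: `terraform apply -var attach_db_sg=false`. The instance references only the two literal groups, so the plan shows a precise removal of the old group id and the group itself is replaced without touching the ENI. Pass 2: `terraform apply` (the default is `true`). The new group id is now in state, so the plan adds exactly one element to the set. Between the two passes the database is reachable only through the two literal groups; if the managed group carried the only inbound rule for your clients, that access is absent until pass 2 completes, so schedule the two applies back to back.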