terraform-provider-aws: aws_security_group_rule: InvalidParameterValue: When protocol is ALL, you cannot specify from-port.

Hi there, I found an issue when I tried to update the description of an aws_security_group_rule.

Terraform Version

  • Terraform v0.10.7
  • terraform-provider-aws_v1.1.0_x4

Affected Resource(s)

  • aws_security_group_rule
Terraform Configuration Files

resource "aws_security_group_rule" "sg-egress" {
  security_group_id = "${aws_security_group.sg.id}"
  type              = "egress"
  # protocol "-1" means all protocols; the port range carries no meaning for such a rule
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "all"
}

Plan Output

$ terraform plan
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ module.network.aws_security_group_rule.sg-egress
      description: "" => "all"


Plan: 0 to add, 1 to change, 0 to destroy.

Apply Output

$ terraform apply
module.network.aws_security_group_rule.sg-egress: Modifying... (ID: sgrule-xxxx)
  description: "" => "all"
Error applying plan:

1 error(s) occurred:

* module.network.aws_security_group_rule.sg-egress: 1 error(s) occurred:

* aws_security_group_rule.sg-egress: Error updating security group sg-xxxx rule description: InvalidParameterValue: When protocol is ALL, you cannot specify from-port.
	status code: 400, request id: xxxxx

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 24
  • Comments: 32 (8 by maintainers)

Most upvoted comments

I get the same error when I try to update an aws_security_group_rule in eu-west-1. I did not get this error in us-west-2 or us-east-1.

Edit: I am using terraform 0.10.8. Edit: I upgraded from version 1.1 of the aws provider to version 1.2 and I am still seeing the problem.

The fix for this has been merged and will release with version 1.43.1 of the AWS provider, likely in the next hour or so. 👍

Bug fix pull request submitted: #6407

For what it's worth, a large portion of these issues would likely go away if the EC2 API provided stable identifiers for security group rules. As it stands currently, we're dependent on identifying and modifying rules/descriptions using the EC2 data type IpPermissions (e.g. a combination of IPs, protocol, ports) along with converting between supported values that AWS will accept on input and normalized ones on their backend (e.g. -1 <=> ALL).

In this case (without diving into the code) it seems we might be passing too much information to UpdateSecurityGroupRuleDescriptions(Ingress|Egress).
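The mechanism the maintainer describes above (rules identified by their IpPermissions tuple, -1 normalized to ALL, and the update call rejecting a from-port for an all-traffic rule), as an added example that is not part of the issue thread or of the provider's own code. The payload shapes and the method names update_security_group_rule_descriptions_egress / _ingress are those of boto3's EC2 client, so a real client could be passed in; RecordingClient, demo_all_traffic_egress, the group id sg-xxxx and the sample DescribeSecurityGroups rules are constructed for this example, and the numeric-to-name protocol mapping is an assumption about how EC2 echoes rules back.

```python
"""Added example (not provider code): build the EC2 payload for updating a
security-group rule description, and locate an existing rule by its
IpPermissions tuple, since EC2 exposes no stable rule identifier.

The data shapes mirror what boto3's EC2 client sends and receives, so
update_rule_description() can be handed a real boto3 client; the
RecordingClient below is a constructed stand-in so the example runs offline.
"""

ALL_PROTOCOLS = "-1"

# Protocol numbers that EC2 reports back by name (assumption, based on how
# DescribeSecurityGroups echoes rules that were created with numeric protocols).
_PROTOCOL_NAMES = {"6": "tcp", "17": "udp", "1": "icmp", "58": "icmpv6"}


def normalize_protocol(protocol):
    """Map the values Terraform accepts (-1, "all", "tcp", "6", ...) onto the
    form EC2 stores: "all" becomes "-1", well-known numbers become names."""
    p = str(protocol).strip().lower()
    if p in ("-1", "all"):
        return ALL_PROTOCOLS
    return _PROTOCOL_NAMES.get(p, p)


def build_ip_permission(protocol, from_port, to_port, cidr_blocks, description):
    """Return one IpPermissions entry for UpdateSecurityGroupRuleDescriptions*.

    For all-traffic rules the ports are omitted entirely: sending FromPort/ToPort
    alongside IpProtocol "-1" is what EC2 rejects with
    'InvalidParameterValue: When protocol is ALL, you cannot specify from-port'.
    """
    proto = normalize_protocol(protocol)
    perm = {
        "IpProtocol": proto,
        "IpRanges": [{"CidrIp": cidr, "Description": description} for cidr in cidr_blocks],
    }
    if proto != ALL_PROTOCOLS:
        perm["FromPort"] = int(from_port)
        perm["ToPort"] = int(to_port)
    return perm


def rule_key(perm):
    """The tuple EC2 effectively identifies a rule by: protocol and port range.
    All-traffic rules come back from DescribeSecurityGroups with no ports."""
    proto = normalize_protocol(perm["IpProtocol"])
    if proto == ALL_PROTOCOLS:
        return (proto, None, None)
    return (proto, perm.get("FromPort"), perm.get("ToPort"))


def find_rule(existing_permissions, desired):
    """Find the IpPermissions entry (as returned by DescribeSecurityGroups) that
    carries the desired rule: same protocol/ports and every desired CIDR present."""
    wanted = {r["CidrIp"] for r in desired["IpRanges"]}
    for perm in existing_permissions:
        if rule_key(perm) != rule_key(desired):
            continue
        present = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        if wanted <= present:
            return perm
    return None


def update_rule_description(ec2, group_id, rule_type, protocol, from_port, to_port,
                            cidr_blocks, description):
    """Call the Ingress or Egress variant of the description-update API."""
    perm = build_ip_permission(protocol, from_port, to_port, cidr_blocks, description)
    if rule_type == "egress":
        return ec2.update_security_group_rule_descriptions_egress(
            GroupId=group_id, IpPermissions=[perm])
    return ec2.update_security_group_rule_descriptions_ingress(
        GroupId=group_id, IpPermissions=[perm])


class RecordingClient:
    """Constructed stand-in for boto3's EC2 client: records each call's kwargs."""

    def __init__(self):
        self.calls = []

    def update_security_group_rule_descriptions_egress(self, **kwargs):
        self.calls.append(("update_security_group_rule_descriptions_egress", kwargs))
        return {"Return": True}

    def update_security_group_rule_descriptions_ingress(self, **kwargs):
        self.calls.append(("update_security_group_rule_descriptions_ingress", kwargs))
        return {"Return": True}


def demo_all_traffic_egress():
    """Reproduce the issue's rule (protocol -1, ports 0/0, 0.0.0.0/0) and return
    the recorded API call; the payload carries no FromPort/ToPort."""
    client = RecordingClient()
    update_rule_description(client, "sg-xxxx", "egress", -1, 0, 0, ["0.0.0.0/0"], "all")
    return client.calls[0]


if __name__ == "__main__":
    name, kwargs = demo_all_traffic_egress()
    print(name, kwargs)
```

Two design points worth noting: the port range is dropped at payload-construction time rather than patched around the API call, so every caller of build_ip_permission gets the same behaviour, and find_rule matches on the normalized (protocol, from, to) tuple plus a subset check on CIDRs because EC2 folds all CIDRs sharing a protocol/port range into one IpPermissions entry, which is exactly the identification problem the maintainer's comment describes.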