Terraform-provider-aws: aws_security_group_rule: InvalidParameterValue: When protocol is ALL, you cannot specify from-port.

Edit: I've updated to terraform 0.10.8, and haven't been able to reproduce it, though the problem was somewhat intermittent before.

I am seeing this error as well.

Error applying plan:
4 error(s) occurred:
* module.vpc.module.sg_ssh.aws_security_group_rule.allow_all_egress: 1 error(s) occurred:
* aws_security_group_rule.allow_all_egress: Error updating security group sg-ecfed29e rule description: InvalidParameterValue: When protocol is ALL, you cannot specify from-port.
        status code: 400, request id: da9dec62-1d98-476b-969f-63feaf485f16

• relevant parts of terraform file:

resource "aws_security_group" "default" {
    name = "${var.name}"
    vpc_id = "${var.vpc_id}"
    tags = "${merge(var.default_tags, map(
        "Name", "${var.name}",
        "Environment", "${var.env}",
    ))}"
    description = "Allow ${join(",", var.ports)} (${var.protocol})"
}

/* By default, allow all egress */
resource "aws_security_group_rule" "allow_all_egress" {
    type              = "egress"
    from_port         = 0
    to_port           = 0
    protocol          = "-1"
    cidr_blocks       = ["0.0.0.0/0"]
    security_group_id = "${aws_security_group.default.id}"

    count             = "${var.allow_all_egress ? 1 : 0}"
    description       = "Allow all egress"
}

As you can see, protocol is clearly "-1", and from_port and to_port are 0. So why is terraform sending a port across the API????

I get the same error when I try to update an aws_security_group_rule in eu-west-1. I did not get this error in us-west-2 or us-east-1.

Edit: I am using terraform 0.10.8.
Edit: I upgraded from version 1.1 of the aws provider to version 1.2 and I am still seeing the problem.

Same here, im in us-east-1 and i'm seeing the following:

module.virginia.aws_security_group_rule.private_in1: Modifying... (ID: sgrule-4066064814)
  description: "This is the private subnet,s nat gateway ip. So we allow ingress from public requests originating in the subnet itself" => ""
module.virginia.aws_route_table.private: Modifications complete after 2s (ID: rtb-1251de69)

Error: Error applying plan:

2 error(s) occurred:

* module.virginia.aws_security_group_rule.private_in0: 1 error(s) occurred:

* aws_security_group_rule.private_in0: Error updating security group sg-b1f0c8c1 rule description: InvalidParameterValue: When protocol is ALL, you cannot specify from-port.
    status code: 400, request id: 3fd2a91d-27c8-4df9-a4e3-bd2c7c72a132
* module.virginia.aws_security_group_rule.private_in1: 1 error(s) occurred:

* aws_security_group_rule.private_in1: Error updating security group sg-b1f0c8c1 rule description: InvalidParameterValue: When protocol is ALL, you cannot specify from-port.
    status code: 400, request id: 5091cd1c-25e7-479e-a06f-cec7e3d374ed

Note that terraform is trying to change the description wrongly. This sec group's description is actually empty.

@JoyPeterson

get the same error when I try to update an aws_security_group_rule in eu-west-1. I did not get this error in us-west-2 or us-east-1.

I _did_ get this error in us-west-2, and like you, an upgrade to 1.2 did not resolve the issue.

have same issue with terraform 0.10.8 in us-east-1 and provider version 1.3

This is on: Terraform v0.11 + provider.aws v1.5.0.

resource "aws_security_group_rule" "bastion-e01" {
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  ipv6_cidr_blocks  = ["::/0"]
  security_group_id = "${aws_security_group.bastion.id}"
  description       = "(TF) Allow all outbound"
}

I am seeing this in us-west-2 when trying to apply a change to a rule description:

Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_security_group_rule.bastion-e01
      description: "(TF) Allow all outbound IPv4" => "(TF) Allow all outbound"
...
aws_security_group_rule.bastion-e01: Modifying... (ID: sgrule-54367857)
  description: "(TF) Allow all outbound IPv4" => "(TF) Allow all outbound"
Error: Error applying plan:

1 error(s) occurred:

* aws_security_group_rule.bastion-e01: 1 error(s) occurred:

* aws_security_group_rule.bastion-e01: Error updating security group sg-4df77731 rule description: InvalidParameterValue: When protocol is ALL, you cannot specify from-port.
    status code: 400, request id: 5e5bf222-30a7-42f8-9453-f316969c8693

And removing the from_port fails immediately as TF says it is a required value:
Error: aws_security_group_rule.bastion-e01: "from_port": required field is not set

I encountered this issue when updating rule description.

oddly enough when updating from_port from 0 to "-1" with the new description it works out of the box, however when only updating the description we get the same error.

TLDR

resource "aws_security_group_rule" "cidr_rules" {
  type              = "egress"
  security_group_id = "${var.sg_id}"
  protocol  = "-1"
  from_port = 0
  to_port   = 0
  cidr_blocks = ["0.0.0.0/0"]
  description = "test"
}

If I only update the description:

resource "aws_security_group_rule" "cidr_rules" {
  type              = "egress"
  security_group_id = "${var.sg_id}"
  protocol  = "-1"
  from_port = 0
  to_port   = 0
  cidr_blocks = ["0.0.0.0/0"]
  description = "Allow outbound traffic"
}

Then I got:

terraform apply
aws_security_group_rule.cidr_rules: Refreshing state... (ID: sgrule-2137090651)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ aws_security_group_rule.cidr_rules
      description: "test" => "Allow outbound traffic"


Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_security_group_rule.cidr_rules: Modifying... (ID: sgrule-2137090651)
  description: "test" => "Allow outbound traffic"

Error: Error applying plan:

1 error(s) occurred:

* aws_security_group_rule.cidr_rules: 1 error(s) occurred:

* aws_security_group_rule.cidr_rules: Error updating security group sg-cf764ca9 rule description: InvalidParameterValue: When protocol is ALL, you cannot specify from-port.
    status code: 400, request id: b6b021c9-f562-4996-81ce-8ed77d18378a

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

However if I update from_port as well to become like this:

resource "aws_security_group_rule" "cidr_rules" {
  type              = "egress"
  security_group_id = "${var.sg_id}"
  protocol  = "-1"
  from_port = "-1"
  to_port   = 0
  cidr_blocks = ["0.0.0.0/0"]
  description = "Allow outbound traffic"
}

it got succeed 🎉

terraform apply
aws_security_group_rule.cidr_rules: Refreshing state... (ID: sgrule-2137090651)

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ aws_security_group_rule.cidr_rules (new resource required)
      id:                       "sgrule-2137090651" => <computed> (forces new resource)
      cidr_blocks.#:            "1" => "1"
      cidr_blocks.0:            "0.0.0.0/0" => "0.0.0.0/0"
      description:              "test" => "Allow outbound traffic"
      from_port:                "0" => "-1" (forces new resource)
      protocol:                 "-1" => "-1"
      security_group_id:        "sg-cf764ca9" => "sg-cf764ca9"
      self:                     "false" => "false"
      source_security_group_id: "" => <computed>
      to_port:                  "0" => "0"
      type:                     "egress" => "egress"


Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_security_group_rule.cidr_rules: Destroying... (ID: sgrule-2137090651)
aws_security_group_rule.cidr_rules: Destruction complete after 1s
aws_security_group_rule.cidr_rules: Creating...
  cidr_blocks.#:            "" => "1"
  cidr_blocks.0:            "" => "0.0.0.0/0"
  description:              "" => "Allow outbound traffic"
  from_port:                "" => "-1"
  protocol:                 "" => "-1"
  security_group_id:        "" => "sg-cf764ca9"
  self:                     "" => "false"
  source_security_group_id: "" => "<computed>"
  to_port:                  "" => "0"
  type:                     "" => "egress"
aws_security_group_rule.cidr_rules: Creation complete after 0s (ID: sgrule-2137090651)

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.

The number of bugs seen using TF to manage aws_security_group_rule and aws_security_group is completely ridiculous, this is just one more example. These silly workarounds shouldn't be necessary and even the workarounds only work once or twice without rhyme or reason. This makes management of SG's nearly impossible with Terraform.

Terraform v0.11.3
+ provider.aws v1.8.0

For what its worth, a large portion of these issues would likely go away if the EC2 API provided stable identifiers for security group rules. As it stands currently, we're dependent on identifying and modifying rules/descriptions using the EC2 data type IpPermissions (e.g. a combination of IPs, protocol, ports) along with converting between supported values that AWS will accept on input and normalized ones on their backend (e.g. -1 <=> ALL).

In this case (without diving into the code) seems we might be passing too much information to UpdateSecurityGroupRuleDescriptions(Ingress|Egress)

Does anyone fancy having a crack at a fix for this? I've had a quick scan of the AWS provider code but can't quite find the point where this error is thrown.

@andydix if you set TF_LOG=TRACE before the apply, you'll see the exact AWS API call being made that returns this error and from there you can deduce the location in the resource code

@rifelpet I did that and it spits out a 400 response object with the debug entry of: -
2018/03/09 09:10:06 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/UpdateSecurityGroupRuleDescriptionsEgress Details:

I've searched through all the AWS provider source but still can't pinpoint the area that throws back this response.

GO isn't a language I've used before so it's possibly me not understanding what to look for. I'm sure it'll be obvious if/when I find it :)

Given the above debug message, the code calls UpdateSecurityGroupRuleDescriptionsEgress() as seen here:

https://github.com/terraform-providers/terraform-provider-aws/blob/27802d3ba02e48c08c12612fdf52ac00da6a3505/aws/resource_aws_security_group_rule.go#L836

Given the error, seems like we need to prune out some input parameters based on the protocol (or better normalize them in Terraform beforehand).

Ran into this today. Pretty significant; US-EAST-1 for me.

Terraform 0.11.5
AWS Provider 1.13.

Same situation. Had to apply the workaround to make it work.

Hi,

Same issue with:

• Terraform v0.11.7
• provider.aws v1.14.1
• Region is EU-WEST-1

In order to apply the description I had to use "terraform destroy -target aws_security_group_rule.name" and then apply the config back.

Can't reproduce..

• Terraform v0.11.7
• provider.aws v1.24

Hint: I removed the default security group rule manually before...

provider "aws" {
  max_retries = 3
  region      = "eu-central-1"
  profile     = "devops"
}

data "aws_vpc" "default" {
  default = true
}

data "aws_security_group" "default" {
  vpc_id = "${data.aws_vpc.default.id}"
}

resource "aws_security_group_rule" "test" {
  security_group_id = "${data.aws_security_group.default.id}"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = -1
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "all"
}

$  terraform apply
data.aws_ami.amzn2_base: Refreshing state...
data.aws_vpc.default: Refreshing state...
data.aws_security_group.default: Refreshing state...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + aws_security_group_rule.test
      id:                       <computed>
      cidr_blocks.#:            "1"
      cidr_blocks.0:            "0.0.0.0/0"
      description:              "all"
      from_port:                "0"
      protocol:                 "-1"
      security_group_id:        "sg-7e92ac14"
      self:                     "false"
      source_security_group_id: <computed>
      to_port:                  "0"
      type:                     "egress"


Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_security_group_rule.test: Creating...
  cidr_blocks.#:            "" => "1"
  cidr_blocks.0:            "" => "0.0.0.0/0"
  description:              "" => "all"
  from_port:                "" => "0"
  protocol:                 "" => "-1"
  security_group_id:        "" => "sg-7e92ac14"
  self:                     "" => "false"
  source_security_group_id: "" => "<computed>"
  to_port:                  "" => "0"
  type:                     "" => "egress"
aws_security_group_rule.test: Creation complete after 2s (ID: sgrule-3315173682)

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

$ terraform apply
data.aws_ami.amzn2_base: Refreshing state...
data.aws_vpc.default: Refreshing state...
data.aws_security_group.default: Refreshing state...
aws_security_group_rule.test: Refreshing state... (ID: sgrule-3315173682)

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

@n3ph: the issue occurs on the update step only, not on an initial create.

I've run into the same issue, on update. I currently just create 3 different rules, one for each protocol. Would love to see this thing fixed.

Having the same issue:
terraform version: 0.11.7
region: eu-west-1

Same issue:
terraform version: 0.11.8
region: us-east-1

Same issue:
Terraform v0.11.7

• provider.aws v1.32.0

Same issue:

Terraform v0.11.8

• provider.aws: version = "~> 1.41"

Same here:

Terraform v0.11.8

• provider.aws v1.41.0

Same here,but i can successful apply with destroy and then create replacement

resource "aws_security_group_rule" "mgmt-sg-test-ingress-all" {
  type              = "ingress"
  from_port         = -1
  to_port           = -1
  protocol          = "-1"
  cidr_blocks       = ["13.57.165.0/24"]
  security_group_id = "${aws_security_group.mgmt-sg-test.id}"
}

Bug fix pull request submitted: #6407

The fix for this has been merged and will release with version 1.43.1 of the AWS provider, likely in the next hour or so. 👍

This has been released in version 1.43.1 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

Same here:

Terraform v0.11.10

provider.aws v1.45.0

Hi @MisderGAO 👋 Can you please open a new bug report with all the relevant details from the bug report template? This should've been fixed in the update mentioned above but maybe there are other unaccounted for cases.

Hi @MisderGAO 👋 Can you please open a new bug report with all the relevant details from the bug report template? This should've been fixed in the update mentioned above but maybe there are other unaccounted for cases.

Done, here is the link:
https://github.com/terraform-providers/terraform-provider-aws/issues/6496

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!