DependencyViolation on changing aws_alb security group #13228

Closed
ghost opened this issue May 8, 2020 · 3 comments · Fixed by #26553
Labels
service/ec2 Issues and PRs that pertain to the ec2 service. service/elbv2 Issues and PRs that pertain to the elbv2 service.

ghost commented May 8, 2020

This issue was originally opened by @fomichevmi as hashicorp/terraform#24863. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.12.20

Terraform AWS Provider Version

v2.57.0

Terraform Configuration Files

TF 1:

resource "aws_alb" "test_aws_alb" {
  drop_invalid_header_fields = false
  enable_deletion_protection = false
  enable_http2               = true
  idle_timeout               = 300
  internal                   = true
  ip_address_type            = "ipv4"
  load_balancer_type         = "application"
  name                       = "test-aws-load-balancer"
  security_groups            = [
    aws_security_group.test_aws_sg.id
  ]
  ...
}

resource "aws_security_group" "test_aws_sg" {
  egress {
    ...
  }
  ingress {
    ...
  }
  name                   = "test-aws-security-group"
  revoke_rules_on_delete = false
  vpc_id                 = "vpc-1"
}

TF 2:

resource "aws_alb" "test_aws_alb" {
  drop_invalid_header_fields = false
  enable_deletion_protection = false
  enable_http2               = true
  idle_timeout               = 300
  internal                   = true
  ip_address_type            = "ipv4"
  load_balancer_type         = "application"
  name                       = "test-aws-load-balancer"
  security_groups            = [
    aws_security_group.test_aws_sg_2.id
  ]
  ...
}

resource "aws_security_group" "test_aws_sg_2" {
  egress {
    ...
  }
  ingress {
    ...
  }
  name                   = "test-aws-security-group-2"
  revoke_rules_on_delete = false
  vpc_id                 = "vpc-1"
}

Debug Output

aws_security_group.test_aws_sg: Destroying... [id=sg-1]
aws_security_group.test_aws_sg_2: Creating...
aws_security_group.test_aws_sg_2: Creation complete after 4s [id=sg-2]
[TRACE] Executing graph transform terraform.TransitiveReductionTransformer
[TRACE] Completed graph transform terraform.TransitiveReductionTransformer with new graph:
aws_alb.test_aws_alb - terraform.NodeApplyableResourceInstance
aws_alb.test_aws_alb (prepare state) - terraform.NodeApplyableResource
aws_security_group.test_aws_sg (destroy) - terraform.NodeDestroyResourceInstance
aws_security_group.test_aws_sg_2 - terraform.NodeApplyableResourceInstance
aws_alb.test_aws_alb (prepare state) - terraform.NodeApplyableResource
provider.aws - terraform.NodeApplyableProvider
aws_security_group.test_aws_sg (clean up state) - terraform.NodeDestroyResource
aws_security_group.test_aws_sg (destroy) - terraform.NodeDestroyResourceInstance
aws_security_group.test_aws_sg (destroy) - terraform.NodeDestroyResourceInstance
provider.aws - terraform.NodeApplyableProvider
aws_security_group.test_aws_sg_2 - terraform.NodeApplyableResourceInstance
aws_security_group.test_aws_sg_2 (prepare state) - terraform.NodeApplyableResource
aws_security_group.test_aws_sg_2 (prepare state) - terraform.NodeApplyableResource
provider.aws - terraform.NodeApplyableProvider
meta.count-boundary (EachMode fixup) - terraform.NodeCountBoundary
aws_alb.test_aws_alb - terraform.NodeApplyableResourceInstance
aws_security_group.test_aws_sg (clean up state) - *terraform.NodeDestroyResource
provider.aws - terraform.NodeApplyableProvider
provider.aws (close) - terraform.graphNodeCloseProvider
aws_alb.test_aws_alb - terraform.NodeApplyableResourceInstance
root - terraform.graphNodeRoot
meta.count-boundary (EachMode fixup) - terraform.NodeCountBoundary
provider.aws (close) - terraform.graphNodeCloseProvider

aws_security_group.test_aws_sg: Still destroying... [id=sg-1, 19m20s elapsed]
[TRACE] dag/walk: vertex "aws_alb.test_aws_alb" is waiting for "aws_security_group.test_aws_sg (destroy)"
[TRACE] dag/walk: vertex "aws_alb.test_aws_alb" is waiting for "aws_security_group.test_aws_sg (destroy)"
[TRACE] dag/walk: vertex "provider.aws (close)" is waiting for "aws_alb.test_aws_alb"
[TRACE] dag/walk: vertex "aws_security_group.test_aws_sg (clean up state)" is waiting for "aws_security_group.test_aws_sg (destroy)"
[TRACE] dag/walk: vertex "root" is waiting for "meta.count-boundary (EachMode fixup)"
2020/05/05 13:32:51 [TRACE] vertex "aws_security_group.test_aws_sg (destroy)": visit complete
[TRACE] dag/walk: upstream of "aws_alb.test_aws_alb" errored, so skipping
[TRACE] dag/walk: upstream of "aws_security_group.test_aws_sg (clean up state)" errored, so skipping

Error: Error deleting security group: DependencyViolation: resource sg-1 has a dependent object
status code: 400, request id: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeffffffff

Expected Behavior

  1. SG-2 is created
  2. ALB security groups are refreshed
  3. SG-1 is deleted

Actual Behavior

  1. SG-2 is created
  2. SG-1 is being deleted... and fails

Steps to Reproduce

  1. Terraform init with TF 1
  2. Apply TF 1
  3. Apply TF 2

Description

When I try to change the security group related to aws_alb, deletion of the old SG is attempted before it is unbound from aws_alb. So instead of refreshing aws_alb, I'm receiving a DependencyViolation exception.
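
Added example (not part of the original issue or the provider's code): a small parser over the `dag/walk` trace lines quoted in the Debug Output that reports every resource update ordered behind a destroy node, which is the ordering this issue describes, and whether that update was then skipped. The sample lines are copied from the issue; the function names are assumptions made for illustration.

```python
import re

# Trace lines copied from the Debug Output section of this issue.
SAMPLE_TRACE = '''\
[TRACE] dag/walk: vertex "aws_alb.test_aws_alb" is waiting for "aws_security_group.test_aws_sg (destroy)"
[TRACE] dag/walk: vertex "provider.aws (close)" is waiting for "aws_alb.test_aws_alb"
[TRACE] dag/walk: vertex "aws_security_group.test_aws_sg (clean up state)" is waiting for "aws_security_group.test_aws_sg (destroy)"
[TRACE] dag/walk: vertex "root" is waiting for "meta.count-boundary (EachMode fixup)"
2020/05/05 13:32:51 [TRACE] vertex "aws_security_group.test_aws_sg (destroy)": visit complete
[TRACE] dag/walk: upstream of "aws_alb.test_aws_alb" errored, so skipping
[TRACE] dag/walk: upstream of "aws_security_group.test_aws_sg (clean up state)" errored, so skipping
'''

WAITING = re.compile(r'vertex "([^"]+)" is waiting for "([^"]+)"')
SKIPPED = re.compile(r'upstream of "([^"]+)" errored, so skipping')


def is_apply_node(vertex):
    """True for a plain resource vertex such as aws_alb.test_aws_alb
    (no "(destroy)" / "(close)" style phase suffix, not a provider or meta node)."""
    return ("." in vertex and not vertex.endswith(")")
            and not vertex.startswith(("provider.", "meta.")))


def parse_trace(text):
    """Collect (waiter, upstream) edges and the set of vertices skipped after an error."""
    waits, skipped = set(), set()
    for line in text.splitlines():
        m = WAITING.search(line)
        if m:
            waits.add((m.group(1), m.group(2)))
            continue
        m = SKIPPED.search(line)
        if m:
            skipped.add(m.group(1))
    return waits, skipped


def blocked_updates(text):
    """Return (resource, destroy_node, was_skipped) for each update ordered after a destroy."""
    waits, skipped = parse_trace(text)
    return [(waiter, upstream, waiter in skipped)
            for waiter, upstream in sorted(waits)
            if is_apply_node(waiter) and upstream.endswith(" (destroy)")]


if __name__ == "__main__":
    for resource, destroy, was_skipped in blocked_updates(SAMPLE_TRACE):
        state = "skipped after upstream error" if was_skipped else "still waiting"
        print(f"{resource} ordered after {destroy}: {state}")
```

A skipped update here means the load balancer keeps its previous security group list, so the intended rule change has not taken effect even though the new group exists.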

@justinretzolk
Member

Hey @fomichevmi 👋 Thank you for taking the time to file this issue. Given that there have been a few Terraform and AWS Provider releases since you initially filed it, can you confirm whether you're still experiencing this?

@github-actions github-actions bot added this to the v4.29.0 milestone Aug 31, 2022

github-actions bot commented Sep 2, 2022

This functionality has been released in v4.29.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


github-actions bot commented Oct 3, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 3, 2022