
Security group name change forces the replacement but it fails if there are linked interfaces #20743

Status: Closed. speller opened this issue Sep 1, 2021 · 4 comments · Fixed by #26553
Labels: question (A question about existing functionality; most questions are re-routed to discuss.hashicorp.com), service/ec2 (Issues and PRs that pertain to the ec2 service)


@speller (Contributor) commented Sep 1, 2021

Piece of my configuration:

```hcl
resource "aws_instance" "control" {
  ami                         = data.aws_ami.control.id
  instance_type               = "t2.nano"
  subnet_id                   = module.vpc.public1_subnet_id
  associate_public_ip_address = true
  vpc_security_group_ids = [
    aws_security_group.control.id
  ]
}

resource "aws_security_group" "control" {
  name   = "${local.infra_name_hyphen}-bastion-proxy"
  vpc_id = module.vpc.vpc_id
}
```

When I change the security group name, it is going to be replaced:

```text
Terraform will perform the following actions:
  # aws_instance.control will be updated in-place
  ~ resource "aws_instance" "control" {
        id                                   = "id"
      ~ vpc_security_group_ids               = [
          - "sg-0b3b4f192869b74db",
        ] -> (known after apply)
        # (27 unchanged attributes hidden)
        # (5 unchanged blocks hidden)
    }
  # aws_security_group.control must be replaced
-/+ resource "aws_security_group" "control" {
      ~ arn                    = "arn:aws:ec2:" -> (known after apply)
      ~ id                     = "sg-0b3b4f192869b74db" -> (known after apply)
      ~ name                   = "review-dev-control-proxy" -> "review-dev-bastion-proxy" # forces replacement
      + name_prefix            = (known after apply)
        # (3 unchanged attributes hidden)
    }
```

...

```text
aws_security_group.control: Still destroying... [id=sg-0b3b4f192869b74db, 11m50s elapsed]
aws_security_group.control: Still destroying... [id=sg-0b3b4f192869b74db, 12m0s elapsed]
aws_security_group.control: Still destroying... [id=sg-0b3b4f192869b74db, 12m10s elapsed]
aws_security_group.control: Still destroying... [id=sg-0b3b4f192869b74db, 12m20s elapsed]
Error: Error deleting security group: DependencyViolation: resource sg-0b3b4f192869b74db has a dependent object
	status code: 400, request id: 0fb51d70-0632-44f1-ba62-dafd14459175
```

But changes are failing because the EC2 instance's network interface is linked to the security group.

Such situations should be handled properly.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/ec2 Issues and PRs that pertain to the ec2 service. labels Sep 1, 2021
@ewbankkit (Contributor) commented Sep 1, 2021

@speller Thanks for raising this issue.
The create_before_destroy lifecycle meta-argument added to your aws_security_group resource should help here.

@ewbankkit ewbankkit added question A question about existing functionality; most questions are re-routed to discuss.hashicorp.com. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 1, 2021
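The configuration from the issue with the lifecycle fix ewbankkit suggests applied, as an added example rather than code from the issue or from the provider. The resource names and the `local.infra_name_hyphen` / `module.vpc` references are the ones the reporter used; the ingress CIDR, the port and the egress rule are assumptions for illustration.

```hcl
# Added example, not part of the original issue: the reporter's two resources
# with create_before_destroy on the security group.

resource "aws_security_group" "control" {
  name   = "${local.infra_name_hyphen}-bastion-proxy"
  vpc_id = module.vpc.vpc_id

  # Rules are kept inline so the replacement group already carries them when
  # the instance's ENI is re-pointed at it. The aws_security_group resource
  # strips the AWS default allow-all egress rule, so egress must be explicit.
  ingress {
    description = "SSH from an assumed admin range"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # assumed, RFC 5737 documentation range
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    # Order becomes: create the new group, update the instance to reference
    # it, then delete the old group. Without this the delete runs while the
    # ENI still references the old group and AWS returns DependencyViolation.
    create_before_destroy = true
  }
}

resource "aws_instance" "control" {
  ami                         = data.aws_ami.control.id
  instance_type               = "t2.nano"
  subnet_id                   = module.vpc.public1_subnet_id
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.control.id]
}
```

Two caveats worth checking before relying on this. Security group names must be unique within a VPC, so create_before_destroy only succeeds when the replacement's name differs from the current one; a replacement forced by some other attribute (for example `description`) while `name` stays fixed fails at create time with a duplicate-group error, which is why the provider pairs create_before_destroy with `name_prefix` in its documentation. Second, the instance is moved to the new group as soon as the group's ID is known; if the rules live in separate rule resources rather than inline, make sure they are created before the instance is updated, otherwise the host briefly carries a group with no ingress rules and no egress.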

@speller (Contributor, Author) commented Sep 2, 2021

Yes, it helps.
I think it would be nice to add some info regarding this to the error output or to the documentation.


github-actions bot commented Sep 2, 2022

This functionality has been released in v4.29.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


github-actions bot commented Oct 3, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 3, 2022