Provider plugin crashes with empty string for prefix_list_ids in aws_security_group_rule resource

[svanschie]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform AWS Provider Version

$ terraform -v
Terraform v1.2.6
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v4.25.0

Affected Resource(s)

• aws_security_group_rule

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_security_group" "this" {
  name   = "test"
  vpc_id = aws_vpc.this.id
}

resource "aws_security_group_rule" "this" {
  type              = "egress"
  from_port         = 443
  to_port           = 443
  protocol          = "TCP"
  prefix_list_ids   = [""]
  security_group_id = aws_security_group.this.id
}

Panic Output

See https://gist.github.com/svanschie/ec67a078cc91a79aed3daa1d504f7913

Expected Behavior

It should either handle the error more gracefully or (try to) push the change to AWS (resulting in an error from AWS side, which does have a clear description of the error),

Actual Behavior

The AWS provider plugin crashes

Steps to Reproduce

1. terraform apply

Important Factoids

The aws_security_group resource with in-line rules handles this issue properly. It will still error out on AWS end but that's to be expected:

│ Error: updating Security Group (sg-0591bcd1c86e28a81) egress rules: authorizing Security Group (egress) rules: InvalidPrefixListID.NotFound: The prefix list ID '' does not exist
│ 	status code: 400, request id: 061d2fd4-beaf-407f-ac8d-d56cbb1572be
│
│   with aws_security_group.this,
│   on main.tf line 5, in resource "aws_security_group" "this":
│    5: resource "aws_security_group" "this" {

[ewbankkit]

Stack trace from the terraform-provider-aws_v4.25.0_x5 plugin:

panic: interface conversion: interface {} is nil, not string

goroutine 515 [running]:
github.com/hashicorp/terraform-provider-aws/internal/service/ec2.expandIpPermission(0x0?, 0xc002c59030)
	github.com/hashicorp/terraform-provider-aws/internal/service/ec2/vpc_security_group_rule.go:718 +0xf25
github.com/hashicorp/terraform-provider-aws/internal/service/ec2.resourceSecurityGroupRuleCreate(0x0?, {0x94e5e00?, 0xc001796a80?})
	github.com/hashicorp/terraform-provider-aws/internal/service/ec2/vpc_security_group_rule.go:155 +0x227
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0xb7c92d0?, {0xb7c92d0?, 0xc0032403f0?}, 0xd?, {0x94e5e00?, 0xc001796a80?})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.20.0/helper/schema/resource.go:695 +0x178
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc000823180, {0xb7c92d0, 0xc0032403f0}, 0xc002f6f1e0, 0xc002de7d00, {0x94e5e00, 0xc001796a80})
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.20.0/helper/schema/resource.go:837 +0xa7a
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc0006586c0, {0xb7c92d0?, 0xc0032402d0?}, 0xc002c57810)
	github.com/hashicorp/terraform-plugin-sdk/v2@v2.20.0/helper/schema/grpc_provider.go:1021 +0xe3c
github.com/hashicorp/terraform-plugin-mux/tf5muxserver.muxServer.ApplyResourceChange({0xc001c1e540, 0xc001c1e5a0, {0xc001ca2b80, 0x2, 0x2}, 0xc001c1e570, 0xc000e46b30, 0xc001d57710, 0xc001c1e5d0}, {0xb7c92d0, ...}, ...)
	github.com/hashicorp/terraform-plugin-mux@v0.7.0/tf5muxserver/mux_server_ApplyResourceChange.go:27 +0x142
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc0009e4140, {0xb7c92d0?, 0xc003201a40?}, 0xc002c58620)
	github.com/hashicorp/terraform-plugin-go@v0.13.0/tfprotov5/tf5server/server.go:813 +0x4fc
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0xa759040?, 0xc0009e4140}, {0xb7c92d0, 0xc003201a40}, 0xc002c585b0, 0x0)
	github.com/hashicorp/terraform-plugin-go@v0.13.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0000001e0, {0xb7ce838, 0xc0021431e0}, 0xc002f77440, 0xc0022d37d0, 0x10de21a0, 0x0)
	google.golang.org/grpc@v1.48.0/server.go:1295 +0xb0b
google.golang.org/grpc.(*Server).handleStream(0xc0000001e0, {0xb7ce838, 0xc0021431e0}, 0xc002f77440, 0x0)
	google.golang.org/grpc@v1.48.0/server.go:1636 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/grpc@v1.48.0/server.go:932 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/grpc@v1.48.0/server.go:930 +0x28a

Error: The terraform-provider-aws_v4.25.0_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.