EC2: ModifySecurityGroupRules, InvalidGroupId.Malformed: Invalid id: "<aws-account-id>/<sg-id>"

[yambottle]

Describe what happened

I'm able to create this security group rule with cross-account security group reference(under the context of VPC Peering, here, root account sg needs to add an ingress rule to reference a member account's sg_id by <aws-account-id>/<sg-id>):

root_allow_proj_sg = aws.vpc.SecurityGroupIngressRule(
        "root_allow_pcx_sg",
        security_group_id=root_sg_id,
        referenced_security_group_id=sg.id.apply(lambda id: f"{account_id}/{id}"),
        ip_protocol="-1",
        opts=pulumi.ResourceOptions(provider=root_provider),
    )

But having this unexpected error when update this rule to add a description:

root_allow_proj_sg = aws.vpc.SecurityGroupIngressRule(
        "root_allow_pcx_sg",
        security_group_id=root_sg_id,
        referenced_security_group_id=sg.id.apply(lambda id: f"{account_id}/{id}"),
        ip_protocol="-1",
        description=f"Allow pcx from {org_name}_{project_name}", # adding this line
        opts=pulumi.ResourceOptions(provider=root_provider),
    )

Error:

error: updating VPC Security Group Rule (sgr-03c18a4b93862b5eb): operation error EC2: ModifySecurityGroupRules, https response error StatusCode: 400, RequestID: 7a7cc0fb-c763-4b7c-bf20-ca15f338dd38, api error InvalidGroupId.Malformed: Invalid id: "<aws-account-id>/<sg-id>"

I spent a little bit time to trace down to this issue, root cause might be an AWS API issue:
AuthorizeSecurityGroupIngress -> IpPermission -> UserIdGroupPair allows ingress rule creation to reference cross-account security group id. However, ModifySecurityGroupRules doesn't seem to support this reference???

I also thought about work around using delete_before_replace, the idea is to force the update action to delete the rule first and then recreate in order to update, but I got the same error.

root_allow_proj_sg = aws.vpc.SecurityGroupIngressRule(
        "root_allow_pcx_sg",
        security_group_id=root_sg_id,
        referenced_security_group_id=sg.id.apply(lambda id: f"{account_id}/{id}"),
        ip_protocol="-1",
        description=f"pcx from {org_name}_{project_name}",
        opts=pulumi.ResourceOptions(provider=root_provider, delete_before_replace=True),
    )

Is there any work-around?

Sample program

# needs to have two aws accounts: root account and member account
# needs to setup VPC Peering

# then create a cross-account sg id referenced ingress rule
root_allow_proj_sg = aws.vpc.SecurityGroupIngressRule(
        "root_allow_pcx_sg",
        security_group_id=root_sg_id,
        referenced_security_group_id=sg.id.apply(lambda id: f"{account_id}/{id}"),
        ip_protocol="-1",
        opts=pulumi.ResourceOptions(provider=root_provider),
    )

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

CLI          
Version      3.138.0
Go Version   go1.23.2
Go Compiler  gc

Plugins
KIND      NAME      VERSION
resource  aws       6.56.1
language  python    unknown

Host     
OS       debian
Version  bookworm/sid
Arch     x86_64

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[flostadler]

Sorry you're running into this @yambottle!

This seems to be caused by a bug in the upstream terraform provider: hashicorp/terraform-provider-aws#30664

You mentioned that you tried using the deleteBeforeReplace resource option as a workaround, but that alone is not enough here. Changing the description won't cause a replace, so it's still trying to update the security group in-place.
What you can do is combining this with the replaceOnChanges resource option. By setting that one to ["*"] every property change will result in a replacement.
Could you please confirm whether combining those two resource options acts as a workaround?