
Upgrade from 1.x to 2.x creates ACL rules that already exist #223

@ekasprzyk

Description

Describe the Bug

Upgrading the version of the module from 1.0.0 to 2.4.2 and following the 1.x to 2.x migration guide results in the creation of ACL egress rules that already exist, causing the apply to fail.

Example config:

module "subnets" {
  source              = "cloudposse/dynamic-subnets/aws"
  version             = "2.4.2"
  namespace           = var.namespace
  environment         = var.environment
  name                = local.name
  availability_zones  = var.availability_zones
  vpc_id              = module.vpc.vpc_id
  igw_id              = [module.vpc.igw_id]
  ipv4_cidr_block     = [module.vpc.vpc_cidr_block]

  tags = local.tags
}

Resulting in plan:

16:02:22.476 STDOUT terraform: Terraform used the selected providers to generate the following execution
16:02:22.476 STDOUT terraform: plan. Resource actions are indicated with the following symbols:
16:02:22.476 STDOUT terraform:   + create
16:02:22.476 STDOUT terraform: Terraform will perform the following actions:
16:02:22.476 STDOUT terraform:   # module.subnets.aws_network_acl_rule.private4_egress[0] will be created
16:02:22.476 STDOUT terraform:   + resource "aws_network_acl_rule" "private4_egress" {
16:02:22.476 STDOUT terraform:       + cidr_block     = "0.0.0.0/0"
16:02:22.477 STDOUT terraform:       + egress         = true
16:02:22.477 STDOUT terraform:       + from_port      = 0
16:02:22.477 STDOUT terraform:       + id             = (known after apply)
16:02:22.477 STDOUT terraform:       + network_acl_id = "acl-000820c687910acd7"
16:02:22.477 STDOUT terraform:       + protocol       = "-1"
16:02:22.477 STDOUT terraform:       + rule_action    = "allow"
16:02:22.477 STDOUT terraform:       + rule_number    = 100
16:02:22.477 STDOUT terraform:       + to_port        = 0
16:02:22.477 STDOUT terraform:     }
16:02:22.477 STDOUT terraform:   # module.subnets.aws_network_acl_rule.private4_ingress[0] will be created
16:02:22.477 STDOUT terraform:   + resource "aws_network_acl_rule" "private4_ingress" {
16:02:22.477 STDOUT terraform:       + cidr_block     = "0.0.0.0/0"
16:02:22.477 STDOUT terraform:       + egress         = false
16:02:22.477 STDOUT terraform:       + from_port      = 0
16:02:22.477 STDOUT terraform:       + id             = (known after apply)
16:02:22.477 STDOUT terraform:       + network_acl_id = "acl-000820c687910acd7"
16:02:22.477 STDOUT terraform:       + protocol       = "-1"
16:02:22.477 STDOUT terraform:       + rule_action    = "allow"
16:02:22.477 STDOUT terraform:       + rule_number    = 100
16:02:22.477 STDOUT terraform:       + to_port        = 0
16:02:22.477 STDOUT terraform:     }
16:02:22.477 STDOUT terraform:   # module.subnets.aws_network_acl_rule.public4_egress[0] will be created
16:02:22.477 STDOUT terraform:   + resource "aws_network_acl_rule" "public4_egress" {
16:02:22.477 STDOUT terraform:       + cidr_block     = "0.0.0.0/0"
16:02:22.477 STDOUT terraform:       + egress         = true
16:02:22.477 STDOUT terraform:       + from_port      = 0
16:02:22.477 STDOUT terraform:       + id             = (known after apply)
16:02:22.477 STDOUT terraform:       + network_acl_id = "acl-0fd251e6c824d58f3"
16:02:22.477 STDOUT terraform:       + protocol       = "-1"
16:02:22.477 STDOUT terraform:       + rule_action    = "allow"
16:02:22.477 STDOUT terraform:       + rule_number    = 100
16:02:22.477 STDOUT terraform:       + to_port        = 0
16:02:22.477 STDOUT terraform:     }
16:02:22.477 STDOUT terraform:   # module.subnets.aws_network_acl_rule.public4_ingress[0] will be created
16:02:22.477 STDOUT terraform:   + resource "aws_network_acl_rule" "public4_ingress" {
16:02:22.477 STDOUT terraform:       + cidr_block     = "0.0.0.0/0"
16:02:22.478 STDOUT terraform:       + egress         = false
16:02:22.478 STDOUT terraform:       + from_port      = 0
16:02:22.478 STDOUT terraform:       + id             = (known after apply)
16:02:22.478 STDOUT terraform:       + network_acl_id = "acl-0fd251e6c824d58f3"
16:02:22.478 STDOUT terraform:       + protocol       = "-1"
16:02:22.478 STDOUT terraform:       + rule_action    = "allow"
16:02:22.478 STDOUT terraform:       + rule_number    = 100
16:02:22.478 STDOUT terraform:       + to_port        = 0
16:02:22.478 STDOUT terraform:     }
16:02:22.478 STDOUT terraform: Plan: 4 to add, 0 to change, 0 to destroy.

and the error:

16:02:29.839 STDERR terraform: │ Error: api error NetworkAclEntryAlreadyExists: EC2 Network ACL (acl-000820c687910acd7) Rule (egress: false)(100) already exists
16:02:29.839 STDERR terraform: │ 
16:02:29.839 STDERR terraform: │   with module.subnets.aws_network_acl_rule.private4_ingress[0],
16:02:29.839 STDERR terraform: │   on .terraform/modules/subnets/private.tf line 95, in resource "aws_network_acl_rule" "private4_ingress":
16:02:29.839 STDERR terraform: │   95: resource "aws_network_acl_rule" "private4_ingress" {
16:02:29.839 STDERR terraform: │ 
16:02:29.839 STDERR terraform: ╵
16:02:29.840 STDERR terraform: ╷
16:02:29.840 STDERR terraform: │ Error: api error NetworkAclEntryAlreadyExists: EC2 Network ACL (acl-000820c687910acd7) Rule (egress: true)(100) already exists
16:02:29.840 STDERR terraform: │ 
16:02:29.840 STDERR terraform: │   with module.subnets.aws_network_acl_rule.private4_egress[0],
16:02:29.840 STDERR terraform: │   on .terraform/modules/subnets/private.tf line 109, in resource "aws_network_acl_rule" "private4_egress":
16:02:29.841 STDERR terraform: │  109: resource "aws_network_acl_rule" "private4_egress" {
16:02:29.841 STDERR terraform: │ 
16:02:29.841 STDERR terraform: ╵
16:02:29.842 STDERR terraform: ╷
16:02:29.842 STDERR terraform: │ Error: api error NetworkAclEntryAlreadyExists: EC2 Network ACL (acl-0fd251e6c824d58f3) Rule (egress: false)(100) already exists
16:02:29.842 STDERR terraform: │ 
16:02:29.842 STDERR terraform: │   with module.subnets.aws_network_acl_rule.public4_ingress[0],
16:02:29.843 STDERR terraform: │   on .terraform/modules/subnets/public.tf line 106, in resource "aws_network_acl_rule" "public4_ingress":
16:02:29.843 STDERR terraform: │  106: resource "aws_network_acl_rule" "public4_ingress" {
16:02:29.843 STDERR terraform: │ 
16:02:29.843 STDERR terraform: ╵
16:02:29.844 STDERR terraform: ╷
16:02:29.844 STDERR terraform: │ Error: api error NetworkAclEntryAlreadyExists: EC2 Network ACL (acl-0fd251e6c824d58f3) Rule (egress: true)(100) already exists
16:02:29.844 STDERR terraform: │ 
16:02:29.844 STDERR terraform: │   with module.subnets.aws_network_acl_rule.public4_egress[0],
16:02:29.844 STDERR terraform: │   on .terraform/modules/subnets/public.tf line 120, in resource "aws_network_acl_rule" "public4_egress":
16:02:29.844 STDERR terraform: │  120: resource "aws_network_acl_rule" "public4_egress" {
16:02:29.844 STDERR terraform: │ 

It may be a documentation error as to why such a thing would be happening.

Expected Behavior

I'd expect the plan to either tear down and recreate the resources, or modify the existing resources, but not try to create resources that already exist.

Steps to Reproduce

Create a subnet using 1.x, then change the version to 2.x.

Using the output of a VPC created from cloudposse/vpc/aws.

Screenshots

No response

Environment

  • macOS
  • Terraform 1.4.6
  • AWS provider version 5

Additional Context

No response
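A pre-apply check for the collision shown in this report, added here as an example and not part of the issue or of the module: it reads the JSON form of a Terraform plan and the live NACL entries, flags every planned aws_network_acl_rule create whose (network_acl_id, egress, rule_number) tuple already exists, and prints the import ID in the ACL_ID:RULE_NUMBER:PROTOCOL:EGRESS form (assumed here from the AWS provider's import documentation) that would adopt the rule into state instead of recreating it. Both inputs are constructed samples modelled on the plan and error above.

```python
import json

# Constructed sample of `terraform show -json tfplan`, trimmed to the fields this
# check needs; addresses and values mirror the plan quoted in the issue.
PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "module.subnets.aws_network_acl_rule.private4_ingress[0]",
     "type": "aws_network_acl_rule",
     "change": {"actions": ["create"], "after": {
         "network_acl_id": "acl-000820c687910acd7", "egress": False,
         "rule_number": 100, "protocol": "-1"}}},
    {"address": "module.subnets.aws_network_acl_rule.private4_egress[0]",
     "type": "aws_network_acl_rule",
     "change": {"actions": ["create"], "after": {
         "network_acl_id": "acl-000820c687910acd7", "egress": True,
         "rule_number": 100, "protocol": "-1"}}},
    # A no-op change on another type: must be ignored by the check.
    {"address": "module.subnets.aws_subnet.private[0]", "type": "aws_subnet",
     "change": {"actions": ["no-op"], "after": {}}},
]})

# Constructed sample of `aws ec2 describe-network-acls` output (trimmed).
# Rule 32767 is the AWS default deny and never clashes with a module rule.
NACLS_JSON = json.dumps({"NetworkAcls": [{
    "NetworkAclId": "acl-000820c687910acd7",
    "Entries": [
        {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow"},
        {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow"},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny"},
        {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny"},
    ]}]})


def existing_entries(nacls_json):
    """Return {(acl_id, egress, rule_number): protocol} for every live NACL entry."""
    keys = {}
    for acl in json.loads(nacls_json)["NetworkAcls"]:
        for e in acl["Entries"]:
            keys[(acl["NetworkAclId"], e["Egress"], e["RuleNumber"])] = e["Protocol"]
    return keys


def find_collisions(plan_json, nacls_json):
    """Map each planned NACL-rule create that clashes with a live entry to the
    import ID that adopts the existing rule into state (apply would fail with
    NetworkAclEntryAlreadyExists otherwise)."""
    live = existing_entries(nacls_json)
    hits = {}
    for rc in json.loads(plan_json)["resource_changes"]:
        if rc["type"] != "aws_network_acl_rule" or rc["change"]["actions"] != ["create"]:
            continue
        after = rc["change"]["after"]
        key = (after["network_acl_id"], after["egress"], after["rule_number"])
        if key in live:
            hits[rc["address"]] = "%s:%d:%s:%s" % (key[0], key[2], after["protocol"], str(key[1]).lower())
    return hits


if __name__ == "__main__":
    for address, import_id in find_collisions(PLAN_JSON, NACLS_JSON).items():
        print("terraform import '%s' %s" % (address, import_id))
```

Running it against a real plan means replacing the two constructed samples with the output of `terraform show -json` and `aws ec2 describe-network-acls`; an empty result means the plan can apply without hitting NetworkAclEntryAlreadyExists.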

Labels: bug (An issue with the system)