Terraform: aws_security_groups empty list of SecurityGroups

terraform provider AWS aws_security_groups

2 min read | by Jordi Prats

Update 10/02/2020: Version 4.0 of the AWS provider has been released. From this version on, all AWS provider plural data sources (like aws_security_groups) that return an array of results return an empty list if zero results are found.

Prior to that, if the tags given to the aws_security_groups data source did not match any SecurityGroup, terraform would return an error instead of an empty list:

data "aws_security_groups" "eks-pod" {
  tags = {
    "NotAnActualTag" = "WontMatchAnything"
  }
}

If we run this code with AWS provider version 3 (or lower), executing terraform plan or terraform apply causes an error similar to the following:

$ terraform plan 
Acquiring state lock. This may take a few moments...
(...)
╷
│ Error: Your query returned no results. Please change your search criteria and try again.
│ 
│   with module.pet2cattle.data.aws_security_groups.pet2cattle-by-tags,
│   on modules/pet2cattle/main.tf line 140, in data "aws_security_groups" "pet2cattle-by-tags":
│  140: data "aws_security_groups" "pet2cattle-by-tags" {
│ 
╵
Releasing state lock. This may take a few moments...

This is an especially annoying behavior, since terraform's own provider design guidelines explicitly state that Plural Data Sources (like aws_security_groups) should return an empty list when appropriate:

These data sources are intended to return zero, one, or many results, (...)

Although with this provider version there are other plural data sources that behave in exactly the same way (like aws_vpcs or aws_vpc_peering_connections), I think it would make sense to allow them to return empty sets instead of failing altogether. That's why I created this PR for aws_security_groups, which was merged in release 4 of the AWS provider.
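With provider 4.0 or later the lookup no longer fails on its own, so configurations that relied on that error to catch a missing SecurityGroup need an explicit check. The following is an added example, not code from the original post: it handles both the case where an empty result is acceptable and the case where it should stop the run. The data source names, the "Role" tag and the CIDR block are constructed for illustration, and the postcondition block assumes Terraform 1.2 or later.

```hcl
terraform {
  required_version = ">= 1.2.0" # lifecycle postconditions need Terraform 1.2+

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0" # plural data sources return an empty list from 4.0 on
    }
  }
}

# Case 1: zero matches is a valid outcome.
data "aws_security_groups" "optional" {
  tags = {
    "NotAnActualTag" = "WontMatchAnything"
  }
}

# for_each over an empty set creates no rules, so plan and apply succeed
# whether or not any SecurityGroup carries the tag.
resource "aws_security_group_rule" "https_internal" {
  for_each = toset(data.aws_security_groups.optional.ids)

  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["10.0.0.0/8"] # constructed sample value
  security_group_id = each.value
}

# Case 2: zero matches means something is misconfigured.
# The postcondition restores a hard failure, with a message that names the cause.
data "aws_security_groups" "required" {
  tags = {
    "Role" = "eks-pod" # constructed sample tag
  }

  lifecycle {
    postcondition {
      condition     = length(self.ids) > 0
      error_message = "No SecurityGroup carries the tag Role=eks-pod; refusing to continue with an empty list."
    }
  }
}
```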


Posted on 21/10/2021