Can't forward HTTP and HTTPS traffic to the same container port

[rzimmerman]

I'm running into an issue when I try to forward both HTTP and HTTPS to the same container port. As an example:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

provider "aws" {
  region = "us-west-1"
}


module "base-network" {
  source                                      = "cn-terraform/networking/aws"
  version                                     = "2.0.13"
  name_prefix                                 = "test-networking"
  vpc_cidr_block                              = "192.168.0.0/16"
  availability_zones                          = ["us-west-1a", "us-west-1b"]
  public_subnets_cidrs_per_availability_zone  = ["192.168.0.0/19", "192.168.32.0/19"]
  private_subnets_cidrs_per_availability_zone = ["192.168.128.0/19", "192.168.160.0/19"]
}


module "ecs-fargate" {
  source  = "cn-terraform/ecs-fargate/aws"
  version = "2.0.28"
  
  name_prefix = "demo-http-https-port"

  assign_public_ip = false

  container_image = "mendhak/http-https-echo:23"
  container_name = "demo-http-https-port"

  vpc_id = module.base-network.vpc_id
  private_subnets_ids = module.base-network.private_subnets_ids
  public_subnets_ids = module.base-network.public_subnets_ids


  environment = [
    {
      name = "HTTP_PORT"
      value = "3000"
    }
  ]

  port_mappings = [
    {
      containerPort = 3000
      hostPort = 3000
      protocol = "tcp"
    }
  ]

  lb_http_ports = {
    default_http = {
      listener_port     = 80
      target_group_port = 3000
    }
  }

  lb_https_ports = {
    default_https = {
      listener_port     = 443
      target_group_port = 3000
    }
  }
  default_certificate_arn = "MY_CERT_ARN"

}

When I apply this configuration, I see:

│ Error: [WARN] A duplicate Security Group rule was found on (sg-xxxxxxxxxx). This may be
│ a side effect of a now-fixed Terraform issue causing two security groups with
│ identical attributes but different source_security_group_ids to overwrite each
│ other in the state. See https://github.com/hashicorp/terraform/pull/2376 for more
│ information and instructions for recovery. Error: InvalidPermission.Duplicate: the specified rule "peer: sg-xxxxxxxxxx, TCP, from port: 3000, to port: 3000, ALLOW" already exists
│ 	status code: 400, request id: xxxxxxxxx
│
│   with module.ecs-fargate.module.ecs-fargate-service.aws_security_group_rule.ingress_through_https["3000"],
│   on .terraform/modules/ecs-fargate.ecs-fargate-service/main.tf line 161, in resource "aws_security_group_rule" "ingress_through_https":
│  161: resource "aws_security_group_rule" "ingress_through_https" {
│

I believe this is because this module creates an ingress rule for HTTP and HTTPS traffic (one each) that wind up being identical (main.tf:116):

resource "aws_security_group_rule" "ingress_through_http" {
  for_each          = var.http_ports
  security_group_id = aws_security_group.lb_access_sg.id
  type              = "ingress"
  from_port         = each.value.listener_port
  to_port           = each.value.listener_port
  protocol          = "tcp"
  cidr_blocks       = var.http_ingress_cidr_blocks
  prefix_list_ids   = var.http_ingress_prefix_list_ids
}

resource "aws_security_group_rule" "ingress_through_https" {
  for_each          = var.https_ports
  security_group_id = aws_security_group.lb_access_sg.id
  type              = "ingress"
  from_port         = each.value.listener_port
  to_port           = each.value.listener_port
  protocol          = "tcp"
  cidr_blocks       = var.https_ingress_cidr_blocks
  prefix_list_ids   = var.https_ingress_prefix_list_ids
}

There might be some way to deduplicate these rules or make them different in some semantic way to allow both rules to exist.