Terraform Issue | Conditionally Using New Resource

tf_0_main.tf

locals {
  project = "tfternarywtf"
  chosen_sg = "${var.security_groups}"
}

data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

variable "security_groups" {
  type    = "list"
  default = ["sg-<existing_sg>"]
}

resource "aws_instance" "tfec2" {
  ami                    = "${data.aws_ami.ubuntu.id}"
  instance_type          = "t2.micro"
  vpc_security_group_ids = ["${local.chosen_sg}"]
  subnet_id              = "subnet-<existing_subnet>"

  tags = {
    Name = "${local.project}-ec2"
  }
}

output "ec2_instance_id" {
  value = "${aws_instance.tfec2.id}"
}

output "ec2_instance_security_groups" {
  value = "${aws_instance.tfec2.security_groups}"
}

tf_1_main.tf

locals {
  project = "tfternarywtf"
  some_condition = false
  chosen_sg = "${local.some_condition ? aws_security_group.sg.id : join(",", var.security_groups)}"
}

data "aws_ami" "ubuntu" {
  most_recent = true

  filter {
    name   = "name"
    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
  }

  filter {
    name   = "virtualization-type"
    values = ["hvm"]
  }

  owners = ["099720109477"] # Canonical
}

variable "security_groups" {
  type    = "list"
  default = ["sg-<existing-sg?"]
}

resource "aws_security_group" "sg" {
  name   = "${local.project}-${terraform.workspace}-sg"
  vpc_id = "vpc-<existing_vpc>"
}

resource "aws_instance" "tfec2" {
  ami                    = "${data.aws_ami.ubuntu.id}"
  instance_type          = "t2.micro"
  vpc_security_group_ids = ["${local.chosen_sg}"]
  subnet_id              = "subnet-<existing_subnet>"

  tags = {
    Name = "${local.project}-ec2"
  }
}

output "security_group_id" {
  value = "${aws_security_group.sg.id}"
}

output "ec2_instance_id" {
  value = "${aws_instance.tfec2.id}"
}

output "ec2_instance_security_groups" {
  value = "${aws_instance.tfec2.security_groups}"
}

tf_plan.txt

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.aws_ami.ubuntu: Refreshing state...
aws_instance.tfec2: Refreshing state... (ID: i-0d5c25643263bc7f1)

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

~ aws_instance.tfec2
      vpc_security_group_ids.#: "" => <computed>

  + aws_security_group.sg
      id:                       <computed>
      arn:                      <computed>
      description:              "Managed by Terraform"
      egress.#:                 <computed>
      ingress.#:                <computed>
      name:                     "tfternarywtf-prod-sg"
      owner_id:                 <computed>
      revoke_rules_on_delete:   "false"
      vpc_id:                   "vpc-004625fb654b7e5bd"
Plan: 1 to add, 1 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.