There are a couple of somewhat unique behaviors of the aws_db_instance which might come into play here:
Changes to a DB instance can occur when you manually change a parameter, such as allocated_storage, and are reflected in the next maintenance window. Because of this, Terraform may report a difference in its planning phase because a modification has not yet taken place. You can use the apply_immediately flag to instruct the service to apply the change immediately (see documentation below).
So it would seem that changes to the sec group/parameter group might not be instantaneous depending on the configured "maintenance window".
Also, there's this:
security_group_names - (Optional/Deprecated) List of DB Security Groups to associate. Only used for DB Instances on the EC2-Classic Platform.
Can you confirm that:
- You are indeed using vpc_security_group_ids and not using security_group_names?
- You are not trying to deploy into EC2 Classic?
Additionally, are you destroying + re-creating the resource before each run or are you "mutating" a previously deployed resource? I've noticed that some parts of the AWS API do not allow changes to configured Security Groups without a destroy/re-create but the API does not warn of this behavior. :\
Some things to try:
- destroy existing resources
  - try plan + apply using apply_immediately
  - validate results
- with previously deployed resources
  - try plan + apply with apply_immediately
  - validate results
- with previously deployed resources
  - try plan + apply specifying a maintenance window in the very near future
  - after maintenance window, validate results
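For reference, here is an added example configuration (not from the original comment or the provider docs) showing the shape of an aws_db_instance that uses vpc_security_group_ids together with apply_immediately, so that a security-group change is pushed to RDS on the next apply rather than waiting for the maintenance window. The VPC id, subnet group, security-group rules and variable names are assumptions for illustration; the argument names are the provider's own.

```hcl
# Assumed: a VPC and a DB subnet group already exist; their ids are passed in.
variable "vpc_id"          { type = string }
variable "db_subnet_group" { type = string }
variable "app_sg_id"       { type = string } # SG of the application tier (assumed)
variable "db_password" {
  type      = string
  sensitive = true
}

# VPC security group for the database. Ingress is limited to the application
# tier's security group rather than a CIDR, so widening access requires an
# explicit change to this resource that shows up in the plan.
resource "aws_security_group" "db" {
  name        = "example-db-sg"
  description = "Postgres access from the application tier only"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [var.app_sg_id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_db_instance" "example" {
  identifier        = "example-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "dbadmin"
  password          = var.db_password

  db_subnet_group_name = var.db_subnet_group

  # Use the VPC security group list, not the deprecated EC2-Classic
  # security_group_names argument.
  vpc_security_group_ids = [aws_security_group.db.id]

  # Without this, RDS queues modifications (including SG changes) for the
  # maintenance window below, and Terraform keeps reporting a diff until then.
  apply_immediately  = true
  maintenance_window = "Sun:03:00-Sun:04:00"

  # Example-only settings; a production instance would keep a final snapshot.
  skip_final_snapshot = true
}
```

If you prefer to let changes land in the maintenance window instead, drop apply_immediately (or set it to false) and expect `terraform plan` to keep showing the pending modification until that window has passed, which is the behavior the quoted documentation describes.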