terraform-provider-cloudfoundry

cloudfoundry_space_asgs resource not applying security groups

Open rahearn opened this issue 4 months ago • 0 comments

When I apply an ASG using the cloudfoundry_space_asgs resource, the security group appears to only half apply.

Code:

data "cloudfoundry_asg" "asgs" {
  for_each = var.asg_names
  name     = each.key
}

locals {
  asg_ids = [for asg in data.cloudfoundry_asg.asgs : asg.id]
}

resource "cloudfoundry_space_asgs" "running_security_groups" {
  space        = cloudfoundry_space.space.id
  running_asgs = local.asg_ids
}

After apply, cf space SPACE_NAME shows the appropriate running security groups:

running security groups: dns, public_networks_egress

But the actual traffic rules associated with the public_networks_egress security group are not applied to my apps running in that space, even after a restart.

Running cf bind-security-group public_networks_egress ORG_NAME --space SPACE_NAME results in no change to the output of cf space SPACE_NAME but does let my apps send traffic that should be allowed by that group.

Expected behavior:

  • security groups applied with cloudfoundry_space_asgs have an effect on the traffic allowed from my app, consistent with the behavior of cf bind-security-group
  • security groups that are not consistent with cf bind-security-group do not appear in the output of cf space SPACE_NAME

rahearn, Oct 11 '24 16:10