diff --git a/builtin/providers/aws/resource_aws_security_group.go b/builtin/providers/aws/resource_aws_security_group.go
index 5e8242d3c0..bb3a8cfffc 100644
--- a/builtin/providers/aws/resource_aws_security_group.go
+++ b/builtin/providers/aws/resource_aws_security_group.go
@@ -3,6 +3,7 @@ package aws
 import (
 	"bytes"
 	"fmt"
+	"sort"
 	"log"
 	"time"
 
@@ -89,14 +90,30 @@ func resourceAwsSecurityGroupIngressHash(v interface{}) int {
 	buf.WriteString(fmt.Sprintf("%d-", m["to_port"].(int)))
 	buf.WriteString(fmt.Sprintf("%d-", m["protocol"].(string)))
 
+	// We need to make sure to sort the strings below so that we always
+	// generate the same hash code no matter what is in the set.
 	if v, ok := m["cidr_blocks"]; ok {
-		for _, raw := range v.([]interface{}) {
-			buf.WriteString(fmt.Sprintf("%s-", raw.(string)))
+		vs := v.([]interface{})
+		s := make([]string, len(vs))
+		for i, raw := range vs {
+			s[i] = raw.(string)
+		}
+		sort.Strings(s)
+
+		for _, v := range s {
+			buf.WriteString(fmt.Sprintf("%s-", v))
 		}
 	}
 	if v, ok := m["security_groups"]; ok {
-		for _, raw := range v.([]interface{}) {
-			buf.WriteString(fmt.Sprintf("%s-", raw.(string)))
+		vs := v.([]interface{})
+		s := make([]string, len(vs))
+		for i, raw := range vs {
+			s[i] = raw.(string)
+		}
+		sort.Strings(s)
+
+		for _, v := range s {
+			buf.WriteString(fmt.Sprintf("%s-", v))
 		}
 	}