Terraform-provider-aws: Using security_groups instead of the correct vpc_security_group_ids on an instance within VPC results in instance recreation on each apply

Created on 17 Aug 2017  ·  3 Comments  ·  Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.10.2

Affected Resource(s)

  • aws_instance
  • aws_security_group

Terraform Configuration Files

provider "aws" {
  profile                 = "[profile_name]"
  shared_credentials_file = "[path to].aws/credentials"
  region                  = "eu-west-1"
}

resource "aws_vpc" "example_vpc" {
  cidr_block = "10.1.0.0/16"
}

resource "aws_subnet" "example_subnet" {
  vpc_id                  = "${aws_vpc.example_vpc.id}"
  cidr_block              = "10.1.0.0/24"
  availability_zone       = "eu-west-1a"
  map_public_ip_on_launch = false
}

resource "aws_instance" "example_instance" {
  ami                         = "ami-33776655"
  associate_public_ip_address = false
  availability_zone           = "eu-west-1a"
  instance_type               = "t2.micro"
  security_groups             = ["${aws_security_group.example_1.id}"]
  subnet_id                   = "${aws_subnet.example_subnet.id}"
}

resource "aws_security_group" "example_1" {
  vpc_id = "${aws_vpc.example_vpc.id}"
  name   = "access-https"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Debug Output

This dumps a load of PII from the AWS Provider. If it is really needed I can provide a redacted version.

Panic Output

N/A

Expected Behavior

Error on the first apply for using security_groups with an aws_instance assigned to an aws_subnet within an aws_vpc.

OR

Carry on being kind and figure out that the intention was to attach the vpc_security_group_ids as done on first apply. Maybe output a warning that the wrong argument is being used.

Actual Behavior

On first terraform apply the VPC security groups are linked to the instance within the VPC subnet. Running terraform apply a second time (with no changes) results in the instance being recreated.

Steps to Reproduce

  1. terraform apply
  2. terraform apply

Important Factoids

N/A

References

Similar to this: https://github.com/hashicorp/terraform/issues/14416

Labels: bug, service/ec2
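A pre-apply lint for the misconfiguration in this report, added here as an example and not part of the issue or of the provider: it finds aws_instance blocks that set security_groups while also setting subnet_id (a VPC placement that requires vpc_security_group_ids), and it skips braces inside "${...}" interpolation strings so the block boundaries are found correctly. The sample configuration embedded below is constructed, modelled on the report's config.

```python
import re

# Constructed sample modelled on the report's config (not the reporter's file): one instance
# with the bug, one corrected, and one EC2-Classic style instance that has no subnet_id.
SAMPLE_TF = '''
resource "aws_instance" "example_instance" {
  security_groups = ["${aws_security_group.example_1.id}"]
  subnet_id       = "${aws_subnet.example_subnet.id}"
}
resource "aws_instance" "fixed_instance" {
  vpc_security_group_ids = ["${aws_security_group.example_1.id}"]
  subnet_id              = "${aws_subnet.example_subnet.id}"
}
resource "aws_instance" "classic_instance" {
  security_groups = ["default"]
}
'''
HEADER = re.compile(r'resource\s+"aws_instance"\s+"([^"]+)"\s*\{')

def _block_body(text, start):
    """Body of the brace block whose '{' is at text[start]; braces inside
    double-quoted strings (e.g. "${...}" interpolation) are ignored."""
    depth, in_str, i = 0, False, start
    while i < len(text):
        c = text[i]
        if in_str:
            if c == '\\':
                i += 1                      # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '{':
            depth += 1
        elif c == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
        i += 1
    raise ValueError("unbalanced braces in aws_instance block")

def _has_attr(body, name):
    # assignment at line start, so 'security_groups' cannot match 'vpc_security_group_ids'
    return re.search(r'^\s*' + name + r'\s*=', body, re.M) is not None

def find_misconfigured_instances(text):
    """aws_instance names that set security_groups on a VPC instance (one with subnet_id)."""
    return [m.group(1) for m in HEADER.finditer(text)            # m.end()-1 is the '{'
            if _has_attr(body := _block_body(text, m.end() - 1), 'security_groups')
            and _has_attr(body, 'subnet_id')]
```

Running it over the sample flags only example_instance; a terraform plan that shows the instance with "forces new resource" on an unchanged configuration is the runtime symptom the lint is meant to catch beforehand.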

Most helpful comment

Hi everyone! Sorry you have been having trouble with this aws_instance bug relating to vpc_security_group_ids. It turns out this has been reported and discussed in quite a few separate issues (#1445, #1799, #1993, #2034, #2036, #2319). In order to consolidate efforts, I am closing everything except #1993 which seems to have the most thorough information at the moment. I would suggest voting on and following that issue for future updates.

Due to the high volume of reports surrounding this, the maintainers will be looking into this sometime in the near future (including the already open PRs: #1911, #2338). There are some nuances around this configuration that make it harder than a quick fix and we certainly do not want to make the situation worse. We'll keep you updated.

As a friendly reminder: voting with 👍 reactions on the original issue/PR comment is the best way to get our attention.

All 3 comments

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
