Terraform-provider-aws: instances always need vpc_security_group_ids updated

Created on 3 Oct 2017  ·  9 Comments  ·  Source: hashicorp/terraform-provider-aws

Terraform Version

Terraform v0.10.6
AWS plugin: aws_v1.0.0_x4

Affected Resource(s)

  • aws_instance.vpc_security_group_ids

Terraform Configuration Files

resource "aws_security_group" "portal_apptier_dev" {
  name        = "portal_apptier_dev"
  description = "Portal app security group"
  vpc_id      = "${data.aws_vpc.target.id}"
}

resource "aws_instance" "portal_dev1" {

  ami = "${data.aws_ami.ubuntu_20170811.id}"
  instance_type = "t2.micro"

  count = 1

  vpc_security_group_ids = ["${aws_security_group.portal_apptier_dev.id}"]

  iam_instance_profile = "${aws_iam_instance_profile.portal_dev1_instance_profile.name}"
  associate_public_ip_address = true
  key_name = "rich"

  root_block_device {
    volume_type = "gp2"
    volume_size = "32"
  }

  tags {
    Name = "portal${count.index + 1}.dev1"
  }
}

Debug Output

https://gist.github.com/clippermadness/7993969b9b8bdda2883f89fdf9c9456a

Steps to Reproduce

  1. terraform plan - shows vpc_security_group_ids to update
  2. terraform apply - changes the vpc_security_group_ids
  3. terraform plan - still shows vpc_security_group_ids need to be updated

All 9 comments

Upgraded TF from 0.9.11 to 0.10.7.
Getting the same for every instance:

  ~ aws_instance.XXX
      vpc_security_group_ids.#:          "0" => "1"
      vpc_security_group_ids.852560208:  "" => "sg-YYY"

Always shown as to be updated.
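
An added example, not part of the original thread or of the provider's code: one way to confirm the plan / apply / plan symptom from the reproduction steps is to compare the plan taken before the apply with the plan taken after it and list the attribute changes that appear in both. The parser assumes the Terraform 0.10-style plan text quoted in the comment above; the sample plans, including the tags.Name line, are constructed for illustration.

```python
import re

# Resource header in a Terraform 0.10-style plan, e.g. "  ~ aws_instance.XXX"
RESOURCE_RE = re.compile(r'^\s*(?:-/\+|[~+-])\s+(\S+)')
# Attribute change, e.g. '      vpc_security_group_ids.#:   "0" => "1"'
ATTR_RE = re.compile(r'^\s+(\S+):\s+"(.*)" => "(.*)"')

# Constructed sample: plan output captured before the apply.
PLAN_BEFORE = '''
  ~ aws_instance.XXX
      tags.Name:                         "old" => "new"
      vpc_security_group_ids.#:          "0" => "1"
      vpc_security_group_ids.852560208:  "" => "sg-YYY"
'''

# Constructed sample: plan output captured after the apply.
PLAN_AFTER = '''
  ~ aws_instance.XXX
      vpc_security_group_ids.#:          "0" => "1"
      vpc_security_group_ids.852560208:  "" => "sg-YYY"
'''


def parse_plan(text):
    """Return the set of (resource, attribute, old, new) changes in a plan."""
    changes, resource = set(), None
    for line in text.splitlines():
        header = RESOURCE_RE.match(line)
        if header:
            resource = header.group(1)
            continue
        attr = ATTR_RE.match(line)
        if attr and resource:
            changes.add((resource, attr.group(1), attr.group(2), attr.group(3)))
    return changes


def non_converging(plan_before_apply, plan_after_apply):
    """Changes still proposed, with identical values, after an apply has run."""
    return sorted(parse_plan(plan_before_apply) & parse_plan(plan_after_apply))


if __name__ == "__main__":
    for resource, attribute, old, new in non_converging(PLAN_BEFORE, PLAN_AFTER):
        print(f'{resource}: {attribute} still planned "{old}" => "{new}"')
```

A change that converges, such as the tags.Name line in the sample, disappears from the second plan and is not reported.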

I still have the issue after upgrading to Terraform 0.10.7.

Ran into the same issue today with Terraform v0.10.7.

Same issue here.

Same issue here. #1911 definitely fixes it! Hope it gets merged soon.

Same issue exists in v0.11.1.

Hi everyone! Sorry you have been having trouble with this aws_instance bug relating to vpc_security_group_ids. It turns out this has been reported and discussed in quite a few separate issues (#1445, #1799, #1993, #2034, #2036, #2319). In order to consolidate efforts, I am closing everything except #1993 which seems to have the most thorough information at the moment. I would suggest voting on and following that issue for future updates.

Due to the high volume of reports surrounding this, the maintainers will be looking into this sometime in the near future (including the already open PRs: #1911, #2338). There are some nuances around this configuration that make it harder than a quick fix and we certainly do not want to make the situation worse. We'll keep you updated.

As a friendly reminder: voting with 👍 reactions on the original issue/PR comment is the best way to get our attention.

This has been released in terraform-provider-aws version 1.9.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
