Terraform v0.10.7
provider "aws" {
  region  = "us-east-1"
  version = "~> 1.1"
}

variable "keypair" {}
variable "vpc_id" {}
variable "subnet_id" {}

data "aws_ami" "selected" {
  most_recent = true

  filter {
    name   = "owner-alias"
    values = ["amazon"]
  }
  filter {
    name   = "name"
    values = ["amzn-ami-hvm-2017.09.*"]
  }
  filter {
    name   = "architecture"
    values = ["x86_64"]
  }
  filter {
    name   = "root-device-type"
    values = ["ebs"]
  }
  filter {
    name   = "block-device-mapping.volume-type"
    values = ["gp2"]
  }
}

output "selected_aws_ami_id" {
  value = "${ data.aws_ami.selected.id }"
}

resource "aws_security_group" "repro" {
  name   = "TestIssue1993Repro"
  vpc_id = "${ var.vpc_id }"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["10.10.10.10/32"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "TestIssue1993Repro"
  }

  lifecycle {
    create_before_destroy = true
  }
}

output "repro_aws_security_group_id" {
  value = "${ aws_security_group.repro.id }"
}

resource "aws_instance" "repro" {
  subnet_id       = "${ var.subnet_id }"
  instance_type   = "t2.micro"
  ami             = "${ data.aws_ami.selected.id }"
  security_groups = ["${ aws_security_group.repro.id }"]
  key_name        = "${ var.keypair }"

  tags = {
    Name = "TestIssue1993Repro"
  }
}

output "repro_aws_instance_id" {
  value = "${ aws_instance.repro.id }"
}
https://gist.github.com/marklap/b814c8a91cd711e9d2c0d78d75fd7785
(Note: not debug output, but it should be enough to support the issue and enable a repro.)
N/A
Nothing has changed in the template, therefore terraform plan should return "No changes. Infrastructure is up-to-date."
Nothing has changed in the template, yet terraform plan plans to delete the instance and recreate it because it detects that the security groups have changed.
1. terraform apply
2. terraform plan

$ terraform providers
.
└── provider.aws ~> 1.1
The repro was done in a VPC that is not the region's default VPC.
It seems like when you create an aws_security_group with a vpc_id and then create an aws_instance with the security_groups param (instead of the vpc_security_group_ids param), the aws_instance finds the VPC security group and assigns it as expected. However, it's stored in the state file under vpc_security_group_ids, so on the next run only the security_groups key is looked up to determine whether a change needs to be made.
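The configuration change a practitioner would reach for, shown here as an added example rather than code from the original report: inside a non-default VPC, attach the group through vpc_security_group_ids instead of security_groups, which the AWS provider documents as intended for EC2-Classic and the default VPC. It assumes the same variables, data source and aws_security_group resource as the configuration above.

```hcl
# Added example: the aws_instance from the report, with the security group
# attached by VPC security group ID. The provider treats security_groups as
# a list of group *names* for EC2-Classic / default-VPC instances, while
# vpc_security_group_ids takes the group IDs an instance inside a VPC uses.
resource "aws_instance" "repro" {
  subnet_id     = "${var.subnet_id}"
  instance_type = "t2.micro"
  ami           = "${data.aws_ami.selected.id}"
  key_name      = "${var.keypair}"

  # Problematic form from the report (left here for comparison only):
  # security_groups = ["${aws_security_group.repro.id}"]

  # Corrected form: the group was created with vpc_id, so reference it by
  # ID through the VPC-specific attribute.
  vpc_security_group_ids = ["${aws_security_group.repro.id}"]

  tags = {
    Name = "TestIssue1993Repro"
  }
}
```

Run terraform plan after the change to confirm the instance is no longer scheduled for replacement before applying anything.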
I have the exact problem :(
(didn't see this report, so my report is a duplicate: https://github.com/terraform-providers/terraform-provider-aws/issues/2034)
Looks like I am running into this very same issue.
Looks like I've got exactly the same issue. Please investigate.
Same here. Terraform 0.11 and AWS Provider 1.3.1
Hi everyone! Sorry you have been having trouble with this aws_instance bug relating to vpc_security_group_ids. It turns out this has been reported and discussed in quite a few separate issues (#1445, #1799, #1993, #2034, #2036, #2319). In order to consolidate efforts, I am closing everything except #1993 which seems to have the most thorough information at the moment. I would suggest voting on and following that issue for future updates.
Due to the high volume of reports surrounding this, the maintainers will be looking into this sometime in the near future (including the already open PRs: #1911, #2338). There are some nuances around this configuration that make it harder than a quick fix and we certainly do not want to make the situation worse. We'll keep you updated.
As a friendly reminder: voting with 👍 reactions on the original issue/PR comment is the best way to get our attention.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!