Terraform: security_groups forces new resource in non default VPC in aws_instance
In the terraform.tfstate file it looks like security_groups.#: is set to 0 and vpc_security_group_ids.# is set to 1. Here is the relevant snippet:
"aws_instance.pritunl": {
"type": "aws_instance",
"depends_on": [
"aws_iam_instance_profile.pritunl_profile",
"aws_key_pair.infra",
"aws_security_group.pritunl",
"aws_subnet.public_us-west-2a"
],
"primary": {
"id": "i-e611f320",
"attributes": {
"ami": "ami-f0091d91",
"associate_public_ip_address": "true",
"availability_zone": "us-west-2a",
"disable_api_termination": "false",
"ebs_block_device.#": "0",
"ebs_optimized": "false",
"ephemeral_block_device.#": "0",
"iam_instance_profile": "pritunl_profile",
"id": "i-e611f320",
"instance_state": "running",
"instance_type": "m3.medium",
"key_name": "infra",
"monitoring": "false",
"private_dns": "ip-10-62-240-144.us-west-2.compute.internal",
"private_ip": "10.62.240.144",
"public_dns": "",
"public_ip": "52.39.6.119",
"root_block_device.#": "1",
"root_block_device.0.delete_on_termination": "true",
"root_block_device.0.iops": "0",
"root_block_device.0.volume_size": "40",
"root_block_device.0.volume_type": "standard",
"security_groups.#": "0",
"source_dest_check": "true",
"subnet_id": "subnet-7ac53e1e",
"tags.#": "3",
"tags.Name": "pritunl",
"tags.team": "opsauto",
"tags.tf_stack": "vpc",
"tenancy": "default",
"user_data": "dc329b0e9a5e2da2e4960547d9fe9199ed46e8a6",
"vpc_security_group_ids.#": "1",
"vpc_security_group_ids.4023412840": "sg-e47bf983"
},
"meta": {
"schema_version": "1"
}
}
},
For some reason when I run "terraform plan" I get this output:
-/+ aws_instance.pritunl
ami: "ami-f0091d91" => "ami-f0091d91"
associate_public_ip_address: "true" => "1"
availability_zone: "us-west-2a" => "<computed>"
ebs_block_device.#: "0" => "<computed>"
ephemeral_block_device.#: "0" => "<computed>"
iam_instance_profile: "pritunl_profile" => "pritunl_profile"
instance_state: "running" => "<computed>"
instance_type: "m3.medium" => "m3.medium"
key_name: "infra" => "infra"
placement_group: "" => "<computed>"
private_dns: "ip-10-62-240-144.us-west-2.compute.internal" => "<computed>"
private_ip: "10.62.240.144" => "<computed>"
public_dns: "" => "<computed>"
public_ip: "52.39.6.119" => "<computed>"
root_block_device.#: "1" => "1"
root_block_device.0.delete_on_termination: "true" => "1"
root_block_device.0.iops: "0" => "<computed>"
root_block_device.0.volume_size: "40" => "40"
root_block_device.0.volume_type: "standard" => "<computed>"
security_groups.#: "0" => "1" (forces new resource)
security_groups.4023412840: "" => "sg-e47bf983" (forces new resource)
source_dest_check: "true" => "1"
subnet_id: "subnet-7ac53e1e" => "subnet-7ac53e1e"
tags.#: "3" => "3"
tags.Name: "pritunl" => "pritunl"
tags.team: "opsauto" => "opsauto"
tags.tf_stack: "vpc" => "vpc"
tenancy: "default" => "<computed>"
user_data: "dc329b0e9a5e2da2e4960547d9fe9199ed46e8a6" => "dc329b0e9a5e2da2e4960547d9fe9199ed46e8a6"
vpc_security_group_ids.#: "1" => "<computed>"
Why is terraform now setting security_groups when it wasn't before? I am not using a default VPC so, according to the documentation, it should be just using vpc_security_group_ids. Now it's trying to set both security_groups and vpc_security_group_ids and wanting to force a new ec2 instance.
Terraform Version
Terraform v0.6.15
Affected Resource(s)
- aws_instance
mschurenko
All 5 comments
I can confirm this, this has happened ever since v0.6.15. Planning to investigate over the next few days... need to diff the changes to see whats happened.
richardbowden
on 10 May 2016
Hi folks. Sorry for the frustration with this... it's been a pretty common report since 0.6.15 went out.
The quick workaround is to change from using security_groups to vpc_security_group_ids in your configuration, after which Terraform will stop seeing this as a diff.
The cause of this problem is that when reading back the state from AWS Terraform is noticing that it got a VPC security group id and updating the local state to include it in vpc_security_group_ids instead of security_groups. We'll need to find a more robust way of handling this in the long run.
apparentlymart
on 10 May 2016
This issue was reported a few times, so I'm going to close this one to consolidate the discussion in #6416.
apparentlymart
on 10 May 2016
i can confirm this is the same behaviour in Terraform v0.6.16 as well
-/+ aws_instance.dev_1
ami: "ami-2b3b6041" => "ami-2b3b6041"
availability_zone: "us-east-1a" => "us-east-1a"
ebs_block_device.#: "1" => "<computed>"
ephemeral_block_device.#: "0" => "<computed>"
iam_instance_profile: "fvpc_ecs_instance_profile" => "fvpc_ecs_instance_profile"
instance_state: "running" => "<computed>"
instance_type: "t2.nano" => "t2.nano"
key_name: "HAKey" => "HAKey"
placement_group: "" => "<computed>"
private_dns: "ip-10-85-242-62.ec2.internal" => "<computed>"
private_ip: "10.85.242.62" => "<computed>"
public_dns: "" => "<computed>"
public_ip: "" => "<computed>"
root_block_device.#: "1" => "<computed>"
security_groups.#: "0" => "1" (forces new resource)
security_groups.3659208492: "" => "sg-201ad25b" (forces new resource)
source_dest_check: "true" => "true"
subnet_id: "subnet-60aaf116" => "subnet-60aaf116"
tags.#: "2" => "2"
tags.Environment: "POC" => "POC"
tags.Name: "dev-private-inst-1" => "dev-private-inst-1"
tenancy: "default" => "<computed>"
user_data: "718f12215ba92fc07a59711549ad0f3486a77e85" => "718f12215ba92fc07a59711549ad0f3486a77e85"
vpc_security_group_ids.#: "1" => "<computed>"
-/+ aws_instance.dev_2
ami: "ami-2b3b6041" => "ami-2b3b6041"
availability_zone: "us-east-1d" => "us-east-1d"
ebs_block_device.#: "1" => "<computed>"
ephemeral_block_device.#: "0" => "<computed>"
iam_instance_profile: "fvpc_ecs_instance_profile" => "fvpc_ecs_instance_profile"
instance_state: "running" => "<computed>"
instance_type: "t2.nano" => "t2.nano"
key_name: "HAKey" => "HAKey"
placement_group: "" => "<computed>"
private_dns: "ip-10-85-243-98.ec2.internal" => "<computed>"
private_ip: "10.85.243.98" => "<computed>"
public_dns: "" => "<computed>"
public_ip: "" => "<computed>"
root_block_device.#: "1" => "<computed>"
security_groups.#: "0" => "1" (forces new resource)
security_groups.3659208492: "" => "sg-201ad25b" (forces new resource)
source_dest_check: "true" => "true"
subnet_id: "subnet-68462e42" => "subnet-68462e42"
tags.#: "2" => "2"
tags.Environment: "POC" => "POC"
tags.Name: "dev-private-inst-2" => "dev-private-inst-2"
tenancy: "default" => "<computed>"
user_data: "718f12215ba92fc07a59711549ad0f3486a77e85" => "718f12215ba92fc07a59711549ad0f3486a77e85"
serkanh
on 13 May 2016
I'm going to lock this issue because it has been closed for _30 days_ โณ. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
![hashibot[bot] picture](https://avatars2.githubusercontent.com/in/8332?v=4&s=40)
hashibot[bot]
on 25 Apr 2020
Related issues
shanmugakarna
ยท
3Comments
darron
ยท
3Comments
rjinski
ยท
3Comments
Seraf
ยท
3Comments
zeninfinity
ยท
3Comments
Most helpful comment
Hi folks. Sorry for the frustration with this... it's been a pretty common report since 0.6.15 went out.
The quick workaround is to change from using
security_groupstovpc_security_group_idsin your configuration, after which Terraform will stop seeing this as a diff.The cause of this problem is that when reading back the state from AWS Terraform is noticing that it got a VPC security group id and updating the local state to include it in
vpc_security_group_idsinstead ofsecurity_groups. We'll need to find a more robust way of handling this in the long run.