Terraform: Existing aws_instance security groups problem in 0.6.16

Created on 12 May 2016  ·  4 Comments  ·  Source: hashicorp/terraform

There seems to be an issue with security groups on

Terraform Version

0.6.16

Affected Resource(s)

  • aws_instance

Terraform Configuration Files

resource "aws_instance" "admin" {
  ami = "${lookup(var.admin_ami, var.aws_region)}"
  instance_type = "${var.admin_instance_type}"
  subnet_id = "${var.aws_subnet_public_primary_id}"
  security_groups = ["${var.aws_security_group_default_id}","${var.aws_security_group_web_id}"]
  iam_instance_profile = "instance-access-role"
  key_name = "${var.aws_key_pair_deployer_key_name}"
  source_dest_check = false
  lifecycle = {
    create_before_destroy = true
  }
}

Expected Behavior

Since my change was not to my aws_instance, I would expect the change to take place without modifying the instance. Please note the security group was also not changed.

Actual Behavior

Terraform thinks it needs to replace the instance.

    ami:                        "ami-79bb5414" => "ami-79bb5414"
    availability_zone:          "us-east-1a" => "<computed>"
    ebs_block_device.#:         "0" => "<computed>"
    ephemeral_block_device.#:   "0" => "<computed>"
    iam_instance_profile:       "instance-access-role" => "instance-access-role"
    instance_state:             "running" => "<computed>"
    instance_type:              "t2.small" => "t2.small"
    key_name:                   "deployer-key" => "deployer-key"
    placement_group:            "" => "<computed>"
    private_dns:                "ip-10-128-0-187.ec2.internal" => "<computed>"
    private_ip:                 "10.128.0.187" => "<computed>"
    public_dns:                 "[REDACTED]" => "<computed>"
    public_ip:                  "[REDACTED]" => "<computed>"
    root_block_device.#:        "1" => "<computed>"
    security_groups.#:          "0" => "2" (forces new resource)
    security_groups.4271967426: "" => "sg-30a68c54" (forces new resource)
    security_groups.802240480:  "" => "sg-31a68c55" (forces new resource)
    source_dest_check:          "false" => "false"
    subnet_id:                  "subnet-38593d61" => "subnet-38593d61"
    tags.#:                     "1" => "1"
    tags.Name:                  "Admin" => "Admin"
    tenancy:                    "default" => "<computed>"
    vpc_security_group_ids.#:   "2" => "<computed>"

Yet, here is the instance in my tfstate:

               "aws_instance.nhds-admin": {
                    "type": "aws_instance",
                    "primary": {
                        "id": "i-cd06c857",
                        "attributes": {
                            "ami": "ami-79bb5414",
                            "availability_zone": "us-east-1a",
                            "disable_api_termination": "false",
                            "ebs_block_device.#": "0",
                            "ebs_optimized": "false",
                            "ephemeral_block_device.#": "0",
                            "iam_instance_profile": "instance-access-role",
                            "id": "[REDACTED]",
                            "instance_state": "running",
                            "instance_type": "t2.small",
                            "key_name": "deployer-key",
                            "monitoring": "false",
                            "private_dns": "ip-10-128-0-187.ec2.internal",
                            "private_ip": "10.128.0.187",
                            "public_dns": "[REDACTED]",
                            "public_ip": "[REDACTED]",
                            "root_block_device.#": "1",
                            "root_block_device.0.delete_on_termination": "true",
                            "root_block_device.0.iops": "30",
                            "root_block_device.0.volume_size": "10",
                            "root_block_device.0.volume_type": "gp2",
                            "security_groups.#": "0",
                            "source_dest_check": "false",
                            "subnet_id": "subnet-38593d61",
                            "tags.#": "1",
                            "tags.Name": "Admin",
                            "tenancy": "default",
                            "vpc_security_group_ids.#": "2",
                            "vpc_security_group_ids.4271967426": "sg-30a68c54",
                            "vpc_security_group_ids.802240480": "sg-31a68c55"
                        },
                        "meta": {
                            "schema_version": "1"
                        }
                    }
                }

As you can see, the security groups are there and assigned. Note that I also just built this instance yesterday with Terraform 0.6.16, so this didn't just crop up due to an upgrade, though the same problem occurs on instances created with earlier versions of Terraform.

Steps to Reproduce

  1. terraform plan on a project with an existing EC2 instance assigned to security groups.

I am able to produce this on any existing Terraform project with an EC2 instance with security group assignments.

Labels: bug, provider/aws

All 4 comments

I believe I ran into the same issue. It occurs in 0.6.15 as well. Assuming this instance is in a non-default VPC, you now need to set vpc_security_group_ids instead of security_groups in your aws_instance resource definition.
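
The reporter's resource with the rename the comment above suggests, as an added example rather than configuration posted in this issue. The variable names are the ones from the report; it is assumed (their `_id` suffix suggests it) that they hold security group IDs of the form `sg-...`, which is what `vpc_security_group_ids` expects, whereas `security_groups` takes group names and only applies to EC2-Classic or default-VPC instances:

```hcl
# Added example, not from the issue: the reported aws_instance with
# security_groups replaced by vpc_security_group_ids, the attribute the
# tfstate on this page actually records for the two groups.
# Variable names are the reporter's; their values are assumed to be group IDs.
resource "aws_instance" "admin" {
  ami           = "${lookup(var.admin_ami, var.aws_region)}"
  instance_type = "${var.admin_instance_type}"
  subnet_id     = "${var.aws_subnet_public_primary_id}"

  # security_groups expects group names (EC2-Classic / default VPC).
  # An instance placed in a subnet must reference its groups by ID here,
  # otherwise the plan sees an empty security_groups list in state and
  # proposes a replacement every run.
  vpc_security_group_ids = [
    "${var.aws_security_group_default_id}",
    "${var.aws_security_group_web_id}"
  ]

  iam_instance_profile = "instance-access-role"
  key_name             = "${var.aws_key_pair_deployer_key_name}"
  source_dest_check    = false

  lifecycle {
    create_before_destroy = true
  }
}
```

Because the state shown above already carries `vpc_security_group_ids.#: "2"` with both group IDs, `terraform plan` after this edit should report no changes for the instance without touching the state file. Any remaining `(forces new resource)` line on an instance deserves a read before `terraform apply`: a replacement discards the running host, and the diff on this page shows the private and public addresses being recomputed along with it.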

We are seeing the same behavior, thanks @aflury for the recommendation, it is clear from the diff now that that's what Terraform is expecting.

Hey all – I'm going to close this and fold it into https://github.com/hashicorp/terraform/issues/6416 .. I'll post updates there

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
