TF version: 0.8.2
Resources affected: aws_elastic_beanstalk_environment
When an _aws_elastic_beanstalk_environment_ has the setting _aws:autoscaling:launchconfiguration:SecurityGroups_ set with multiple security groups, the security groups get reordered during a terraform plan, causing the resource to incorrectly be marked as changed.
resource "aws_elastic_beanstalk_environment" "prod" {
  name                = "prod"
  application         = "${aws_elastic_beanstalk_application.prod.name}"
  solution_stack_name = "64bit Amazon Linux 2016.03 v2.1.6 running Docker 1.11.2"

  setting {
    namespace = "aws:autoscaling:launchconfiguration"
    name      = "SecurityGroups"
    value     = "${aws_security_group.my_group1.id},${aws_security_group.my_group2.id},${aws_security_group.mygroup3.id}"
  }
}
From looking through issues it seems that the underlying AWS APIs sometimes reorder things. Possibly related to https://github.com/hashicorp/terraform/issues/6642
Can confirm we're getting the same problem. In our case it is subnet order:
"subnet-24736xxx,subnet-7bc0axxx,subnet-9e527xxx" => "subnet-9e527xxx,subnet-7bc0axxx,subnet-24736xxx"
Another reason for this happening:
We use a module for creating both web server and queue worker elastic beanstalk environments.
When not specifying the WorkerQueueURL for a web server, terraform still wants to send the setting.
setting.2148602440.name: "" => "WorkerQueueURL"
setting.2148602440.namespace: "" => "aws:elasticbeanstalk:sqsd"
setting.2148602440.resource: "" => ""
setting.2148602440.value: "" => ""
Same problem with the subnet order; pull request #5207 would make this kind of issue easier to troubleshoot.
Similar issues: #12222 #8950
Terraform version: 0.8.8
Same issue with several settings:
~ module.eb_environment.aws_elastic_beanstalk_environment.eb_environment
setting.#: "80" => "81"
setting.1314173431.name: "" => "LoadBalancerHTTPSPort"
setting.1314173431.namespace: "" => "aws:elb:loadbalancer"
setting.1314173431.value: "" => "443"
setting.1793913724.value: "subnet-xxx,subnet-yyy,subnet-zzz" => "subnet-yyy,subnet-xxx,subnet-zzz"
setting.1980484061.name: "" => "MonitoringInterval"
setting.1980484061.namespace: "" => "aws:autoscaling:launchconfiguration"
setting.1980484061.value: "" => "1"
setting.2577330927.name: "SecurityGroups" => ""
setting.2577330927.namespace: "aws:elb:loadbalancer" => ""
setting.2577330927.resource: "" => ""
setting.2577330927.value: "sg-aaa,sg-bbb" => ""
setting.2739602430.value: "subnet-xxx,subnet-yyy,subnet-zzz" => "subnet-yyy,subnet-zzz,subnet-xxx"
setting.2840067226.name: "" => "SecurityGroups"
setting.2840067226.namespace: "" => "aws:elb:loadbalancer"
setting.2840067226.value: "" => "sg-aaa, sg-bbb"
setting.2912896423.name: "LoadBalancerHTTPPort" => ""
setting.2912896423.namespace: "aws:elb:loadbalancer" => ""
setting.2912896423.resource: "" => ""
setting.2912896423.value: "OFF" => ""
setting.3438018982.name: "MonitoringInterval" => ""
setting.3438018982.namespace: "aws:autoscaling:launchconfiguration" => ""
setting.3438018982.resource: "" => ""
setting.3438018982.value: "5 minute" => ""
setting.3458818787.name: "" => "Notification"
setting.3458818787.namespace: "" => "aws:elasticbeanstalk:sns:topics"
setting.3458818787.value: "" => "email"
setting.3908556986.name: "" => "SSLCertificateId"
setting.3908556986.namespace: "" => "aws:elb:loadbalancer"
setting.3908556986.value: "" => "arn:aws:iam::xxx:server-certificate/blablabla"
setting.3961867433.name: "SSLCertificateId" => ""
setting.3961867433.namespace: "aws:elb:loadbalancer" => ""
setting.3961867433.resource: "" => ""
setting.3961867433.value: "" => ""
setting.731293825.name: "LoadBalancerHTTPSPort" => ""
setting.731293825.namespace: "aws:elb:loadbalancer" => ""
setting.731293825.resource: "" => ""
setting.731293825.value: "OFF" => ""
setting.784312882.name: "" => "LoadBalancerHTTPPort"
setting.784312882.namespace: "" => "aws:elb:loadbalancer"
setting.784312882.value: "" => "80"
Is there a way to ignore such "fake changes"? For instance, if I want to ignore all the changes to all the settings, I can do it like this:
lifecycle {
ignore_changes = ["setting"]
}
But how can I ignore a certain setting?
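Added example, not part of the thread and not Terraform's own code: a triage script for plan output like the one quoted above. It pairs each removed setting block with the added block of the same namespace and name and compares comma-separated values as sets, so a reordered or re-spaced SecurityGroups or subnet list is separated from a genuine change. The names `members` and `classify` and the verdict labels are assumptions; the sample lines are copied from the plan above.

```python
import re
from collections import defaultdict
# Constructed sample: lines copied from the plan output quoted in the thread.
SAMPLE_PLAN = """\
setting.1793913724.value: "subnet-xxx,subnet-yyy,subnet-zzz" => "subnet-yyy,subnet-xxx,subnet-zzz"
setting.2577330927.name: "SecurityGroups" => ""
setting.2577330927.namespace: "aws:elb:loadbalancer" => ""
setting.2577330927.value: "sg-aaa,sg-bbb" => ""
setting.2840067226.name: "" => "SecurityGroups"
setting.2840067226.namespace: "" => "aws:elb:loadbalancer"
setting.2840067226.value: "" => "sg-aaa, sg-bbb"
setting.2912896423.name: "LoadBalancerHTTPPort" => ""
setting.2912896423.namespace: "aws:elb:loadbalancer" => ""
setting.2912896423.value: "OFF" => ""
setting.784312882.name: "" => "LoadBalancerHTTPPort"
setting.784312882.namespace: "" => "aws:elb:loadbalancer"
setting.784312882.value: "" => "80"
"""

LINE = re.compile(r'^\s*setting\.(\d+)\.(\w+):\s*"([^"]*)"\s*=>\s*"([^"]*)"\s*$')

def members(value):
    """Comma-separated value as an order- and whitespace-insensitive list."""
    return sorted(p.strip() for p in value.split(",") if p.strip())

def classify(plan_text):
    """Map each changed setting to 'cosmetic', 'real', 'added' or 'removed'."""
    blocks = defaultdict(dict)
    for line in plan_text.splitlines():
        m = LINE.match(line)
        if m:
            blocks[m.group(1)][m.group(2)] = (m.group(3), m.group(4))
    old, new, verdict = {}, {}, {}
    for h, f in blocks.items():
        before, after = f.get("value", ("", ""))
        if "name" not in f:  # same hash on both sides: value changed in place
            verdict["setting." + h] = "cosmetic" if members(before) == members(after) else "real"
        elif f["name"][1] == "":  # block disappears under this hash
            old[f["namespace"][0] + "/" + f["name"][0]] = before
        else:  # block appears under a new hash
            new[f["namespace"][1] + "/" + f["name"][1]] = after
    for key in old.keys() | new.keys():
        if key in old and key in new:
            verdict[key] = "cosmetic" if members(old[key]) == members(new[key]) else "real"
        else:
            verdict[key] = "added" if key in new else "removed"
    return verdict

print(sorted(classify(SAMPLE_PLAN).items()))
```

Anything reported as `real`, `added` or `removed` for a SecurityGroups or listener setting still needs a human look before the plan is applied.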
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.