Terraform v0.9.2
# A security group for the EB so it is accessible via the web
resource "aws_security_group" "ec2_security_group" {
  name   = "ec2_security_group"
  vpc_id = "${aws_vpc.app.id}"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["someip"]
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # outbound internet access
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "app_production" {
  instance_type               = "t2.micro"
  ami                         = "ami-f4cc1de2"
  subnet_id                   = "${aws_subnet.subnet_1.id}" // <-- made in other file
  key_name                    = "${var.application_info["key_pair"]}"
  security_groups             = ["${aws_security_group.ec2_security_group.id}"]
  associate_public_ip_address = true

  tags {
    Name = "Vukets Production Craft"
  }
}
Every time I run plan it says it will recreate my instance:
-/+ aws_instance.app_production
ami: "ami-f4cc1de2" => "ami-f4cc1de2"
associate_public_ip_address: "true" => "true"
availability_zone: "us-east-1a" => "<computed>"
ebs_block_device.#: "0" => "<computed>"
ephemeral_block_device.#: "0" => "<computed>"
instance_state: "running" => "<computed>"
instance_type: "t2.micro" => "t2.micro"
ipv6_addresses.#: "0" => "<computed>"
key_name: "vukets" => "vukets"
network_interface_id: "eni-75017497" => "<computed>"
placement_group: "" => "<computed>"
private_dns: "ip-172-32-3-86.ec2.internal" => "<computed>"
private_ip: "172.32.3.86" => "<computed>"
public_dns: "ec2-54-237-237-8.compute-1.amazonaws.com" => "<computed>"
public_ip: "54.237.237.8" => "<computed>"
root_block_device.#: "1" => "<computed>"
security_groups.#: "0" => "1" (forces new resource)
security_groups.3474039466: "" => "sg-0cc85b73" (forces new resource)
source_dest_check: "true" => "true"
subnet_id: "subnet-66a96c2e" => "subnet-66a96c2e"
tags.%: "1" => "1"
tags.Name: "Vukets Production Craft" => "Vukets Production Craft"
tenancy: "default" => "<computed>"
vpc_security_group_ids.#: "1" => "<computed>"
That the EC2 Instance doesn't re-create.
The ec2 instance is forcing a new resource on apply.
terraform apply
I have found similar issues:
https://github.com/hashicorp/terraform/issues/6569
https://github.com/hashicorp/terraform/issues/6416
It said that the bug was fixed in 0.7.1 of the tool, but I'm still experiencing the bug.
Hi @Spittal! Sorry for the weird diffs here.
As noted in the comment that closed #6416, this behavior is expected although admittedly counter-intuitive. Since you are using VPC security group ids (rather than EC2-Classic security group ids) it's necessary to specify them using the vpc_security_group_ids attribute rather than the security_groups attribute.
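A check for this class of plan diff, added here as an example; it is not part of this thread and not Terraform's own code. It parses the 0.11-style text that `terraform plan` prints (the format quoted in this issue), records every attribute marked `(forces new resource)`, and flags a replacement whose cause is `security_groups.*` being populated with `sg-` ids on an instance that has a `subnet_id`, which is the security_groups / vpc_security_group_ids mix-up described above. Any other forced replacement is reported with the attributes that cause it, so a pipeline can refuse to apply a plan that would destroy an instance. The sample plan text inside the block is constructed from the output in this thread; the function names and the `plan_is_safe` gate are assumptions of this example.

```python
import re
import sys
from dataclasses import dataclass

# Constructed sample: the 0.11-style plan text from this thread, trimmed to the
# lines the check cares about and indented the way `terraform plan` prints it.
SAMPLE_PLAN = """\
  -/+ module.network.aws_instance.pritunl (new resource required)
      id:                         "i-0ad0e54285045b829" => <computed> (forces new resource)
      ami:                        "ami-d8d5d7a2" => "ami-d8d5d7a2"
      security_groups.#:          "0" => "3" (forces new resource)
      security_groups.1752455685: "" => "sg-096ee59c2dc245e08" (forces new resource)
      security_groups.2509956110: "" => "sg-0f113ca2961041405" (forces new resource)
      subnet_id:                  "subnet-0f484a5a88e841afb" => "subnet-0f484a5a88e841afb"
      tags.Name:                  "pritunl" => "pritunl"
      vpc_security_group_ids.#:   "3" => <computed>

  ~ aws_security_group.allow-http
      description:                "old text" => "new text"

Plan: 1 to add, 1 to change, 1 to destroy.
"""

# Resource header: action symbol (-/+ replace, ~ update, + create, - destroy, <= read)
HEADER_RE = re.compile(r"^\s*(?P<action>-/\+|<=|[-+~])\s+(?P<addr>\S+)")
# Attribute line: name: "old" => "new" [(forces new resource)]; values may be <computed>
ATTR_RE = re.compile(
    r'^\s*(?P<attr>[^:\s]+):\s+"?(?P<old>[^"]*?)"?\s+=>\s+"?(?P<new>[^"]*?)"?'
    r"(?P<force>\s+\(forces new resource\))?\s*$"
)
SUMMARY_RE = re.compile(r"^Plan: (\d+) to add, (\d+) to change, (\d+) to destroy\.")


def parse_plan(text):
    """Split plan text into per-resource changes.

    Returns (resources, summary): resources is a list of dicts with keys
    action, address and attrs (attr name -> (old, new, forces_new)); summary is
    the (add, change, destroy) tuple from the trailing "Plan:" line, or None.
    """
    resources, current, summary = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = tuple(int(n) for n in m.groups())
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"action": m.group("action"), "address": m.group("addr"), "attrs": {}}
            resources.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m.group("attr")] = (m.group("old"), m.group("new"), bool(m.group("force")))
    return resources, summary


@dataclass
class Finding:
    address: str
    forcing: list   # attribute names that force the replacement (excluding id)
    reason: str


def audit_plan(text):
    """Return (findings, summary): one Finding per resource the plan would replace."""
    resources, summary = parse_plan(text)
    findings = []
    for res in resources:
        if res["action"] != "-/+":
            continue
        attrs = res["attrs"]
        forcing = [a for a, (_, _, f) in attrs.items() if f and a != "id"]
        # An instance with a VPC subnet must carry its groups in vpc_security_group_ids;
        # sg- ids landing in security_groups.* is the mix-up that forces the rebuild.
        in_vpc = attrs.get("subnet_id", ("", "", False))[1].startswith("subnet-")
        sg_ids = [attrs[a][1] for a in forcing
                  if a.startswith("security_groups.") and attrs[a][1].startswith("sg-")]
        if in_vpc and sg_ids:
            reason = ("security_groups is being set to VPC group ids %s on an instance in "
                      "a subnet; declare them in vpc_security_group_ids instead" % sg_ids)
        else:
            reason = "replacement forced by " + ", ".join(forcing)
        findings.append(Finding(res["address"], forcing, reason))
    return findings, summary


def plan_is_safe(text, max_destroy=0):
    """True when nothing is replaced and the destroy count stays within budget."""
    findings, summary = audit_plan(text)
    destroys = summary[2] if summary else 0
    return not findings and destroys <= max_destroy


if __name__ == "__main__":
    # Usage: terraform plan -no-color | python check_plan.py   (exit 1 blocks the apply)
    text = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit_plan(text)[0]:
        print("%s: %s" % (finding.address, finding.reason))
    sys.exit(0 if plan_is_safe(text) else 1)
```

Run on the sample it reports the pritunl instance with the vpc_security_group_ids advice and exits 1; a plan that only updates in place passes. The gate keys off the textual "(forces new resource)" marker, so it only applies to the 0.11-era output format shown in this issue.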
I use vpc_security_group_ids and on each run it shows the resource recreating...
I am able to reproduce the issue with vpc_security_group_ids with:
terraform version
Terraform v0.11.8
+ provider.aws v1.35.0
data "aws_subnet_ids" "subnets" {
  vpc_id = "${aws_vpc.main.id}"
}

resource "aws_instance" "pritunl" {
  ami           = "ami-d8d5d7a2"
  instance_type = "t2.small"
  subnet_id     = "${sort(data.aws_subnet_ids.subnets.ids)[0]}"
  key_name      = "${aws_key_pair.deploy.key_name}"

  vpc_security_group_ids = [
    "${aws_security_group.allow-http.id}",
    "${aws_security_group.allow-egress-all.id}",
    "${aws_security_group.allow-ssh-all.id}",
  ]

  # HCL booleans are lowercase; `False` is not a valid value
  source_dest_check = false

  credit_specification {
    cpu_credits = "unlimited"
  }

  root_block_device {
    volume_size = 20
  }

  tags {
    Name = "pritunl"
    Env  = "prod"
  }
}
Output:
-/+ module.network.aws_instance.pritunl (new resource required)
id: "i-0ad0e54285045b829" => <computed> (forces new resource)
ami: "ami-d8d5d7a2" => "ami-d8d5d7a2"
arn: "arn:aws:ec2:us-east-1:105698524794:instance/i-0ad0e54285045b829" => <computed>
associate_public_ip_address: "true" => <computed>
availability_zone: "us-east-1b" => <computed>
cpu_core_count: "1" => <computed>
cpu_threads_per_core: "1" => <computed>
credit_specification.#: "1" => "1"
credit_specification.0.cpu_credits: "unlimited" => "unlimited"
ebs_block_device.#: "0" => <computed>
ephemeral_block_device.#: "0" => <computed>
get_password_data: "false" => "false"
instance_state: "running" => <computed>
instance_type: "t2.small" => "t2.small"
ipv6_address_count: "" => <computed>
ipv6_addresses.#: "0" => <computed>
key_name: "deploy-key" => "deploy-key"
network_interface.#: "0" => <computed>
network_interface_id: "eni-059c93bd76798eb31" => <computed>
password_data: "" => <computed>
placement_group: "" => <computed>
primary_network_interface_id: "eni-059c93bd76798eb31" => <computed>
private_dns: "ip-10-0-2-52.ec2.internal" => <computed>
private_ip: "10.0.2.52" => <computed>
public_dns: "ec2-54-88-68-225.compute-1.amazonaws.com" => <computed>
public_ip: "54.88.68.225" => <computed>
root_block_device.#: "1" => "1"
root_block_device.0.delete_on_termination: "true" => "true"
root_block_device.0.volume_id: "vol-013e34972f4300f5a" => <computed>
root_block_device.0.volume_size: "20" => "20"
root_block_device.0.volume_type: "standard" => <computed>
security_groups.#: "0" => "3" (forces new resource)
security_groups.1752455685: "" => "sg-096ee59c2dc245e08" (forces new resource)
security_groups.2509956110: "" => "sg-0f113ca2961041405" (forces new resource)
security_groups.3199317841: "" => "sg-022abe54c2b80f489" (forces new resource)
source_dest_check: "true" => "true"
subnet_id: "subnet-0f484a5a88e841afb" => "subnet-0f484a5a88e841afb"
tags.%: "2" => "2"
tags.Env: "prod" => "prod"
tags.Name: "pritunl" => "pritunl"
tenancy: "default" => <computed>
volume_tags.%: "0" => <computed>
vpc_security_group_ids.#: "3" => <computed>
Interestingly, the same setup but with the interface moved out of the instance gives the same result:
data "aws_subnet_ids" "subnets" {
  vpc_id = "${aws_vpc.main.id}"
}

resource "aws_network_interface" "pritunl-interface" {
  subnet_id   = "${sort(data.aws_subnet_ids.subnets.ids)[0]}"
  private_ips = ["10.0.0.100"]

  tags {
    Name = "pritunl-primary-network-interface"
  }

  # aws_network_interface takes its groups via `security_groups`;
  # it has no `vpc_security_group_ids` argument
  security_groups = [
    "${aws_security_group.allow-http.id}",
    "${aws_security_group.allow-egress-all.id}",
    "${aws_security_group.allow-ssh-all.id}",
  ]

  # HCL booleans are lowercase; `False` is not a valid value
  source_dest_check = false
}

resource "aws_instance" "pritunl" {
  ami           = "ami-d8d5d7a2"
  instance_type = "t2.small"
  key_name      = "${aws_key_pair.deploy.key_name}"

  network_interface {
    network_interface_id = "${aws_network_interface.pritunl-interface.id}"
    device_index         = 0
  }

  credit_specification {
    cpu_credits = "unlimited"
  }

  root_block_device {
    volume_size = 20
  }

  tags {
    Name = "pritunl"
    Env  = "prod"
  }
}
-/+ module.network.aws_instance.pritunl (new resource required)
id: "i-0f780871ddf4609f5" => <computed> (forces new resource)
ami: "ami-d8d5d7a2" => "ami-d8d5d7a2"
arn: "arn:aws:ec2:us-east-1:123456789999:instance/i-0f780871ddf4609f5" => <computed>
associate_public_ip_address: "true" => <computed>
availability_zone: "us-east-1b" => <computed>
cpu_core_count: "1" => <computed>
cpu_threads_per_core: "1" => <computed>
credit_specification.#: "1" => "1"
credit_specification.0.cpu_credits: "unlimited" => "unlimited"
ebs_block_device.#: "0" => <computed>
ephemeral_block_device.#: "0" => <computed>
get_password_data: "false" => "false"
instance_state: "running" => <computed>
instance_type: "t2.small" => "t2.small"
ipv6_address_count: "" => <computed>
ipv6_addresses.#: "0" => <computed>
key_name: "deploy-key" => "deploy-key"
network_interface.#: "0" => <computed>
network_interface_id: "eni-094dd38e81d882927" => <computed>
password_data: "" => <computed>
placement_group: "" => <computed>
primary_network_interface_id: "eni-094dd38e81d882927" => <computed>
private_dns: "ip-10-0-2-152.ec2.internal" => <computed>
private_ip: "10.0.2.152" => <computed>
public_dns: "ec2-x-x-x-x.compute-1.amazonaws.com" => <computed>
public_ip: "x.x.x.x" => <computed>
root_block_device.#: "1" => "1"
root_block_device.0.delete_on_termination: "true" => "true"
root_block_device.0.volume_id: "vol-05c7947e5f7813a43" => <computed>
root_block_device.0.volume_size: "20" => "20"
root_block_device.0.volume_type: "standard" => <computed>
security_groups.#: "0" => "3" (forces new resource)
security_groups.1752455685: "" => "sg-096ee59c2dc245e08" (forces new resource)
security_groups.2509956110: "" => "sg-0f113ca2961041405" (forces new resource)
security_groups.3199317841: "" => "sg-022abe54c2b80f489" (forces new resource)
source_dest_check: "true" => "true"
subnet_id: "subnet-0f484a5a88e841afb" => "subnet-0f484a5a88e841afb"
tags.%: "2" => "2"
tags.Env: "prod" => "prod"
tags.Name: "pritunl" => "pritunl"
tenancy: "default" => <computed>
volume_tags.%: "0" => <computed>
vpc_security_group_ids.#: "3" => <computed>
Plan: 1 to add, 0 to change, 1 to destroy.
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.