Terraform: aws_instance security_groups forces new resource

Created on 18 Apr 2017 · 3 Comments · Source: hashicorp/terraform

Terraform Version

./terraform -v
Terraform v0.9.3

Also confirmed with Terraform v0.9.2

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_instance

Terraform Configuration Files

provider "aws" {
  region = "ca-central-1"
}
resource "aws_vpc" "vpc" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "test_subnet" {
  vpc_id = "${aws_vpc.vpc.id}"
  cidr_block = "10.0.1.0/24"
  availability_zone = "ca-central-1b"
}

resource "aws_security_group" "ssh_from_office" {
  name = "ssh_from_office"
  description = "Allow ssh from office"
  vpc_id = "${aws_vpc.vpc.id}"

  ingress {
    from_port = 22
    to_port = 22
    protocol = "tcp"
    cidr_blocks = ["127.0.0.1/32"] 
  }

  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_security_group" "http_https_from_office" {
  name = "http_https_from_office-"
  description = "Allow http and https from office"
  vpc_id = "${aws_vpc.vpc.id}"

  ingress {
    from_port = 80
    to_port = 80
    protocol = "tcp"
    cidr_blocks = ["127.0.0.1/32"]
  }
  ingress {
    from_port = 443
    to_port = 443
    protocol = "tcp"
    cidr_blocks = ["127.0.0.1/32"]
  }

  egress {
    from_port = 0
    to_port = 0
    protocol = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "test" {
  security_groups = ["${aws_security_group.ssh_from_office.id}", "${aws_security_group.http_https_from_office.id}"]
  instance_type = "t2.micro"
  ami = "ami-b3d965d7"
  subnet_id = "${aws_subnet.test_subnet.id}"
}

Expected Behavior

Terraform code that does not change should not force new resources.

Actual Behavior

Terraform thinks that the security groups have changed and will destroy the existing instance and create a new one.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan
  2. terraform apply
  3. terraform plan
  4. terraform apply

Important Factoids

If security_groups is omitted from aws_instance, the issue described does not occur.

All 3 comments

This was my fault, I did not read the documentation for security_groups which clearly states
"If you are creating Instances in a VPC, use vpc_security_group_ids instead."

After using vpc_security_group_ids, resource no longer destroys and re-creates itself on each plan.

Using vpc_security_group_ids instead of security_groups when creating the EC2 instance solved the problem.
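The fix the comments describe, written out as an added example (this is not the issue author's configuration or code from the Terraform project): the original `security_groups` form from the issue beside the `vpc_security_group_ids` form, plus a `prevent_destroy` lifecycle guard that is an assumed addition, not part of the issue, so that any remaining forced replacement fails at plan time instead of silently recreating the instance.

```hcl
# Added example based on the aws_instance resource from this issue.
# Before: security_groups is the EC2-Classic argument (security group names).
# On an instance in a VPC Terraform sees a diff on every plan and schedules
# a destroy/create of the instance, as reported above.
#
# resource "aws_instance" "test" {
#   security_groups = ["${aws_security_group.ssh_from_office.id}",
#                      "${aws_security_group.http_https_from_office.id}"]
#   instance_type   = "t2.micro"
#   ami             = "ami-b3d965d7"
#   subnet_id       = "${aws_subnet.test_subnet.id}"
# }

# After: for an instance in a VPC, attach security groups by id with
# vpc_security_group_ids, as the aws_instance documentation states.
resource "aws_instance" "test" {
  ami           = "ami-b3d965d7"
  instance_type = "t2.micro"
  subnet_id     = "${aws_subnet.test_subnet.id}"

  vpc_security_group_ids = [
    "${aws_security_group.ssh_from_office.id}",
    "${aws_security_group.http_https_from_office.id}",
  ]

  # Assumed addition, not part of the issue: a plan that would destroy this
  # instance (including a destroy/create replacement) now fails with an error
  # instead of being applied, so a perpetual diff like the one above cannot
  # quietly discard the root volume and rotate the instance's addresses.
  lifecycle {
    prevent_destroy = true
  }
}
```

With the guard in place, a second `terraform plan` after `apply` should report no changes; if it errors because of `prevent_destroy`, the configuration still carries an argument that forces replacement and should be fixed before applying.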

I'm going to lock this issue because it has been closed for _30 days_. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
