
Module tgw_gwlb: the launch template gets updated at every plan when enable_cloudwatch is false #15

@igordust

Description


As per the subject, I'm seeing that the launch template gets updated at every run.

This is my configuration:

Terraform version: 1.9.8
AWS Provider version: 5.20.1

```hcl
module "cloudguar-tgw-gwlb" {
  source  = "CheckPointSW/cloudguard-network-security/aws//modules/tgw_gwlb"
  version = "1.0.2"

  ...
  enable_cloudwatch = false
  ...
}
```

After the first successful apply, at every subsequent plan+apply, the launch template gets updated, here follows the plan output:

```text
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the
following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.cloudguar-tgw-gwlb.module.gwlb.module.autoscale_gwlb.aws_autoscaling_group.asg will be updated in-place
  ~ resource "aws_autoscaling_group" "asg" {
        id                               = "Check-Point-ASG-tf20250915074326591900000006"
        name                             = "Check-Point-ASG-tf20250915074326591900000006"
        # (31 unchanged attributes hidden)

      ~ launch_template {
            id      = "lt-xxxxxxxxxxxxxxxxx"
            name    = "Check-Point-ASG-tf20250915074326304700000004"
          ~ version = "2" -> (known after apply)
        }

        # (5 unchanged blocks hidden)
    }

  # module.cloudguar-tgw-gwlb.module.gwlb.module.autoscale_gwlb.aws_launch_template.asg_launch_template will be updated in-place
  ~ resource "aws_launch_template" "asg_launch_template" {
        id                                   = "lt-xxxxxxxxxxxxxxx"
      ~ latest_version                       = 2 -> (known after apply)
        name                                 = "Check-Point-ASG-tf20250915074326304700000004"
        tags                                 = {}
        # (17 unchanged attributes hidden)

      + iam_instance_profile {
            name = null
        }

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.
```

The culprit is how the iam_instance_profile is set in modules/autoscale_gwlb/main.tf:

```hcl
  iam_instance_profile {
    name = ( var.enable_cloudwatch ? aws_iam_instance_profile.instance_profile[0].name : "")
  }
```

Since the name is empty, the iam_instance_profile doesn't get set, and the AWS API returns "null" for it, while Terraform tries to create an object:

```hcl
  iam_instance_profile {
    name = ""
  }
```

To avoid this, you should change the definition as follows:

```hcl
  dynamic "iam_instance_profile" {
    for_each = var.enable_cloudwatch ? [1] : []
    content {
      name = aws_iam_instance_profile.instance_profile[0].name
    }
  }
}
```
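A CI-side check for the drift pattern described in this issue, written as an added example and not part of the module or the issue: it reads `terraform show -json tfplan` output and flags in-place updates that add a nested block whose every attribute is null (the empty-string-vs-null mismatch that re-plans forever). The plan JSON is a constructed, trimmed sample modelled on the plan quoted above; the address strings and the second resource are made up for contrast.

```python
import json

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check needs. Nested blocks appear as lists of objects in plan
# JSON; the first resource mirrors the launch template drift in this issue.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "module.gwlb.module.autoscale_gwlb.aws_launch_template.asg_launch_template",
            "type": "aws_launch_template",
            "change": {
                "actions": ["update"],
                "before": {"name": "Check-Point-ASG-tf20250915074326304700000004",
                           "iam_instance_profile": []},
                "after": {"name": "Check-Point-ASG-tf20250915074326304700000004",
                          "iam_instance_profile": [{"name": None, "arn": None}]},
            },
        },
        {   # a genuine change, which the check must not flag
            "address": "aws_security_group.sg",
            "type": "aws_security_group",
            "change": {"actions": ["update"],
                       "before": {"description": "old"},
                       "after": {"description": "new"}},
        },
    ],
})


def _is_empty_block(value):
    """True for a nested block with exactly one instance whose attributes are all null."""
    return (isinstance(value, list) and len(value) == 1
            and isinstance(value[0], dict) and len(value[0]) > 0
            and all(v is None for v in value[0].values()))


def find_empty_block_drift(plan_json):
    """Return (address, block_name) pairs for in-place updates that add a
    nested block with every attribute null where the state had no block."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] != ["update"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        for key, new_value in after.items():
            if before.get(key) in ([], None) and _is_empty_block(new_value):
                findings.append((rc["address"], key))
    return findings


if __name__ == "__main__":
    for address, block in find_empty_block_drift(SAMPLE_PLAN):
        print(f"{address}: block '{block}' is added with only null attributes (likely perpetual diff)")
```

Run it against a real plan with `terraform show -json tfplan` piped into `find_empty_block_drift`; a non-empty result points at a block that should be made conditional with `dynamic`, as in the fix above.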
