Terraform doesn't handle basic dependencies #10654

Open
ghost opened this issue Oct 28, 2019 · 6 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.


ghost commented Oct 28, 2019

This issue was originally opened by @fabricetriboix as hashicorp/terraform#23203. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Terraform v0.12.12

Terraform Configuration Files

Before:

provider "aws" {
  region = "us-east-1"
}

resource "aws_security_group" "test" {
  name_prefix = "test-"

  ingress {
    protocol = "tcp"
    from_port = 22
    to_port = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "test" {
  ami = "ami-0b69ea66ff7391e80"
  instance_type = "t2.micro"
  vpc_security_group_ids = [aws_security_group.test.id]
}

After:

provider "aws" {
  region = "us-east-1"
}

resource "aws_security_group" "test" {
#  name_prefix = "test-"
  name = "test"

  ingress {
    protocol = "tcp"
    from_port = 22
    to_port = 22
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "test" {
  ami = "ami-0b69ea66ff7391e80"
  instance_type = "t2.micro"
  vpc_security_group_ids = [aws_security_group.test.id]
}

Debug Output

aws_security_group.test: Destroying... [id=sg-09873ef7aeaddb8ef]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 10s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 20s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 30s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 40s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 50s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 1m0s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 1m10s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 1m20s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 1m30s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 1m40s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 1m50s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 2m0s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 2m10s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 2m20s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 2m30s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 2m40s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 2m50s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 3m0s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 3m10s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 3m20s elapsed]
aws_security_group.test: Still destroying... [id=sg-09873ef7aeaddb8ef, 3m30s elapsed]

Crash Output

Expected Behavior

Terraform needs to replace the security group, no problem here. What Terraform should do is to detect that this security group is used by the EC2 instance and thus do something to break that dependency before trying to delete the security group, e.g. detach the security group from the instance.

Actual Behavior

Terraform blindly tries to delete the security group, which can't possibly succeed because it is used by the EC2 instance.

Steps to Reproduce

Save the "before" configuration to toy.tf file.

terraform init
terraform apply
vim toy.tf  # Delete the `name_prefix` line and add a `name=` line
terraform apply

Additional Context

References

@ghost ghost added the service/ec2 Issues and PRs that pertain to the ec2 service. label Oct 28, 2019
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Oct 28, 2019
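
A configuration-level way to get the ordering the issue above asks for, as an added example that is not part of the original thread or the provider's code: with the `create_before_destroy` lifecycle setting, Terraform creates the replacement security group and updates the instance to reference it before destroying the old group, so the delete is no longer blocked by the attachment. It assumes the new group's name does not collide with the old one's, which holds for this change because the old name was generated from `name_prefix`.

```hcl
# Added example: the issue's "After" configuration plus a lifecycle block.
provider "aws" {
  region = "us-east-1"
}

resource "aws_security_group" "test" {
  name = "test"

  ingress {
    protocol  = "tcp"
    from_port = 22
    to_port   = 22
    # Kept from the issue; SSH open to the world is only acceptable in a
    # throwaway test environment.
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    # Replacement order becomes:
    #   1. create the new security group
    #   2. update aws_instance.test in place to reference the new group ID
    #   3. destroy the old group, which no longer has anything attached
    create_before_destroy = true
  }
}

resource "aws_instance" "test" {
  ami                    = "ami-0b69ea66ff7391e80"
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.test.id]
}
```

With a fixed `name`, any later change that forces another replacement will fail at the create step, because the old and new groups exist at the same time and would share a name; `name_prefix` avoids that collision.
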
@fabricetriboix

Anyone?


eriksw commented Dec 30, 2019

This is #2445. Years old with no sign of any intent to fix. :(

@fabricetriboix

Thanks for your comment @eriksw. Really a shame the Terraform guys won't do anything about it...

@justinretzolk
Member

Hey @fabricetriboix 👋 Thank you for taking the time to file this issue! Given that there's been a number of Terraform and AWS provider releases since you initially filed it, can you confirm whether you're still experiencing this behavior?

@justinretzolk justinretzolk added waiting-response Maintainers are waiting on response from community or contributor. and removed needs-triage Waiting for first response or review from a maintainer. labels Dec 9, 2021

fabricetriboix commented Dec 9, 2021

@justinretzolk I just tried again and I have exactly the same problem. Here are the versions for Terraform and the AWS provider:

$ terraform version
Terraform v1.1.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.68.0

@github-actions github-actions bot removed the waiting-response Maintainers are waiting on response from community or contributor. label Dec 9, 2021
@justinretzolk justinretzolk added the bug Addresses a defect in current functionality. label Dec 16, 2021

laygir commented Apr 26, 2023

I have been hearing from people that Terraform is the way to go rather than CloudFormation.
So I decided to give it a try and I ended up in similar GitHub issues for the last few days where Terraform also gets stuck just as bad as CloudFormation. I am really unable to see the point of Terraform in my own situation. Perhaps I shouldn't have invested the time and should have stuck with my CloudFormation.. Naively I thought Terraform is actually able to resolve those dependencies and manage to detach/delete necessary resources in a sane order to replace them.. Apparently not..

Seeing how old the original issue is (2019) and where we are today (2023) I am guessing things will not magically turn around. I think I'll be going back to my CloudFormation setup 👋
