New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

EC2 instance is detroyed and created on every apply #15679

Closed
bryanheo opened this Issue Aug 1, 2017 · 4 comments

Comments

Projects
None yet
2 participants
@bryanheo

bryanheo commented Aug 1, 2017

PROVIDER ISSUES

EC2 instance is detroyed and created on every apply. Please see the source below
As suggested on #7221, I am using vpc_security_group_ids rather than security_groups but it still destroy and create the EC2 instance on every apply


resource "aws_security_group" "bastion" {
  name        = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bastion-001"
  vpc_id      = "${var.vpc_id}"
  description = "Baston Host Security Group"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["91.208.239.0/24"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }

  tags {
    Name = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bastion-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "SecurityGroup"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }
}

resource "aws_security_group" "bomgar" {
  name        = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bomgar-001"
  vpc_id      = "${var.vpc_id}"
  description = "Bomgar Jump Server Security Group"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] 
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"] 
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }

  tags {
    Name = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bomgar-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "SecurityGroup"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }
}

resource "aws_security_group" "app" {
  name        = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-app-001"
  vpc_id      = "${var.vpc_id}"
  description = "Stibo Application Server Security Group"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    security_groups = ["${aws_security_group.alb.id}"]
  }

  ingress {
    from_port   = 1521
    to_port     = 1521
    protocol    = "tcp"
    security_groups = ["${aws_security_group.bastion.id}", "${aws_security_group.bomgar.id}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }


  tags {
    Name = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-app-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "SecurityGroup"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }

}

resource "aws_instance" "bastion" {
  ami                    = "ami-1e5d4378" 
  source_dest_check      = false
  instance_type          = "m4.large" 
  subnet_id              = "${var.instance_bastion_subnet}" 
  key_name               = "${var.key_name}"
  vpc_security_group_ids = ["${aws_security_group.bomgar.id}"]
  monitoring             = true


  root_block_device {
    iops = "150"
    volume_type = "gp2"
    volume_size = "100"
    delete_on_termination = "true"

  }


  ebs_block_device {
    device_name = "/dev/sdb"
    volume_type = "gp2"
    volume_size = "100"
    delete_on_termination = "true"
  }

  tags {
    Name = "ec2-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bastion-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "EC2"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }

}

resource "aws_instance" "app" {
  ami                    = "ami-f1978897" 
  source_dest_check      = false
  instance_type          = "m4.xlarge" 
  subnet_id              = "${var.instance_application_subnet}" 
  key_name               = "${var.key_name}"
  vpc_security_group_ids = ["${aws_security_group.app.id}"]
  monitoring             = true



  root_block_device {
    iops = "150"
    volume_type = "gp2"
    volume_size = "50"
    delete_on_termination = "true"
  }



  ebs_block_device {
    device_name = "/dev/sdb"
    volume_type = "gp2"
    volume_size = "100"
    delete_on_termination = "true"
  }

  tags {
    Name = "ec2-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-app-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "EC2"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }
}

PLEASE NOTE: Terraform has split out the builtin Providers into their own repositories. For any Provider issues, please open all issues and pull requests in the corresponding repository. An index of supported Providers can be found here:

All other issues (that appear to affect multiple or all providers) may be an issue with Terraform's core, and should be opened here.


Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.
$ terraform -v
Terraform v0.9.11

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

Debug Output

Please provider a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

What should have happened?
EC3 dose not need to be destroyed and created on every apply

Actual Behavior

What actually happened?
EC2 instance detroyed and created on every apply

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

Important Factoids

Are there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

@jbardin

This comment has been minimized.

Contributor

jbardin commented Aug 1, 2017

Hi @bryanheo

Sorry you're having trouble with this configuration. Can you show the output of the plan command so we can see which instance is being replaced, and why?

@bryanheo

This comment has been minimized.

bryanheo commented Aug 2, 2017

Hi @jbardin

Thank you for your help
Please see the details below

aws_security_group.bastion: Refreshing state... (ID: sg-f8951180)
aws_security_group.bomgar: Refreshing state... (ID: sg-e396129b)
aws_security_group.alb: Refreshing state... (ID: sg-d28b0faa)
aws_instance.bastion: Refreshing state... (ID: i-068e0f65734043a8f)
aws_security_group.app: Refreshing state... (ID: sg-69941011)
aws_instance.app: Refreshing state... (ID: i-0151e65cb268514af)
aws_security_group.rds: Refreshing state... (ID: sg-6a941012)
aws_eip.bastion: Refreshing state... (ID: eipalloc-02045738)
The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

~ aws_eip.bastion
    instance: "i-068e0f65734043a8f" => "${aws_instance.bastion.id}"

-/+ aws_instance.bastion
    ami:                                               "ami-1e5d4378" => "ami-1e5d4378"
    associate_public_ip_address:                       "true" => "<computed>"
    availability_zone:                                 "eu-west-1a" => "<computed>"
    ebs_block_device.#:                                "1" => "1"
    ebs_block_device.1718943951.delete_on_termination: "true" => "true"
    ebs_block_device.1718943951.device_name:           "/dev/sdb" => "/dev/sdb"
    ebs_block_device.1718943951.encrypted:             "false" => "<computed>"
    ebs_block_device.1718943951.iops:                  "300" => "<computed>"
    ebs_block_device.1718943951.snapshot_id:           "" => "<computed>"
    ebs_block_device.1718943951.volume_size:           "100" => "100"
    ebs_block_device.1718943951.volume_type:           "gp2" => "gp2"
    ephemeral_block_device.#:                          "0" => "<computed>"
    instance_state:                                    "running" => "<computed>"
    instance_type:                                     "m4.large" => "m4.large"
    ipv6_address_count:                                "" => "<computed>"
    ipv6_addresses.#:                                  "0" => "<computed>"
    key_name:                                          "CLOUDPLATFORMTEAM" => "CLOUDPLATFORMTEAM"
    monitoring:                                        "true" => "true"
    network_interface.#:                               "0" => "<computed>"
    network_interface_id:                              "eni-333f3119" => "<computed>"
    placement_group:                                   "" => "<computed>"
    primary_network_interface_id:                      "eni-333f3119" => "<computed>"
    private_dns:                                       "ip-10-247-65-200.eu-west-1.compute.internal" => "<computed>"
    private_ip:                                        "10.247.65.200" => "<computed>"
    public_dns:                                        "ec2-52-214-130-141.eu-west-1.compute.amazonaws.com" => "<computed>"
    public_ip:                                         "52.214.130.141" => "<computed>"
    root_block_device.#:                               "1" => "1"
    root_block_device.0.delete_on_termination:         "true" => "true"
    root_block_device.0.iops:                          "300" => "150" (forces new resource)
    root_block_device.0.volume_size:                   "100" => "100"
    root_block_device.0.volume_type:                   "gp2" => "gp2"
    security_groups.#:                                 "0" => "<computed>"
    source_dest_check:                                 "false" => "false"
    subnet_id:                                         "subnet-a9fd40ce" => "subnet-a9fd40ce"
    tags.%:                                            "15" => "15"
    tags.ApplicationRole:                              "EC2" => "EC2"
    tags.ApplicationService:                           "shared" => "shared"
    tags.AutomationDateTime:                           "N/A" => "N/A"
    tags.AutomationOptinOptout:                        "n" => "n"
    tags.BuildDate:                                    "20170727" => "20170727"
    tags.BusinessUnit:                                 "commercial" => "commercial"
    tags.Cluster:                                      "n" => "n"
    tags.Compliance:                                   "PCI" => "PCI"
    tags.Confidentiality:                              "Highly Confidential" => "Highly Confidential"
    tags.Environment:                                  "n" => "n"
    tags.Name:                                         "ec2-euw1-n-commercial-vpc001-bastion-001" => "ec2-euw1-n-commercial-vpc001-bastion-001"
    tags.Owner:                                        "commercial" => "commercial"
    tags.Project:                                      "shared" => "shared"
    tags.Region:                                       "eu-west-1" => "eu-west-1"
    tags.Version:                                      "001" => "001"
    tenancy:                                           "default" => "<computed>"
    volume_tags.%:                                     "0" => "<computed>"
    vpc_security_group_ids.#:                          "1" => "1"
    vpc_security_group_ids.2112432572:                 "sg-e396129b" => "sg-e396129b"


Plan: 1 to add, 1 to change, 1 to destroy.
@ghost

This comment has been minimized.

ghost commented Aug 2, 2017

root_block_device.0.iops: "300" => "150" (forces new resource)

This is what's causing your resource to create again. With gp2 you can't set a custom iops value afaik. You need to use IO1 instead

so

root_block_device {
iops = "150"
volume_type = "gp2"
volume_size = "50"
delete_on_termination = "true"
}

becomes

root_block_device {
volume_type = "gp2"
volume_size = "50"
delete_on_termination = "true"
}

@bryanheo

This comment has been minimized.

bryanheo commented Aug 2, 2017

Thank you for your help
As you mentioned, it is working fine without iops option.
Regards

@bryanheo bryanheo closed this Aug 2, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment