Terraform apply fails when renaming aws_security_group #3341
Comments
As you can see, there are several other open issues that may be related to this bug. |
What's going on here is that if an EC2 instance has only this security group that you're trying to rename (delete), AWS doesn't allow it to be deleted. Terraform needs to:
|
It would also be acceptable, but hardly ideal, to just recreate the
|
By "instance" I mean EC2 instance. Destroying and recreating an EC2 instance to change a SG name would not be acceptable for my case. |
Well, if you're under EC2 Classic you'd have no choice. Should classic be
|
I'd think classic should be supported until it doesn't exist. That said, VPC should be supported too - and the behavior of some of these is different between the two so clearly both paths should work. :) |
Hello all! First, thank you for the example repo that demonstrates this issue! That made looking into this 3x as fast and easy 😄

AWS will not allow us to destroy the SG while an Instance is using it. The instance itself can have its security group(s) updated without termination, if you're on a VPC. As noted, if you're running on Classic, then the instance itself must be replaced with the change of the security group.

Here we're seeing Terraform wanting to destroy, then recreate the Security group. To enable this in Terraform, you need to add a

```hcl
provider "aws" {
  region = "us-west-2"
}

resource "aws_vpc" "default" {
  cidr_block = "10.0.0.0/16"

  tags {
    Name = "tftesting"
  }
}

resource "aws_security_group" "onefish" {
  name        = "bluefish"
  description = "This reproduces a bug in terraform."

  # Create the replacement group before the old one is destroyed.
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_instance" "twofish" {
  # Debian Jessie.
  # us-west
  ami             = "ami-818eb7b1"
  instance_type   = "t2.micro"
  security_groups = ["${aws_security_group.onefish.name}"]

  root_block_device {
    volume_type = "gp2"
  }
}
```

With this configuration, you can rename the security group with no issue. Terraform will create the new security group, update the instance, and then destroy the old security group. This works in Classic as well, however, the instance is replaced instead of updated.

I'm going to close this issue for now. Thanks for opening it, I'll be reviewing the linked issues as well. Thanks! |
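An added example, not from this thread or from Terraform itself: a pre-apply check over the JSON plan (`terraform show -json`, available in Terraform versions later than the 0.6.3 discussed here) that flags security groups planned as destroy-then-create, the ordering AWS rejects while an instance still uses the group. It goes one step beyond the comment above by also flagging a create-before-destroy replacement that keeps the same `name`, since AWS requires group names to be unique within a VPC, and by flagging instances that would be replaced; `review_plan` and the sample plan are constructed for illustration.

```python
import json

# Constructed sample, trimmed to the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "aws_security_group.onefish", "type": "aws_security_group",
  "change": {"actions": ["delete", "create"],
             "before": {"name": "bluefish"}, "after": {"name": "redfish"}}},
 {"address": "aws_security_group.web", "type": "aws_security_group",
  "change": {"actions": ["create", "delete"],
             "before": {"name": "web-old"}, "after": {"name": "web-new"}}},
 {"address": "aws_security_group.db", "type": "aws_security_group",
  "change": {"actions": ["create", "delete"],
             "before": {"name": "db"}, "after": {"name": "db"}}},
 {"address": "aws_instance.twofish", "type": "aws_instance",
  "change": {"actions": ["update"], "before": {}, "after": {}}}
]}
""")


def review_plan(plan):
    """Return (address, finding) pairs for risky replacements in a plan."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        actions = change.get("actions") or []
        # A replacement shows up as both "create" and "delete"; order matters.
        if not ("create" in actions and "delete" in actions):
            continue
        if rc.get("type") == "aws_instance":
            # Replacing the instance is the outcome described for EC2 Classic.
            findings.append((rc["address"], "instance-replaced"))
        elif rc.get("type") == "aws_security_group":
            before = change.get("before") or {}
            after = change.get("after") or {}
            if actions[0] == "delete":
                # Old group is deleted first; fails while an instance uses it.
                findings.append((rc["address"], "destroy-before-create"))
            elif before.get("name") and before.get("name") == after.get("name"):
                # New group is created while the old one still holds the name.
                findings.append((rc["address"], "name-collision"))
    return findings


if __name__ == "__main__":
    for address, finding in review_plan(SAMPLE_PLAN):
        print(f"{finding}: {address}")
```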
Thanks catsby for the information on the workaround! |
@catsby Thanks for the information but it doesn't seem to work for me! Without the lifecycle block:
And with the lifecycle block:
|
Hey @johnhamelink the second error shouldn't be happening, do you have a configuration that shows the lifecycle block but still gets that error? |
@catsby https://gist.github.com/johnhamelink/74b34e2a1f3cf73f5272 I discovered this issue when attempting to rename the description of the security group. JH |
This issue is still present. I used to name my security groups like When updating the security group by editing the
|
I hit this error today, after trying to rename the "only" security group attached to an instance.
|
Also ran into this. After setting create_before_destroy had the renaming issue. Took @kitforbes suggestion, removed |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Issue #2117 was closed as unreproducible. I'm able to reproduce this bug and I run into it extremely frequently in 0.6.3.
To reproduce, clone this repo:
https://github.com/paul-gitseed/terraformbug
Run: reproduce.bash
Output: