
instances always need vpc_security_group_ids updated #1799

Closed
clippermadness opened this issue Oct 3, 2017 · 9 comments · Fixed by #2338
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@clippermadness

clippermadness commented Oct 3, 2017

Terraform Version

Terraform v0.10.6
AWS plugin: aws_v1.0.0_x4

Affected Resource(s)

  • aws_instance.vpc_security_group_ids

Terraform Configuration Files

resource "aws_security_group" "portal_apptier_dev" {
  name        = "portal_apptier_dev"
  description = "Portal app security group"
  vpc_id      = "${data.aws_vpc.target.id}"
}

resource "aws_instance" "portal_dev1" {

  ami = "${data.aws_ami.ubuntu_20170811.id}"
  instance_type = "t2.micro"

  count = 1

  vpc_security_group_ids = ["${aws_security_group.portal_apptier_dev.id}"]

  iam_instance_profile = "${aws_iam_instance_profile.portal_dev1_instance_profile.name}"
  associate_public_ip_address = true
  key_name = "rich"

  root_block_device {
    volume_type = "gp2"
    volume_size = "32"
  }

  tags {
    Name = "portal${count.index + 1}.dev1"
  }
}

Debug Output

https://gist.github.com/clippermadness/7993969b9b8bdda2883f89fdf9c9456a

Steps to Reproduce

  1. terraform plan - shows vpc_security_group_ids to update
  2. terraform apply - changes the vpc_security_group_ids
  3. terraform plan - still shows vpc_security_group_ids need to be updated
@roman-vynar

Upgraded TF from 0.9.11 to 0.10.7.
Getting the same for every instance:

  ~ aws_instance.XXX
      vpc_security_group_ids.#:          "0" => "1"
      vpc_security_group_ids.852560208:  "" => "sg-YYY"

Always shown as to be updated.

@clippermadness
Author

I still have the issue after upgrading to Terraform 0.10.7.

@andrewchen5678

Ran into the same issue today with Terraform v0.10.7.

@Ninir Ninir added the bug Addresses a defect in current functionality. label Oct 11, 2017
@gracebrownecodes

Same issue here.

@klaus993

Same issue here. #1911 definitely fixes it! Hope it gets merged soon.

idubinskiy added a commit to idubinskiy/terraform-provider-aws that referenced this issue Nov 17, 2017
…urity_group_ids

Instances launched into a default VPC are allowed to refer to their security groups by ID, like other VPCs, or by name, like EC2-Classic. The current implementation of the function that reads instance security group data assumes that instances in a default VPC refer to their security groups by name. This causes an instance resource that is launched in a default VPC but using the `vpc_security_group_ids` parameter (instead of the `security_groups` parameter) to always have a diff in plans post-creation showing that the security groups need to be added to it.

This commit changes the behavior of the function that reads instance security data to be able to store BOTH the security group names and IDs in the case of an instance in a default VPC. Because both the `security_groups` and `vpc_security_group_ids` parameters are marked as "computed", it's valid to provide either in the resource configuration even though both will end up in state.

This commit also adds a failing test for the case of using `vpc_security_group_ids` with a default VPC, and ensures that both default VPC import tests are run in a region with a default VPC (which specifically must _not_ be an EC2-Classic region).

Fixes hashicorp#1799
Fixes hashicorp#1993
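The perpetual-diff mechanism the commit message describes, as an added Go illustration that is not the provider's own code: `readOld` models the pre-fix read (default-VPC instances get only group names in state), `readNew` models the fix (both names and IDs stored), and `needsUpdate` models the set comparison a plan performs on `vpc_security_group_ids`. The `SecurityGroup`/`InstanceState` types, the function names and the sample group ID and name are constructed for this example and do not reproduce the provider's actual read function.

```go
package main

import (
	"fmt"
	"sort"
)

// SecurityGroup holds the two identifiers EC2 returns for a group attached
// to an instance: its ID and its name. Constructed type for this example.
type SecurityGroup struct {
	ID   string
	Name string
}

// InstanceState is the subset of resource state relevant here: the two
// attributes the commit message says are both marked "computed".
type InstanceState struct {
	SecurityGroups      []string // security_groups attribute (names)
	VPCSecurityGroupIDs []string // vpc_security_group_ids attribute (IDs)
}

// readOld models the pre-fix behaviour: an instance in a default VPC is
// assumed to refer to its groups by name, so only security_groups is set.
func readOld(inDefaultVPC bool, groups []SecurityGroup) InstanceState {
	var st InstanceState
	for _, g := range groups {
		if inDefaultVPC {
			st.SecurityGroups = append(st.SecurityGroups, g.Name)
		} else {
			st.VPCSecurityGroupIDs = append(st.VPCSecurityGroupIDs, g.ID)
		}
	}
	return st
}

// readNew models the post-fix behaviour: IDs are always stored, and in a
// default VPC the names are stored as well, so a configuration using either
// attribute matches what was read back.
func readNew(inDefaultVPC bool, groups []SecurityGroup) InstanceState {
	var st InstanceState
	for _, g := range groups {
		st.VPCSecurityGroupIDs = append(st.VPCSecurityGroupIDs, g.ID)
		if inDefaultVPC {
			st.SecurityGroups = append(st.SecurityGroups, g.Name)
		}
	}
	return st
}

// setEqual compares two attribute values as unordered sets, the way a
// set-typed schema attribute is compared during plan.
func setEqual(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	x := append([]string(nil), a...)
	y := append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

// needsUpdate reports whether a plan would show vpc_security_group_ids as
// needing an update, given the configured IDs and the state just read.
func needsUpdate(configuredIDs []string, st InstanceState) bool {
	return !setEqual(configuredIDs, st.VPCSecurityGroupIDs)
}

func main() {
	// Constructed sample: one group attached to an instance in a default VPC,
	// with the configuration referring to it by ID via vpc_security_group_ids.
	groups := []SecurityGroup{{ID: "sg-0123456789abcdef0", Name: "portal_apptier_dev"}}
	configured := []string{"sg-0123456789abcdef0"}

	fmt.Println("old read, default VPC, diff each plan:", needsUpdate(configured, readOld(true, groups)))
	fmt.Println("new read, default VPC, diff each plan:", needsUpdate(configured, readNew(true, groups)))
	fmt.Println("old read, non-default VPC, diff:      ", needsUpdate(configured, readOld(false, groups)))
}
```

Running it shows the old read producing a diff on every plan for the default-VPC case (state has no IDs to compare against the configured one) while the non-default-VPC case and the fixed read both converge, which is exactly the "always shown as to be updated" symptom reported in this thread.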
@ikuwow

ikuwow commented Jan 1, 2018

Same issue exists in v0.11.1.

@bflad
Member

bflad commented Jan 17, 2018

Hi everyone! Sorry you have been having trouble with this aws_instance bug relating to vpc_security_group_ids. It turns out this has been reported and discussed in quite a few separate issues (#1445, #1799, #1993, #2034, #2036, #2319). In order to consolidate efforts, I am closing everything except #1993 which seems to have the most thorough information at the moment. I would suggest voting on and following that issue for future updates.

Due to the high volume of reports surrounding this, the maintainers will be looking into this sometime in the near future (including the already open PRs: #1911, #2338). There are some nuances around this configuration that make it harder than a quick fix and we certainly do not want to make the situation worse. We'll keep you updated.

As a friendly reminder: voting with 👍 reactions on the original issue/PR comment is the best way to get our attention.

@bflad
Member

bflad commented Feb 9, 2018

This has been released in terraform-provider-aws version 1.9.0. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost

ghost commented Apr 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 8, 2020