Always changes in aws_instance.vpc_security_group_ids list

[hashibot]

This issue was originally opened by @ruudk as hashicorp/terraform#16434. It was migrated here as a result of the provider split. The original body of the issue is below.

---

Suddenly Terraform started to behave weird. All my aws_instances would give changes in the vpc_security_group_ids list. But I didn't make any changes.

It seems that Terraform thinks my instances don't have any security groups set-up, and thinks that it needs to add the ones in the configuration, while in fact, the servers already have those security groups set-up.

Terraform Version

Terraform v0.10.7

Terraform Configuration Files

resource "aws_security_group" "runscope-radar" {
  name   = "runscope-radar"
}

resource "aws_instance" "runscope-radar" {
  ami               = "${data.atlas_artifact.runscope-radar.metadata_full.region-eu-west-1}"
  instance_type     = "t2.nano"

  vpc_security_group_ids = [
    "${aws_security_group.allow-from-bastion.id}",
    "${aws_security_group.runscope-radar.id}",
  ]
}

Debug Output

Skipping for now because of sensitive data.

I checked the log and found that when it decribes the Runscope Radar AWS Instance the AWS API returns:

2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                     <groupSet>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                         <item>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                             <groupId>sg-f9ebbc9e</groupId>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                             <groupName>runscope-radar</groupName>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                         </item>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                         <item>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                             <groupId>sg-ee0f4489</groupId>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                             <groupName>allow-from-bastion</groupName>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                         </item>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                     </groupSet>

so it does see the changes from AWS. But it ignores them somehow.

Crash Output

No crash

Expected Behavior

No changes

Actual Behavior

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

  ~ aws_instance.runscope-radar
      vpc_security_group_ids.#:          "0" => "2"
      vpc_security_group_ids.201236855:  "" => "sg-ee0f4489"
      vpc_security_group_ids.882138630:  "" => "sg-f9ebbc9e"

Plan: 0 to add, 1 to change, 0 to destroy.

Terraform will perform the following actions:

Steps to Reproduce

On every Plan it has the same changes, when I apply them, they succeed.

Important Factoids

Running on Atlas

[ruudk]

Duplicate of #2034
Can be closed

[ploxiln]

I think the earlier issue is #1799 and potential fix is #2338

[bflad]

Hi everyone! Sorry you have been having trouble with this aws_instance bug relating to vpc_security_group_ids. It turns out this has been reported and discussed in quite a few separate issues (#1445, #1799, #1993, #2034, #2036, #2319). In order to consolidate efforts, I am closing everything except #1993 which seems to have the most thorough information at the moment. I would suggest voting on and following that issue for future updates.

Due to the high volume of reports surrounding this, the maintainers will be looking into this sometime in the near future (including the already open PRs: #1911, #2338). There are some nuances around this configuration that make it harder than a quick fix and we certainly do not want to make the situation worse. We'll keep you updated.

As a friendly reminder: voting with 👍 reactions on the original issue/PR comment is the best way to get our attention.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!