Always changes in aws_instance.vpc_security_group_ids list #2036

Closed
hashibot opened this issue Oct 24, 2017 · 4 comments
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.

Comments

@hashibot

This issue was originally opened by @ruudk as hashicorp/terraform#16434. It was migrated here as a result of the provider split. The original body of the issue is below.


Suddenly Terraform started to behave weirdly. All my aws_instances would give changes in the vpc_security_group_ids list. But I didn't make any changes.

It seems that Terraform thinks my instances don't have any security groups set up, and thinks that it needs to add the ones in the configuration, while in fact, the servers already have those security groups set up.

Terraform Version

Terraform v0.10.7

Terraform Configuration Files

resource "aws_security_group" "runscope-radar" {
  name   = "runscope-radar"
}

resource "aws_instance" "runscope-radar" {
  ami               = "${data.atlas_artifact.runscope-radar.metadata_full.region-eu-west-1}"
  instance_type     = "t2.nano"

  vpc_security_group_ids = [
    "${aws_security_group.allow-from-bastion.id}",
    "${aws_security_group.runscope-radar.id}",
  ]
}

Debug Output

Skipping for now because of sensitive data.

I checked the log and found that when it describes the Runscope Radar AWS Instance the AWS API returns:

2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                     <groupSet>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                         <item>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                             <groupId>sg-f9ebbc9e</groupId>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                             <groupName>runscope-radar</groupName>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                         </item>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                         <item>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                             <groupId>sg-ee0f4489</groupId>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                             <groupName>allow-from-bastion</groupName>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                         </item>
2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:                     </groupSet>

so it does see the changes from AWS. But it ignores them somehow.

Crash Output

No crash

Expected Behavior

No changes

Actual Behavior

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place
-/+ destroy and then create replacement

  ~ aws_instance.runscope-radar
      vpc_security_group_ids.#:          "0" => "2"
      vpc_security_group_ids.201236855:  "" => "sg-ee0f4489"
      vpc_security_group_ids.882138630:  "" => "sg-f9ebbc9e"

Plan: 0 to add, 1 to change, 0 to destroy.

Terraform will perform the following actions:

Steps to Reproduce

On every Plan it has the same changes, when I apply them, they succeed.

Important Factoids

Running on Atlas

@hashibot hashibot added the bug Addresses a defect in current functionality. label Oct 24, 2017
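
One way to check, from the two artifacts quoted in the post above (the provider's debug log and the plan output), whether the planned `vpc_security_group_ids` diff would change anything on the instance. This is an added example, not part of the original issue or the provider's code; the function names are illustrative and the sample input is rebuilt from the excerpts in the issue.

```python
import re

# Sample input rebuilt from the debug lines and plan output quoted in the issue.
PREFIX = "2017-10-24T09:57:53.829Z [DEBUG] plugin.terraform-provider-aws_v1.1.0_x4:     "
DEBUG_LOG = "\n".join(PREFIX + frag for frag in [
    "<groupSet>",
    "<item>", "<groupId>sg-f9ebbc9e</groupId>", "<groupName>runscope-radar</groupName>", "</item>",
    "<item>", "<groupId>sg-ee0f4489</groupId>", "<groupName>allow-from-bastion</groupName>", "</item>",
    "</groupSet>",
])
PLAN = '''  ~ aws_instance.runscope-radar
      vpc_security_group_ids.#:          "0" => "2"
      vpc_security_group_ids.201236855:  "" => "sg-ee0f4489"
      vpc_security_group_ids.882138630:  "" => "sg-f9ebbc9e"
'''

LOG_LINE = re.compile(r"^\S+ \[DEBUG\] plugin\.terraform-provider-aws\S*:\s*(.*)$")
# Matches per-element diff lines only; the ".#" count line is skipped on purpose.
PLAN_LINE = re.compile(r'vpc_security_group_ids\.\d+:\s+"([^"]*)" => "([^"]*)"')

def attached_groups(debug_log):
    """Group IDs in the first non-empty <groupSet> of the logged API response."""
    body = "".join(m.group(1).strip()
                   for m in map(LOG_LINE.match, debug_log.splitlines()) if m)
    block = re.search(r"<groupSet>(.*?)</groupSet>", body)
    if not block:
        return set()
    return set(re.findall(r"<groupId>(sg-[0-9a-f]+)</groupId>", block.group(1)))

def classify(debug_log, plan_text):
    """Compare the plan's security group diff with what AWS reported as attached."""
    live = attached_groups(debug_log)
    changes = PLAN_LINE.findall(plan_text)          # list of (old, new) pairs
    adds = {new for old, new in changes if new and not old}
    removes = {old for old, new in changes if old and not new}
    if not changes:
        verdict = "no-change"
    elif adds == live and not removes:
        verdict = "spurious"      # every "added" group is already attached
    else:
        verdict = "real-change"   # applying would alter the attached groups
    return {"verdict": verdict,
            "would_attach": sorted(adds - live),
            "would_detach": sorted(removes & live),
            # attached per AWS but absent from the diff: unchanged in state,
            # or attached outside Terraform; review before applying
            "live_not_in_diff": sorted(live - adds - removes)}

if __name__ == "__main__":
    print(classify(DEBUG_LOG, PLAN))
```
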
@ruudk

ruudk commented Oct 25, 2017

Duplicate of #2034
Can be closed

@ploxiln

ploxiln commented Dec 6, 2017

I think the earlier issue is #1799 and potential fix is #2338

@bflad
Contributor

bflad commented Jan 17, 2018

Hi everyone! Sorry you have been having trouble with this aws_instance bug relating to vpc_security_group_ids. It turns out this has been reported and discussed in quite a few separate issues (#1445, #1799, #1993, #2034, #2036, #2319). In order to consolidate efforts, I am closing everything except #1993 which seems to have the most thorough information at the moment. I would suggest voting on and following that issue for future updates.

Due to the high volume of reports surrounding this, the maintainers will be looking into this sometime in the near future (including the already open PRs: #1911, #2338). There are some nuances around this configuration that make it harder than a quick fix and we certainly do not want to make the situation worse. We'll keep you updated.

As a friendly reminder: voting with 👍 reactions on the original issue/PR comment is the best way to get our attention.

@ghost
Copy link

ghost commented Apr 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 8, 2020