EC2-Classic Retirement #23625

Closed
breathingdust opened this issue Mar 10, 2022 · 6 comments
Labels
service/autoscaling Issues and PRs that pertain to the autoscaling service. service/ec2 Issues and PRs that pertain to the ec2 service. service/elasticache Issues and PRs that pertain to the elasticache service. service/elb Issues and PRs that pertain to the elb service. service/opsworks Issues and PRs that pertain to the opsworks service. service/rds Issues and PRs that pertain to the rds service. service/redshift Issues and PRs that pertain to the redshift service. technical-debt Addresses areas of the codebase that need refactoring or redesign.

Comments

@breathingdust
Member

breathingdust commented Mar 10, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

On August 15, 2022 AWS will retire EC2-Classic Networking.

The provider has always supported EC2-Classic, but in line with this retirement we will remove support for it in v5.0 of the provider. At this time we have no date for this next major version, but we expect it to land sometime in 2023.

In order to ensure that users are well aware of this change, we will add deprecation notices to resources/attributes which configure elements of EC2-Classic Networking and over time remove the EC2-Classic-specific functionality from the codebase.

New or Affected Resource(s)

  • aws_eip
  • aws_eip_association
  • aws_security_group
  • aws_default_security_group
  • aws_vpc
  • aws_vpc_peering_connection
  • aws_vpc_peering_connection_accepter
  • aws_vpc_peering_connection_options
  • aws_launch_configuration
  • aws_db_instance
  • aws_db_security_group
  • aws_redshift_cluster
  • aws_redshift_security_group
  • aws_elasticache_cluster
  • aws_elasticache_security_group
  • aws_opsworks_stack

References

Phases

This work will be done in a phased approach with a number of PRs submitted.

Phase 1 - Resource and attribute deprecation

In this phase those resources and attributes which apply only to EC2-Classic functionality will be marked as deprecated, following documented best practices.

Add DeprecationMessage to these resources’ schemas (and document):

  • aws_db_security_group
  • aws_elasticache_security_group
  • aws_redshift_security_group

Add Deprecated to these resource attributes:

  • aws_db_instance.security_group_names
  • aws_elasticache_cluster.security_group_names
  • aws_redshift_cluster.cluster_security_groups
  • aws_launch_configuration.vpc_classic_link_id
  • aws_launch_configuration.vpc_classic_link_security_groups
  • aws_vpc.enable_classiclink
  • aws_vpc.enable_classiclink_dns_support
  • aws_vpc_peering_connection.allow_classic_link_to_remote_vpc
  • aws_vpc_peering_connection.allow_vpc_to_remote_classic_link
  • aws_vpc_peering_connection_accepter.allow_classic_link_to_remote_vpc
  • aws_vpc_peering_connection_accepter.allow_vpc_to_remote_classic_link
  • aws_vpc_peering_connection_options.allow_classic_link_to_remote_vpc
  • aws_vpc_peering_connection_options.allow_vpc_to_remote_classic_link

Phase 2 - Prevent creation of new EC2-Classic resources

In this phase attempting to create new EC2-Classic resources will result in an error during terraform apply. Existing EC2-Classic resources can be read, updated and deleted.

No new instances of these resources can be created:

  • aws_db_security_group
  • aws_elasticache_security_group
  • aws_redshift_security_group

Creation/update of these resources will be modified:

  • aws_eip - Error if vpc is false
    Reverted via resource/aws_eip: Default to default domain when vpc not set #26716.
  • aws_security_group - Error if vpc_id is not configured
    Reverted via resource/aws_security_group: Use default VPC when no VPC ID passed #26697.
  • aws_vpc - Error if enable_classiclink or enable_classiclink_dns_support is true
  • aws_vpc_peering_connection - Error if allow_classic_link_to_remote_vpc or allow_vpc_to_remote_classic_link is true
  • aws_vpc_peering_connection_accepter - Error if allow_classic_link_to_remote_vpc or allow_vpc_to_remote_classic_link is true
  • aws_vpc_peering_connection_options - Error if allow_classic_link_to_remote_vpc or allow_vpc_to_remote_classic_link is true
  • aws_launch_configuration - Error if vpc_classic_link_id or vpc_classic_link_security_groups is configured
  • aws_db_instance - Error if security_group_names is configured
  • aws_redshift_cluster - Error if cluster_security_groups is configured
  • aws_elasticache_cluster - Error if security_group_names is configured
  • aws_opsworks_stack - Error if vpc_id or default_subnet_id is not configured
    Reverted via resource/aws_opsworks_stack: Use Default VPC when no VPC ID passed #26711.

Phase 3 - Remove acceptance testing infrastructure
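
A pre-upgrade check for the Phase 1 and Phase 2 lists above, added here as an example (it is not part of the issue or the provider's code): a line-based scan, not a full HCL parser, that reports the blocked resource types and deprecated attributes in a configuration. The function name `scan`, the severity labels and the sample configuration are assumptions; the three Phase 2 checks the issue marks as reverted are left out.

```python
import re

# Resource types that Phase 2 blocks from being created.
BLOCKED_RESOURCES = {"aws_db_security_group", "aws_elasticache_security_group",
                     "aws_redshift_security_group"}
PEERING = {"allow_classic_link_to_remote_vpc", "allow_vpc_to_remote_classic_link"}
# Attributes deprecated in Phase 1, keyed by resource type.
DEPRECATED_ATTRS = {
    "aws_db_instance": {"security_group_names"},
    "aws_elasticache_cluster": {"security_group_names"},
    "aws_redshift_cluster": {"cluster_security_groups"},
    "aws_launch_configuration": {"vpc_classic_link_id", "vpc_classic_link_security_groups"},
    "aws_vpc": {"enable_classiclink", "enable_classiclink_dns_support"},
    "aws_vpc_peering_connection": PEERING,
    "aws_vpc_peering_connection_accepter": PEERING,
    "aws_vpc_peering_connection_options": PEERING,
}
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"')
ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(\S+)')

def scan(hcl_text):
    """Return (line, address, item, severity) for each EC2-Classic setting."""
    findings, rtype, addr, depth = [], None, None, 0
    for no, line in enumerate(hcl_text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue  # whole-line comment
        m = RESOURCE_RE.match(line)
        if m and depth == 0:
            rtype, addr = m.group(1), f"{m.group(1)}.{m.group(2)}"
            if rtype in BLOCKED_RESOURCES:
                findings.append((no, addr, rtype, "error"))
        a = ATTR_RE.match(line)
        if a and rtype and a.group(1) in DEPRECATED_ATTRS.get(rtype, ()):
            # Phase 1 warns on any use; Phase 2 errors unless a boolean is false.
            sev = "warning" if a.group(2) == "false" else "error"
            findings.append((no, addr, a.group(1), sev))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            rtype = addr = None  # left the resource block
    return findings

# Constructed sample configuration, not taken from the issue.
SAMPLE = '''resource "aws_vpc" "default" {
  enable_classiclink = false
}
resource "aws_db_security_group" "legacy" { name = "legacy" }
resource "aws_db_instance" "db" {
  security_group_names = ["legacy"]
}'''
print(*scan(SAMPLE), sep="\n")
```
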

@breathingdust breathingdust added the enhancement Requests to existing resources that expand the functionality or scope. label Mar 10, 2022
@github-actions github-actions bot added service/autoscaling Issues and PRs that pertain to the autoscaling service. service/ec2 Issues and PRs that pertain to the ec2 service. service/elb Issues and PRs that pertain to the elb service. service/rds Issues and PRs that pertain to the rds service. labels Mar 10, 2022
@ewbankkit ewbankkit changed the title EC2-Classic: Configure deprecation notices EC2-Classic Retirement Aug 22, 2022
@ewbankkit ewbankkit added service/redshift Issues and PRs that pertain to the redshift service. service/opsworks Issues and PRs that pertain to the opsworks service. service/elasticache Issues and PRs that pertain to the elasticache service. technical-debt Addresses areas of the codebase that need refactoring or redesign. and removed enhancement Requests to existing resources that expand the functionality or scope. labels Aug 29, 2022
davidkelliott added a commit to ministryofjustice/modernisation-platform that referenced this issue Sep 5, 2022
EC2-Classic networking has been retired and references to it have been
deprecated in the AWS provider -

hashicorp/terraform-provider-aws#23625

This change fixes deprecation warnings we started getting -

```
Warning: Argument is deprecated

  with module.vpc.aws_vpc.default,
  on ../../modules/vpc-hub/main.tf line 105, in resource "aws_vpc" "default":
 105:   enable_classiclink             = false

With the retirement of EC2-Classic the enable_classiclink attribute has been
deprecated and will be removed in a future version.
```
@brikis98
Contributor

brikis98 commented Sep 6, 2022

My apologies if I'm missing some context, but isn't Phase 2 a massively backward incompatible change? For example, with all Terraform versions so far, it was possible to create a security group with the following code:

```hcl
resource "aws_security_group" "instance" {
  name = "example"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Now, with AWS provider 4.29.0, this suddenly produces an error:

```
╷
│ Error: with the retirement of EC2-Classic no new Security Groups can be created without referencing a VPC
│
│   with aws_security_group.instance,
│   on main.tf line 5, in resource "aws_security_group" "instance":
│    5: resource "aws_security_group" "instance" {
│
╵
```

That feels like a major breaking change, so shouldn't it be in AWS provider v5 only? Or some other way to indicate that end-users are now going to do a huge refactor to many, many resources?

@brikis98
Contributor

brikis98 commented Sep 6, 2022

One thought: instead of this breaking change, would it be possible to update those resources to automatically use the Default VPC if vpc_id isn't specified? At least in v4 of the provider? And then in v5, you can do the breaking change where vpc_id is required?

@brikis98
Contributor

brikis98 commented Sep 6, 2022

I've decided to file this as a new issue to ensure it gets visibility and isn't lost in a comment thread here: #26666

@ewbankkit
Contributor

ewbankkit commented Sep 8, 2022

@brikis98 Thanks for raising a separate issue.
For those resources where we are now failing to create new resources without a configured vpc_id, but use of the AWS Region's default VPC in fact occurs (and is (or was) undocumented in the API 😄), we will revert the changes and accept no configured vpc_id.

@brikis98
Contributor

brikis98 commented Sep 9, 2022

> @brikis98 Thanks for raising a separate issue. For those resources where we are now failing to create new resources without a configured vpc_id, but use of the AWS Region's default VPC in fact occurs (and is (or was) undocumented in the API 😄), we will revert the changes and accept no configured vpc_id.

Woohoo! I just tried it out with provider 4.30.0, and it seems to work just fine. Thank you 👍

@github-actions

github-actions bot commented Feb 6, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 6, 2023