Instance tags are not applied to new AWS instances in Gov & China #14535
Assignees
Labels
Comments
joelittlejohn
changed the title
|
This is a serious one I think. Terraform completes its operations and runs successfully but leaves instances untagged. Any discovery mechanism that relies on tags will not work, but of course terraform may have destroyed a working configuration as part of its operations. Any orchestration tools using terraform will assume that a single call to I'm happy to provide more info if anyone is having trouble replicating this. Thanks! |
|
So, I have spent some time looking into this. From what I can see, we now use a different API call when we initially create instances with Terraform and create tags. This is part of the new TagSpecifications when running instances. We can see this is the case as when you apply terraform a second time, it creates the tags. Tag updates are controlled via a different part of the AWS API Can you give me some idea of what the IAM user policy you are running looks like? I suspect that this is an IAM policy issue but want to confirm this is the case Thanks Paul |
|
Yeah, it's a little surprising but my guess was that this was either a problem in the way the TagSpecification was built, or that this was an actual bug in the AWS Go SDK (at least the version of it that Terraform is using). I'm running terraform as an admin, that is, I'm using the IAM managed policy 'AdministratorAccess' that gives full access to all services. |
|
So it's not a bug IMO - we have a lot of tests running for this right now that pass each night. I will continue to look into it Paul |
|
One other thing I'm going to look into tonight: So far I've only been seeing this in cn-north-1. Haven't actually tried this in a more typical region like eu-west-1. |
|
@joelittlejohn yes, this will not work in china or gov - we have a note listed in the last changelog about this exact thing :( |
|
I think this is reasonable for instance volume tagging - doing this during
creation is a new feature and the fact that this is not available in CN as
per the note in the changelog is fine. For instance tags though, I consider
this a serious regression, no?
If this cant be supported in CN and Gov but is still desirable elsewhere,
then I think Terraform must use the old strategy for CN and Gov. Without
using that approach, tagging configuration that worked in the past is now
broken.
…On 17 May 2017 6:22 pm, "Paul Stack" ***@***.***> wrote:
@joelittlejohn <https://github.com/joelittlejohn> yes, this will not work
in china or gov - we have a note listed in the last changelog about this
exact thing :(
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#14535 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAp5MIu-yI3bTXHXYadOgnYThvzjCzUZks5r6yy_gaJpZM4NcJ8Y>
.
|
stack72
added a commit
that referenced
this issue
May 18, 2017
…China Fixes: #14535 When in a `restricted` cloud, we should fall back to the old method of tagging. Before this change we saw the following: ``` % terraform apply ✭ aws_instance.foo: Creating... ami: "" => "ami-0fa3c42c" associate_public_ip_address: "" => "<computed>" availability_zone: "" => "<computed>" ebs_block_device.#: "" => "<computed>" ephemeral_block_device.#: "" => "<computed>" instance_state: "" => "<computed>" instance_type: "" => "m1.small" ipv6_address_count: "" => "<computed>" ipv6_addresses.#: "" => "<computed>" key_name: "" => "<computed>" network_interface.#: "" => "<computed>" network_interface_id: "" => "<computed>" placement_group: "" => "<computed>" primary_network_interface_id: "" => "<computed>" private_dns: "" => "<computed>" private_ip: "" => "<computed>" public_dns: "" => "<computed>" public_ip: "" => "<computed>" root_block_device.#: "" => "<computed>" security_groups.#: "" => "<computed>" source_dest_check: "" => "true" subnet_id: "" => "<computed>" tags.%: "" => "1" tags.foo: "" => "bar" tenancy: "" => "<computed>" volume_tags.%: "" => "<computed>" vpc_security_group_ids.#: "" => "<computed>" aws_instance.foo: Creation complete (ID: i-0009f227ae24791b9) Apply complete! Resources: 1 added, 0 changed, 0 destroyed. % terraform plan ✭ Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. aws_instance.foo: Refreshing state... (ID: i-0009f227ae24791b9) The Terraform execution plan has been generated and is shown below. Resources are shown in alphabetical order for quick scanning. Green resources will be created (or destroyed and then created if an existing resource exists), yellow resources are being changed in-place, and red resources will be destroyed. Cyan entries are data sources to be read. Note: You didn't specify an "-out" parameter to save this plan, so when "apply" is called, Terraform can't guarantee this is what will execute. ~ aws_instance.foo tags.%: "0" => "1" tags.foo: "" => "bar" Plan: 0 to add, 1 to change, 0 to destroy. ``` After this patch, we see the following: ``` % terraform apply ✹ ✭ [WARN] /Users/stacko/Code/go/bin/terraform-provider-aws overrides an internal plugin for aws-provider. If you did not expect to see this message you will need to remove the old plugin. See https://www.terraform.io/docs/internals/internal-plugins.html aws_instance.foo: Creating... ami: "" => "ami-0fa3c42c" associate_public_ip_address: "" => "<computed>" availability_zone: "" => "<computed>" ebs_block_device.#: "" => "<computed>" ephemeral_block_device.#: "" => "<computed>" instance_state: "" => "<computed>" instance_type: "" => "m1.small" ipv6_address_count: "" => "<computed>" ipv6_addresses.#: "" => "<computed>" key_name: "" => "<computed>" network_interface.#: "" => "<computed>" network_interface_id: "" => "<computed>" placement_group: "" => "<computed>" primary_network_interface_id: "" => "<computed>" private_dns: "" => "<computed>" private_ip: "" => "<computed>" public_dns: "" => "<computed>" public_ip: "" => "<computed>" root_block_device.#: "" => "<computed>" security_groups.#: "" => "<computed>" source_dest_check: "" => "true" subnet_id: "" => "<computed>" tags.%: "" => "1" tags.foo: "" => "bar" tenancy: "" => "<computed>" volume_tags.%: "" => "<computed>" vpc_security_group_ids.#: "" => "<computed>" aws_instance.foo: Creation complete (ID: i-04cd122e28f167a14) Apply complete! Resources: 1 added, 0 changed, 0 destroyed. % terraform plan ✹ ✭ [WARN] /Users/stacko/Code/go/bin/terraform-provider-aws overrides an internal plugin for aws-provider. If you did not expect to see this message you will need to remove the old plugin. See https://www.terraform.io/docs/internals/internal-plugins.html Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. aws_instance.foo: Refreshing state... (ID: i-04cd122e28f167a14) No changes. Infrastructure is up-to-date. This means that Terraform did not detect any differences between your configuration and real physical resources that exist. As a result, Terraform doesn't need to do anything. ```
|
Using our Gov cloud account, I found the bug - patch incoming :) Paul |
stack72
added a commit
that referenced
this issue
May 18, 2017
…China (#14627) Fixes: #14535 When in a `restricted` cloud, we should fall back to the old method of tagging. Before this change we saw the following: ``` % terraform apply ✭ aws_instance.foo: Creating... ami: "" => "ami-0fa3c42c" associate_public_ip_address: "" => "<computed>" availability_zone: "" => "<computed>" ebs_block_device.#: "" => "<computed>" ephemeral_block_device.#: "" => "<computed>" instance_state: "" => "<computed>" instance_type: "" => "m1.small" ipv6_address_count: "" => "<computed>" ipv6_addresses.#: "" => "<computed>" key_name: "" => "<computed>" network_interface.#: "" => "<computed>" network_interface_id: "" => "<computed>" placement_group: "" => "<computed>" primary_network_interface_id: "" => "<computed>" private_dns: "" => "<computed>" private_ip: "" => "<computed>" public_dns: "" => "<computed>" public_ip: "" => "<computed>" root_block_device.#: "" => "<computed>" security_groups.#: "" => "<computed>" source_dest_check: "" => "true" subnet_id: "" => "<computed>" tags.%: "" => "1" tags.foo: "" => "bar" tenancy: "" => "<computed>" volume_tags.%: "" => "<computed>" vpc_security_group_ids.#: "" => "<computed>" aws_instance.foo: Creation complete (ID: i-0009f227ae24791b9) Apply complete! Resources: 1 added, 0 changed, 0 destroyed. % terraform plan ✭ Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. aws_instance.foo: Refreshing state... (ID: i-0009f227ae24791b9) The Terraform execution plan has been generated and is shown below. Resources are shown in alphabetical order for quick scanning. Green resources will be created (or destroyed and then created if an existing resource exists), yellow resources are being changed in-place, and red resources will be destroyed. Cyan entries are data sources to be read. Note: You didn't specify an "-out" parameter to save this plan, so when "apply" is called, Terraform can't guarantee this is what will execute. ~ aws_instance.foo tags.%: "0" => "1" tags.foo: "" => "bar" Plan: 0 to add, 1 to change, 0 to destroy. ``` After this patch, we see the following: ``` % terraform apply ✹ ✭ [WARN] /Users/stacko/Code/go/bin/terraform-provider-aws overrides an internal plugin for aws-provider. If you did not expect to see this message you will need to remove the old plugin. See https://www.terraform.io/docs/internals/internal-plugins.html aws_instance.foo: Creating... ami: "" => "ami-0fa3c42c" associate_public_ip_address: "" => "<computed>" availability_zone: "" => "<computed>" ebs_block_device.#: "" => "<computed>" ephemeral_block_device.#: "" => "<computed>" instance_state: "" => "<computed>" instance_type: "" => "m1.small" ipv6_address_count: "" => "<computed>" ipv6_addresses.#: "" => "<computed>" key_name: "" => "<computed>" network_interface.#: "" => "<computed>" network_interface_id: "" => "<computed>" placement_group: "" => "<computed>" primary_network_interface_id: "" => "<computed>" private_dns: "" => "<computed>" private_ip: "" => "<computed>" public_dns: "" => "<computed>" public_ip: "" => "<computed>" root_block_device.#: "" => "<computed>" security_groups.#: "" => "<computed>" source_dest_check: "" => "true" subnet_id: "" => "<computed>" tags.%: "" => "1" tags.foo: "" => "bar" tenancy: "" => "<computed>" volume_tags.%: "" => "<computed>" vpc_security_group_ids.#: "" => "<computed>" aws_instance.foo: Creation complete (ID: i-04cd122e28f167a14) Apply complete! Resources: 1 added, 0 changed, 0 destroyed. % terraform plan ✹ ✭ [WARN] /Users/stacko/Code/go/bin/terraform-provider-aws overrides an internal plugin for aws-provider. If you did not expect to see this message you will need to remove the old plugin. See https://www.terraform.io/docs/internals/internal-plugins.html Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. aws_instance.foo: Refreshing state... (ID: i-04cd122e28f167a14) No changes. Infrastructure is up-to-date. This means that Terraform did not detect any differences between your configuration and real physical resources that exist. As a result, Terraform doesn't need to do anything. ```
|
@stack72 Wow, fantastic! Thanks for jumping on this so quickly. |
joelittlejohn
changed the title
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Terraform Version
0.9.5
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
Instance should have been created with 2 tags, as shown in the configuration.
Actual Behavior
The instance was created with no tags.
terraform planthen showed that these three tags needed to be added, and a secondterraform applyadded the tags. So in short, I had to runterraform applytwice to end up with an instance that was tagged correctly.Steps to Reproduce
terraform apply -target module.mymodule- notice that the tags are not presentterraform plan -target module.mymodule- notice that the tag changes are shownterraform apply -target module.mymodule- notice that the tags are now presentReferences
I suspect this may have something to do with #13173 and/or #14019.
The text was updated successfully, but these errors were encountered: