aws_db_instance doesn't apply security group changes in EC2 Classic RDS

[Chili-Man]

I'm provisioning a postgres database from a snapshot in EC2 classic, but it never applies the security group changes on it. By default, after the database comes up it is set to the default security group, but I want it to be in the integration security group. Here is the configuration I use:

{
  "provider": {
    "aws": {
      "region": "us-west-2"
    }
  },
  "resource": {
    "aws_db_instance": {
      "ninja": {
        "apply_immediately": true,
        "identifier": "integration-fe200a-ninja-2016-02-02-2135",
        "instance_class": "db.r3.large",
        "skip_final_snapshot": true,
        "availability_zone": "us-west-2a",
        "backup_retention_period": 1,
        "security_group_names": [
          "integration"
        ],
        "auto_minor_version_upgrade": false,
        "publicly_accessible": false,
        "username": "root",
        "password": "some magical password,
        "snapshot_identifier": "cron-test8ing-ninja-2016-02-02"
      }
    }
  }
}

terraform plan

+ aws_db_instance.ninja
    address:                         "" => "<computed>"
    allocated_storage:               "" => "<computed>"
    apply_immediately:               "" => "1"
    arn:                             "" => "<computed>"
    auto_minor_version_upgrade:      "" => "0"
    availability_zone:               "" => "us-west-2a"
    backup_retention_period:         "" => "1"
    backup_window:                   "" => "<computed>"
    copy_tags_to_snapshot:           "" => "0"
    db_subnet_group_name:            "" => "<computed>"
    endpoint:                        "" => "<computed>"
    engine:                          "" => "<computed>"
    engine_version:                  "" => "<computed>"
    identifier:                      "" => "integration-fe200a-ninja-2016-02-02-2135"
    instance_class:                  "" => "db.m3.large"
    license_model:                   "" => "<computed>"
    maintenance_window:              "" => "<computed>"
    multi_az:                        "" => "<computed>"
    name:                            "" => "<computed>"
    parameter_group_name:            "" => "<computed>"
    password:                        "" => "some magical password"
    port:                            "" => "<computed>"
    publicly_accessible:             "" => "0"
    replicas.#:                      "" => "<computed>"
    security_group_names.#:          "" => "1"
    security_group_names.4259933595: "" => "integration"
    skip_final_snapshot:             "" => "1"
    snapshot_identifier:             "" => "cron-testing-ninja-2016-02-02"
    status:                          "" => "<computed>"
    storage_type:                    "" => "<computed>"
    username:                        "" => "root"
    vpc_security_group_ids.#:        "" => "<computed>"


Plan: 1 to add, 0 to change, 0 to destroy.

terraform apply

aws_db_instance.delphius: Creating...
  address:                         "" => "<computed>"
  allocated_storage:               "" => "<computed>"
  apply_immediately:               "" => "1"
  arn:                             "" => "<computed>"
  auto_minor_version_upgrade:      "" => "0"
  availability_zone:               "" => "us-west-2a"
  backup_retention_period:         "" => "1"
  backup_window:                   "" => "<computed>"
  copy_tags_to_snapshot:           "" => "0"
  db_subnet_group_name:            "" => "<computed>"
  endpoint:                        "" => "<computed>"
  engine:                          "" => "<computed>"
  engine_version:                  "" => "<computed>"
  identifier:                      "" => "integration-fe200a-ninja-2016-02-02-2135"
  instance_class:                  "" => "db.r3.large"
  license_model:                   "" => "<computed>"
  maintenance_window:              "" => "<computed>"
  multi_az:                        "" => "<computed>"
  name:                            "" => "<computed>"
  parameter_group_name:            "" => "<computed>"
  password:                        "" => "some magical password"
  port:                            "" => "<computed>"
  publicly_accessible:             "" => "0"
  replicas.#:                      "" => "<computed>"
  security_group_names.#:          "" => "1"
  security_group_names.4259933595: "" => "integration"
  skip_final_snapshot:             "" => "1"
  snapshot_identifier:             "" => "cron-testing-ninja-2016-02-02"
  status:                          "" => "<computed>"
  storage_type:                    "" => "<computed>"
  username:                        "" => "root"
  vpc_security_group_ids.#:        "" => "<computed>"
aws_db_instance.delphius: Creation complete

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

However after applying, when I perform a terraform plan:

Refreshing Terraform state prior to plan...

aws_db_instance.delphius: Refreshing state... (ID: integration-fe200a-delphius-2016-02-02-2135)

The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

~ aws_db_instance.delphius
    backup_retention_period:         "7" => "1"
    security_group_names.3814588639: "default" => ""
    security_group_names.4259933595: "" => "integration"


Plan: 0 to add, 1 to change, 0 to destroy.

You can see that it still needs to change the security groups and the backup retention period.
However, performing another terraform apply and then terraform plan, it will still show that the security groups have not changed to their desired state:

Refreshing Terraform state prior to plan...

aws_db_instance.delphius: Refreshing state... (ID: integration-fe200a-delphius-2016-02-02-2135)

The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

~ aws_db_instance.delphius
    security_group_names.3814588639: "default" => ""
    security_group_names.4259933595: "" => "integration"


Plan: 0 to add, 1 to change, 0 to destroy.

No matter how many times I do terraform apply , it never changes the security group.

I'm using terraform 0.6.11 on Ubuntu 15.10.

[Chili-Man]

I think the issue may lie here:
https://github.com/hashicorp/terraform/blob/v0.6.11/builtin/providers/aws/resource_aws_db_instance.go#L778-L787

it seems that requestUpdate = true can not occur for changes of security_group_names with out having a change in vpc_security_group_ids. I'm not sure why that is the case.

[Chili-Man]

I made a pr to fix this issue here: #4969

[catsby]

#4969 was merged, thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.