I have a terraform file, which is responsible for creation of an ec2 instance as well as the security groups.
```hcl
resource "aws_instance" "ec2" {
  ami             = "ami-06791f9213cbb608b"
  instance_type   = "t2.micro"
  key_name        = "terraform-key"
  depends_on      = [aws_security_group.ssh_group]
  security_groups = [aws_security_group.ssh_group.name]
}

resource "aws_security_group" "ssh_group" {
  name        = "ssh_group"
  description = "SSH Security Group"

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
Running this creates a security group and an EC2 instance.

Now if I create another security group and attach it to the instance, it leads to replacement of the EC2 instance, i.e. the instance first gets destroyed and a new instance gets created.
```hcl
resource "aws_instance" "ec2" {
  ami             = "ami-06791f9213cbb608b"
  instance_type   = "t2.micro"
  key_name        = "terraform-key"
  depends_on      = [aws_security_group.ssh_group, aws_security_group.https_group]
  security_groups = [aws_security_group.ssh_group.name, aws_security_group.https_group.name]
}

resource "aws_security_group" "ssh_group" {
  name        = "ssh_group"
  description = "SSH Security Group"

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "https_group" {
  name        = "https_group"
  description = "HTTPs Security Group"

  ingress {
    description = "HTTPs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
Doing the same activity in the AWS console simply attaches the new group to the instance, which means that an update API must be present. Why is the behavior of Terraform not consistent with the AWS console? Am I missing something? Is there a way to ensure an in-place update happens when the instance type is changed?
2 Answers
You should be using `vpc_security_group_ids`, not `security_groups`.

To associate a list of security groups to an `aws_instance` use `security_groups` (or `vpc_security_group_ids` if you are creating instances in a VPC) (see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#security_groups).

This way Terraform will take care of the dependencies and know that it doesn't need to destroy the instance if the security groups list changes.
What you do not need:
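As an added example (not the answer's own code and not taken from the Terraform AWS provider docs), here is the questioner's configuration reworked the way the answer recommends: the security groups are created inside a VPC and attached to the instance by ID through `vpc_security_group_ids`, so adding or removing a group becomes an in-place update instead of a replacement. The `aws_vpc` data source lookup of the default VPC and the `admin_cidr` variable are assumptions introduced here; the AMI, key name and port rules come from the question.

```hcl
# Added example: attach security groups by ID via vpc_security_group_ids.
# Assumptions not on the original page: the instance lives in the account's
# default VPC, and var.admin_cidr holds the operator's address range.

data "aws_vpc" "default" {
  default = true
}

variable "admin_cidr" {
  description = "CIDR allowed to reach SSH; keep this narrower than 0.0.0.0/0"
  type        = string
}

resource "aws_security_group" "ssh_group" {
  name        = "ssh_group"
  description = "SSH Security Group"
  vpc_id      = data.aws_vpc.default.id

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # restricted instead of open to the world
  }
}

resource "aws_security_group" "https_group" {
  name        = "https_group"
  description = "HTTPs Security Group"
  vpc_id      = data.aws_vpc.default.id

  ingress {
    description = "HTTPs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "ec2" {
  ami           = "ami-06791f9213cbb608b"
  instance_type = "t2.micro"
  key_name      = "terraform-key"

  # Referencing the groups' ids creates the dependency implicitly, so no
  # depends_on is needed. Changing this list is applied as an in-place
  # update, whereas changing security_groups forces a new instance.
  vpc_security_group_ids = [
    aws_security_group.ssh_group.id,
    aws_security_group.https_group.id,
  ]
}
```

After the first apply, adding a third group to the `vpc_security_group_ids` list and running `terraform plan` shows the instance with the `~ update in-place` marker rather than the `-/+ destroy and then create replacement` marker that the `security_groups` version produced. Restricting the SSH ingress to `var.admin_cidr` is a deliberate hardening over the question's `0.0.0.0/0`; port 443 is left open because it is the service the instance is meant to expose.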