
I have a terraform file, which is responsible for creation of an ec2 instance as well as the security groups.

resource "aws_instance" "ec2" {
  ami             = "ami-06791f9213cbb608b"
  instance_type   = "t2.micro"
  key_name        = "terraform-key"
  depends_on      = [aws_security_group.ssh_group]
  security_groups = [aws_security_group.ssh_group.name]
}

resource "aws_security_group" "ssh_group" {

  name        = "ssh_group"
  description = "SSH Security Group"

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Running this creates a security group and an EC2 instance.

Now if I create another security group and attach it to the instance, this leads to replacement of the EC2 instance, i.e. the instance first gets destroyed and a new instance gets created.

resource "aws_instance" "ec2" {
  ami             = "ami-06791f9213cbb608b"
  instance_type   = "t2.micro"
  key_name        = "terraform-key"
  depends_on      = [aws_security_group.ssh_group, aws_security_group.https_group]
  security_groups = [aws_security_group.ssh_group.name, aws_security_group.https_group.name]
}

resource "aws_security_group" "ssh_group" {

  name        = "ssh_group"
  description = "SSH Security Group"

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "https_group" {

  name        = "https_group"
  description = "HTTPs Security Group"

  ingress {
    description = "HTTPs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Doing the same thing in the AWS console simply attaches the new group to the instance, which means that an update API must exist. Why is the behaviour of Terraform not consistent with the AWS console? Am I missing something? Is there a way to ensure an in-place update happens when the instance type is changed?


Answers


  1. You should be using vpc_security_group_ids, not security_groups.

  2. To associate a list of security groups to an aws_instance use security_groups (or vpc_security_group_ids if you are creating instances in a VPC):

    resource "aws_instance" "ec2" {
      ami             = "ami-06791f9213cbb608b"
      instance_type   = "t2.micro"
      key_name        = "terraform-key"
      security_groups = [aws_security_group.ssh_group.name, aws_security_group.https_group.name]
    }
    

    (see https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance#security_groups)

    This way Terraform will take care of the dependencies and know that it doesn’t need to destroy the instance if the security groups list changes.

    What you do not need:

    depends_on      = [aws_security_group.ssh_group, aws_security_group.https_group]
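The configuration rewritten along the lines of the first answer, as an added example that is not part of the question or either answer: the groups are created in a VPC and attached by id through vpc_security_group_ids, so adding a group becomes an in-place update instead of a replacement. The data.aws_vpc.default lookup is an assumption made here (the question does not say which VPC is used).

```hcl
# Added example, not the question's or answers' own code.
# Assumption: the instance lives in the account's default VPC.
data "aws_vpc" "default" {
  default = true
}

resource "aws_security_group" "ssh_group" {
  name        = "ssh_group"
  description = "SSH Security Group"
  vpc_id      = data.aws_vpc.default.id

  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # as in the question; narrow this to an admin range in practice
  }
}

resource "aws_security_group" "https_group" {
  name        = "https_group"
  description = "HTTPs Security Group"
  vpc_id      = data.aws_vpc.default.id

  ingress {
    description = "HTTPs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "ec2" {
  ami           = "ami-06791f9213cbb608b"
  instance_type = "t2.micro"
  key_name      = "terraform-key"

  # Group ids, not names: the name-based security_groups argument is the
  # EC2-Classic form and the provider replaces the instance whenever that
  # list changes. With vpc_security_group_ids, adding https_group shows up
  # in `terraform plan` as "~ update in-place" rather than
  # "-/+ destroy and then create replacement".
  vpc_security_group_ids = [
    aws_security_group.ssh_group.id,
    aws_security_group.https_group.id,
  ]
  # No depends_on needed: the .id references already express the dependency.
}
```

Run `terraform plan` after the change and confirm the aws_instance.ec2 line reads "update in-place"; a "forces replacement" marker next to security_groups is the symptom described in the question.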
    