I'm sure this one is an easy fix. I'm working with Terraform in AWS, deploying a VPC, Subnets, a Security Group (this looks like the issue) along with a single EC2 instance.
Symptoms
When deploying using terraform apply the first time everything creates as expected, however, immediately following up with another terraform apply or terraform plan shows that there are changes to the EC2 instance that required a redeploy of the EC2 instances. There are no changes to the underlying Terraform Code.
Upon applying again the EC2 instance is redeployed as reported by a terraform plan.
I would like this to not re-deploy every EC2 instance when running additional terraform apply commands. I'm not sure if it's possible, but I'm sure if it is it's something easy I'm just missing in the documentation.
Terraform files
vpc.tf
# Create a VPC
resource "aws_vpc" "vpcSandbox" {
cidr_block = var.vpcSandboxCIDR
tags = {
Name = "vpcSandbox"
Terraform = "True"
}
}
# Create DHCP Options for VPC
resource "aws_vpc_dhcp_options" "dhcpOptSandbox" {
domain_name = var.searchDomain
domain_name_servers = ["208.67.220.220", "208.67.222.222"]
tags = {
Name = "dhcpOptSandbox"
Terraform = "True"
}
}
# Associated DHCP Options for VPC
resource "aws_vpc_dhcp_options_association" "dhcpOptAssocSandbox" {
vpc_id = aws_vpc.vpcSandbox.id
dhcp_options_id = aws_vpc_dhcp_options.dhcpOptSandbox.id
}
# Create all Subnets
resource "aws_subnet" "sub-sandbox1a" {
vpc_id = aws_vpc.vpcSandbox.id
availability_zone = "us-east-1a"
cidr_block = "10.11.1.0/24"
tags = {
Terraform = "True"
}
}
resource "aws_subnet" "sub-sandbox1b" {
vpc_id = aws_vpc.vpcSandbox.id
availability_zone = "us-east-1b"
cidr_block = "10.11.2.0/24"
tags = {
Terraform = "True"
}
}
resource "aws_subnet" "sub-sandbox1c" {
vpc_id = aws_vpc.vpcSandbox.id
availability_zone = "us-east-1c"
cidr_block = "10.11.3.0/24"
tags = {
Terraform = "True"
}
}
resource "aws_subnet" "sub-sandbox1d" {
vpc_id = aws_vpc.vpcSandbox.id
availability_zone = "us-east-1d"
cidr_block = "10.11.4.0/24"
tags = {
Terraform = "True"
}
}
resource "aws_subnet" "sub-sandbox1e" {
vpc_id = aws_vpc.vpcSandbox.id
availability_zone = "us-east-1e"
cidr_block = "10.11.5.0/24"
tags = {
Terraform = "True"
}
}
resource "aws_subnet" "sub-sandbox1f" {
vpc_id = aws_vpc.vpcSandbox.id
availability_zone = "us-east-1f"
cidr_block = "10.11.6.0/24"
tags = {
Terraform = "True"
}
}
# Create Internet Gateway for VPC
resource "aws_internet_gateway" "gwSandbox" {
vpc_id = aws_vpc.vpcSandbox.id
tags = {
Name = "gwSandbox"
Terraform = "True"
}
}
# Adding some routes to the sandbox VPC
resource "aws_route" "default-v4-sandbox" {
route_table_id = aws_vpc.vpcSandbox.default_route_table_id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.gwSandbox.id
}
resource "aws_route" "default-v6-sandbox" {
route_table_id = aws_vpc.vpcSandbox.default_route_table_id
destination_ipv6_cidr_block = "::/0"
gateway_id = aws_internet_gateway.gwSandbox.id
}
securitygroup.tf
# Create security groups for test server
resource "aws_security_group" "sandbox" {
name = "sandbox"
description = "Allow SSH inbound traffic from Trusted Internet Addresses and all Outbound Traffic"
vpc_id = aws_vpc.vpcSandbox.id
tags = {
Name = "sandbox"
Terraform = "True"
}
}
resource "aws_security_group_rule" "workHQOfficeInbound" {
type = "ingress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = [var.workOfficeWAN]
security_group_id = aws_security_group.sandbox.id
}
resource "aws_security_group_rule" "tgs_office_inbound" {
type = "ingress"
from_port = 0
to_port = 65535
protocol = "-1"
cidr_blocks = [var.devOfficeWAN]
security_group_id = aws_security_group.sandbox.id
}
resource "aws_security_group_rule" "alloutbound" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
security_group_id = aws_security_group.sandbox.id
}
ec2.tf
## Adding a test server
# Create a new Keypair
resource "aws_key_pair" "deployer" {
key_name = "deployer-key"
public_key = var.certDeployerPub
tags = {
Name = "deployer"
Terraform = "True"
}
}
# Creating an interface for the test server
resource "aws_network_interface" "int-tc-amazlinux" {
subnet_id = aws_subnet.sub-sandbox1a.id
# private_ips = ["172.16.10.100"]
tags = {
Name = "int-tc-amazlinux"
Terraform = "True"
}
}
# Adding a test Server
resource "aws_instance" "tc-amazlinux01" {
ami = "ami-0e341fcaad89c3650"
instance_type = "t4g.small"
key_name = aws_key_pair.deployer.key_name
subnet_id = aws_subnet.sub-sandbox1a.id
associate_public_ip_address = "true"
security_groups = [
aws_security_group.sandbox.id
]
tags = {
Name = "tc-amazlinux01"
Terraform = "True"
}
}
Output
The following is an output example from running a terraform apply immediately followed by another terraform plan without any modification to the terraform files.
For length sake, it's here: https://pastebin.com/raw/2Ly0NmVr
CodePudding user response:
This probably happens because your security groups are incorrect.
So it should be:
resource "aws_instance" "tc-amazlinux01" {
ami = "ami-0e341fcaad89c3650"
instance_type = "t4g.small"
key_name = aws_key_pair.deployer.key_name
subnet_id = aws_subnet.sub-sandbox1a.id
associate_public_ip_address = "true"
vpc_security_group_ids = [
aws_security_group.sandbox.id
]
tags = {
Name = "tc-amazlinux01"
Terraform = "True"
}
}