EC2 instance is detroyed and created on every apply

[bryanheo]

PROVIDER ISSUES

EC2 instance is detroyed and created on every apply. Please see the source below
As suggested on #7221, I am using vpc_security_group_ids rather than security_groups but it still destroy and create the EC2 instance on every apply

resource "aws_security_group" "bastion" {
  name        = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bastion-001"
  vpc_id      = "${var.vpc_id}"
  description = "Baston Host Security Group"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["91.208.239.0/24"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }

  tags {
    Name = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bastion-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "SecurityGroup"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }
}

resource "aws_security_group" "bomgar" {
  name        = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bomgar-001"
  vpc_id      = "${var.vpc_id}"
  description = "Bomgar Jump Server Security Group"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] 
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "udp"
    cidr_blocks = ["0.0.0.0/0"] 
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }

  tags {
    Name = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bomgar-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "SecurityGroup"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }
}

resource "aws_security_group" "app" {
  name        = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-app-001"
  vpc_id      = "${var.vpc_id}"
  description = "Stibo Application Server Security Group"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    security_groups = ["${aws_security_group.alb.id}"]
  }

  ingress {
    from_port   = 1521
    to_port     = 1521
    protocol    = "tcp"
    security_groups = ["${aws_security_group.bastion.id}", "${aws_security_group.bomgar.id}"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = -1
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    create_before_destroy = true
  }


  tags {
    Name = "sgr-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-app-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "SecurityGroup"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }

}

resource "aws_instance" "bastion" {
  ami                    = "ami-1e5d4378" 
  source_dest_check      = false
  instance_type          = "m4.large" 
  subnet_id              = "${var.instance_bastion_subnet}" 
  key_name               = "${var.key_name}"
  vpc_security_group_ids = ["${aws_security_group.bomgar.id}"]
  monitoring             = true


  root_block_device {
    iops = "150"
    volume_type = "gp2"
    volume_size = "100"
    delete_on_termination = "true"

  }


  ebs_block_device {
    device_name = "/dev/sdb"
    volume_type = "gp2"
    volume_size = "100"
    delete_on_termination = "true"
  }

  tags {
    Name = "ec2-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-bastion-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "EC2"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }

}

resource "aws_instance" "app" {
  ami                    = "ami-f1978897" 
  source_dest_check      = false
  instance_type          = "m4.xlarge" 
  subnet_id              = "${var.instance_application_subnet}" 
  key_name               = "${var.key_name}"
  vpc_security_group_ids = ["${aws_security_group.app.id}"]
  monitoring             = true



  root_block_device {
    iops = "150"
    volume_type = "gp2"
    volume_size = "50"
    delete_on_termination = "true"
  }



  ebs_block_device {
    device_name = "/dev/sdb"
    volume_type = "gp2"
    volume_size = "100"
    delete_on_termination = "true"
  }

  tags {
    Name = "ec2-${var.region_id}-${var.environment}-${var.name}-vpc${var.vpc_no}-app-001"
    ApplicationService = "${var.application_service}"
    ApplicationRole = "EC2"
    Cluster = "n"
    Environment = "${var.environment}"
    Version = "001"
    BuildDate = "${var.build_date}"
    AutomationDateTime = "N/A"
    AutomationOptinOptout = "n"
    Owner = "${var.name}"
    BusinessUnit = "${var.name}"
    Project = "${var.project}"
    Region = "${var.region}"
    Confidentiality = "Highly Confidential"
    Compliance = "PCI"
  }
}

PLEASE NOTE: Terraform has split out the builtin Providers into their own repositories. For any Provider issues, please open all issues and pull requests in the corresponding repository. An index of supported Providers can be found here:

• https://github.com/terraform-providers

All other issues (that appear to affect multiple or all providers) may be an issue with Terraform's core, and should be opened here.

---

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.
$ terraform -v
Terraform v0.9.11

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

Debug Output

Please provider a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

What should have happened?
EC3 dose not need to be destroyed and created on every apply

Actual Behavior

What actually happened?
EC2 instance detroyed and created on every apply

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

Important Factoids

Are there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

• provider/aws: Fix issue when changing map-public-ip in Subnets #1234
  -ec2 instance detroyed and created on every apply #7221
  -EC2 instances with EBS volumes destroyed & recreated on each apply #5006

[jbardin]

Hi @bryanheo

Sorry you're having trouble with this configuration. Can you show the output of the plan command so we can see which instance is being replaced, and why?

[bryanheo]

Hi @jbardin

Thank you for your help
Please see the details below

aws_security_group.bastion: Refreshing state... (ID: sg-f8951180)
aws_security_group.bomgar: Refreshing state... (ID: sg-e396129b)
aws_security_group.alb: Refreshing state... (ID: sg-d28b0faa)
aws_instance.bastion: Refreshing state... (ID: i-068e0f65734043a8f)
aws_security_group.app: Refreshing state... (ID: sg-69941011)
aws_instance.app: Refreshing state... (ID: i-0151e65cb268514af)
aws_security_group.rds: Refreshing state... (ID: sg-6a941012)
aws_eip.bastion: Refreshing state... (ID: eipalloc-02045738)
The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

~ aws_eip.bastion
    instance: "i-068e0f65734043a8f" => "${aws_instance.bastion.id}"

-/+ aws_instance.bastion
    ami:                                               "ami-1e5d4378" => "ami-1e5d4378"
    associate_public_ip_address:                       "true" => "<computed>"
    availability_zone:                                 "eu-west-1a" => "<computed>"
    ebs_block_device.#:                                "1" => "1"
    ebs_block_device.1718943951.delete_on_termination: "true" => "true"
    ebs_block_device.1718943951.device_name:           "/dev/sdb" => "/dev/sdb"
    ebs_block_device.1718943951.encrypted:             "false" => "<computed>"
    ebs_block_device.1718943951.iops:                  "300" => "<computed>"
    ebs_block_device.1718943951.snapshot_id:           "" => "<computed>"
    ebs_block_device.1718943951.volume_size:           "100" => "100"
    ebs_block_device.1718943951.volume_type:           "gp2" => "gp2"
    ephemeral_block_device.#:                          "0" => "<computed>"
    instance_state:                                    "running" => "<computed>"
    instance_type:                                     "m4.large" => "m4.large"
    ipv6_address_count:                                "" => "<computed>"
    ipv6_addresses.#:                                  "0" => "<computed>"
    key_name:                                          "CLOUDPLATFORMTEAM" => "CLOUDPLATFORMTEAM"
    monitoring:                                        "true" => "true"
    network_interface.#:                               "0" => "<computed>"
    network_interface_id:                              "eni-333f3119" => "<computed>"
    placement_group:                                   "" => "<computed>"
    primary_network_interface_id:                      "eni-333f3119" => "<computed>"
    private_dns:                                       "ip-10-247-65-200.eu-west-1.compute.internal" => "<computed>"
    private_ip:                                        "10.247.65.200" => "<computed>"
    public_dns:                                        "ec2-52-214-130-141.eu-west-1.compute.amazonaws.com" => "<computed>"
    public_ip:                                         "52.214.130.141" => "<computed>"
    root_block_device.#:                               "1" => "1"
    root_block_device.0.delete_on_termination:         "true" => "true"
    root_block_device.0.iops:                          "300" => "150" (forces new resource)
    root_block_device.0.volume_size:                   "100" => "100"
    root_block_device.0.volume_type:                   "gp2" => "gp2"
    security_groups.#:                                 "0" => "<computed>"
    source_dest_check:                                 "false" => "false"
    subnet_id:                                         "subnet-a9fd40ce" => "subnet-a9fd40ce"
    tags.%:                                            "15" => "15"
    tags.ApplicationRole:                              "EC2" => "EC2"
    tags.ApplicationService:                           "shared" => "shared"
    tags.AutomationDateTime:                           "N/A" => "N/A"
    tags.AutomationOptinOptout:                        "n" => "n"
    tags.BuildDate:                                    "20170727" => "20170727"
    tags.BusinessUnit:                                 "commercial" => "commercial"
    tags.Cluster:                                      "n" => "n"
    tags.Compliance:                                   "PCI" => "PCI"
    tags.Confidentiality:                              "Highly Confidential" => "Highly Confidential"
    tags.Environment:                                  "n" => "n"
    tags.Name:                                         "ec2-euw1-n-commercial-vpc001-bastion-001" => "ec2-euw1-n-commercial-vpc001-bastion-001"
    tags.Owner:                                        "commercial" => "commercial"
    tags.Project:                                      "shared" => "shared"
    tags.Region:                                       "eu-west-1" => "eu-west-1"
    tags.Version:                                      "001" => "001"
    tenancy:                                           "default" => "<computed>"
    volume_tags.%:                                     "0" => "<computed>"
    vpc_security_group_ids.#:                          "1" => "1"
    vpc_security_group_ids.2112432572:                 "sg-e396129b" => "sg-e396129b"


Plan: 1 to add, 1 to change, 1 to destroy.

[ghost]

root_block_device.0.iops: "300" => "150" (forces new resource)

This is what's causing your resource to create again. With gp2 you can't set a custom iops value afaik. You need to use IO1 instead

so

root_block_device {
iops = "150"
volume_type = "gp2"
volume_size = "50"
delete_on_termination = "true"
}

becomes

root_block_device {
volume_type = "gp2"
volume_size = "50"
delete_on_termination = "true"
}

[bryanheo]

Thank you for your help
As you mentioned, it is working fine without iops option.
Regards

[Aabhusan]

i am also facing the following same type of issue but above solution donot solve my issue .
my source code is :

resource "aws_instance" "lms-ec2-apache" {
ami ="${var.aws_ami}"
instance_type ="${var.instance_type}"
key_name ="${aws_key_pair.lms-ec2-apache.id}"
subnet_id ="${var.subnet_id}"

security_groups =["${aws_security_group.lms-ec2-apache.id}"]
tags = {
Name = "lms-ec2-apache"
key_name ="${aws_key_pair.lms-ec2-apache.id}"
}
}

terraform plan gives:
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

module.ec2-apache.aws_instance.lms-ec2-apache must be replaced
-/+ resource "aws_instance" "lms-ec2-apache" {
ami = "ami-0c5204531f799e0c6"
~ arn = "arn:aws:ec2:us-west-2:157369949994:instance/i-0e327fcf07c83bcce" -> (known after apply)
~ associate_public_ip_address = true -> (known after apply)
~ availability_zone = "us-west-2b" -> (known after apply)
~ cpu_core_count = 1 -> (known after apply)
~ cpu_threads_per_core = 1 -> (known after apply)

• disable_api_termination = false -> null
• ebs_optimized = false -> null
  get_password_data = false

• host_id = (known after apply)
  ~ id = "i-0e327fcf07c83bcce" -> (known after apply)
  ~ instance_state = "running" -> (known after apply)
  instance_type = "t2.micro"
  ~ ipv6_address_count = 0 -> (known after apply)
  ~ ipv6_addresses = [] -> (known after apply)
  key_name = "lms_apache_key"

• monitoring = false -> null

• network_interface_id = (known after apply)
• password_data = (known after apply)
• placement_group = (known after apply)
  ~ primary_network_interface_id = "eni-04c6bb59dcbfa1ef0" -> (known after apply)
  ~ private_dns = "ip-10-0-0-247.us-west-2.compute.internal" -> (known after apply)
  ~ private_ip = "10.0.0.247" -> (known after apply)
• public_dns = (known after apply)
  ~ public_ip = "54.186.141.77" -> (known after apply)
  ~ security_groups = [ # forces replacement
• "sg-0a2d2571db088d018",
  ]
  source_dest_check = true
  subnet_id = "subnet-0529e3e3e3fa9c434"
  tags = {
  "Name" = "lms-ec2-apache"
  "key_name" = "lms_apache_key"
  }
  ~ tenancy = "default" -> (known after apply)
  ~ volume_tags = {} -> (known after apply)
  ~ vpc_security_group_ids = [

• "sg-0a2d2571db088d018",
  ] -> (known after apply)

  • credit_specification {
    • cpu_credits = "standard" -> null
      }
  • ebs_block_device {
    • delete_on_termination = true
    • device_name = "/dev/sdb"
    • encrypted = (known after apply)
    • iops = (known after apply)
    • kms_key_id = (known after apply)
    • snapshot_id = (known after apply)
    • volume_id = (known after apply)
    • volume_size = 100
    • volume_type = "gp2"
      }
  • ebs_block_device {
    • delete_on_termination = true -> null
    • device_name = "/dev/sdb" -> null
    • encrypted = false -> null
    • iops = 300 -> null
    • volume_id = "vol-0e69f47369af4489b" -> null
    • volume_size = 100 -> null
    • volume_type = "gp2" -> null
      }

  • ephemeral_block_device {

    • device_name = (known after apply)
    • no_device = (known after apply)
    • virtual_name = (known after apply)
      }

  • network_interface {

    • delete_on_termination = (known after apply)
    • device_index = (known after apply)
    • network_interface_id = (known after apply)
      }

  ~ root_block_device {
  delete_on_termination = true
  ~ encrypted = false -> (known after apply)
  ~ iops = 150 -> (known after apply)
  + kms_key_id = (known after apply)
  ~ volume_id = "vol-001ebe82b2b50619f" -> (known after apply)
  volume_size = 50
  volume_type = "gp2"
  }
  }
  Plan: 1 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: no

Apply cancelled.
Releasing state lock. This may take a few moments...

anyone please help me asap

[Aabhusan]

i am also facing the following same type of issue but above solution donot solve my issue .
my source code is :

resource "aws_instance" "lms-ec2-apache" {
ami ="${var.aws_ami}"
instance_type ="${var.instance_type}"
key_name ="${aws_key_pair.lms-ec2-apache.id}"
subnet_id ="${var.subnet_id}"

security_groups =["${aws_security_group.lms-ec2-apache.id}"]
tags = {
Name = "lms-ec2-apache"
key_name ="${aws_key_pair.lms-ec2-apache.id}"
}
}

terraform plan gives:

Terraform will perform the following actions:

module.ec2-apache.aws_instance.lms-ec2-apache must be replaced

-/+ resource "aws_instance" "lms-ec2-apache" {
ami = "ami-0c5204531f799e0c6"
~ arn = "arn:aws:ec2:us-west-2:157369949994:instance/i-0e327fcf07c83bcce" -> (known after apply)
~ associate_public_ip_address = true -> (known after apply)
~ availability_zone = "us-west-2b" -> (known after apply)
~ cpu_core_count = 1 -> (known after apply)
~ cpu_threads_per_core = 1 -> (known after apply)
- disable_api_termination = false -> null
- ebs_optimized = false -> null
get_password_data = false
+ host_id = (known after apply)
~ id = "i-0e327fcf07c83bcce" -> (known after apply)
~ instance_state = "running" -> (known after apply)
instance_type = "t2.micro"
~ ipv6_address_count = 0 -> (known after apply)
~ ipv6_addresses = [] -> (known after apply)
key_name = "lms_apache_key"
- monitoring = false -> null
+ network_interface_id = (known after apply)
+ password_data = (known after apply)
+ placement_group = (known after apply)
~ primary_network_interface_id = "eni-04c6bb59dcbfa1ef0" -> (known after apply)
~ private_dns = "ip-10-0-0-247.us-west-2.compute.internal" -> (known after apply)
~ private_ip = "10.0.0.247" -> (known after apply)
+ public_dns = (known after apply)
~ public_ip = "54.186.141.77" -> (known after apply)
~ security_groups = [ # forces replacement
+ "sg-0a2d2571db088d018",
]
source_dest_check = true
subnet_id = "subnet-0529e3e3e3fa9c434"
tags = {
"Name" = "lms-ec2-apache"
"key_name" = "lms_apache_key"
}
~ tenancy = "default" -> (known after apply)
~ volume_tags = {} -> (known after apply)
~ vpc_security_group_ids = [
- "sg-0a2d2571db088d018",
] -> (known after apply)

  - credit_specification {
      - cpu_credits = "standard" -> null
    }

  + ebs_block_device {
      + delete_on_termination = (known after apply)
      + device_name           = (known after apply)
      + encrypted             = (known after apply)
      + iops                  = (known after apply)
      + kms_key_id            = (known after apply)
      + snapshot_id           = (known after apply)
      + volume_id             = (known after apply)
      + volume_size           = (known after apply)
      + volume_type           = (known after apply)
    }
  - ebs_block_device {
      - delete_on_termination = true -> null
      - device_name           = "/dev/sdb" -> null
      - encrypted             = false -> null
      - iops                  = 300 -> null
      - volume_id             = "vol-0e69f47369af4489b" -> null
      - volume_size           = 100 -> null
      - volume_type           = "gp2" -> null
    }

  + ephemeral_block_device {
      + device_name  = (known after apply)
      + no_device    = (known after apply)
      + virtual_name = (known after apply)
    }

  + network_interface {
      + delete_on_termination = (known after apply)
      + device_index          = (known after apply)
      + network_interface_id  = (known after apply)
    }

  ~ root_block_device {
      ~ delete_on_termination = true -> (known after apply)
      ~ encrypted             = false -> (known after apply)
      ~ iops                  = 150 -> (known after apply)
      + kms_key_id            = (known after apply)
      ~ volume_id             = "vol-001ebe82b2b50619f" -> (known after apply)
      ~ volume_size           = 50 -> (known after apply)
      ~ volume_type           = "gp2" -> (known after apply)
    }
}

Plan: 1 to add, 0 to change, 1 to destroy.

anyone please help asap .

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.