I am building an AWS VPC with the following module:
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "4.0.1"

  name = "k8-vpc"
  cidr = var.vpc_cidr

  azs             = var.availability_zones
  private_subnets = var.private_subnets
  public_subnets  = var.public_subnets

  enable_nat_gateway      = true
  single_nat_gateway      = true
  create_igw              = true
  map_public_ip_on_launch = true

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
and create an instance with this code:
# Bastion
resource "aws_instance" "bastion" {
  depends_on = [module.vpc]

  ami                         = var.ami_id
  instance_type               = "t2.micro"
  subnet_id                   = module.vpc.public_subnets[0]
  associate_public_ip_address = true
  security_groups             = [aws_security_group.allow_ssh.id]
  key_name                    = aws_key_pair.k8_ssh.key_name

  tags = {
    Name = "Bastion"
  }
}
When performing an apply directly after another apply (no changes made, so in theory nothing to do), I am getting the following message:
      ~ secondary_private_ips = [] -> (known after apply)
      ~ security_groups       = [ # forces replacement
          + "sg-0cbcca0d4fef3ecf2",
        ]
        tags                  = {
            "Name" = "Bastion"
        }
    ...
Plan: 1 to add, 0 to change, 1 to destroy.
It appears the security group is triggering a rebuild. I have had depends_on on aws_security_group.allow_ssh and on module.vpc, and neither changes the behavior... I have verified that when an instance gets rebuilt, the same security group is on the old instance and the new instance in the console. Any ideas how to prevent a needless rebuild?
You should be using vpc_security_group_ids instead of security_groups. The latter is only for the default VPC and EC2-Classic.
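As an added example (not the asker's or the answerer's code), here is the bastion block rewritten to use vpc_security_group_ids, alongside a least-privilege security group for it. The aws_security_group "allow_ssh" definition and the admin_cidr variable are assumptions, since the question only references the group without showing it.

```hcl
# Assumed variable: the only CIDR allowed to reach the bastion over SSH.
variable "admin_cidr" {
  type = string
}

# Assumed definition of the security group the question references.
# vpc_id ties it to the module's VPC, so it is a VPC security group.
resource "aws_security_group" "allow_ssh" {
  name        = "bastion-allow-ssh"
  description = "SSH to the bastion from the admin network only"
  vpc_id      = module.vpc.vpc_id

  ingress {
    description = "SSH from admin network"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "bastion" {
  ami                         = var.ami_id
  instance_type               = "t2.micro"
  subnet_id                   = module.vpc.public_subnets[0]
  associate_public_ip_address = true
  key_name                    = aws_key_pair.k8_ssh.key_name

  # vpc_security_group_ids takes security group IDs for instances in a VPC.
  # security_groups (names; default VPC / EC2-Classic only) is what made
  # every plan in the question show a change that forces replacement.
  vpc_security_group_ids = [aws_security_group.allow_ssh.id]

  # No explicit depends_on is needed: the subnet_id reference already
  # orders this resource after the VPC module.

  tags = {
    Name = "Bastion"
  }
}
```

After switching, expect one final replacement (the attribute change itself forces it); a second apply with no changes should then plan zero actions.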