Every-time apply is invoked updates security groups in place using modules

[nodesocket]

Every-time I invoke terraform apply the security groups that are returned from a module are causing an update in place change:

MacBook-Pro ➜  dev git:(master) ✗ terraform apply

...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ module.api.aws_instance.api
      vpc_security_group_ids.#:          "0" => "2"
      vpc_security_group_ids.1446360512: "" => "sg-e9e8e595"
      vpc_security_group_ids.1998748934: "" => "sg-e0eae79c"

  ~ module.logstash.aws_instance.logstash
      vpc_security_group_ids.#:          "0" => "1"
      vpc_security_group_ids.1446360512: "" => "sg-e9e8e595"


Plan: 0 to add, 2 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.logstash.aws_instance.logstash: Modifying... (ID: i-08ecb49e83e9fa4c9)
  vpc_security_group_ids.#:          "0" => "1"
  vpc_security_group_ids.1446360512: "" => "sg-e9e8e595"
module.api.aws_instance.api: Modifying... (ID: i-024a0231aac993fb5)
  vpc_security_group_ids.#:          "0" => "2"
  vpc_security_group_ids.1446360512: "" => "sg-e9e8e595"
  vpc_security_group_ids.1998748934: "" => "sg-e0eae79c"
module.logstash.aws_instance.logstash: Modifications complete after 5s (ID: i-08ecb49e83e9fa4c9)
module.api.aws_instance.api: Modifications complete after 5s (ID: i-024a0231aac993fb5)

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.
MacBook-Pro ➜  dev git:(master) ✗ terraform apply

...

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  ~ module.api.aws_instance.api
      vpc_security_group_ids.#:          "0" => "2"
      vpc_security_group_ids.1446360512: "" => "sg-e9e8e595"
      vpc_security_group_ids.1998748934: "" => "sg-e0eae79c"

  ~ module.logstash.aws_instance.logstash
      vpc_security_group_ids.#:          "0" => "1"
      vpc_security_group_ids.1446360512: "" => "sg-e9e8e595"


Plan: 0 to add, 2 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

The security groups module simply uses output like:

output "api_security_group" {
    value = "${aws_security_group.api.id}"
}

Then in the AWS instance module:

variable "security_groups" {
    type = "list"
    description = "A list of security groups for the instance"
}

...
    vpc_security_group_ids = [
        "${var.security_groups}"
    ]

Finally when instantiating the module:

module "api" {
    source = "../../modules/api"
    name = "api1"
    security_groups = "${
        list(
            module.security_groups.base_security_group,
            module.security_groups.api_security_group
        )
    }"
}

[bflad]

@nodesocket apologies you are having trouble! You are likely running into an already reported bug in the AWS provider relating to aws_instance.vpc_security_group_ids: hashicorp/terraform-provider-aws#1445

It has large number of duplicates (which we'll be consolidating them shortly):

• instances always need vpc_security_group_ids updated terraform-provider-aws#1799
• resource/aws_instance: vpc_security_group_ids always showing update terraform-provider-aws#1993 (most thorough details)
• vpc security group and vpc instance trigger recreate when there are no template changes terraform-provider-aws#2034
• Always changes in aws_instance.vpc_security_group_ids list terraform-provider-aws#2036
• 0.10.8 vpc security group recreating terraform-provider-aws#2319

[nodesocket]

@bflad thanks for the quick reply. Hopefully it can get fixed soon.

[apparentlymart]

Thanks for pointing out that link, @bflad. I'm going to close this one to consolidate the discussion in hashicorp/terraform-provider-aws#1993.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.