Bug: Terraform attempts to delete security groups before dependent EC2 instances #8617
Comments
@hydroxide I don't experience this problem with 0.7.0; do you have any other useful information such as a debug log (gist link) or other information? I use this dependency quite extensively in a lot of plans and haven't run into this unless something is modifying the SGs outside of management. |
I am facing a similar issue with terraform 0.7.3, when conditionally adding an extra security group. The terraform plan shows that both the extra security group will be deleted and disassociated from the EC2 instances:
Yet applying the changes attempts to remove the extra security group before it is removed from the dependent EC2 instance.
Here is a simplified version of my terraform config. variables.tf
security_group.tf
nodes.tf
zone_instances/main.tf
|
This is happening to me, too. In my case, I'm trying to rename a security group, which requires that Terraform destroy the group and recreate it. However, all instances have to be removed from the group and all references to the group must be removed before it can be destroyed. Terraform doesn't remove instances from the group or remove references to the group before it tries to destroy it. Error message:
|
I believe the answer is in explicit dependencies:
Emphasis mine. Sadly, this doesn't seem to work for me (though I'm mentioning a few resources and only needing to destroy a couple). |
Same issue here with latest version (v0.10.8). |
Ran into this issue on 0.10.8 as well. |
A combination of

```hcl
resource "aws_security_group" "example" {
  name_prefix = "example-"
  // other stuff
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_instance" "example" {
  vpc_security_group_ids = ["${aws_security_group.example.id}"]
  // other stuff
}
```

Then the new SG gets created, swapped out on the ENI for the EC2 instance and then the old SG can be deleted. |
Thanks @b-dean! This approach worked for me as well. |
@hydroxide Any chance you can re-open this? It's happening for lots of us, apparently (me included). It's very simple to reproduce: simply remove a security group that's assigned to at least one server. Terraform hangs until its timeout. It's possible to work around by manually (AWS UI) removing the assignment in parallel, but that wouldn't be fun for a significant number of instances. |
I am currently experiencing this same behavior. Renamed a security group attached to an instance resource; terraform detects I'm no longer using said security group and hangs until it times out in an attempt to delete it. If I remove the security group in the AWS console or destroy the instance, terraform returns successfully. |
I am also experiencing a similar issue in Terraform v0.11.7. I am unable to delete existing security groups that are no longer applicable to an EC2 instance dynamically based on a boolean variable for an environment. "Terraform plan" seems to be Ok, but "Terraform apply" seems to be producing an error after 10 mins. I think terraform is trying to delete the security groups first and then detach it from the EC2 instance. It should be the other way round. For now, I am now manually detaching the security groups from the EC2 instance from AWS Console and then running "terraform apply", which seems to work. |
Exactly the same happens when the security group is in use by ECS service. |
I have just run into this issue as well while writing tests for a custom terraform provider. I wrote a test that, as part of the same step, removed a link from resource A->B and deleted resource B. However, terraform attempted to delete B prior to the update of A finishing. This behaviour seems very counterintuitive to me. While it probably leads to faster-running applies in some (many?) cases, it seems that without a lot more metadata being provided by either the end-user or the providers, terraform would have no way to know when this is safe and thus should default to the safer behaviour of waiting for updates to all resources which depend on a resource scheduled for removal before actually proceeding with that removal. After some searching around I've found the following issues that I think are either this same issue, or are closely related. In some cases, |
I'm facing this issue when destroying my cloud lab which is completely deployed using Terraform (VPC, Route Tables, Subnets, EIP, EC2, EBS, Route53). Looks like Terraform is trying to remove Route Table before removing the EC2 instances or Subnets. |
I just hit this with |
Also experiencing this on: In my case there are left over network interfaces (not in-use), so terraform hangs trying to delete associated security groups. |
+1 |
I'm experiencing this issue with Terraform v0.11.8 and provider.AWS v1.41.0. |
Also in
|
Any chance this will be fixed in future releases? It's been an issue for a while now and even lifecycle hooks with 'create_before_destroy' won't work. |
Hi all, From reading over the comment thread here it seems like there are a few subtly different problems being described:
In order to understand better what's going on here, it would be helpful if at least one of the participants in this thread for each of those situations could capture a trace log during a failing operation. To do that:
The log includes detailed information about how Terraform is constructing the graph, which will allow us to see whether there is indeed a bug in the graph construction (dependencies in the wrong order, or missing) or if something more subtle and resource-type-specific is going on here. Thanks to everyone for sharing descriptions of the problem above, and sorry for the delay in responding here. |
My use case (simplified): File my_ec2.tf
I've checked
Security group dependency detected only on another security group referenced in the "my_sg". My intention is to reuse |
I hit the same problem with security group list in a rds vpc_security_group_ids. |
+1 -- running into this problem when I have an RDS instance with two security groups, and I would like to remove one. So, @apparentlymart this is in essence the same as the latter case you mentioned: terraform tries to delete the security group before removing the security group from the RDS instance. I am a bit hesitant to add the log output from |
In the logs you should find some lines containing the string If you can share the entire list of nodes after that initial log line, that will at least allow me to see whether there is the expected dependency edges between the resources, though if it turns out that there is then we may need additional detail to fully explain it. If the configuration has other objects in it aside from the RDS instance and security groups, it would help also to know the addresses of the resources in question (so we can easily identify them in the list) and, ideally, the full configuration sources for those resources so we can see how the dependencies between them are declared. Thanks! |
Terraform v0.11.11 + provider.aws v1.45.0 My use case was to modify my security group and then apply. I'm hitting the same DependencyViolation while trying to destroy the security group. Trace log extract after TransitiveReductionTransformer are at https://gist.github.com/schley2103/5834f2f0b7c590352c2be4f7cb717594.js. It built 5 graphs. Thanks! |
Thanks @b-dean. This issue is the number one Google result for "terraform aws_security_group create before destroy" to see if that would resolve the problem where Terraform hangs indefinitely when you re-create a security group attached to running instances. Seems like a valid workaround in the interim. |
I think @b-dean 's solution also works with |
Also happens with aws_rds_cluster. Terraform 0.12 |
Happening to me too on 0.12. If an RDS is using a security group, that group cannot ever be destroyed. It's immortal. |
Happening to me with this config:
In my use case, I already have an EC2 instance and a security group attached to it; it's failing trying to destroy the SG when I make changes to it, without detaching it from the instance first. |
@jbardin can you reopen the issue? The bug is still present in:
Example:
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
I have a configuration of EC2 instances belonging to security groups in AWS:
When running terraform destroy, Terraform attempts to destroy the security groups until timeout (5 minutes), at which point it prints the following error:
Indeed, the instances (which Terraform has not yet attempted to destroy) are dependent on the security group. Given that the configuration for these resources is maintained completely in Terraform, it seems to be some bug with the dependency resolution. I wonder if this may have anything to do with the VPC.