How to change description on AWS Security Group with Terraform

amazon-web-services, terraform

I'm having a bit of trouble with the following Terraform scenario:

  • create a SG and launch an instance that uses the SG
  • modify the SG description

I would expect Terraform to unlink the SG from the instance, destroy the SG, create a new one, link the new one.

However, what I'm seeing is a timeout while trying to destroy the SG (obviously, as it's in use and AWS won't allow that).

I'm not sure whether this is a bug or I'm doing something wrong.

To understand my issue, as per below: run apply, then change the description of the SG, and then run apply again.

provider "aws" {
  region = "eu-west-1"
}

resource "aws_default_vpc" "default" {
  tags {
    Name = "Default VPC"
  }
}

data "aws_subnet_ids" "example" {
  vpc_id = "${aws_default_vpc.default.id}"
}

resource "aws_security_group" "webserver" {
  name        = "staging-webserver"
  description = "meow"

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags {
    Name = "EBS webserver SG - staging"
  }
}

resource "aws_instance" "dummy" {
  ami                    = "ami-f7e8558e"
  instance_type          = "t2.micro"
  availability_zone      = "eu-west-1a"
  vpc_security_group_ids = [
    "${aws_security_group.webserver.id}"
  ]
}

Best Answer

No, Terraform won't unlink a security group from anything before destroying it.

The best thing you can do is create another security group, use that one and let the old one be deleted, or ignore the changes for description.
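The two options from the answer, written out as an added example (this is not the asker's or the answerer's code). It uses Terraform 0.12+ syntax rather than the 0.11 interpolation style in the question; the region, AMI, availability zone and the egress rule are taken from the question, while the `name_prefix` value and the `webserver_pinned` resource name are assumptions. On `aws_security_group`, a change to `description` forces a replacement, and a replacement with `create_before_destroy` only works if the new group can coexist with the old one, so the fixed `name` is swapped for `name_prefix` (two groups in one VPC cannot share a name).

```hcl
provider "aws" {
  region = "eu-west-1"
}

# Option 1: build the replacement group first, repoint the instance, then delete
# the old group. `name_prefix` gives every generation a unique name so the new
# group can exist alongside the one it replaces.
resource "aws_security_group" "webserver" {
  name_prefix = "staging-webserver-"   # assumed prefix
  description = "meow"                 # edit this, then apply, to exercise the replacement

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "EBS webserver SG - staging"
  }

  lifecycle {
    create_before_destroy = true
  }
}

# Option 2: keep the existing group and tell Terraform to ignore any change to
# its description, so no replacement is planned at all. Shown as a second
# resource only so both patterns sit side by side; in practice you pick one.
resource "aws_security_group" "webserver_pinned" {
  name        = "staging-webserver-pinned"   # assumed name
  description = "meow"

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  lifecycle {
    ignore_changes = [description]
  }
}

# The instance attaches to the replaceable group. `vpc_security_group_ids` is
# updated in place, which is what lets the old group be released before it is
# destroyed.
resource "aws_instance" "dummy" {
  ami                    = "ami-f7e8558e"
  instance_type          = "t2.micro"
  availability_zone      = "eu-west-1a"
  vpc_security_group_ids = [aws_security_group.webserver.id]
}
```

With option 1 the plan for a description change reads as create new group, update instance, destroy old group, in that order; with option 2 the plan for the same edit is empty. Option 2 also silences drift if someone edits the description in the console, so option 1 is the one to use when the description is meant to be managed by Terraform.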
