Terraform keeps forcing resources to be recreated (destroy, then create)

Dmi*_*nov 2 terraform terraform-provider-aws terraform0.12+

I am using terraform + terraform cloud (for remote state management)

```
✦ ➜ terraform -v
Terraform v0.12.24
+ provider.aws v2.60.0
+ provider.null v2.1.2
```
```
✦ ➜ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

module.vpc.module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-0e89e6d2515004e3d]
module.s3.aws_s3_bucket.project_bucket: Refreshing state... [id=project-bucket]
data.aws_availability_zones.all: Refreshing state...
module.bastion.aws_key_pair.ssh_key: Refreshing state... [id=project]
module.vpc.module.vpc.aws_eip.nat[0]: Refreshing state... [id=eipalloc-053796962073bcc33]
module.vpc.module.vpc.aws_subnet.private[1]: Refreshing state... [id=subnet-037152cf7128a8a31]
module.vpc.module.vpc.aws_subnet.private[0]: Refreshing state... [id=subnet-0b4f07b30fb51ab78]
module.vpc.module.vpc.aws_route_table.private[0]: Refreshing state... [id=rtb-0dd52f77a6da2f2b8]
module.vpc.module.vpc.aws_subnet.private[2]: Refreshing state... [id=subnet-007658ad3ec49fed8]
module.vpc.module.vpc.aws_route_table.public[0]: Refreshing state... [id=rtb-050f67e4a3f5b978e]
module.vpc.module.vpc.aws_subnet.public[1]: Refreshing state... [id=subnet-03b773348ee69e0ec]
module.vpc.module.vpc.aws_subnet.public[2]: Refreshing state... [id=subnet-088a8a66b9709ef80]
module.vpc.module.vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-0fd9ca3b8e2220d17]
module.vpc.module.vpc.aws_internet_gateway.this[0]: Refreshing state... [id=igw-023440c10240ecb89]
module.bastion.module.bastion_sg.aws_security_group.this_name_prefix[0]: Refreshing state... [id=sg-083a3f9ac371028cc]
module.vpc.module.vpc.aws_route.public_internet_gateway[0]: Refreshing state... [id=r-rtb-050f67e4a3f5b978e1080289494]
module.vpc.module.vpc.aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-03491c0a1e86fb1f4]
module.vpc.module.vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-01d46d6a2886abad7]
module.vpc.module.vpc.aws_nat_gateway.this[0]: Refreshing state... [id=nat-02883dcc0730919c0]
module.vpc.module.vpc.aws_route_table_association.public[2]: Refreshing state... [id=rtbassoc-0249a452e3f9abb36]
module.vpc.module.vpc.aws_route_table_association.private[2]: Refreshing state... [id=rtbassoc-03c5e67988a5d7e82]
module.vpc.module.vpc.aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-0c1c4c526a43cd642]
module.vpc.module.vpc.aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-0c6fe768236033ceb]
module.vpc.module.vpc.aws_route.private_nat_gateway[0]: Refreshing state... [id=r-rtb-0dd52f77a6da2f2b81080289494]
module.bastion.module.bastion_sg.aws_security_group_rule.egress_rules[0]: Refreshing state... [id=sgrule-4146597370]
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[0]: Refreshing state... [id=sgrule-2752251669]
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[3]: Refreshing state... [id=sgrule-2109081080]
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[1]: Refreshing state... [id=sgrule-1148563241]
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[2]: Refreshing state... [id=sgrule-4076860060]
module.bastion.aws_instance.bastion: Refreshing state... [id=i-0a0ce9a84e320ee1a]

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.bastion.aws_instance.bastion must be replaced
+/- resource "aws_instance" "bastion" {
        ami                          = "ami-08ee2516c7709ea48"
      ~ arn                          = "arn:aws:ec2:us-east-2:555065427312:instance/i-0a0ce9a84e320ee1a" -> (known after apply)
      ~ associate_public_ip_address  = true -> (known after apply)
      ~ availability_zone            = "us-east-2a" -> (known after apply)
      ~ cpu_core_count               = 1 -> (known after apply)
      ~ cpu_threads_per_core         = 1 -> (known after apply)
      - disable_api_termination      = false -> null
      - ebs_optimized                = false -> null
        get_password_data            = false
      - hibernation                  = false -> null
      + host_id                      = (known after apply)
      ~ id                           = "i-0a0ce9a84e320ee1a" -> (known after apply)
      ~ instance_state               = "running" -> (known after apply)
        instance_type                = "t2.micro"
      ~ ipv6_address_count           = 0 -> (known after apply)
      ~ ipv6_addresses               = [] -> (known after apply)
        key_name                     = "project"
      - monitoring                   = false -> null
      + network_interface_id         = (known after apply)
      + outpost_arn                  = (known after apply)
      + password_data                = (known after apply)
      + placement_group              = (known after apply)
      ~ primary_network_interface_id = "eni-06538a1ff826fc7cd" -> (known after apply)
      ~ private_dns                  = "ip-10-0-101-59.us-east-2.compute.internal" -> (known after apply)
      ~ private_ip                   = "10.0.101.59" -> (known after apply)
      ~ public_dns                   = "ec2-3-14-143-30.us-east-2.compute.amazonaws.com" -> (known after apply)
      ~ public_ip                    = "3.14.143.30" -> (known after apply)
      ~ security_groups              = [ # forces replacement
          + "sg-083a3f9ac371028cc",
        ]
        source_dest_check            = true
        subnet_id                    = "subnet-0fd9ca3b8e2220d17"
        tags                         = {
            "Name"        = "edna-devstg-bastion"
            "environment" = "dev/stg"
            "project"     = "eDNA"
            "team"        = "project"
            "terraform"   = "true"
        }
      ~ tenancy                      = "default" -> (known after apply)
      ~ volume_tags                  = {} -> (known after apply)
      ~ vpc_security_group_ids       = [
          - "sg-083a3f9ac371028cc",
        ] -> (known after apply)

      - credit_specification {
          - cpu_credits = "standard" -> null
        }

      + ebs_block_device {
          + delete_on_termination = (known after apply)
          + device_name           = (known after apply)
          + encrypted             = (known after apply)
          + iops                  = (known after apply)
          + kms_key_id            = (known after apply)
          + snapshot_id           = (known after apply)
          + volume_id             = (known after apply)
          + volume_size           = (known after apply)
          + volume_type           = (known after apply)
        }

      + ephemeral_block_device {
          + device_name  = (known after apply)
          + no_device    = (known after apply)
          + virtual_name = (known after apply)
        }

      ~ metadata_options {
          ~ http_endpoint               = "enabled" -> (known after apply)
          ~ http_put_response_hop_limit = 1 -> (known after apply)
          ~ http_tokens                 = "optional" -> (known after apply)
        }

      + network_interface {
          + delete_on_termination = (known after apply)
          + device_index          = (known after apply)
          + network_interface_id  = (known after apply)
        }

      ~ root_block_device {
          ~ delete_on_termination = false -> (known after apply)
          ~ device_name           = "/dev/sda1" -> (known after apply)
          ~ encrypted             = false -> (known after apply)
          ~ iops                  = 100 -> (known after apply)
          + kms_key_id            = (known after apply)
          ~ volume_id             = "vol-0ff291d46afbd5aaa" -> (known after apply)
          ~ volume_size           = 8 -> (known after apply)
          ~ volume_type           = "gp2" -> (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
```

Earlier I tried to check how the taint command works, and did this

(Screenshot of the taint command output; image not preserved.)

But then I tried deleting and recreating the whole stack. It seems I have no "tainted" resources, because the following output says so.

```
✦ ➜ terraform -v
Terraform v0.12.24
+ provider.aws v2.60.0
+ provider.null v2.1.2
```

But the bastion host is still being recreated, because it is forced by

```
      ~ security_groups              = [ # forces replacement
          + "sg-083a3f9ac371028cc",
        ]
```

Here is my module structure

```
├── config.tf
├── env.auto.tfvars
├── goodies
│   └── bastion_ip_address.txt
├── main.tf
├── modules
│   ├── bastion
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   ├── cassandra
│   ├── elasticache
│   ├── kubernetes
│   ├── rds
│   ├── s3
│   │   └── main.tf
│   └── vpc
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
├── README.md
└── variables.tf
```

main.tf (root level)

```hcl
module "s3" {
  source = "./modules/s3"
}

module "vpc" {
  source      = "./modules/vpc"
  team        = var.team
  project     = var.project
  component   = ""
  environment = var.environment
  tags        = module.project_config.tags
}

module "bastion" {
  source        = "./modules/bastion"
  vpc_id        = module.vpc.vpc_id
  vpc_subnet_id = module.vpc.public_subnets[0]
  instance_type = "t2.micro"
  team          = var.team
  project       = var.project
  component     = ""
  environment   = var.environment
  tags          = module.project_config.tags
}
```

Here is my bastion terraform config, module/bastion/main.tf

```hcl
module "bastion_label" {
  source      = "git::https://github.com/cloudposse/terraform-null-label.git?ref=master"
  namespace   = var.project
  environment = var.environment
  attributes  = [var.component]
  name        = "bastion"
}

#
# Local computed variables
#
# locals {
#   names = {
#     bastion_sg = join(module.bastion_label.delimiter, [module.bastion_label.id, "sg"])
#   }
# }

#
# Define security key
#
resource "aws_key_pair" "ssh_key" {
  key_name   = var.team
  public_key = file(".ssh/${var.team}.pub")
}

#
# Define bastion security group
#
module "bastion_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "bastion-sg"
  description = "security group for bastion host"
  vpc_id      = var.vpc_id

  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["https-443-tcp", "http-80-tcp", "ssh-tcp", "all-icmp"]
  egress_rules        = ["all-all"]

  tags = var.tags
}

#
# Define bastion ec2 instance
#
resource "aws_instance" "bastion" {
  instance_type = var.instance_type
  ami           = "ami-08ee2516c7709ea48"
  key_name      = aws_key_pair.ssh_key.key_name
  subnet_id     = var.vpc_subnet_id

  security_groups = [
    module.bastion_sg.this_security_group_id
  ]

  connection {
    type        = "ssh"
    user        = "centos"
    private_key = file(".ssh/${var.team}")
    host        = self.public_ip
  }

  depends_on = [aws_key_pair.ssh_key]

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.tags, {
    Name = module.bastion_label.id
  })
}
```

What am I doing wrong, or what am I missing?


sog*_*429 6

Hi Dmitry, @ydaetskcoR said you need to use `vpc_security_group_ids` instead of `security_groups`. https://www.terraform.io/docs/providers/aws/r/instance.html
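The fix the answer points to, as an added example (not the asker's or answerer's code): the bastion resource from module/bastion/main.tf with `security_groups` replaced by `vpc_security_group_ids`, everything else unchanged.

```hcl
# Added example: the bastion instance from module/bastion/main.tf with the
# attribute the answer recommends. Only the security-group attribute differs
# from the question's version.
resource "aws_instance" "bastion" {
  instance_type = var.instance_type
  ami           = "ami-08ee2516c7709ea48"
  key_name      = aws_key_pair.ssh_key.key_name
  subnet_id     = var.vpc_subnet_id

  # Before (the line that produced "# forces replacement" in the plan):
  #
  #   security_groups = [module.bastion_sg.this_security_group_id]
  #
  # `security_groups` is the EC2-Classic / default-VPC attribute. For an
  # instance launched into a subnet the provider reads the attached groups
  # back into `vpc_security_group_ids` and leaves `security_groups` empty in
  # state, so the configured list never matches state, and because that
  # attribute forces a new resource every plan schedules a destroy-and-create.
  # With `create_before_destroy = true` the plan shows "+/-": the replacement
  # is built first, then the old host is destroyed and the public IP changes.
  vpc_security_group_ids = [
    module.bastion_sg.this_security_group_id
  ]

  connection {
    type        = "ssh"
    user        = "centos"
    private_key = file(".ssh/${var.team}")
    host        = self.public_ip
  }

  depends_on = [aws_key_pair.ssh_key]

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.tags, {
    Name = module.bastion_label.id
  })
}
```

After this change `terraform plan` should report no actions for `module.bastion.aws_instance.bastion`: the plan in the question shows that state already holds `vpc_security_group_ids = ["sg-083a3f9ac371028cc"]` and an empty `security_groups`, both of which now match the configuration.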