Terraform 不断强制重新创建资源(删除然后创建)

Terraform constantly forces to recreate the resource (delete then create)

我正在使用 terraform + terraform cloud(用于远程状态管理)

✦ ➜ terraform -v                               
Terraform v0.12.24
+ provider.aws v2.60.0
+ provider.null v2.1.2

✦ ➜ terraform plan                                     
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

module.vpc.module.vpc.aws_vpc.this[0]: Refreshing state... [id=vpc-0e89e6d2515004e3d]
module.s3.aws_s3_bucket.project_bucket: Refreshing state... [id=project-bucket]
data.aws_availability_zones.all: Refreshing state...
module.bastion.aws_key_pair.ssh_key: Refreshing state... [id=project]
module.vpc.module.vpc.aws_eip.nat[0]: Refreshing state... [id=eipalloc-053796962073bcc33]
module.vpc.module.vpc.aws_subnet.private[1]: Refreshing state... [id=subnet-037152cf7128a8a31]
module.vpc.module.vpc.aws_subnet.private[0]: Refreshing state... [id=subnet-0b4f07b30fb51ab78]
module.vpc.module.vpc.aws_route_table.private[0]: Refreshing state... [id=rtb-0dd52f77a6da2f2b8]
module.vpc.module.vpc.aws_subnet.private[2]: Refreshing state... [id=subnet-007658ad3ec49fed8]
module.vpc.module.vpc.aws_route_table.public[0]: Refreshing state... [id=rtb-050f67e4a3f5b978e]
module.vpc.module.vpc.aws_subnet.public[1]: Refreshing state... [id=subnet-03b773348ee69e0ec]
module.vpc.module.vpc.aws_subnet.public[2]: Refreshing state... [id=subnet-088a8a66b9709ef80]
module.vpc.module.vpc.aws_subnet.public[0]: Refreshing state... [id=subnet-0fd9ca3b8e2220d17]
module.vpc.module.vpc.aws_internet_gateway.this[0]: Refreshing state... [id=igw-023440c10240ecb89]
module.bastion.module.bastion_sg.aws_security_group.this_name_prefix[0]: Refreshing state... [id=sg-083a3f9ac371028cc]
module.vpc.module.vpc.aws_route.public_internet_gateway[0]: Refreshing state... [id=r-rtb-050f67e4a3f5b978e1080289494]
module.vpc.module.vpc.aws_route_table_association.public[1]: Refreshing state... [id=rtbassoc-03491c0a1e86fb1f4]
module.vpc.module.vpc.aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-01d46d6a2886abad7]
module.vpc.module.vpc.aws_nat_gateway.this[0]: Refreshing state... [id=nat-02883dcc0730919c0]
module.vpc.module.vpc.aws_route_table_association.public[2]: Refreshing state... [id=rtbassoc-0249a452e3f9abb36]
module.vpc.module.vpc.aws_route_table_association.private[2]: Refreshing state... [id=rtbassoc-03c5e67988a5d7e82]
module.vpc.module.vpc.aws_route_table_association.private[1]: Refreshing state... [id=rtbassoc-0c1c4c526a43cd642]
module.vpc.module.vpc.aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-0c6fe768236033ceb]
module.vpc.module.vpc.aws_route.private_nat_gateway[0]: Refreshing state... [id=r-rtb-0dd52f77a6da2f2b81080289494]
module.bastion.module.bastion_sg.aws_security_group_rule.egress_rules[0]: Refreshing state... [id=sgrule-4146597370]
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[0]: Refreshing state... [id=sgrule-2752251669]
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[3]: Refreshing state... [id=sgrule-2109081080]
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[1]: Refreshing state... [id=sgrule-1148563241]
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[2]: Refreshing state... [id=sgrule-4076860060]
module.bastion.aws_instance.bastion: Refreshing state... [id=i-0a0ce9a84e320ee1a]

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.bastion.aws_instance.bastion must be replaced
+/- resource "aws_instance" "bastion" {
        ami                          = "ami-08ee2516c7709ea48"
      ~ arn                          = "arn:aws:ec2:us-east-2:555065427312:instance/i-0a0ce9a84e320ee1a" -> (known after apply)
      ~ associate_public_ip_address  = true -> (known after apply)
      ~ availability_zone            = "us-east-2a" -> (known after apply)
      ~ cpu_core_count               = 1 -> (known after apply)
      ~ cpu_threads_per_core         = 1 -> (known after apply)
      - disable_api_termination      = false -> null
      - ebs_optimized                = false -> null
        get_password_data            = false
      - hibernation                  = false -> null
      + host_id                      = (known after apply)
      ~ id                           = "i-0a0ce9a84e320ee1a" -> (known after apply)
      ~ instance_state               = "running" -> (known after apply)
        instance_type                = "t2.micro"
      ~ ipv6_address_count           = 0 -> (known after apply)
      ~ ipv6_addresses               = [] -> (known after apply)
        key_name                     = "project"
      - monitoring                   = false -> null
      + network_interface_id         = (known after apply)
      + outpost_arn                  = (known after apply)
      + password_data                = (known after apply)
      + placement_group              = (known after apply)
      ~ primary_network_interface_id = "eni-06538a1ff826fc7cd" -> (known after apply)
      ~ private_dns                  = "ip-10-0-101-59.us-east-2.compute.internal" -> (known after apply)
      ~ private_ip                   = "10.0.101.59" -> (known after apply)
      ~ public_dns                   = "ec2-3-14-143-30.us-east-2.compute.amazonaws.com" -> (known after apply)
      ~ public_ip                    = "3.14.143.30" -> (known after apply)
      ~ security_groups              = [ # forces replacement
          + "sg-083a3f9ac371028cc",
        ]
        source_dest_check            = true
        subnet_id                    = "subnet-0fd9ca3b8e2220d17"
        tags                         = {
            "Name"        = "edna-devstg-bastion"
            "environment" = "dev/stg"
            "project"     = "eDNA"
            "team"        = "project"
            "terraform"   = "true"
        }
      ~ tenancy                      = "default" -> (known after apply)
      ~ volume_tags                  = {} -> (known after apply)
      ~ vpc_security_group_ids       = [
          - "sg-083a3f9ac371028cc",
        ] -> (known after apply)

      - credit_specification {
          - cpu_credits = "standard" -> null
        }

      + ebs_block_device {
          + delete_on_termination = (known after apply)
          + device_name           = (known after apply)
          + encrypted             = (known after apply)
          + iops                  = (known after apply)
          + kms_key_id            = (known after apply)
          + snapshot_id           = (known after apply)
          + volume_id             = (known after apply)
          + volume_size           = (known after apply)
          + volume_type           = (known after apply)
        }

      + ephemeral_block_device {
          + device_name  = (known after apply)
          + no_device    = (known after apply)
          + virtual_name = (known after apply)
        }

      ~ metadata_options {
          ~ http_endpoint               = "enabled" -> (known after apply)
          ~ http_put_response_hop_limit = 1 -> (known after apply)
          ~ http_tokens                 = "optional" -> (known after apply)
        }

      + network_interface {
          + delete_on_termination = (known after apply)
          + device_index          = (known after apply)
          + network_interface_id  = (known after apply)
        }

      ~ root_block_device {
          ~ delete_on_termination = false -> (known after apply)
          ~ device_name           = "/dev/sda1" -> (known after apply)
          ~ encrypted             = false -> (known after apply)
          ~ iops                  = 100 -> (known after apply)
          + kms_key_id            = (known after apply)
          ~ volume_id             = "vol-0ff291d46afbd5aaa" -> (known after apply)
          ~ volume_size           = 8 -> (known after apply)
          ~ volume_type           = "gp2" -> (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

我之前曾尝试检查 taint 命令是如何工作的并做了这个

但后来我尝试完全删除并重新创建堆栈。而且我似乎没有 "tainted" 资源,因为下面的输出是这样说的。

✦ ➜ terraform state list | xargs -L 1 terraform untaint

Error: Resource instance is not tainted

Resource instance data.aws_availability_zones.all is not currently tainted,
and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.bastion.aws_instance.bastion is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.bastion.aws_key_pair.ssh_key is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.s3.aws_s3_bucket.project_bucket is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance
module.bastion.module.bastion_sg.aws_security_group.this_name_prefix[0] is not
currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance
module.bastion.module.bastion_sg.aws_security_group_rule.egress_rules[0] is
not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[0] is
not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[1] is
not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[2] is
not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance
module.bastion.module.bastion_sg.aws_security_group_rule.ingress_rules[3] is
not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_eip.nat[0] is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_internet_gateway.this[0] is not
currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_nat_gateway.this[0] is not
currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route.private_nat_gateway[0] is
not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route.public_internet_gateway[0]
is not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route_table.private[0] is not
currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route_table.public[0] is not
currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route_table_association.private[0]
is not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route_table_association.private[1]
is not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route_table_association.private[2]
is not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route_table_association.public[0]
is not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route_table_association.public[1]
is not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_route_table_association.public[2]
is not currently tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_subnet.private[0] is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_subnet.private[1] is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_subnet.private[2] is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_subnet.public[0] is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_subnet.public[1] is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_subnet.public[2] is not currently
tainted, and so it cannot be untainted.


Error: Resource instance is not tainted

Resource instance module.vpc.module.vpc.aws_vpc.this[0] is not currently
tainted, and so it cannot be untainted.

但是我仍然在重新创建 bastion 主机,因为它被

强制
~ security_groups              = [ # forces replacement
          + "sg-083a3f9ac371028cc",
        ]

这是我的模块结构

├── config.tf
├── env.auto.tfvars
├── goodies
│   └── bastion_ip_address.txt
├── main.tf
├── modules
│   ├── bastion
│   │   ├── main.tf
│   │   ├── outputs.tf
│   │   └── variables.tf
│   ├── cassandra
│   ├── elasticache
│   ├── kubernetes
│   ├── rds
│   ├── s3
│   │   └── main.tf
│   └── vpc
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
├── README.md
└── variables.tf

main.tf(根级别)

module "s3" {
  source = "./modules/s3"
}

module "vpc" {
  source      = "./modules/vpc"
  team        = var.team
  project     = var.project
  component   = ""
  environment = var.environment
  tags        = module.project_config.tags
}

module "bastion" {
  source        = "./modules/bastion"
  vpc_id        = module.vpc.vpc_id
  vpc_subnet_id = module.vpc.public_subnets[0]
  instance_type = "t2.micro"
  team          = var.team
  project       = var.project
  component     = ""
  environment   = var.environment
  tags          = module.project_config.tags
}

这是我的堡垒 terraform 配置 modules/bastion/main.tf

module "bastion_label" {
  source      = "git::https://github.com/cloudposse/terraform-null-label.git?ref=master"
  namespace   = var.project
  environment = var.environment
  attributes  = [var.component]
  name        = "bastion"
}

# 
# Local computed variables
# 
# locals {
#   names = {
#     bastion_sg = join(module.bastion_label.delimiter, [module.bastion_label.id, "sg"])
#   }
# }

# 
# Define security key
# 
resource "aws_key_pair" "ssh_key" {
  key_name   = var.team
  public_key = file(".ssh/${var.team}.pub")
}

# 
# Define bastion security group
# 
module "bastion_sg" {
  source = "terraform-aws-modules/security-group/aws"

  name        = "bastion-sg"
  description = "security group for bastion host"
  vpc_id      = var.vpc_id

  ingress_cidr_blocks = ["0.0.0.0/0"]
  ingress_rules       = ["https-443-tcp", "http-80-tcp", "ssh-tcp", "all-icmp"]
  egress_rules        = ["all-all"]

  tags = var.tags
}

#
# Define bastion ec2 instance
#
resource "aws_instance" "bastion" {
  instance_type = var.instance_type
  ami           = "ami-08ee2516c7709ea48"
  key_name      = aws_key_pair.ssh_key.key_name
  subnet_id     = var.vpc_subnet_id

  security_groups = [
    module.bastion_sg.this_security_group_id
  ]

  connection {
    type        = "ssh"
    user        = "centos"
    private_key = file(".ssh/${var.team}")
    host        = self.public_ip
  }

  depends_on = [aws_key_pair.ssh_key]

  lifecycle {
    create_before_destroy = true
  }

  tags = merge(var.tags, {
    Name = module.bastion_label.id
  })
}


我做错了什么或错过了什么?

嗨,德米特里,@ydaetskcoR 说你需要使用 vpc_security_group_ids 而不是 security_groupshttps://www.terraform.io/docs/providers/aws/r/instance.html