When using Terraform, why does my RDS instance tear down and stand back up when I make a change to an EC2 Instance in its in/egress rules?

I have an EC2 resource (shown) with its own security group (not shown):

resource "aws_instance" "outpost" {
  ami           = "ami-0469d1xxxxxxxx"
  instance_type = "t2.micro"
  key_name      = module.secretsmanager.key_name
  vpc_security_group_ids = [module.ec2_security_group.security_group_id]
  subnet_id              = module.vpc.public_subnets[0]
  tags = {
    Name        = "${var.env}-${var.user}-ec2-outpost"
    Terraform   = "true"
    Environment = var.env
    Created     = "${timestamp()}"
  }
}

The security group for the RDS instance, with ingress and egress rules that reference that EC2 security group:

module "db_security_group" {
  source      = "terraform-aws-modules/security-group/aws"
  version     = "~> 4"
  name        = "${var.env}-${var.user}-${local.db_name}"
  vpc_id      = module.vpc.vpc_id

  ingress_with_source_security_group_id = [
    {
      rule                     = "postgresql-tcp"
      source_security_group_id = module.ec2_security_group.security_group_id
    }
  ]

  egress_with_source_security_group_id = [
    {
      rule                     = "postgresql-tcp"
      source_security_group_id = module.ec2_security_group.security_group_id
    }
  ]

}

And the RDS instance that uses db_security_group:

module "rds" {
  source                                = "terraform-aws-modules/rds/aws"
  version                               = "~> 3.4.0"
  identifier                            = "${var.env}-${var.user}-${local.db_name}"
  engine                                = var.postgres.engine
  engine_version                        = var.postgres.engine_version
  family                                = var.postgres.family
  major_engine_version                  = var.postgres.major_engine_version
  instance_class                        = var.postgres.instance_class
  allocated_storage                     = var.postgres.allocated_storage
  max_allocated_storage                 = var.postgres.max_allocated_storage
  storage_encrypted                     = var.postgres.storage_encrypted
  name                                  = var.postgres.name
  username                              = var.postgres.username
  password                              = var.rds_password
  port                                  = var.postgres.port
  multi_az                              = var.postgres.multi_az
  subnet_ids                            = module.vpc.private_subnets
  vpc_security_group_ids                = [module.db_security_group.security_group_id]
  maintenance_window                    = var.postgres.maintenance_window
  backup_window                         = var.postgres.backup_window
  enabled_cloudwatch_logs_exports       = var.postgres.enabled_cloudwatch_logs_exports
  backup_retention_period               = var.postgres.backup_retention_period
  skip_final_snapshot                   = var.postgres.skip_final_snapshot
  deletion_protection                   = var.postgres.deletion_protection
  performance_insights_enabled          = var.postgres.performance_insights_enabled
  performance_insights_retention_period = var.postgres.performance_insights_retention_period
  create_monitoring_role                = var.postgres.create_monitoring_role
  monitoring_role_name                  = "${var.env}-${var.user}-${var.postgres.monitoring_role_name}"
  monitoring_interval                   = var.postgres.monitoring_interval
  snapshot_identifier                   = var.postgres.snapshot_identifier
}

Why does Terraform destroy and recreate the RDS instance whenever I make any change to the EC2 instance (for example iam_instance_profile), or to the instance referenced in the inbound/outbound rules of module.db_security_group.security_group_id?

It seems that, in addition to the username/password behaviour seen when snapshot_identifier is given (here and here), Terraform also marks the RDS instance for deletion and recreation when either of these parameters is set. You see this happen when re-applying the plan in question because the initial username and/or password were never actually set through Terraform; it believes there is a change.
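A plan-gate check, added here as an example and not part of the original post or of the terraform-aws-modules code: it reads the JSON form of a saved plan (`terraform plan -out=tfplan && terraform show -json tfplan > plan.json`), and refuses to proceed when an aws_db_instance is scheduled for delete/create, naming the attributes in `replace_paths` that force the replacement. The resource addresses and the sample plan embedded below are constructed to mirror this post, not real plan output.

```python
"""Gate a Terraform JSON plan on replacements of stateful resources (RDS).

Usage: python plan_gate.py plan.json   (falls back to SAMPLE_PLAN if no file)
"""
import json
import sys

# Action tuples in the JSON plan format that destroy a resource.
DESTRUCTIVE = {("delete", "create"), ("create", "delete"), ("delete",)}
# Resource types that must never be replaced without a human reading the plan.
STATEFUL_TYPES = {"aws_db_instance", "aws_rds_cluster"}


def find_replacements(plan):
    """Return {address: [attribute paths forcing replacement]} for every
    resource whose planned actions are destructive."""
    out = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if tuple(change.get("actions", [])) not in DESTRUCTIVE:
            continue
        # replace_paths lists the attribute paths that made Terraform choose
        # "replace" (e.g. username/password); it is absent for tainted resources.
        paths = [".".join(str(p) for p in path) for path in change.get("replace_paths", [])]
        out[rc["address"]] = paths
    return out


def stateful_replacements(plan):
    """Subset of find_replacements() restricted to STATEFUL_TYPES."""
    types = {rc["address"]: rc.get("type") for rc in plan.get("resource_changes", [])}
    return {a: p for a, p in find_replacements(plan).items() if types.get(a) in STATEFUL_TYPES}


def gate(plan):
    """CI exit status: 1 if any stateful resource would be replaced, else 0."""
    bad = stateful_replacements(plan)
    for addr, paths in bad.items():
        print(f"REFUSING: {addr} would be replaced (forced by: {', '.join(paths) or 'unknown'})")
    return 1 if bad else 0


# Constructed sample plan: the EC2 tag change is an in-place update, while the
# RDS instance is replaced because username and password appear changed.
SAMPLE_PLAN = {"format_version": "1.0", "resource_changes": [
    {"address": "aws_instance.outpost", "type": "aws_instance",
     "change": {"actions": ["update"]}},
    {"address": "module.rds.module.db_instance.aws_db_instance.this[0]",
     "type": "aws_db_instance",
     "change": {"actions": ["delete", "create"],
                "replace_paths": [["username"], ["password"]]}}]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit(gate(plan))
```

With deletion_protection enabled on the instance the apply would fail at the destroy step anyway; the gate surfaces the replacement at plan time, before anything is touched.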