在使用资源组的情况下，创建ECS实例会返回失败

netcmcc commented 2 years ago

问题描述：

在使用资源组的情况下，创建ECS实例会返回失败，但实际创建成功

Terraform Version

Terraform v1.2.5
on darwin_amd64
+ provider registry.terraform.io/aliyun/alicloud v1.176.0

Affected Resource(s)

Please list the resources as a list, for example:

alicloud_instance

Terraform Configuration Files

terraform {
  required_providers {
    alicloud = {
      source  = "aliyun/alicloud"
      version = "1.176.0"
    }
  }
}

provider "alicloud" {
  # Configuration options
  region = var.region
}

variable "tags" {
  type = map(string)
  default = {
    tag1 = "tag1v",
    tag2 = "tag2v"
  }
  description = "A mapping of tags to assign to the project."
}

variable "region" {
  description = "The application's account region"
  default     = "cn-shanghai"
  type        = string
}

variable "resource_group_id" {
  default = "rg-aek2njhhouvxvji"
  type    = string
}

resource "alicloud_vpc" "this" {
  vpc_name          = "dev-chenming-vpc"
  cidr_block        = "10.20.0.0/16"
  resource_group_id = var.resource_group_id
  tags              = var.tags
}

resource "alicloud_vswitch" "vsw_first" {
  vpc_id       = alicloud_vpc.this.id
  cidr_block   = "10.20.0.0/22"
  vswitch_name = join("-", ["vpcname", "cn-shanghai-b"])
  zone_id      = "cn-shanghai-b"
  tags         = var.tags
}

resource "alicloud_security_group" "this" {
  name              = "vpc-default-sg"
  vpc_id            = alicloud_vpc.this.id
  resource_group_id = var.resource_group_id
  tags              = var.tags
}

resource "alicloud_security_group_rule" "allow_vpc_icmp" {
  type              = "ingress"
  ip_protocol       = "icmp"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "-1/-1"
  priority          = 100
  security_group_id = alicloud_security_group.this.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_security_group_rule" "egress_allow_all" {
  type              = "egress"
  ip_protocol       = "all"
  nic_type          = "intranet"
  policy            = "accept"
  port_range        = "-1/-1"
  priority          = 100
  security_group_id = alicloud_security_group.this.id
  cidr_ip           = "0.0.0.0/0"
}

resource "alicloud_instance" "instance" {
  availability_zone = "cn-shanghai-b"
  security_groups   = [alicloud_security_group.this.id]

  instance_type        = "ecs.t6-c2m1.large"
  system_disk_category = "cloud_efficiency"
  system_disk_size     = 20

  # key_name = "dev-dmhub-key"
  # system_disk_name           = "test_foo_system_disk_name"
  # system_disk_description    = "test_foo_system_disk_description"

  image_id                   = "ubuntu_20_04_x64_20G_alibase_20220524.vhd"
  instance_name              = "test_foo"
  vswitch_id                 = alicloud_vswitch.vsw_first.id
  internet_charge_type       = "PayByTraffic"
  internet_max_bandwidth_out = 5

  resource_group_id = var.resource_group_id

  tags        = var.tags

}

Debug Output

alicloud_security_group.this: Creating...
alicloud_vswitch.vsw_first: Creating...
alicloud_security_group.this: Creation complete after 3s [id=sg-uf68wm81myl2qfbynbq6]
alicloud_security_group_rule.egress_allow_all: Creating...
alicloud_security_group_rule.allow_vpc_icmp: Creating...
alicloud_security_group_rule.allow_vpc_icmp: Creation complete after 1s [id=sg-uf68wm81myl2qfbynbq6:ingress:icmp:-1/-1:intranet:0.0.0.0/0:accept:100]
alicloud_security_group_rule.egress_allow_all: Creation complete after 1s [id=sg-uf68wm81myl2qfbynbq6:egress:all:-1/-1:intranet:0.0.0.0/0:accept:100]
alicloud_vswitch.vsw_first: Creation complete after 8s [id=vsw-uf6gs4e7z5fgwlbt5tthd]
alicloud_instance.instance: Creating...
alicloud_instance.instance: Still creating... [10s elapsed]
alicloud_instance.instance: Still creating... [20s elapsed]
alicloud_instance.instance: Still creating... [30s elapsed]
alicloud_instance.instance: Still creating... [40s elapsed]
alicloud_instance.instance: Still creating... [50s elapsed]
alicloud_instance.instance: Still creating... [1m0s elapsed]
alicloud_instance.instance: Still creating... [1m10s elapsed]
alicloud_instance.instance: Still creating... [1m20s elapsed]
alicloud_instance.instance: Still creating... [1m30s elapsed]
alicloud_instance.instance: Still creating... [1m40s elapsed]
alicloud_instance.instance: Still creating... [1m50s elapsed]
alicloud_instance.instance: Still creating... [2m0s elapsed]
alicloud_instance.instance: Still creating... [2m10s elapsed]
╷
│ Error: [ERROR] terraform-provider-alicloud/alicloud/resource_alicloud_instance.go:528:
│ [ERROR] terraform-provider-alicloud/alicloud/service_alicloud_ecs.go:205: ResourceNotfound!!! [Provider ERROR]RequestId: 8EFA3B3C-D9C1-52C3-80F5-0B3D724E4CFF:
│ The specified Instance i-uf68wm81myl2qfbwapwh is not found.
│
│   with alicloud_instance.instance,
│   on main.tf line 83, in resource "alicloud_instance" "instance":
│   83: resource "alicloud_instance" "instance" {
│

Expected Behavior

成功创建资源。

Actual Behavior

登录阿里云控制台查看已成功创建ECS实例，但是terraform报找不到该实例ID。

问题估计出在查询接口没传resource_group_id。销毁可能也有问题，请一并验证下。

Steps to Reproduce

创建资源组，并记录资源组ID。并填入以上tf代码的rg-aek2njhhouvxvji替换为刚创建的资源组ID。

创建RAM账号，生成并记录AccessKey。

为该RAM账号授权，除TAG权限外，仅对创建的资源组授权

使用该RAM账户的AccessKey执行terraform

terraform apply --auto-approve

几分钟后会出现以上报错，此时登录阿里云控制台，可以看到实例已创建成功，需手工清理。

Important Factoids

使用RAM账户执行terraform。RAM账户仅对指定资源组授权以上权限。

销毁可能也有问题，请一并验证下。

References

https://github.com/aliyun/terraform-provider-alicloud/issues/5190

shankerwangmiao commented 2 years ago

根据我的使用情况，我发现如果 ram 账号被授予全部权限时，带有资源组的 ECS 可以正常创建、枚举和删除。我猜是否是因为当 ram 账号被授予特定安全组的权限时，ECS 的枚举出现了异常？

shankerwangmiao commented 2 years ago

您可以试着给 terraform 套上 burpsuite 代理抓取一下请求诊断一下。

xiaozhu36 commented 2 years ago

你好，目前这个问题已经在最新的版本 1.177.0 上修复了，请更新后重试下。

netcmcc commented 2 years ago

1.177.0已验证通过，可以close了。

aliyun / terraform-provider-alicloud