Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Configuration Files
resource "aws_ssm_parameter" "demo" {
  name      = "/my/foo/ami"
  type      = "String"
  value     = "ami-deadbeef" # fixme
  data_type = "aws:ec2:image"
}

resource "aws_instance" "apply-churn" {
  ami           = "ssm:resolve:/my/foo/ami"
  instance_type = "t3.micro"
}

resource "aws_instance" "does-not-work" {
  ami           = "ssm:resolve:/my/foo/ami"
  instance_type = "t3.micro"

  root_block_device {
    volume_size = 16
    volume_type = "gp3"
  }
}
Debug Output
The churning instance output is not included.
The failed provision excerpt:
2022-02-02T16:34:15.843-0600 [DEBUG] aws_instance.does-not-work: applying the planned Create change
2022-02-02T16:34:15.843-0600 [TRACE] GRPCProvider: ApplyResourceChange
2022-02-02T16:34:15.844-0600 [TRACE] provider.terraform-provider-aws_v3.74.0_x5: Received request: tf_proto_version=5 tf_resource_type=aws_instance tf_rpc=ApplyResourceChange @caller=/opt/teamcity-agent/work/5d79fe75d4460a2f/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.5.0/tfprotov5/tf5server/server.go:595 @module=sdk.proto tf_provider_addr=provider tf_req_id=22de00b6-55e2-1b80-e88a-03a4d84b67e1 timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [TRACE] provider.terraform-provider-aws_v3.74.0_x5: Calling downstream: tf_proto_version=5 tf_provider_addr=provider tf_req_id=22de00b6-55e2-1b80-e88a-03a4d84b67e1 tf_rpc=ApplyResourceChange @module=sdk.proto tf_resource_type=aws_instance @caller=/opt/teamcity-agent/work/5d79fe75d4460a2f/pkg/mod/github.com/hashicorp/terraform-plugin-go@v0.5.0/tfprotov5/tf5server/server.go:602 timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "ebs_block_device" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "ipv6_addresses" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "network_interface" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "vpc_security_group_ids" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "secondary_private_ips" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "security_groups" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "tags_all" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "capacity_reservation_specification" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "metadata_options" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "enclave_options" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "network_interface" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] setting computed for "ephemeral_block_device" from ComputedKeys: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] Describing AMI "resolve:ssm:/amsdev/ami/amsdev-msa-apps-1" to get root block device name: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:15.844-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:15 [DEBUG] [aws-sdk-go] DEBUG: Request ec2/DescribeImages Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: ec2.us-east-2.amazonaws.com
User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.1.3 (+https://www.terraform.io) terraform-provider-aws/3.74.0 (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.42.38 (go1.16; darwin; arm64)
Content-Length: 102
Authorization: AWS4-HMAC-SHA256 Credential=DEADBEEF/20220202/us-east-2/ec2/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date, Signature=7d4abcab3fccd5798b164f17d40035ebc4a331778e33b1fecfbdee660e65cd67
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20220202T223415Z
Accept-Encoding: gzip
Action=DescribeImages&ImageId.1=resolve%3Assm%3A%2Fmy%2Ffoo%2Fami&Version=2016-11-15
-----------------------------------------------------: timestamp=2022-02-02T16:34:15.844-0600
2022-02-02T16:34:16.258-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:16 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeImages Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 400 Bad Request
Connection: close
Transfer-Encoding: chunked
Cache-Control: no-cache, no-store
Content-Type: text/xml;charset=UTF-8
Date: Wed, 02 Feb 2022 22:34:15 GMT
Server: AmazonEC2
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: accept-encoding
X-Amzn-Requestid: 6d1ea146-3c73-4d4a-ba6b-425fd5205eaf
-----------------------------------------------------: timestamp=2022-02-02T16:34:16.255-0600
2022-02-02T16:34:16.258-0600 [INFO] provider.terraform-provider-aws_v3.74.0_x5: 2022/02/02 16:34:16 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidAMIID.Malformed</Code><Message>Invalid id: "resolve:ssm:/my/foo/ami" (expecting "ami-...")</Message></Error></Errors><RequestID>6d1ea146-3c73-4d4a-ba6b-425fd5205eaf</RequestID></Response>: timestamp=2022-02-02T16:34:16.255-0600
Panic Output
n/a
Expected Behavior
1) Instance should have created.
2) "Working" instance churns due to image_id mismatch with API (we are looking for ssm:resolve:... but AWS reports the instance as having ami-...)
3) SSM parameter value changes should not cause instance replacement.
Actual Behavior
The "working" instance churns.
# aws_instance.apply-churn must be replaced
-/+ resource "aws_instance" "apply-churn" {
~ ami = "ami-01ddb72f8d51f9152" -> "resolve:ssm:/my/foo/ami" # forces replacement
~ arn = "arn:aws:ec2:us-east-2:199134549251:instance/i-0816c15e42ecce989" -> (known after apply)
The "does-not-work" instance fails to provision.
╷
│ Error: error collecting instance settings: InvalidAMIID.Malformed: Invalid id: "resolve:ssm:/my/foo/ami" (expecting "ami-...")
│ status code: 400, request id: 872b7d30-1f70-4d9e-96cb-7c0dcbcac880
│
│ with aws_instance.does-not-work,
│ on demo.tf line 7, in resource "aws_instance" "does-not-work":
│ 7: resource "aws_instance" "does-not-work" {
│
Steps to Reproduce
terraform apply
Important Factoids
I'd very much like to be able to support this aliasing as a tool to help reduce instance churn and allow me to pin to aliases instead of hard-coded IDs. I think this is a great feature for managing aws_instance's and it is unfortunate it's not well supported here.
This appears to be caused by the ec2:DescribeImage call in FetchRootDeviceName which is looking up the root device name on the instance.
The apply churn case is self-explanatory.
References
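An added sketch, not part of the issue and not the provider's code, of resolving the alias to a concrete image ID before the image lookup that the report traces to FetchRootDeviceName, using the `resolve:ssm:` prefix seen in the logged DescribeImages request. `ParamLookup`, `ResolveImageID` and `SameImage` are hypothetical names, and the parameter store is a constructed map holding values quoted in the issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Alias prefix as logged in the issue; image IDs are "ami-" plus 8 or 17 hex digits.
const ssmAliasPrefix = "resolve:ssm:"
var amiID = regexp.MustCompile(`^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$`)

// ParamLookup is a hypothetical stand-in for an SSM GetParameter call.
type ParamLookup func(name string) (string, error)

// ResolveImageID returns a concrete AMI ID, or an error for anything EC2 would reject as malformed.
func ResolveImageID(ami string, lookup ParamLookup) (string, error) {
	id := ami
	if strings.HasPrefix(ami, ssmAliasPrefix) {
		v, err := lookup(strings.TrimPrefix(ami, ssmAliasPrefix))
		if err != nil {
			return "", fmt.Errorf("resolving %q: %w", ami, err)
		}
		id = strings.TrimSpace(v)
	}
	if !amiID.MatchString(id) {
		return "", fmt.Errorf("invalid image id %q (expecting \"ami-...\")", id)
	}
	return id, nil
}

// SameImage reports whether the configured value resolves to the ID EC2 reports for the instance.
func SameImage(configured, reported string, lookup ParamLookup) bool {
	id, err := ResolveImageID(configured, lookup)
	return err == nil && id == reported
}

func main() {
	// Constructed parameter store; the values are the ones quoted in the issue.
	store := map[string]string{"/my/foo/ami": "ami-01ddb72f8d51f9152"}
	lookup := func(n string) (string, error) {
		if v, ok := store[n]; ok {
			return v, nil
		}
		return "", fmt.Errorf("parameter %q not found", n)
	}
	fmt.Println(ResolveImageID("resolve:ssm:/my/foo/ami", lookup))
	fmt.Println(SameImage("resolve:ssm:/my/foo/ami", "ami-01ddb72f8d51f9152", lookup))
}
```

`SameImage` only answers whether the alias and the reported ID match at the moment of the check; whether a later parameter change should replace the instance is left to the caller.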