opentelekomcloud / terraform-provider-opentelekomcloud

Terraform OpenTelekomCloud provider
https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest
Mozilla Public License 2.0

Terraform opentelekomcloud_compute_instance_v2 does want to update security_groups in-place infinitely #2664

Closed sekoban closed 1 month ago

sekoban commented 1 month ago

Terraform provider version

```
$ terraform --version
Terraform v1.5.7
on linux_amd64
+ provider registry.terraform.io/hashicorp/local v2.5.2
+ provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.36.20
```

Affected Resource(s)

Terraform Configuration Files

```hcl
resource "opentelekomcloud_compute_keypair_v2" "keypair" {
  name = var.ssh_key_name
}

resource "opentelekomcloud_compute_servergroup_v2" "svr-sg" {
  name     = "${var.name}-svrgroup"
  policies = ["anti-affinity"]
}

data "opentelekomcloud_images_image_v2" "imgdata" {
  name = var.image_name
}

resource "opentelekomcloud_blockstorage_volume_v2" "thsrv1_boot" {
  name              = "${var.name}-01-bootvolume"
  description       = "${var.name} boot volume"
  availability_zone = var.az1
  size              = var.disk_size
  volume_type       = var.disk_type
  image_id          = data.opentelekomcloud_images_image_v2.imgdata.id
  tags              = var.tags

  metadata = merge({
      attached_mode = "rw"
      readonly      = "False"
    },
    {
      __system__encrypted = "0"
    })
}

resource "opentelekomcloud_compute_instance_v2" "thsrv1_ecs" {
  name              = "${var.name}-01"
  flavor_id         = var.flavor_id
  key_pair          = var.ssh_key_name
  availability_zone = var.az1
  #user_data         = file("cloud-init/Cloud-Init_SimpleWebServer.sh")
  power_state       = "active"
  tags              = var.tags

  security_groups = [
    opentelekomcloud_networking_secgroup_v2.sg.id,
    opentelekomcloud_networking_secgroup_v2.sg_svc.id
  ]

  network {
    uuid           = var.subnet_id
    fixed_ip_v4    = var.ip1
    access_network = true
  }

  block_device {
    uuid                  = opentelekomcloud_blockstorage_volume_v2.thsrv1_boot.id
    source_type           = "volume"
    boot_index            = 0
    destination_type      = "volume"
    delete_on_termination = true
  }

  scheduler_hints {
    group = opentelekomcloud_compute_servergroup_v2.svr-sg.id
  }
}
```

Debug Output/Panic Output

```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.thsrv.opentelekomcloud_compute_instance_v2.thsrv1_ecs will be updated in-place
  ~ resource "opentelekomcloud_compute_instance_v2" "thsrv1_ecs" {
        id                  = "9ae4642a-0f01-4feb-8869-*****"
        name                = "*****-ecs-grp-srv-01"
      ~ security_groups     = [
          - "*****-ecs-grp-srv_m_sg",
          - "*****-ecs-grp-srv_svc_sg",
          + "6c0765ff-1495-4ab7-8db7-*****",
          + "a3a05913-91d3-4bac-bc57-*****",
        ]
        tags                = {
            "Environment" = "*****-ecs-grp"
            "Terraform"   = "True"
        }
        # (13 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }
```

Steps to Reproduce

  1. terraform apply

Expected Behavior

After the first apply, the ECS gets created in the expected way, no errors. Another plan/apply should simply do nothing.

Actual Behavior

Although no changes were made, another plan/apply "wants" to update the security groups setting, although it is already in place (infinitely).

anton-sidelnikov commented 1 month ago

Hi @sekoban, from documentation:

* `security_groups` - (Optional) An array of one or more security group **names** to associate with the server. Changing
  this results in adding/removing security groups from the existing server.

sekoban commented 1 month ago

@anton-sidelnikov thanks, my bad

Documentation clearly states: "Names should be used and not IDs. Security group names should be unique, otherwise it will return an error."

Interestingly, creation works fine using the IDs.
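
A CI check for the mismatch discussed in this thread, as an added example that is not part of the original issue or the provider's code: it reads plan JSON in the shape produced by `terraform show -json` and flags instance updates where security group names held in state would be replaced by UUID-shaped values from the configuration. The sample plan, resource addresses, group names and UUIDs are constructed, and the function name is hypothetical.

```python
import json
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
INSTANCE_TYPE = "opentelekomcloud_compute_instance_v2"

def _change(before, after):
    # Helper that builds one constructed "change" object for the sample plan.
    return {"actions": ["update"],
            "before": {"security_groups": before},
            "after": {"security_groups": after}}

# Constructed sample in the shape of `terraform show -json` plan output.
# Addresses, group names and UUIDs are made up for this example.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "module.app.opentelekomcloud_compute_instance_v2.srv1",
     "type": INSTANCE_TYPE,
     "change": _change(["app_m_sg", "app_svc_sg"],
                       ["11111111-2222-4333-8444-555555555555",
                        "66666666-7777-4888-9999-aaaaaaaaaaaa"])},
    # A genuine change (one more group, by name) that must not be flagged.
    {"address": "module.app.opentelekomcloud_compute_instance_v2.srv2",
     "type": INSTANCE_TYPE,
     "change": _change(["app_m_sg"], ["app_m_sg", "app_admin_sg"])},
]})

def find_id_for_name_drift(plan_json):
    """Flag instance updates where security group names in state would be
    replaced by UUID-shaped values from the configuration."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != INSTANCE_TYPE or "update" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("security_groups") or []
        after = (change.get("after") or {}).get("security_groups") or []
        # Values still unknown at plan time appear as null; skip them.
        added = sorted(g for g in set(after) - set(before) if isinstance(g, str))
        removed = sorted(g for g in set(before) - set(after) if isinstance(g, str))
        ids = [g for g in added if UUID_RE.match(g)]
        names = [g for g in removed if not UUID_RE.match(g)]
        if ids and names:
            findings.append({"address": rc["address"], "ids_in_config": ids,
                             "names_in_state": names})
    return findings

if __name__ == "__main__":
    for f in find_id_for_name_drift(SAMPLE_PLAN):
        print(f"{f['address']}: config passes IDs {f['ids_in_config']} but "
              f"state holds names {f['names_in_state']}; pass group names instead")
```

A plan that repeats this diff on every run makes it harder to spot a real change to an instance's security group attachments, so failing the pipeline on a finding keeps the plan output meaningful.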