Hi I m not sure if this is the right place to post a questio Pulumi Community #aws

Hi, I'm not sure if this is the right place to pos...

enough-vegetable-9165

02/19/2024, 7:06 AM

Hi, I'm not sure if this is the right place to post a question, but I have a question. If this is something I should ask elsewhere, please let me know. I'm currently configuring ec2 with pulumi and the code I'm using is as follows

Copy code

from pulumi_aws import ec2
import pulumi

# import static_var as var
from .. import static_var as var


def virginia_gateway02_ec2(aws_provider):
    gateway = ec2.Instance(
        "virginia_gateway_02",
        ami="ami-0243daab335a35363",
        instance_type="m6g.medium",
        subnet_id="subnet-05e0270a52c53dbe2",
        key_name="VA_BASTION",
        security_groups=[
            var.Prod_Proxy_sg,
            var.Prod_Keeper_sg,
            var.Prod_Gateway_sg,
            var.Prod_Lamdaproxy_sg,
            var.Bastion_ssh_sg,
        ],
        opts=pulumi.ResourceOptions(provider=aws_provider),
        metadata_options=ec2.InstanceMetadataOptionsArgs(
            instance_metadata_tags="enabled"
        ),
        tags={"Name": "virginia-gateway-02-n"},
    )
    return gateway

The part I changed here is the following part for the virginia_gateway_02 instance (the code for the virginia_gateway_01 instance is the same except for the name)

Copy code

metadata_options=ec2.InstanceMetadataOptionsArgs(
            instance_metadata_tags="enabled"
        ),

and then preview it says that the security group has changed and tries to proceed with the replace as shown in the following log.

Copy code

++aws:ec2/instance:Instance: (create-replacement)
        [id=i-0ab971ea11c733ec5]
        [urn=urn:pulumi:prod::whatap-service-iac::aws:ec2/instance:Instance::virginia_gateway_01]
        [provider=urn:pulumi:prod::whatap-service-iac::pulumi:providers:aws::us_east1::ecbd8e07-306f-4403-8a12-8c38048f8085]
      ~ securityGroups: [
          + [0]: "sg-0ba0b4895336c5302"
          + [1]: "sg-0fb7e108c168a5661"
          + [2]: "sg-0d648a2d23ed512f4"
          + [3]: "sg-09a31da3b1246a9e3"
          + [4]: "sg-0564e67b90232bfb5"
        ]

Even checking what is being held as a resource in pulumi, the above security groups are the same as they are now.

Copy code

[
  "sg-0ba0b4895336c5302",
  "sg-0d648a2d23ed512f4",
  "sg-09a31da3b1246a9e3",
  "sg-0564e67b90232bfb5",
  "sg-0fb7e108c168a5661"
]

I have two questions here. What part of my code seems to be causing the security group to change, and On the AWS console, the security group change works without replacing the instance (no replace), but I'm wondering why it's being replaced in pulumi - does anyone have any insight into that?

enough-vegetable-9165

02/20/2024, 3:18 AM

I found why this happend "Deprecated:Use of

securityGroups

is discouraged as it does not allow for changes and will force your instance to be replaced if changes are made. To avoid this, use

vpcSecurityGroupIds

which allows for updates."

2 Views

Open in Slack

Previous Next