enough-vegetable-9165
02/19/2024, 7:06 AM
```python
from pulumi_aws import ec2
import pulumi

# import static_var as var
from .. import static_var as var


def virginia_gateway02_ec2(aws_provider):
    gateway = ec2.Instance(
        "virginia_gateway_02",
        ami="ami-0243daab335a35363",
        instance_type="m6g.medium",
        subnet_id="subnet-05e0270a52c53dbe2",
        key_name="VA_BASTION",
        security_groups=[
            var.Prod_Proxy_sg,
            var.Prod_Keeper_sg,
            var.Prod_Gateway_sg,
            var.Prod_Lamdaproxy_sg,
            var.Bastion_ssh_sg,
        ],
        opts=pulumi.ResourceOptions(provider=aws_provider),
        metadata_options=ec2.InstanceMetadataOptionsArgs(
            instance_metadata_tags="enabled"
        ),
        tags={"Name": "virginia-gateway-02-n"},
    )
    return gateway
```
The part I changed here is the following part for the virginia_gateway_02 instance (the code for the virginia_gateway_01 instance is the same except for the name):
```python
metadata_options=ec2.InstanceMetadataOptionsArgs(
    instance_metadata_tags="enabled"
),
```
and then preview
it says that the security group has changed and tries to proceed with the replace as shown in the following log.
```
++aws:ec2/instance:Instance: (create-replacement)
    [id=i-0ab971ea11c733ec5]
    [urn=urn:pulumi:prod::whatap-service-iac::aws:ec2/instance:Instance::virginia_gateway_01]
    [provider=urn:pulumi:prod::whatap-service-iac::pulumi:providers:aws::us_east1::ecbd8e07-306f-4403-8a12-8c38048f8085]
  ~ securityGroups: [
      + [0]: "sg-0ba0b4895336c5302"
      + [1]: "sg-0fb7e108c168a5661"
      + [2]: "sg-0d648a2d23ed512f4"
      + [3]: "sg-09a31da3b1246a9e3"
      + [4]: "sg-0564e67b90232bfb5"
    ]
```
Even checking what is being held as a resource in pulumi, the above security groups are the same as they are now.
```
[
    "sg-0ba0b4895336c5302",
    "sg-0d648a2d23ed512f4",
    "sg-09a31da3b1246a9e3",
    "sg-0564e67b90232bfb5",
    "sg-0fb7e108c168a5661"
]
```
I have two questions here.
What part of my code seems to be causing the security group to change, and
On the AWS console, the security group change works without replacing the instance (no replace), but I'm wondering why it's being replaced in pulumi - does anyone have any insight into that?

enough-vegetable-9165
02/20/2024, 3:18 AM
"securityGroups is discouraged as it does not allow for changes and will force your instance to be replaced if changes are made. To avoid this, use vpcSecurityGroupIds which allows for updates."