# aws

enough-vegetable-9165

02/19/2024, 7:06 AM
Hi, I'm not sure if this is the right place to post a question, but I have a question. If this is something I should ask elsewhere, please let me know. I'm currently configuring ec2 with pulumi and the code I'm using is as follows:

```python
from pulumi_aws import ec2
import pulumi

# import static_var as var
from .. import static_var as var


def virginia_gateway02_ec2(aws_provider):
    gateway = ec2.Instance(
        "virginia_gateway_02",
        ami="ami-0243daab335a35363",
        instance_type="m6g.medium",
        subnet_id="subnet-05e0270a52c53dbe2",
        key_name="VA_BASTION",
        security_groups=[
            var.Prod_Proxy_sg,
            var.Prod_Keeper_sg,
            var.Prod_Gateway_sg,
            var.Prod_Lamdaproxy_sg,
            var.Bastion_ssh_sg,
        ],
        opts=pulumi.ResourceOptions(provider=aws_provider),
        metadata_options=ec2.InstanceMetadataOptionsArgs(
            instance_metadata_tags="enabled"
        ),
        tags={"Name": "virginia-gateway-02-n"},
    )
    return gateway
```

The part I changed here is the following part for the virginia_gateway_02 instance (the code for the virginia_gateway_01 instance is the same except for the name):

```python
metadata_options=ec2.InstanceMetadataOptionsArgs(
            instance_metadata_tags="enabled"
        ),
```

Then the preview says that the security group has changed and tries to proceed with the replace, as shown in the following log:

```
++aws:ec2/instance:Instance: (create-replacement)
        [id=i-0ab971ea11c733ec5]
        [urn=urn:pulumi:prod::whatap-service-iac::aws:ec2/instance:Instance::virginia_gateway_01]
        [provider=urn:pulumi:prod::whatap-service-iac::pulumi:providers:aws::us_east1::ecbd8e07-306f-4403-8a12-8c38048f8085]
      ~ securityGroups: [
          + [0]: "sg-0ba0b4895336c5302"
          + [1]: "sg-0fb7e108c168a5661"
          + [2]: "sg-0d648a2d23ed512f4"
          + [3]: "sg-09a31da3b1246a9e3"
          + [4]: "sg-0564e67b90232bfb5"
        ]
```

Even checking what is being held as a resource in pulumi, the above security groups are the same as they are now.

```json
[
  "sg-0ba0b4895336c5302",
  "sg-0d648a2d23ed512f4",
  "sg-09a31da3b1246a9e3",
  "sg-0564e67b90232bfb5",
  "sg-0fb7e108c168a5661"
]
```

I have two questions here. What part of my code seems to be causing the security group to change? And on the AWS console, the security group change works without replacing the instance (no replace), but I'm wondering why it's being replaced in pulumi. Does anyone have any insight into that?
I found why this happened: "Deprecated: Use of `securityGroups` is discouraged as it does not allow for changes and will force your instance to be replaced if changes are made. To avoid this, use `vpcSecurityGroupIds` which allows for updates."
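
A small static check for the deprecated argument quoted above, as an added example that is not part of the original thread: it scans Pulumi Python source for `Instance(...)` calls that pass `security_groups`, so the replace-on-change behaviour is caught before a preview. The sample source, its placeholder group IDs and the function names are constructed for illustration; `vpc_security_group_ids` is the Python spelling of `vpcSecurityGroupIds`.

```python
import ast

# Constructed sample: a trimmed Pulumi program in the shape of the one posted above.
SAMPLE_SOURCE = '''
from pulumi_aws import ec2

gw1 = ec2.Instance(
    "virginia_gateway_01",
    instance_type="m6g.medium",
    security_groups=["sg-placeholder-a", "sg-placeholder-b"],
)
gw2 = ec2.Instance(
    "virginia_gateway_02",
    instance_type="m6g.medium",
    vpc_security_group_ids=["sg-placeholder-a", "sg-placeholder-b"],
)
'''


def _callee_name(func):
    """Return the last component of the called name, e.g. 'Instance' for ec2.Instance."""
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return None


def find_replace_prone_instances(source):
    """Return (resource_name, line) for each Instance(...) call passing security_groups=.

    Heuristic: matches any callable named Instance, however it was imported.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _callee_name(node.func) != "Instance":
            continue
        if not any(kw.arg == "security_groups" for kw in node.keywords):
            continue
        first = node.args[0] if node.args else None
        name = first.value if isinstance(first, ast.Constant) else "<dynamic name>"
        findings.append((name, node.lineno))
    return findings


if __name__ == "__main__":
    for name, line in find_replace_prone_instances(SAMPLE_SOURCE):
        print(f"line {line}: {name} sets security_groups; "
              "use vpc_security_group_ids so group changes update in place")
```
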