AWS_Instance created before network configuration is completed

[gbonk]

In our Terraform configuration, our AWS Instances are being created/started before the Security Groups and Network ACL creation is complete. With the servers already being started some of the services that have to 'call out' to the internet and other places are failing on startup. The services are failing because the network configuration is not complete and those service calls are being blocked.

I'm not entirely sure if this is a bug because I think Terraform should prioritize network configuration in it's dependency analysis, OR if it's something that I'm doing or should be doing.

Terraform Version

Terraform v0.11.3

Let me know what would be helpful, and I can add the additional details that you require.

[jbardin]

Hi @gbonk,

Terraform should complete the network configuration before the instances, but you need to provide some hint in the configuration that there is a dependency there.

Can you provide a sample config that illustrates your problem?

[gbonk]

Hi @jbardin, I've been working on a sample but when I simplify the configuration then you are correct and the network configuration completes first.

My network ACLs and Security Groups are in modules.

In the console output, I see where a network ACL starts its creation and rule application but terraform does not wait for the creation of the ACL rules to complete before starting to create AWS_Instances

I have been trying the examples/work-arounds in 1178

[jbardin]

@gbonk,

Without any configuration, it hard for me to provide examples of what you should actually do.

While we can't depend on a module as a whole for various reasons, it is preferable anyway to depend only on the specific resources that are actually your dependencies. Providing an attribute from the dependency as a module output, then referencing that in the dependent resource will create the graph edges necessary to correctly order their creation.

As a small example, which will always create depends_on before dependent:

# module "foo"
resource "null_resource" "depends_on" {
}

output "depends_on_id" {
    value = "${null_resource.depends_on.id}"
}

# main.tf
module "foo" {
  source = "./foo"
}

resource "null_resource" "dependent" {
  triggers = {
    "depends_on" = "${module.foo.depends_on_id}"
  }
}

[hashibot]

Hello again!

We didn't hear back from you, so I'm going to close this in the hope that a previous response gave you the information you needed. If not, please do feel free to re-open this and leave another comment with the information my human friends requested above. Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.