Aws_instance using module outputs for security IDs is always dirty in plan

I have a module to create my network infrastructure in AWS, and it is returning a list of security group IDs. After I deploy an aws_instance using that output for the subnet_ids parameter, the next plan says it must replace the instance because of the security group IDs, even though the plan isn’t replacing the security groups. Can anyone explain why?

security group:

resource "aws_security_group" "dns" {
  name        = "SG-DNS"
  description = "Allow DNS traffic within security group."
  vpc_id      = aws_vpc.main.id
  tags = {
    Name    = "SG-DNS"
    product = var.product
  }
  lifecycle {
    ignore_changes = [
      tags
    ]
  }
}

outputs:

output "security_groups" {
  # One security group ID per key. The key must be distinct: a repeated "dns"
  # key is rejected by Terraform as a duplicate object key.
  value = {
    dns = aws_security_group.dns.id
    ssh = aws_security_group.ssh.id
    ssl = aws_security_group.ssl.id
  }
}

instance:

resource "aws_instance" "this" {
  ami                  = data.aws_ami.this.id
  iam_instance_profile = "base_profile"
  instance_type        = "t3.large"
  root_block_device {
    encrypted             = true
    volume_type           = "gp3"
    volume_size           = 100
    delete_on_termination = true
  }
  # security_groups is the attribute that the plan below flags as forcing
  # replacement; it is being fed security group IDs from the module output.
  security_groups = [
    module.Network.security_groups["dns"],
    module.Network.security_groups["ssh"],
    module.Network.security_groups["ssl"]
  ]
...
}

then in the plan

      ~ security_groups                      = [ # forces replacement
          + "sg-123456",
          + "sg-234567",
          + "sg-345678",
        ]

Are these 3 security groups already applied to that compute instance?

One note I see in the provider docs that may explain what you’re seeing:

> If you are creating Instances in a VPC, use vpc_security_group_ids instead.
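The change the reply points at, written out as an added example rather than code from the original post. It assumes the module is still called Network and that its output map uses distinct keys (the "ssh" key is an assumption; the question's output map repeats "dns"). The instance block otherwise mirrors the one in the question, with only the security group attribute renamed.

```hcl
# Module output (assumed corrected): one security group ID per key.
output "security_groups" {
  value = {
    dns = aws_security_group.dns.id
    ssh = aws_security_group.ssh.id
    ssl = aws_security_group.ssl.id
  }
}

# Root module.
#
# Before: security_groups expects security group *names* and is only meant
# for EC2-Classic / the default VPC. Any change to it forces a new instance,
# which is the "# forces replacement" marker in the plan above.
#
#   security_groups = [
#     module.Network.security_groups["dns"],
#     module.Network.security_groups["ssh"],
#     module.Network.security_groups["ssl"]
#   ]
#
# After: vpc_security_group_ids expects IDs (sg-...) and is updated in place,
# so adding, removing or reordering a group does not recreate the instance.
resource "aws_instance" "this" {
  ami                  = data.aws_ami.this.id
  iam_instance_profile = "base_profile"
  instance_type        = "t3.large"

  root_block_device {
    encrypted             = true
    volume_type           = "gp3"
    volume_size           = 100
    delete_on_termination = true
  }

  vpc_security_group_ids = [
    module.Network.security_groups["dns"],
    module.Network.security_groups["ssh"],
    module.Network.security_groups["ssl"],
  ]
}
```

Run terraform plan after the rename and read the instance block before applying: the security group change should now appear as `~ vpc_security_group_ids` with no `# forces replacement` marker. That check matters here because a forced replacement destroys the instance, and with `delete_on_termination = true` the root volume goes with it.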

> Are these 3 security groups already applied to that compute instance?

yes

> One note I see in the provider docs that may explain what you’re seeing:

I missed that, I’ll try updating my code.

Changing to vpc_security_group_ids resolved the issue.
