Terraform plan replacing my ec2 instance

Hi

Anyone have any idea why my Terraform plan is replacing the EC2 instance?

Below are the plan details:

```text
  # aws_instance.iexams_aapp_ec2appnav[0] must be replaced
-/+ resource "aws_instance" "iexams_aapp_ec2appnav" {
        ami                          = "ami-0aa45729f3eac199e"
      ~ arn                          = "arn:aws:ec2:ap-southeast-1:595700656340:instance/i-07918208a3f38fdfa" -> (known after apply)
      ~ associate_public_ip_address  = false -> (known after apply)
      ~ availability_zone            = "ap-southeast-1a" -> (known after apply)
      ~ cpu_core_count               = 2 -> (known after apply)
      ~ cpu_threads_per_core         = 2 -> (known after apply)
        disable_api_termination      = false
        ebs_optimized                = false
        get_password_data            = false
        hibernation                  = false
      + host_id                      = (known after apply)
        iam_instance_profile         = "iamprof-sxm-prdiz-wappnav"
      ~ id                           = "i-07918208a3f38fdfa" -> (known after apply)
      ~ instance_state               = "running" -> (known after apply)
        instance_type                = "r5.xlarge"
      ~ ipv6_address_count           = 0 -> (known after apply)
      ~ ipv6_addresses               = [] -> (known after apply)
        key_name                     = "kp-sxm-prdiz-wappnav"
        monitoring                   = false
      + network_interface_id         = (known after apply)
      + outpost_arn                  = (known after apply)
      + password_data                = (known after apply)
      + placement_group              = (known after apply)
      ~ primary_network_interface_id = "eni-0ee57fd32aaa33b70" -> (known after apply)
      ~ private_dns                  = "ip-10-191-105-183.ap-southeast-1.compute.internal" -> (known after apply)
      ~ private_ip                   = "10.191.105.183" -> (known after apply)
      + public_dns                   = (known after apply)
      + public_ip                    = (known after apply)
      ~ security_groups              = [] -> (known after apply)
        source_dest_check            = true
        subnet_id                    = "subnet-0f98fec18cc734c21"
        tags                         = {
            "Backup"       = "Yes"
            "Name"         = "vm-sxm-prdizapp-wappnavp01-sxm"
            "OS"           = "Windows 2016"
            "Patch Group"  = "ssmpg-sxm-prdizapp-wappnav"
            "agency-code"  = "seab"
            "environment"  = "prd"
            "hostname"     = "wappnavp01-sxm"
            "miid"         = ""
            "project-code" = "sxm"
            "purpose"      = "iExams intranet application navison app tier."
            "tier"         = "app"
            "zone"         = "iz"
        }
      ~ tenancy                      = "default" -> (known after apply)
      ~ user_data                    = "9528a0b7f7c9ccd2898c7ddefdcd7a19e6a5f6af" -> "59ea6de06a36a2099a21bb766900f01ec58e79e3" # forces replacement
        volume_tags                  = {
            "Backup"       = "Yes"
            "Name"         = "bst-ebs-sxm-prdizapp-wappnav"
            "agency-code"  = "seab"
            "environment"  = "prd"
            "project-code" = "sxm"
            "purpose"      = "iExams intranet application navison app tier."
            "tier"         = "app"
            "zone"         = "iz"
        }
        vpc_security_group_ids       = [
            "sg-018fb24d39ecd316d",
            "sg-03c0f79bb1fa65817",
        ]

      + ebs_block_device {
          + delete_on_termination = (known after apply)
          + device_name           = (known after apply)
          + encrypted             = (known after apply)
          + iops                  = (known after apply)
          + kms_key_id            = (known after apply)
          + snapshot_id           = (known after apply)
          + volume_id             = (known after apply)
          + volume_size           = (known after apply)
          + volume_type           = (known after apply)
        }

      + ephemeral_block_device {
          + device_name  = (known after apply)
          + no_device    = (known after apply)
          + virtual_name = (known after apply)
        }

      ~ metadata_options {
          ~ http_endpoint               = "enabled" -> (known after apply)
          ~ http_put_response_hop_limit = 1 -> (known after apply)
          ~ http_tokens                 = "optional" -> (known after apply)
        }

      + network_interface {
          + delete_on_termination = (known after apply)
          + device_index          = (known after apply)
          + network_interface_id  = (known after apply)
        }

      ~ root_block_device {
            delete_on_termination = true
          ~ device_name           = "/dev/sda1" -> (known after apply)
            encrypted             = true
          ~ iops                  = 600 -> (known after apply)
          ~ kms_key_id            = "arn:aws:kms:ap-southeast-1:595700656340:key/23f18664-8874-4d0b-8dc9-c33b0dc8753f" -> (known after apply)
          ~ volume_id             = "vol-0aa82bd9bbb6d78ef" -> (known after apply)
            volume_size           = 200
            volume_type           = "gp2"
        }
    }
```

My user data in code is:

```powershell
# version 000011
# User data for app nav

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "continue"

# Set Timezone and Temp folder
Set-TimeZone -Name "Malay Peninsula Standard Time"
w32tm /query /configuration
w32tm /query /status

# Marker file under %SystemRoot%\Temp stamped with the run time
$file = $env:SystemRoot + "\Temp\" + (Get-Date).ToString("MM-dd-yy-hh-mm")
New-Item $file -ItemType file

# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

$DnsName = $env:COMPUTERNAME
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Set-Service WinRM -StartupType Automatic

# Open HTTP listener
# New-Item -Path WSMan:\LocalHost\Listener -Transport HTTP -Address * -Force

$fw = New-Object -ComObject HNetCfg.FWPolicy2

# try to find/enable the default rule first
$matching_rules = $fw.Rules | ? { $_.Name -eq "Windows Remote Management (HTTP-In)" }
$rule = $null

Write-Output "By default Windows Firewall has a rule for WinRM HTTP-In"

If ($matching_rules -isnot [Array]) {
    Write-Output "Editing existing single HTTP firewall rule"
    $rule = $matching_rules
}
Else {
    # try to find one with the All or Public profile first
    Write-Output "Found multiple existing HTTP firewall rules..."
    $rule = $matching_rules | % { $_.Profiles -band 4 }[0]

    If (-not $rule -or $rule -is [Array]) {
        Write-Output "Editing an arbitrary single HTTP firewall rule (multiple existed)"
        # oh well, just pick the first one
        $rule = $matching_rules[0]
    }
}

# Inbound TCP 5985 on every profile, from any remote address
$rule.Profiles = 0x7FFFFFFF
$rule.Protocol = 6
$rule.LocalPorts = 5985
$rule.RemotePorts = "*"
$rule.LocalAddresses = "*"
$rule.RemoteAddresses = "*"
$rule.Enabled = $true
$rule.Direction = 1
$rule.Action = 1
$rule.Grouping = "Windows Remote Management"

# Open HTTPS listener (self-signed certificate issued for the host name)
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "$DnsName"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Group "Windows Remote Management" -Name 'Windows Remote Management (HTTPS-In)' -Description "Inbound rule for Windows Remote Management via WS-Management. [TCP 5986]" -Profile Any -LocalPort 5986 -Protocol TCP

# Client side: trust every remote host (no host-name check when connecting out)
Set-Item wsman:\localhost\client\trustedhosts * -Force
Get-Item WSMan:\localhost\Client\TrustedHosts

Get-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address="*";Transport="http"}

New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{Hostname="$DnsName";CertificateThumbprint="$($Cert.Thumbprint)"}

# to allow winrm
If(!(Get-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -ErrorAction SilentlyContinue)) {
    New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Force
    New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowAutoConfig" -Value 1 -Type DWord
    New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowBasic" -Value 1 -Type DWord
    New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "IPv4Filter" -Value "*"
    # New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowUnencryptedTraffic" -Value 1 -Type DWord
    New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Force
    New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -Value 1 -Type DWord
}
else {
    # else just try to create and set everything
    If(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowAutoConfig" -ErrorAction SilentlyContinue){
        Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowAutoConfig" -Value 1 -Type DWord
        Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "IPv4Filter" -Value "*"
    }
    else {
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowAutoConfig" -Value 1 -Type DWord
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "IPv4Filter" -Value "*"
    }

    If(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowBasic" -ErrorAction SilentlyContinue){
        Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowBasic" -Value 1 -Type DWord
    }
    else {
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowBasic" -Value 1 -Type DWord
    }

    # If(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowUnencryptedTraffic"){
    #     Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowUnencryptedTraffic" -Value 1 -Type DWord
    # }
    # else {
    #     New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowUnencryptedTraffic" -Value 1 -Type DWord
    # }

    # Timeouts: 0x493e0 = 300000 ms (5 min); an unprefixed 493e0 would parse as the double 493
    If(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -ErrorAction SilentlyContinue) {
        if(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -ErrorAction SilentlyContinue) {
            Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -Value 1 -Type DWord
            Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "IdleTimeout" -Value 0x493e0 -Type DWord
            Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "ShellTimeOut" -Value 0x493e0 -Type DWord
        }
        else {
            New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -Value 1 -Type DWord
            New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "IdleTimeout" -Value 0x493e0 -Type DWord
            New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "ShellTimeOut" -Value 0x493e0 -Type DWord
        }
    }
    else {
        New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Force
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -Value 1 -Type DWord
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "IdleTimeout" -Value 0x493e0 -Type DWord
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "ShellTimeOut" -Value 0x493e0 -Type DWord
    }
}

# Client policy: Basic and Digest auth plus unencrypted (plain HTTP) transport are allowed
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client" -Name "AllowUnencryptedTraffic" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client" -Name "AllowBasic" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client" -Name "AllowDigest" -Value 1 -Type DWord

# Allow remote
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "AllowRemoteShellAccess" -Value 1

Restart-Service WinRM

winrm enumerate winrm/config/listener
winrm get winrm/config
Test-WSMan -ComputerName $DnsName

# set to 0 to allow copy paste
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fDisableClip" -Value 0

# set to 0 to allow drive redirection
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fDisableCdm" -Value 0
```

And the EC2 instance user data in the console is:

```powershell
# version 000011
# User data for app nav

write-output "Running User Data Script"
write-host "(host) Running User Data Script"

Set-ExecutionPolicy Unrestricted -Scope LocalMachine -Force -ErrorAction Ignore

# Don't set this before Set-ExecutionPolicy as it throws an error
$ErrorActionPreference = "continue"

# Set Timezone and Temp folder
Set-TimeZone -Name "Malay Peninsula Standard Time"
w32tm /query /configuration
w32tm /query /status

# Marker file under %SystemRoot%\Temp stamped with the run time
$file = $env:SystemRoot + "\Temp\" + (Get-Date).ToString("MM-dd-yy-hh-mm")
New-Item $file -ItemType file

# Remove HTTP listener
Remove-Item -Path WSMan:\Localhost\listener\listener* -Recurse

# WinRM
write-output "Setting up WinRM"
write-host "(host) setting up WinRM"

$DnsName = $env:COMPUTERNAME
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Set-Service WinRM -StartupType Automatic

# Open HTTP listener
# New-Item -Path WSMan:\LocalHost\Listener -Transport HTTP -Address * -Force

$fw = New-Object -ComObject HNetCfg.FWPolicy2

# try to find/enable the default rule first
$matching_rules = $fw.Rules | ? { $_.Name -eq "Windows Remote Management (HTTP-In)" }
$rule = $null

Write-Output "By default Windows Firewall has a rule for WinRM HTTP-In"

If ($matching_rules -isnot [Array]) {
    Write-Output "Editing existing single HTTP firewall rule"
    $rule = $matching_rules
}
Else {
    # try to find one with the All or Public profile first
    Write-Output "Found multiple existing HTTP firewall rules..."
    $rule = $matching_rules | % { $_.Profiles -band 4 }[0]

    If (-not $rule -or $rule -is [Array]) {
        Write-Output "Editing an arbitrary single HTTP firewall rule (multiple existed)"
        # oh well, just pick the first one
        $rule = $matching_rules[0]
    }
}

# Inbound TCP 5985 on every profile, from any remote address
$rule.Profiles = 0x7FFFFFFF
$rule.Protocol = 6
$rule.LocalPorts = 5985
$rule.RemotePorts = "*"
$rule.LocalAddresses = "*"
$rule.RemoteAddresses = "*"
$rule.Enabled = $true
$rule.Direction = 1
$rule.Action = 1
$rule.Grouping = "Windows Remote Management"

# Open HTTPS listener (self-signed certificate issued for the host name)
$Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "$DnsName"
New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint -Force
New-NetFirewallRule -DisplayName 'Windows Remote Management (HTTPS-In)' -Group "Windows Remote Management" -Name 'Windows Remote Management (HTTPS-In)' -Description "Inbound rule for Windows Remote Management via WS-Management. [TCP 5986]" -Profile Any -LocalPort 5986 -Protocol TCP

# Client side: trust every remote host (no host-name check when connecting out)
Set-Item wsman:\localhost\client\trustedhosts * -Force
Get-Item WSMan:\localhost\Client\TrustedHosts

Get-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address="*";Transport="http"}

New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet @{Address="*";Transport="HTTPS"} -ValueSet @{Hostname="$DnsName";CertificateThumbprint="$($Cert.Thumbprint)"}

# to allow winrm
If(!(Get-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -ErrorAction SilentlyContinue)) {
    New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Force
    New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowAutoConfig" -Value 1 -Type DWord
    New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowBasic" -Value 1 -Type DWord
    New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "IPv4Filter" -Value "*"
    # New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowUnencryptedTraffic" -Value 1 -Type DWord
    New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Force
    New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -Value 1 -Type DWord
}
else {
    # else just try to create and set everything
    If(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowAutoConfig" -ErrorAction SilentlyContinue){
        Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowAutoConfig" -Value 1 -Type DWord
        Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "IPv4Filter" -Value "*"
    }
    else {
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowAutoConfig" -Value 1 -Type DWord
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "IPv4Filter" -Value "*"
    }

    If(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowBasic" -ErrorAction SilentlyContinue){
        Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowBasic" -Value 1 -Type DWord
    }
    else {
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowBasic" -Value 1 -Type DWord
    }

    # If(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowUnencryptedTraffic"){
    #     Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowUnencryptedTraffic" -Value 1 -Type DWord
    # }
    # else {
    #     New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service" -Name "AllowUnencryptedTraffic" -Value 1 -Type DWord
    # }

    # Timeouts: 0x493e0 = 300000 ms (5 min); an unprefixed 493e0 would parse as the double 493
    If(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -ErrorAction SilentlyContinue) {
        if(Get-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -ErrorAction SilentlyContinue) {
            Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -Value 1 -Type DWord
            Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "IdleTimeout" -Value 0x493e0 -Type DWord
            Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "ShellTimeOut" -Value 0x493e0 -Type DWord
        }
        else {
            New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -Value 1 -Type DWord
            New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "IdleTimeout" -Value 0x493e0 -Type DWord
            New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "ShellTimeOut" -Value 0x493e0 -Type DWord
        }
    }
    else {
        New-Item -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Force
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "AllowRemoteShellAccess" -Value 1 -Type DWord
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "IdleTimeout" -Value 0x493e0 -Type DWord
        New-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS" -Name "ShellTimeOut" -Value 0x493e0 -Type DWord
    }
}

# Client policy: Basic and Digest auth plus unencrypted (plain HTTP) transport are allowed
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client" -Name "AllowUnencryptedTraffic" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client" -Name "AllowBasic" -Value 1 -Type DWord
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client" -Name "AllowDigest" -Value 1 -Type DWord

# Allow remote
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Value 1
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "AllowRemoteShellAccess" -Value 1

Restart-Service WinRM

winrm enumerate winrm/config/listener
winrm get winrm/config
Test-WSMan -ComputerName $DnsName

# set to 0 to allow copy paste
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fDisableClip" -Value 0

# set to 0 to allow drive redirection
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name "fDisableCdm" -Value 0
```

I have verified that both user data are identical.
Can anyone help determine why it's replacing the user data, and hence the EC2 instance?

Hey, it's almost impossible to read the data you pasted; please try code formatting next time :slight_smile:

Now, it says it's replacing your EC2 instance because of:

```text
~ user_data = "9528a0b7f7c9ccd2898c7ddefdcd7a19e6a5f6af" -> "59ea6de06a36a2099a21bb766900f01ec58e79e3" # forces replacement
```

So, you need to check what has been changed in the userdata.

Hi Tanmay

There is no change in the user data.
I am not sure about this behaviour of Terraform. In fact, all 50 of my EC2 instances in the AWS account are being replaced and new instances created because of user data. No change has been made from our end.

You don't need to share your user data here, but what you need to validate is the diff between the current one and (hopefully) the changed user data. Someone possibly updated it manually?

If you're confident that you haven't made any change, then you can ignore the change to the user data by applying the below in your EC2 resource definition:

```hcl
  lifecycle {
    ignore_changes = [user_data]
  }
```

Note: this will make your TF plan not replace all 50 instances, but when you actually make a user-data update next time, it won't detect and apply that either, because you are ignoring it. Hence, keep this as a last option.
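One way to do the validation described above, as an added example that is not part of this thread or of the Terraform AWS provider: the two 40-character values in the plan are SHA-1 hex digests of the user_data text (the form the aws provider keeps in state, after base64-decoding user_data that was supplied already encoded). Hashing the local script and the copy fetched from the instance the same way shows whether they really match, and hashing again after normalizing line endings and trailing whitespace shows whether an invisible difference (CRLF from a Windows checkout, a missing final newline) is all that changed. The two sample scripts are constructed; fetching the deployed copy with `aws ec2 describe-instance-attribute --attribute userData` is left to the reader so the example runs offline.

```python
import difflib
import hashlib


def user_data_hash(user_data: str) -> str:
    """SHA-1 hex digest of the script text: the 40-character value the aws
    provider stores for user_data and prints in `terraform plan`."""
    return hashlib.sha1(user_data.encode("utf-8")).hexdigest()


def normalize(user_data: str) -> str:
    """Canonical form that hides invisible differences: CRLF/CR -> LF,
    trailing whitespace stripped per line, exactly one trailing newline."""
    text = user_data.replace("\r\n", "\n").replace("\r", "\n")
    lines = [line.rstrip() for line in text.split("\n")]
    return "\n".join(lines).rstrip("\n") + "\n"


def first_difference(local: str, deployed: str):
    """(line_number, local_line, deployed_line) for the first raw line that
    differs, or None when the texts are byte-for-byte identical. Lines are
    repr()'d so a stray '\\r' or trailing space is visible in the output."""
    a, b = local.split("\n"), deployed.split("\n")
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return (i, repr(x), repr(y))
    if len(a) != len(b):
        i = min(len(a), len(b))
        return (i + 1,
                repr(a[i]) if len(a) > i else None,
                repr(b[i]) if len(b) > i else None)
    return None


def normalized_diff(local: str, deployed: str) -> str:
    """Unified diff of the normalized texts: what really changed once line
    endings and trailing whitespace are ignored (empty string if nothing)."""
    return "".join(difflib.unified_diff(
        normalize(local).splitlines(keepends=True),
        normalize(deployed).splitlines(keepends=True),
        fromfile="local user_data", tofile="deployed user_data"))


def compare_user_data(local: str, deployed: str) -> dict:
    """Explain a user_data diff: the two digests Terraform would show, whether
    they match, and whether the mismatch is only whitespace/line endings."""
    raw_equal = user_data_hash(local) == user_data_hash(deployed)
    normalized_equal = user_data_hash(normalize(local)) == user_data_hash(normalize(deployed))
    return {
        "local_sha1": user_data_hash(local),
        "deployed_sha1": user_data_hash(deployed),
        "raw_equal": raw_equal,
        "only_whitespace_or_line_endings": (not raw_equal) and normalized_equal,
        "first_difference": first_difference(local, deployed),
    }


# Constructed sample: the same script as a Windows (CRLF) checkout would hand
# to Terraform's file(), and as it reached the instance with LF endings.
SCRIPT_LF = (
    "# version 000011\n"
    "# User data for app nav\n"
    'write-output "Running User Data Script"\n'
    'Set-TimeZone -Name "Malay Peninsula Standard Time"\n'
)
SCRIPT_CRLF = SCRIPT_LF.replace("\n", "\r\n")

if __name__ == "__main__":
    for key, value in compare_user_data(SCRIPT_CRLF, SCRIPT_LF).items():
        print(f"{key}: {value}")
    print(normalized_diff(SCRIPT_LF, SCRIPT_LF.replace("000011", "000012")))
```

If `raw_equal` is false but `only_whitespace_or_line_endings` is true, the plan is reacting to a line-ending or whitespace change rather than to the script's logic, and the remedy is to make the source file's encoding deterministic (for example a `.gitattributes` rule for the script) instead of ignoring `user_data` for good.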

Thank you Tanmay for helping. It works for me and solved my big problem. Thanks a lot.
