Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ebs_block_device parameter 'encrypted' evaluated as 'true' even when not set #5360

Closed
gilmatic opened this issue Feb 28, 2016 · 13 comments · Fixed by Yelp/terraform#15
Closed

Comments

@gilmatic
Copy link

When attempting to include an ebs_block_device with an encrypted snapshot in an aws_launch_configuration, the following error is received no matter how the ebs_block_device is defined:

Parameter encrypted is invalid. You cannot specify the encrypted flag if specifying a snapshot id in a block device mapping. Launching EC2 instance failed.

The ebs_block_device gave the same error whether configured any of the following three ways:

 ebs_block_device {
    encrypted = 0
    device_name = "/dev/xvdg"
    volume_size = "50"
    snapshot_id = "snap-1234567"
    delete_on_termination = "true"
  }

or

 ebs_block_device {
    encrypted = 1
    device_name = "/dev/xvdg"
    volume_size = "50"
    snapshot_id = "snap-1234567"
    delete_on_termination = "true"
  }

or

 ebs_block_device {
    device_name = "/dev/xvdg"
    volume_size = "50"
    snapshot_id = "snap-1234567"
    delete_on_termination = "true"
  }

When set to '0' tfstate reads the following way:

ebs_block_device.#: "" => "1"
ebs_block_device.2403880458.delete_on_termination: "" => "1"
ebs_block_device.2403880458.device_name: "" => "/dev/xvdg"
ebs_block_device.2403880458.encrypted: "" => "0"
ebs_block_device.2403880458.iops: "" => ""
ebs_block_device.2403880458.snapshot_id: "" => "snap-1234567"
ebs_block_device.2403880458.volume_size: "" => "50"
ebs_block_device.2403880458.volume_type: "" => ""
ebs_optimized: "" => ""

When set to '1' or *undefined tfstate shows the encrypted value as '1'.

The AWS API appears to not accept any encrypted value if a snapshot used for the ebs_block_device.

If a snapshot is specified in an ebs_block_device, terraform should ignore the encrypted value and not expose it to the API, which would hopefully allow the autoscaling group to spin up instances successfully.

@buildmaster
Copy link

just ran into this too, seems related to #1862 in that the api should be passing nil in the launch configuration? Occurs in version 0.6.12 and 0.6.11.

@gilmatic
Copy link
Author

Last known good in our enterprise was 0.6.8 and the issue does not exist in this version...somewhere between 9-12 is where the error arose.

@anthonycorletti
Copy link

👍 working on this with @gilmatic too

@jamesdehart
Copy link

I can provide a bit more information on this issue. Version 0.6.9 works correctly with the aws_launch_configuration seen above from @gilmatic I use the same thing in my code.

The ASG Fails to bring an instance in service due to the encrypted pram.

Terraform versions 0.6.10+ does the below.

  aws_launch_configuration.launch_config: Creating...
    associate_public_ip_address:                       "" => "0"
    ebs_block_device.#:                                "" => "1"
    ebs_block_device.2403880458.delete_on_termination: "" => "1"
    ebs_block_device.2403880458.device_name:           "" => "/dev/xvdg"
    ebs_block_device.2403880458.encrypted:             "" => "<computed>"
    ebs_block_device.2403880458.iops:                  "" => "<computed>"
    ebs_block_device.2403880458.snapshot_id:           "" => "snap-1234567"
    ebs_block_device.2403880458.volume_size:           "" => "50"
    ebs_block_device.2403880458.volume_type:           "" => "gp2"
    ebs_optimized:                                     "" => "<computed>"

Terraform version 0.6.12 State file:

"attributes": {
                            "associate_public_ip_address": "false",
                            "ebs_block_device.#": "1",
                            "ebs_block_device.2403880458.delete_on_termination": "true",
                            "ebs_block_device.2403880458.device_name": "/dev/xvdg",
                            "ebs_block_device.2403880458.encrypted": "false"
                            "ebs_block_device.2403880458.iops": "0",
                            "ebs_block_device.2403880458.snapshot_id": "snap-1234567",
                            "ebs_block_device.2403880458.volume_size": "50",
                            "ebs_block_device.2403880458.volume_type": "gp2",
                            "ebs_optimized": "false",
                            ...

Terraform version 0.6.9 I see the below and works.

  aws_launch_configuration.launch_config: Creating...
    associate_public_ip_address:                       "" => "0"
    ebs_block_device.#:                                "" => "1"
    ebs_block_device.2403880458.delete_on_termination: "" => "1"
    ebs_block_device.2403880458.device_name:           "" => "/dev/xvdg"
    ebs_block_device.2403880458.iops:                  "" => "<computed>"
    ebs_block_device.2403880458.snapshot_id:           "" => "snap-1234567"
    ebs_block_device.2403880458.volume_size:           "" => "50"
    ebs_block_device.2403880458.volume_type:           "" => "gp2"
    ebs_optimized:                                     "" => "<computed>"

Trace Log:

# LOG
016/03/08 06:48:34 [DEBUG] apply: aws_launch_configuration.launch_config: executing Apply
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws: 2016/03/08 06:48:34 [DEBUG] autoscaling create launch configuration: {
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:   BlockDeviceMappings: [{
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:       DeviceName: "/dev/xvdg",
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:       Ebs: {
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:         DeleteOnTermination: true,
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:         Encrypted: false,
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:         SnapshotId: "snap-12345678",
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:         VolumeSize: 50,
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:         VolumeType: "gp2"
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:       }
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:     }],
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:   EbsOptimized: false,
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:   ImageId: "ami-12345678",
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:   InstanceMonitoring: {
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:     Enabled: true
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:   },
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:   InstanceType: "t2.large",
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:   LaunchConfigurationName: "Test-lc",
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws:   SecurityGroups: ["sg-12345678"],
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws: }
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws: 2016/03/08 06:48:34 [DEBUG] Waiting for state to become: [success]
2016/03/08 06:48:34 [DEBUG] terraform-provider-aws: 2016/03/08 06:48:34 [TRACE] Waiting 500ms before next try
2016/03/08 06:48:36 [DEBUG] terraform-provider-aws: 2016/03/08 06:48:36 [INFO] launch configuration ID: Test-lc
2016/03/08 06:48:36 [DEBUG] terraform-provider-aws: 2016/03/08 06:48:36 [DEBUG] Waiting for state to become: [success]
2016/03/08 06:48:36 [DEBUG] terraform-provider-aws: 2016/03/08 06:48:36 [TRACE] Waiting 500ms before next try
2016/03/08 06:48:36 [DEBUG] terraform-provider-aws: 2016/03/08 06:48:36 [DEBUG] launch configuration describe configuration: {
2016/03/08 06:48:36 [DEBUG] terraform-provider-aws:   LaunchConfigurationNames: ["Test-lc"]
2016/03/08 06:48:36 [DEBUG] terraform-provider-aws: }

@jamesdehart
Copy link

Found a PR #4481 that caused this issue for the Launch config. I could be wrong since I don't know go yet but I don't see a check for snapshot_id. If there is a snapshot_id then the ebs_block_device.2403880458.encrypted should not show up.

@bryanvaz
Copy link

The issue seems also be inconsistent on the AWS side as well. If you specify a spot price in exact same code as above, the problem will go away, and the ASG can spin up an instance fine, even if it has and 'encrypted false' flag.

@silverjava
Copy link

is there anyone who knows how to get around of it?

@jamesdehart
Copy link

Going back to an earlier version is what I had to do. Not the best plan. :(

On Sunday, March 20, 2016, silverjava notifications@github.com wrote:

is there anyone who knows how to get around of it?


You are receiving this because you commented.
Reply to this email directly or view it on GitHub
#5360 (comment)

@MiguelMoll
Copy link

Checking in to see if there's been any progress or perhaps another work around (besides downgrading) for this problem.

@silverjava
Copy link

I was doing downgrade to work around of it :(

@jamesdehart
Copy link

It's what I did.

On Wednesday, April 27, 2016, silverjava notifications@github.com wrote:

I was doing downgrade to work around of it :(


You are receiving this because you commented.
Reply to this email directly or view it on GitHub
#5360 (comment)

@jen20
Copy link
Contributor

jen20 commented May 3, 2016

Fixed in #6452. Thanks for the detailed report!

@ghost
Copy link

ghost commented Apr 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 26, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.