provider/aws: Add network_interface to aws_instance

[grubernaut]

Adds the network_interface schema object to aws_instance resources.

Would preferably want to remove the custom Set function, but without the hash on device_index, we incur state diffs on every apply.

$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSInstance_NetworkInterface'   
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/03/21 13:08:33 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSInstance_NetworkInterface -timeout 120m
=== RUN   TestAccAWSInstance_NetworkInterfacePrimary
--- PASS: TestAccAWSInstance_NetworkInterfacePrimary (121.01s)
=== RUN   TestAccAWSInstance_NetworkInterfaceExisting
--- PASS: TestAccAWSInstance_NetworkInterfaceExisting (164.98s)
=== RUN   TestAccAWSInstance_NetworkInterfaceMultiple
--- PASS: TestAccAWSInstance_NetworkInterfaceMultiple (144.31s)
=== RUN   TestAccAWSInstance_NetworkInterfaceSG
--- PASS: TestAccAWSInstance_NetworkInterfaceSG (116.07s)
PASS
ok      github.com/hashicorp/terraform/builtin/providers/aws    546.383s

Fixes: #2989, #2998, #3105, #1557, #5765
Closes: #12694, #10244, #7096, #10516
Related to: #4231, #1149, #10593, #3205

[grubernaut]

All instance tests. TestAccAWSInstance_multipleRegions is failing for an unrelated reason.

$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSInstance'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/03/22 11:00:57 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSInstance -timeout 120m
=== RUN   TestAccAWSInstanceDataSource_basic
--- PASS: TestAccAWSInstanceDataSource_basic (135.12s)
=== RUN   TestAccAWSInstanceDataSource_tags
--- PASS: TestAccAWSInstanceDataSource_tags (112.05s)
=== RUN   TestAccAWSInstanceDataSource_AzUserData
--- PASS: TestAccAWSInstanceDataSource_AzUserData (120.19s)
=== RUN   TestAccAWSInstanceDataSource_gp2IopsDevice
--- PASS: TestAccAWSInstanceDataSource_gp2IopsDevice (92.93s)
=== RUN   TestAccAWSInstanceDataSource_blockDevices
--- PASS: TestAccAWSInstanceDataSource_blockDevices (96.14s)
=== RUN   TestAccAWSInstanceDataSource_rootInstanceStore
--- PASS: TestAccAWSInstanceDataSource_rootInstanceStore (106.75s)
=== RUN   TestAccAWSInstanceDataSource_privateIP
--- PASS: TestAccAWSInstanceDataSource_privateIP (134.14s)
=== RUN   TestAccAWSInstanceDataSource_keyPair
--- PASS: TestAccAWSInstanceDataSource_keyPair (111.97s)
=== RUN   TestAccAWSInstanceDataSource_VPC
--- PASS: TestAccAWSInstanceDataSource_VPC (129.75s)
=== RUN   TestAccAWSInstanceDataSource_SecurityGroups
--- PASS: TestAccAWSInstanceDataSource_SecurityGroups (116.91s)
=== RUN   TestAccAWSInstanceDataSource_VPCSecurityGroups
--- PASS: TestAccAWSInstanceDataSource_VPCSecurityGroups (136.68s)
=== RUN   TestAccAWSInstance_importBasic
--- PASS: TestAccAWSInstance_importBasic (113.86s)
=== RUN   TestAccAWSInstance_basic
--- PASS: TestAccAWSInstance_basic (163.77s)
=== RUN   TestAccAWSInstance_GP2IopsDevice
--- PASS: TestAccAWSInstance_GP2IopsDevice (80.50s)
=== RUN   TestAccAWSInstance_blockDevices
--- PASS: TestAccAWSInstance_blockDevices (97.97s)
=== RUN   TestAccAWSInstance_rootInstanceStore
--- PASS: TestAccAWSInstance_rootInstanceStore (81.21s)
=== RUN   TestAccAWSInstance_sourceDestCheck
--- PASS: TestAccAWSInstance_sourceDestCheck (172.48s)
=== RUN   TestAccAWSInstance_disableApiTermination
--- PASS: TestAccAWSInstance_disableApiTermination (140.40s)
=== RUN   TestAccAWSInstance_vpc
--- PASS: TestAccAWSInstance_vpc (107.72s)
=== RUN   TestAccAWSInstance_ipv6_supportAddressCount
--- PASS: TestAccAWSInstance_ipv6_supportAddressCount (236.52s)
=== RUN   TestAccAWSInstance_multipleRegions
--- FAIL: TestAccAWSInstance_multipleRegions (226.57s)
        testing.go:268: Step 0 error: Check failed: Check 2/2 error: Instance not found
=== RUN   TestAccAWSInstance_NetworkInstanceSecurityGroups
--- PASS: TestAccAWSInstance_NetworkInstanceSecurityGroups (131.02s)
=== RUN   TestAccAWSInstance_NetworkInstanceVPCSecurityGroupIDs
--- PASS: TestAccAWSInstance_NetworkInstanceVPCSecurityGroupIDs (112.93s)
=== RUN   TestAccAWSInstance_tags
--- PASS: TestAccAWSInstance_tags (128.56s)
=== RUN   TestAccAWSInstance_instanceProfileChange
--- PASS: TestAccAWSInstance_instanceProfileChange (119.44s)
=== RUN   TestAccAWSInstance_privateIP
--- PASS: TestAccAWSInstance_privateIP (243.79s)
=== RUN   TestAccAWSInstance_associatePublicIPAndPrivateIP
--- PASS: TestAccAWSInstance_associatePublicIPAndPrivateIP (220.94s)
=== RUN   TestAccAWSInstance_keyPairCheck
--- PASS: TestAccAWSInstance_keyPairCheck (90.06s)
=== RUN   TestAccAWSInstance_rootBlockDeviceMismatch
--- PASS: TestAccAWSInstance_rootBlockDeviceMismatch (110.40s)
=== RUN   TestAccAWSInstance_forceNewAndTagsDrift
--- PASS: TestAccAWSInstance_forceNewAndTagsDrift (217.66s)
=== RUN   TestAccAWSInstance_changeInstanceType
--- PASS: TestAccAWSInstance_changeInstanceType (149.46s)
=== RUN   TestAccAWSInstance_NetworkInterfacePrimary
--- PASS: TestAccAWSInstance_NetworkInterfacePrimary (103.99s)
=== RUN   TestAccAWSInstance_NetworkInterfaceExisting
--- PASS: TestAccAWSInstance_NetworkInterfaceExisting (112.06s)
=== RUN   TestAccAWSInstance_NetworkInterfaceMultiple
--- PASS: TestAccAWSInstance_NetworkInterfaceMultiple (155.46s)
=== RUN   TestAccAWSInstance_NetworkInterfaceSG
--- PASS: TestAccAWSInstance_NetworkInterfaceSG (112.60s)
FAIL
exit status 1
FAIL    github.com/hashicorp/terraform/builtin/providers/aws    4722.023s
Makefile:48: recipe for target 'testacc' failed
make: *** [testacc] Error 1

[catsby]

TestAccAWSInstance_multipleRegions is failing for other reasons unfortunately ( 😦 )

[catsby]

👍

[grubernaut]

Special thanks to the many authors and contributors to the multiple pull requests and issues referenced here. Thank you for your help and patience here while we sorted this out. You are all awesome ❤️

[grubernaut]

Test output after adding private_ip_addresses:

$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=TestAccAWSInstance'
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/03/22 15:10:42 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSInstance -timeout 120m
=== RUN   TestAccAWSInstanceDataSource_basic
--- PASS: TestAccAWSInstanceDataSource_basic (121.66s)
=== RUN   TestAccAWSInstanceDataSource_tags
--- PASS: TestAccAWSInstanceDataSource_tags (129.38s)
=== RUN   TestAccAWSInstanceDataSource_AzUserData
--- PASS: TestAccAWSInstanceDataSource_AzUserData (120.40s)
=== RUN   TestAccAWSInstanceDataSource_gp2IopsDevice
--- PASS: TestAccAWSInstanceDataSource_gp2IopsDevice (83.71s)
=== RUN   TestAccAWSInstanceDataSource_blockDevices
--- PASS: TestAccAWSInstanceDataSource_blockDevices (100.12s)
=== RUN   TestAccAWSInstanceDataSource_rootInstanceStore
--- PASS: TestAccAWSInstanceDataSource_rootInstanceStore (85.91s)
=== RUN   TestAccAWSInstanceDataSource_privateIP
--- PASS: TestAccAWSInstanceDataSource_privateIP (242.32s)
=== RUN   TestAccAWSInstanceDataSource_keyPair
--- PASS: TestAccAWSInstanceDataSource_keyPair (86.77s)
=== RUN   TestAccAWSInstanceDataSource_VPC
--- PASS: TestAccAWSInstanceDataSource_VPC (112.46s)
=== RUN   TestAccAWSInstanceDataSource_SecurityGroups
--- FAIL: TestAccAWSInstanceDataSource_SecurityGroups (11.25s)
        testing.go:268: Step 0 error: Error applying: 1 error(s) occurred:

                * aws_security_group.tf_test_foo: 1 error(s) occurred:

                * aws_security_group.tf_test_foo: Error authorizing security group ingress rules: InvalidPermission.Duplicate: The permission '0.0.0.0/0-icmp--1--1' has already been authorized on the specifie
d group
                        status code: 400, request id: 80ee5196-9315-4f98-829b-7d5ea833363d
=== RUN   TestAccAWSInstanceDataSource_VPCSecurityGroups
--- PASS: TestAccAWSInstanceDataSource_VPCSecurityGroups (139.54s)
=== RUN   TestAccAWSInstance_importBasic
--- PASS: TestAccAWSInstance_importBasic (109.00s)
=== RUN   TestAccAWSInstance_basic
--- PASS: TestAccAWSInstance_basic (149.52s)
=== RUN   TestAccAWSInstance_GP2IopsDevice
--- PASS: TestAccAWSInstance_GP2IopsDevice (76.02s)
=== RUN   TestAccAWSInstance_blockDevices
--- PASS: TestAccAWSInstance_blockDevices (93.09s)
=== RUN   TestAccAWSInstance_rootInstanceStore
--- PASS: TestAccAWSInstance_rootInstanceStore (81.02s)
=== RUN   TestAccAWSInstance_sourceDestCheck
--- PASS: TestAccAWSInstance_sourceDestCheck (158.65s)
=== RUN   TestAccAWSInstance_disableApiTermination
--- PASS: TestAccAWSInstance_disableApiTermination (148.76s)
=== RUN   TestAccAWSInstance_vpc
--- PASS: TestAccAWSInstance_vpc (107.43s)
=== RUN   TestAccAWSInstance_ipv6_supportAddressCount
--- PASS: TestAccAWSInstance_ipv6_supportAddressCount (236.78s)
=== RUN   TestAccAWSInstance_multipleRegions
--- FAIL: TestAccAWSInstance_multipleRegions (213.14s)
        testing.go:268: Step 0 error: Check failed: Check 2/2 error: Instance not found
=== RUN   TestAccAWSInstance_NetworkInstanceSecurityGroups
--- PASS: TestAccAWSInstance_NetworkInstanceSecurityGroups (135.58s)
=== RUN   TestAccAWSInstance_NetworkInstanceVPCSecurityGroupIDs
--- PASS: TestAccAWSInstance_NetworkInstanceVPCSecurityGroupIDs (115.32s)
=== RUN   TestAccAWSInstance_tags
--- PASS: TestAccAWSInstance_tags (128.09s)
=== RUN   TestAccAWSInstance_instanceProfileChange
--- PASS: TestAccAWSInstance_instanceProfileChange (118.27s)
=== RUN   TestAccAWSInstance_privateIP
--- PASS: TestAccAWSInstance_privateIP (223.52s)
=== RUN   TestAccAWSInstance_associatePublicIPAndPrivateIP
--- PASS: TestAccAWSInstance_associatePublicIPAndPrivateIP (223.89s)
=== RUN   TestAccAWSInstance_keyPairCheck
--- PASS: TestAccAWSInstance_keyPairCheck (78.75s)
=== RUN   TestAccAWSInstance_rootBlockDeviceMismatch
--- PASS: TestAccAWSInstance_rootBlockDeviceMismatch (107.83s)
=== RUN   TestAccAWSInstance_forceNewAndTagsDrift
--- PASS: TestAccAWSInstance_forceNewAndTagsDrift (196.05s)
=== RUN   TestAccAWSInstance_changeInstanceType
--- PASS: TestAccAWSInstance_changeInstanceType (136.91s)
=== RUN   TestAccAWSInstance_NetworkInterfacePrimary
--- PASS: TestAccAWSInstance_NetworkInterfacePrimary (80.43s)
=== RUN   TestAccAWSInstance_NetworkInterfaceExisting
--- PASS: TestAccAWSInstance_NetworkInterfaceExisting (231.22s)
=== RUN   TestAccAWSInstance_NetworkInterfaceMultiple
--- PASS: TestAccAWSInstance_NetworkInterfaceMultiple (155.80s)
=== RUN   TestAccAWSInstance_NetworkInterfaceSG
--- PASS: TestAccAWSInstance_NetworkInterfaceSG (238.21s)
=== RUN   TestAccAWSInstance_NetworkInterfacePrivateAddresses
--- PASS: TestAccAWSInstance_NetworkInterfacePrivateAddresses (88.66s)
FAIL
exit status 1
FAIL    github.com/hashicorp/terraform/builtin/providers/aws    4865.501s
make: *** [testacc] Error 1

The two failing tests are failing for unrelated causes

[stack72]

1 question within on updating - also, do we need to replicate this for spot_instances / spot_fleet_requests

[stack72]

wow, so the only thing that can cause an update here is a change to device_index?

[peteromoon]

Thanks for this. I would like to see this functionality merged.

I am not sure what your expectations are, but I did some manual tests and the behavior did not align with my expectations.

Change Primary Network Interface

1. Create Instance with one network interface using

   network_interface {
        device_index = 0
        interface_id = "${aws_network_interface.test1.id}"
        delete_on_termination = false
    }

2. After "terraform apply" has been run, change interface_id to reference a different network interface

   network_interface {
        device_index = 0
        interface_id = "${aws_network_interface.test2.id}"
        delete_on_termination = false
    }

3. "terraform plan" reports no changes, and "terraform apply" makes no changes
4. I would have expected instance to be recreated or warning/error message indicating primary network interface can't be changed.

Add An Additional Network Interface

1. Create Instance with one network interface using

  network_interface {
       device_index = 0
       interface_id = "${aws_network_interface.test1.id}"
       delete_on_termination = false
   }

2. After "terraform apply" has been run, add an additional network interface to the instance

   network_interface {
        device_index = 1
        interface_id = "${aws_network_interface.test2.id}"
        delete_on_termination = false
    }

3. "terraform plan" reports an additional network interface will be associated with the instance, "terraform apply" however makes no actual changes. Running "terraform plan" again produces the same change report.

~ aws_instance.foo
    network_interface.#:                                 "1" => "2"
    network_interface.3260762424.attachment_id:          "" => "<computed>"
    network_interface.3260762424.delete_on_termination:  "" => "false"
    network_interface.3260762424.description:            "" => ""
    network_interface.3260762424.device_index:           "" => "1"
    network_interface.3260762424.interface_id:           "" => "eni-a070f1e5"
    network_interface.3260762424.ipv6_address_count:     "" => ""
    network_interface.3260762424.private_ip_address:     "" => "<computed>"
    network_interface.3260762424.private_ip_addresses.#: "0" => "0"
    network_interface.3260762424.security_groups.#:      "" => "<computed>"
    network_interface.3260762424.subnet_id:              "" => ""
    network_interface.3678435449.delete_on_termination:  "false" => "false"
    network_interface.3678435449.description:            "" => ""
    network_interface.3678435449.device_index:           "0" => "0"
    network_interface.3678435449.interface_id:           "eni-9074f5d5" => "eni-9074f5d5"
    network_interface.3678435449.ipv6_address_count:     "0" => "0"
    network_interface.3678435449.private_ip_addresses.#: "1" => "0"
    network_interface.3678435449.private_ip_addresses.0: "10.1.1.11" => ""
    network_interface.3678435449.subnet_id:              "subnet-09f14c40" => ""

4. I would have expected the additional network interface to be associated with the instance.

Change a Secondary Network Interface

1. Create Instance with two network interface using

  network_interface {
       device_index = 0
       interface_id = "${aws_network_interface.test1.id}"
       delete_on_termination = false
   }

  network_interface {
       device_index = 1
       interface_id = "${aws_network_interface.test2.id}"
       delete_on_termination = false
   }

2. After "terraform apply" has been run, change the second network interface of the instance

  network_interface {
       device_index = 0
       interface_id = "${aws_network_interface.test1.id}"
       delete_on_termination = false
   }

  network_interface {
       device_index = 1
       interface_id = "${aws_network_interface.test3.id}"
       delete_on_termination = false
   }

3. "terraform plan" reports no changes will be made, "terraform apply" also makes no changes.

4. I would have expected the second network interface associated with the instance to be changed.

Remove a Secondary Network Interface

1. Create Instance with two network interface using

  network_interface {
       device_index = 0
       interface_id = "${aws_network_interface.test1.id}"
       delete_on_termination = false
   }

  network_interface {
       device_index = 1
       interface_id = "${aws_network_interface.test2.id}"
       delete_on_termination = false
   }

2. After "terraform apply" has been run, remove the second network interface from the instance, leaving the primary network interface only:

  network_interface {
       device_index = 0
       interface_id = "${aws_network_interface.test1.id}"
       delete_on_termination = false
   }

3. "terraform plan" reports second network interface will be removed, "terraform apply" however makes no actual changes. Running "terraform plan" again produces the same change report.

~ aws_instance.foo
    network_interface.#:                                 "2" => "1"
    network_interface.3260762424.delete_on_termination:  "false" => "false"
    network_interface.3260762424.description:            "" => ""
    network_interface.3260762424.device_index:           "1" => "0"
    network_interface.3260762424.ipv6_address_count:     "0" => "0"
    network_interface.3260762424.private_ip_addresses.#: "1" => "0"
    network_interface.3260762424.private_ip_addresses.0: "10.1.1.12" => ""
    network_interface.3260762424.subnet_id:              "subnet-66d44f01" => ""
    network_interface.3678435449.delete_on_termination:  "false" => "false"
    network_interface.3678435449.description:            "" => ""
    network_interface.3678435449.device_index:           "0" => "0"
    network_interface.3678435449.interface_id:           "eni-79133e0a" => "eni-79133e0a"
    network_interface.3678435449.ipv6_address_count:     "0" => "0"
    network_interface.3678435449.private_ip_addresses.#: "1" => "0"
    network_interface.3678435449.private_ip_addresses.0: "10.1.1.11" => ""
    network_interface.3678435449.subnet_id:              "subnet-66d44f01" => ""

4. I would have expected the second network interface association with the instance to be removed.

[peteromoon]

Another observation.

The primary network interface (eth0, device_index=0) is different from the other network interfaces in AWS. It can't be changed without instance replacement. Secondary network interfaces can be added or removed without recreating the instances.

This is similar to EBS volumes. The root EBS volume can't be detached from an instance, while other volumes can. The Terraform configuration parameters for aws_instance reflects this with root_block_device and ebs_block_device.

Can we not differentiate between the primary and secondary network interfaces in the Terraform configuration parameters?

We could use the existing network interface configuration parameters (subnet_id, etc), plus network_interface_id for the primary network interface and then use network_interface for the all the secondary network interfaces.

Or would you prefer the semantics to be that any changes to network_interface requires instance replacement. If you desire the ability to add or remove secondary network interfaces without instance replacement then you must use aws_network_interface and its attachment attribute.

[grubernaut]

Hey @peteromoon, thanks for the observations! This is still very much a WIP and a lot of things still need to be fleshed out before it's ready-to-go.

• Change Primary Network Interface:
  Actually, because of how this PR is currently hashing all of the attributes inside of the network_interface block, none of the attributes are catching a diff. Something we're aiming to fix!

• Add an additional network interface
  Ah interesting, wasn't aware of this issue. We'll add this to the list of items that need fixed here 😄

• Change a secondary network interface
  Same issue as the first item

• Remove a secondary network interface
  Will dive into this one as well

In response to your second comment: The PR spawned from multiple issues on users not being able to replace the root network interface with one of their own choosing. The AWS API (and subsequently the SDK) don't differentiate between the primary network interface (eth0), and any secondary network interfaces. That is definitely good information to have though, and we'll be discussing this internally to come up with the best solution for this.

I'll also update the title of the PR to [WIP] as well.

[grubernaut]

All aws_instance acceptance tests pass:

New changes since review

[thomasbibb]

Great addition - Great work on getting this merged!

[epetrovich]

I've upgraded terraform to 0.9.4 and all my spot instances are going to be recreated:

network_interface.#:                       "" => "<computed>" (forces new resource)
network_interface_id:                      "eni-9967c25f" => "<computed>"

How can I fix that?
The state file is at 0.9.4 and I've didn't enable s3 bucket versioning (

[grubernaut]

Hey @epetrovich, apologies for this!

Would you mind creating a separate issue to track this, and I'll get to fixing this as soon as possible. Thanks!

[grubernaut]

Hey @epetrovich, I'm getting a ForceNew flag even on v0.9.3 without any networking setup on the instance.

-/+ aws_spot_instance_request.foo
    ami:                               "ami-c5eabbf5" => "ami-c5eabbf5"
    associate_public_ip_address:       "false" => "false"
    availability_zone:                 "" => "<computed>"
    ebs_block_device.#:                "0" => "<computed>"
    ephemeral_block_device.#:          "0" => "<computed>"
    instance_state:                    "" => "<computed>"
    instance_type:                     "c4.xlarge" => "c4.xlarge"
    ipv6_addresses.#:                  "" => "<computed>" (forces new resource)
    key_name:                          "" => "<computed>"
    network_interface_id:              "" => "<computed>"
    placement_group:                   "" => "<computed>"
    private_dns:                       "" => "<computed>"
    private_ip:                        "" => "<computed>"
    public_dns:                        "" => "<computed>"
    public_ip:                         "" => "<computed>"
    root_block_device.#:               "" => "<computed>" (forces new resource)
    security_groups.#:                 "0" => "<computed>"
    source_dest_check:                 "true" => "true"
    spot_bid_status:                   "price-too-low" => "<computed>"
    spot_instance_id:                  "" => "<computed>"
    spot_price:                        "0.03" => "0.03"
    spot_request_state:                "open" => "<computed>"
    spot_type:                         "persistent" => "persistent"
    subnet_id:                         "subnet-14a1d55d" => "subnet-14a1d55d"
    tenancy:                           "" => "<computed>"
    vpc_security_group_ids.#:          "1" => "1"
    vpc_security_group_ids.1560950835: "sg-b2305ac9" => "sg-b2305ac9"
    wait_for_fulfillment:              "false" => "false"


Plan: 1 to add, 0 to change, 1 to destroy.

[epetrovich]

@grubernaut Thank for your attention.
The problem was fixed by adding next section to the aws_spot_instance_request and it is not related to this thread.

lifecycle {
ignore_changes = ["network_interface"]
}

[cannonba11]

I am having an issue with specifying delete_on_termination to be True when specifying a network interface ID to attach.
Specifically, I create an aws_network_interface resource so I can tag it and then specify it's network_interface_id in network_interface{} inside my aws_instance. But I also want the interface to have delete_on_termination to be set True, but I get this error on terraform apply:
Error launching source instance: InvalidParameterCombination: A network interface may not specify a network interface ID and delete on termination as true

How to get around this? My main purpose is to tag network interfaces via tf

[edmundcraske]

@cannonba11 from what you've written it seems that you want to use a network interface which was created elsewhere and yet have your instance resource delete it on termination, which doesn't make sense - either you've created it elsewhere so it needs to be managed elsewhere, or you're creating it as part of instance creation, and hence want to delete it on termination?

[cannonba11]

@edmundcraske
My requirements are:
-I want to be able to tag the network interface that's associated with my ec2 instance.
-I want only one interface with that instance.
My spec looks like this:

resource "aws_network_interface" "eth0" {
      subnet_id       = "${var.subnet_id}"
      security_groups = ["${var.sg_ids}"]
      tags {
      Environment = "${var.environment}"
      App = "${var.name}"
      Name = "${var.name}_${var.environment}_eth0"
    } 
}
resource "aws_instance" "runtime-instance" {

  ami = "${var.ami}"
  instance_type = "${var.instance_type}"
  key_name = "abcd"
  availability_zone = "${var.az}"
  iam_instance_profile = "${var.iam_instance_profile}"
  network_interface {
    device_index = 0
    network_interface_id = "${aws_network_interface.eth0.id}"
    delete_on_termination = true
  }
}

If I don't add the network_interface inside the runtime-instance block, then the instance comes up with an interface without tags. The only way I can have a tagged network interface come up with this instance is how I have it above (correct me if I am wrong). But this throws an error as delete_on_termination is set to true. If I remove delete_on_termination from the above spec, it works fine - comes up with one interface eth0 with the correct tags.

[edmundcraske]

@cannonba11 you need to remove the ‘delete_on_termination’ setting for the network interface - logically how can terraform delete it as part of the instance if it is actually managed under its own separate resource? What are you hoping to achieve by having it set? It is unnecessary and would cause an inconsistency by trying to manage the existence of the network interface in more than one place.

[cannonba11]

@edmundcraske - Thanks for the explanation, I understand what you are saying but say someone terminates the instance from the aws console, the network interface will still be lying around. It will only be deleted via a terraform destroy. It would be better to have a network_interface_tags attribute just like volume_tags attribute in the aws_instance resource, that way one can have network interface managed as part of the instance and also have Tags for it. The overarching goal is to have network interface tags for an ENI attached to an EC2, but the only way available via terraform means that the interface will have to be a separate resource thereby increasing the number of items to manage or keep track of.

[edmundcraske]

That’s not really a terraform problem though - if you let AWS create a network interface for you, it doesn’t let you specify tags for the network interface, or tell you what the network interface ID is, you have to go and make separate calls to do that.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.