provider/aws: Fix attach of SG to instance with multiple network interfaces

With an EC2 instance that only had a single network interface, the primary interface, the Update function would call `ModifyInstanceAttribute()` on the target instance. This would only work if there was a single network interface attached to the EC2 instance. If, however, a secondary network interface was attached to the instance, the `ModifyInstanceAttribute()` API call would fail with the following error message:

 > There are multiple interfaces attached to instance 'i-XXXXX'. Please specify an interface ID for the operation instead.

 After this changeset, modifying instance security groups makes the correct call to `ModifyNetworkInterfaceAttribute()` in order to modify the list of security groups on the primary network interface, as initially configured during the instance's creation.

 This change is also safe from an instance that has a non-default primary network interface, as the instance attribute `vpc_security_group_ids` conflicts with the new `network_interface` attribute.

 Test Output:

 $ make testacc TEST=./builtin/providers/aws TESTARGS="-run=TestAccAWSInstance_addSecurityGroupNetworkInterface"
 ==> Checking that code complies with gofmt requirements...
 go generate $(go list ./... | grep -v /terraform/vendor/)
 2017/05/08 17:52:42 Generated command/internal_plugin_list.go
 TF_ACC=1 go test ./builtin/providers/aws -v -run=TestAccAWSInstance_addSecurityGroupNetworkInterface -timeout 120m
 === RUN   TestAccAWSInstance_addSecurityGroupNetworkInterface
 --- PASS: TestAccAWSInstance_addSecurityGroupNetworkInterface (327.75s)
 ok    327.756s
This commit is contained in:
Jake Champlin 2017-05-08 18:30:22 -04:00
parent dd5577ee44
commit 0d6891d505
No known key found for this signature in database
GPG Key ID: DC31F41958EF4AC2
2 changed files with 188 additions and 3 deletions


@ -836,13 +836,39 @@ func resourceAwsInstanceUpdate(d *schema.ResourceData, meta interface{}) error {
groups = append(groups, aws.String(v.(string)))
_, err := conn.ModifyInstanceAttribute(&ec2.ModifyInstanceAttributeInput{
InstanceId: aws.String(d.Id()),
Groups: groups,
// If a user has multiple network interface attachments on the target EC2 instance, simply modifying the
// instance attributes via a `ModifyInstanceAttributes()` request would fail with the following error message:
// "There are multiple interfaces attached to instance 'i-XX'. Please specify an interface ID for the operation instead."
// Thus, we need to actually modify the primary network interface for the new security groups, as the primary
// network interface is where we modify/create security group assignments during Create.
log.Printf("[INFO] Modifying `vpc_security_group_ids` on Instance %q", d.Id())
instances, err := conn.DescribeInstances(&ec2.DescribeInstancesInput{
InstanceIds: []*string{aws.String(d.Id())},
if err != nil {
return err
instance := instances.Reservations[0].Instances[0]
var primaryInterface ec2.InstanceNetworkInterface
for _, ni := range instance.NetworkInterfaces {
if *ni.Attachment.DeviceIndex == 0 {
primaryInterface = *ni
if primaryInterface.NetworkInterfaceId == nil {
log.Print("[Error] Attempted to set vpc_security_group_ids on an instance without a primary network interface")
return fmt.Errorf(
"Failed to update vpc_security_group_ids on %q, which does not contain a primary network interface",
if _, err := conn.ModifyNetworkInterfaceAttribute(&ec2.ModifyNetworkInterfaceAttributeInput{
NetworkInterfaceId: primaryInterface.NetworkInterfaceId,
Groups: groups,
}); err != nil {
return err
if d.HasChange("instance_type") && !d.IsNewResource() {
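Review bot: `instances.Reservations[0].Instances[0]` on the line after the DescribeInstances error check indexes the response without checking it is non-empty, so an instance that was terminated outside Terraform between refresh and update turns a clean API error into a provider panic. Add a guard before that line: `if len(instances.Reservations) == 0 || len(instances.Reservations[0].Instances) == 0 { return fmt.Errorf("instance %q not found while updating vpc_security_group_ids", d.Id()) }`. The loop's `*ni.Attachment.DeviceIndex` dereferences `Attachment` without a nil check as well; it is presumably always populated for interfaces reported on an instance, but `if ni.Attachment != nil && ...` costs nothing and the loop could `break` once device index 0 is found. The log prefix `[Error]` on the no-primary-interface path also differs from the `[INFO]`/`[ERROR]` convention used elsewhere in this function, and the same failure is both logged and returned. `resourceAwsInstanceUpdate` begins and ends outside this hunk.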


@ -1018,6 +1018,34 @@ func TestAccAWSInstance_addSecondaryInterface(t *testing.T) {
func TestAccAWSInstance_addSecurityGroupNetworkInterface(t *testing.T) {
var before ec2.Instance
var after ec2.Instance
resource.Test(t, resource.TestCase{
PreCheck: func() { testAccPreCheck(t) },
Providers: testAccProviders,
CheckDestroy: testAccCheckInstanceDestroy,
Steps: []resource.TestStep{
Config: testAccInstanceConfigAddSecurityGroupBefore,
Check: resource.ComposeTestCheckFunc(
testAccCheckInstanceExists("", &before),
resource.TestCheckResourceAttr("", "vpc_security_group_ids.#", "1"),
Config: testAccInstanceConfigAddSecurityGroupAfter,
Check: resource.ComposeTestCheckFunc(
testAccCheckInstanceExists("", &after),
resource.TestCheckResourceAttr("", "vpc_security_group_ids.#", "2"),
func testAccCheckInstanceNotRecreated(t *testing.T,
before, after *ec2.Instance) resource.TestCheckFunc {
return func(s *terraform.State) error {
@ -2013,3 +2041,134 @@ resource "aws_instance" "foo" {
const testAccInstanceConfigAddSecurityGroupBefore = `
resource "aws_vpc" "foo" {
cidr_block = ""
tags {
Name = "tf-eni-test"
resource "aws_subnet" "foo" {
vpc_id = "${}"
cidr_block = ""
availability_zone = "us-west-2a"
tags {
Name = "tf-foo-instance-add-sg-test"
resource "aws_subnet" "bar" {
vpc_id = "${}"
cidr_block = ""
availability_zone = "us-west-2a"
tags {
Name = "tf-bar-instance-add-sg-test"
resource "aws_security_group" "foo" {
vpc_id = "${}"
description = "foo"
name = "foo"
resource "aws_security_group" "bar" {
vpc_id = "${}"
description = "bar"
name = "bar"
resource "aws_instance" "foo" {
ami = "ami-c5eabbf5"
instance_type = "t2.micro"
subnet_id = "${}"
associate_public_ip_address = false
vpc_security_group_ids = [
tags {
Name = "foo-instance-sg-add-test"
resource "aws_network_interface" "bar" {
subnet_id = "${}"
private_ips = [""]
security_groups = ["${}"]
attachment {
instance = "${}"
device_index = 1
tags {
Name = "bar_interface"
const testAccInstanceConfigAddSecurityGroupAfter = `
resource "aws_vpc" "foo" {
cidr_block = ""
tags {
Name = "tf-eni-test"
resource "aws_subnet" "foo" {
vpc_id = "${}"
cidr_block = ""
availability_zone = "us-west-2a"
tags {
Name = "tf-foo-instance-add-sg-test"
resource "aws_subnet" "bar" {
vpc_id = "${}"
cidr_block = ""
availability_zone = "us-west-2a"
tags {
Name = "tf-bar-instance-add-sg-test"
resource "aws_security_group" "foo" {
vpc_id = "${}"
description = "foo"
name = "foo"
resource "aws_security_group" "bar" {
vpc_id = "${}"
description = "bar"
name = "bar"
resource "aws_instance" "foo" {
ami = "ami-c5eabbf5"
instance_type = "t2.micro"
subnet_id = "${}"
associate_public_ip_address = false
vpc_security_group_ids = [
tags {
Name = "foo-instance-sg-add-test"
resource "aws_network_interface" "bar" {
subnet_id = "${}"
private_ips = [""]
security_groups = ["${}"]
attachment {
instance = "${}"
device_index = 1
tags {
Name = "bar_interface"
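Review bot: `TestAccAWSInstance_addSecurityGroupNetworkInterface` captures `before` and `after` but, as far as the rendered check functions show, never asserts the instance was not replaced; if the rendering has not dropped it, the second step's check should include `testAccCheckInstanceNotRecreated(t, &before, &after)` (the helper defined immediately below the test), since a forced replacement would also yield `vpc_security_group_ids.# = 2` and hide a regression in the in-place path this commit is fixing. The two step configs also only check the state count, not that the primary interface itself carries both groups, so a check that describes the ENI at device index 0 and compares its group set would pin the actual behaviour this commit changes. Separately, the fixed security group names `name = "foo"` / `name = "bar"` in the same VPC are fine here because the VPC is per-test, but the hard-coded AMI `ami-c5eabbf5` and `us-west-2a` tie the test to one region, consistent with the surrounding configs.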