terraform-provider-aws: Encrypted flag cannot be specified since device /dev/sda1 has a snapshot specified
This issue was originally opened by @jayudhandha as hashicorp/terraform#18059. It was migrated here as a result of the provider split. The original body of the issue is below.
Hi,
I am migrating my Autoscaling groups to use launch_template instead of launch_configuration. (To support T2 Unlimited)
Below is my code snippet.
resource "aws_launch_template" "test_launch_template" {
  image_id               = "ami_id"
  name_prefix            = "test-pref"
  instance_type          = "t2.small"
  key_name               = "jayesh"
  vpc_security_group_ids = ["sg-23423432", "sg-23452115"]
  user_data              = "${base64encode(data.template_file.user_data.rendered)}"

  iam_instance_profile {
    name = "test"
  }

  disable_api_termination              = true
  instance_initiated_shutdown_behavior = "terminate"

  block_device_mappings {
    device_name = "/dev/sda1"

    ebs {
      delete_on_termination = true
      volume_size           = "${var.volume_size}"
    }
  }

  credit_specification {
    cpu_credits = "unlimited"
  }

  lifecycle {
    create_before_destroy = "true"
  }
}
While running terraform apply I am getting the error below.
1 error(s) occurred:
- aws_autoscaling_group.test_asg: 1 error(s) occurred:
- aws_autoscaling_group.test_asg: Error creating AutoScaling Group: ValidationError: You must use a valid fully-formed launch template. the encrypted flag cannot be specified since device /dev/sda1 has a snapshot specified. status code: 400, request id: 7902a390-58de-11e8-af77-87d327f8b121
Maybe a parameter is missing, but I am not sure which one.
As per the error, it looks like the encrypted parameter is specified, but I haven’t passed that. Why is this error occurring?
Thanks in advance!
About this issue
- State: closed
- Created 6 years ago
- Reactions: 23
- Comments: 26 (4 by maintainers)
Commits related to this issue
- Skip ebs encryption flag for snapshots on launch template. AWS does not allow setting encryption values on ebs block devices created from a snapshot. This patch lists block devices created from snaps... — committed to jmcarp/terraform-provider-aws by jmcarp 6 years ago
- WIP experiment but failed due to: https://github.com/terraform-providers/terraform-provider-aws/issues/4553 — committed to EFXCIA/terraform-aws-vault by efx-jjohnson 6 years ago
- It's not pretty but it works. Though I think we should wait for https://github.com/terraform-providers/terraform-provider-aws/issues/4553 to be fixed & then do a cleaner implementation. To make this ... — committed to EFXCIA/terraform-aws-vault by efx-jjohnson 6 years ago
I have had to go back to launch configurations, which is not desired but unfortunately necessary. This is a pretty big deal and is hampering our usage of launch templates. Any prioritization for fixing this would be greatly appreciated.
This has been released in version 1.34.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
@yardensachs We kept using good old AWS launch configurations instead of launch templates for configuring our ASG instances. https://www.terraform.io/docs/providers/aws/r/launch_configuration.html
provider.aws v1.38.0 I’m also seeing it after setting encrypted=true or encrypted=false in the launch template. The only way I get success is to set encrypted="" which shows up in the AWS console as ‘Default’.
@bflad @terraformbot @tf-release-bot Facing the same issue. Removing the block_device_mappings argument fixed it (but I can no longer tweak the root volume size). Hope this issue can be fixed ASAP
The fix for this has been merged into master and will release with version 1.34.0 of the AWS provider, likely later today.
Bug fix pull request submitted: #5632
This must get fixed, in order to use aws_launch_template in a fully automated way. I do want to tweak the root device volume size and not to remove it and need to have this done automatically and not in a manual way
Same here.
Also same: Removing the block_device_mappings argument fixed it (but I can no longer tweak the root volume size).
Ok so I found a way to complete this automatically, although it's very hacky.
I figured out the issue here is because terraform auto defaults the encryption if you don't pass an option in, which it shouldn't.
If you use the aws cli to create a new template version, and overwrite the ebs volume options with no encryption passed in, the correct option will be put into the template and will allow you to spin up an instance.
So to solve this automatically, I added a local-exec to my launch template that will run the aws command, update the ebs volume with the same name and not pass in the encryption method, and now it works.
The sleep 10 was to fix an issue with the id interpolation that I think I found with this resource type. You could probably just remove the ebs block inside the terraform template and just use the aws cli to update the created template with the block if you wanted.
Hit the same problem today with the workaround mentioned above; editing the launch template in AWS Console then continue with Terraform.
I ran into the same issue and the following workaround process did the trick:
You will see that terraform does not complain about the encryption flag difference on your already created template.
Please note that every time you update the launch template with terraform, the same manual trick will be needed in the aws console.
Seems the above PR has been on hold for a while. When can we get it merged?
We are in terraform 0.12.x now. Hope the fix can work in 0.12 directly.
PR submitted: https://github.com/hashicorp/terraform-aws-vault/pull/97
I ran into this issue and came across this when searching for the error code, BUT I was using AWS CLI, not Terraform.
So this issue is really an issue with the AWS API itself; in AWS CLI I was able to resolve it by removing the encrypted field altogether. In Terraform it would probably require some code change so that it does not always set the encrypted field by default.
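The behaviour the comments above describe (an `encrypted` value is always sent, and the API rejects any value for a device the AMI backs with a snapshot) can be shown in a few lines of Go. This is an added example, not code from the provider or from any commenter; the type names, `BuildMappings`, `Render` and the `snap-EXAMPLE` value are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Ebs holds the launch-template EBS fields discussed in this issue (illustrative subset).
// Encrypted is a pointer so "not set" (nil, omitted) differs from an explicit false.
type Ebs struct {
	DeleteOnTermination *bool  `json:"DeleteOnTermination,omitempty"`
	VolumeSize          *int64 `json:"VolumeSize,omitempty"`
	Encrypted           *bool  `json:"Encrypted,omitempty"`
}

type Mapping struct {
	DeviceName string `json:"DeviceName"`
	Ebs        Ebs    `json:"Ebs"`
}

// BuildMappings (hypothetical helper) drops Encrypted for devices the AMI backs with a snapshot.
func BuildMappings(want []Mapping, amiSnapshots map[string]string) ([]Mapping, []string) {
	out := make([]Mapping, 0, len(want))
	var stripped []string
	for _, m := range want { // m is a copy, so the caller's slice is not modified
		if _, fromSnap := amiSnapshots[m.DeviceName]; fromSnap && m.Ebs.Encrypted != nil {
			m.Ebs.Encrypted = nil
			stripped = append(stripped, m.DeviceName)
		}
		out = append(out, m)
	}
	return out, stripped
}

func Render(ms []Mapping) string {
	b, _ := json.Marshal(ms)
	return string(b)
}

func main() {
	f, t, size := false, true, int64(50)
	// Constructed input: root device carrying a defaulted false, plus a blank data volume.
	want := []Mapping{
		{DeviceName: "/dev/sda1", Ebs: Ebs{DeleteOnTermination: &t, VolumeSize: &size, Encrypted: &f}},
		{DeviceName: "/dev/sdf", Ebs: Ebs{VolumeSize: &size, Encrypted: &t}},
	}
	got, stripped := BuildMappings(want, map[string]string{"/dev/sda1": "snap-EXAMPLE"})
	fmt.Println(Render(got), stripped)
}
```

The second return value lists the devices whose flag was dropped, so a caller can record that those volumes take their encryption state from the AMI snapshot rather than from the template.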
Facing the same issue. Removing the block_device_mappings argument fixed it (but I can no longer tweak the root volume size).