Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

diffs didn't match error on T3 server after taint then apply #5719

Closed
ghost opened this issue Aug 29, 2018 · 4 comments · Fixed by #5805
Closed

diffs didn't match error on T3 server after taint then apply #5719

ghost opened this issue Aug 29, 2018 · 4 comments · Fixed by #5805
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
Milestone
v1.37.0

Comments

@ghost
Copy link

ghost commented Aug 29, 2018

This issue was originally opened by @twellspring as hashicorp/terraform#18733. It was migrated here as a result of the provider split. The original body of the issue is below.

Terraform Version

Terraform v0.11.7
+ provider.aws v1.33.0
+ provider.dns v2.0.0
+ provider.null v1.0.0
+ provider.template v1.0.0

Terraform Configuration Files

This server was created as a t3.small.  It appears the error is related to The CPU credits getting set differently by the creation than is expected so the next time terraform apply runs it changes the setting.

resource "aws_instance" "compute_ec2" {
  ami                         = "${data.aws_ami.ubuntu.id}"
  associate_public_ip_address = "${local.associate_public_ip == "true" ? true : false}"
  availability_zone           = "${module.globals.region}${var.series["az"]}"
  disable_api_termination     = "${lookup(local.termination_protection, module.globals.env)}"
  iam_instance_profile        = "ec2-instance-role-${module.globals.env}"
  instance_type               = "${lookup(local.instances, module.globals.env)}"
  key_name                    = "${module.globals.env}-deployer-key"
  source_dest_check           = "${var.source_dest_check}"
  subnet_id                   = "${data.aws_subnet.compute_subnet.id}"
  vpc_security_group_ids      = ["${data.aws_security_group.compute_ec2_sg.*.id}"]

  connection {
    host        = "${self.private_ip}"
    private_key = "${file("${module.globals.deployer_key_path}")}"
    user        = "ubuntu"
  }

  lifecycle {
    ignore_changes = ["ami"]
  }

  root_block_device {
    volume_size = "${local.root_volume_size}"
  }

  tags {
    Environment = "${module.globals.env}"
    Name        = "${local.hostname}"
  }

  # Generate and accept minion key
  provisioner "local-exec" {
    command = "ssh -F /data/credentials/ssh/config ${module.globals.salt_master_ip} \"bash -l -c 'salt-keygen ${local.hostname}'\""
  }

  # Copy the keys to minion
  provisioner "local-exec" {
    command = "mkdir -p /tmp/minion_keys"
  }

  provisioner "local-exec" {
    command = "rm -f /tmp/minion_keys/${local.hostname}.*"
  }

  provisioner "local-exec" {
    command = "scp -F /data/credentials/ssh/config ${module.globals.salt_master_ip}:/tmp/minion_keys/${local.hostname}\\* /tmp/minion_keys"
  }

  provisioner "file" {
    source      = "/tmp/minion_keys/${local.hostname}.pub"
    destination = "/tmp/minion.pub"
  }

  provisioner "file" {
    source      = "/tmp/minion_keys/${local.hostname}.pem"
    destination = "/tmp/minion.pem"
  }

  provisioner "remote-exec" {
    inline = [
      "sudo mkdir -p /etc/salt/pki/minion",
      "sudo mv /tmp/minion.* /etc/salt/pki/minion/",
      "mkdir /tmp/salt",
    ]
  }

Debug Output

https://gist.github.com/twellspring/151fe1e56e5bc1689d541614b758ae71

Crash Output

https://gist.github.com/twellspring/8e75fb2e32910182e0dcbd3e9ae18351

Expected Behavior

Actual Behavior

Steps to Reproduce

terraform taint
terraform apply

Additional Context

References
@ghost ghost mentioned this issue Aug 29, 2018
Closed
@MMollyy
Copy link

MMollyy commented Sep 6, 2018
edited
Loading

I can confirm this behaviour, and some other teams at our organization as well.
It seem the aws provider is not able to handle tainting for the new t3 instance type.

Full error:


Please include the following information in your report:

    Terraform Version: 0.11.7
    Resource ID: aws_instance.xyz
    Mismatch reason: attribute mismatch: credit_specification.0.cpu_credits
    Diff One (usually from plan): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"get_password_data":*terraform.ResourceAttrDiff{Old:"false", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.stack-name":*terraform.ResourceAttrDiff{Old:"development", New:"development", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "cpu_core_count":*terraform.ResourceAttrDiff{Old:"1", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "password_data":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "security_groups.#":*terraform.ResourceAttrDiff{Old:"0", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tenancy":*terraform.ResourceAttrDiff{Old:"default", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "subnet_id":*terraform.ResourceAttrDiff{Old:"subnet-741de92f", New:"subnet-741de92f", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "ipv6_addresses.#":*terraform.ResourceAttrDiff{Old:"0", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.environment":*terraform.ResourceAttrDiff{Old:"d", New:"d", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.os-type":*terraform.ResourceAttrDiff{Old:"windows", New:"windows", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "ephemeral_block_device.#":*terraform.ResourceAttrDiff{Old:"0", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "public_ip":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "cpu_threads_per_core":*terraform.ResourceAttrDiff{Old:"2", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.BACKUP":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "network_interface_id":*terraform.ResourceAttrDiff{Old:"eni-08d251284cc455db9", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "root_block_device.#":*terraform.ResourceAttrDiff{Old:"1", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.Name":*terraform.ResourceAttrDiff{Old:"xyz", New:"xyz", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "associate_public_ip_address":*terraform.ResourceAttrDiff{Old:"false", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_security_group_ids.139870218":*terraform.ResourceAttrDiff{Old:"sg-10fdf46b", New:"sg-10fdf46b", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "ebs_block_device.#":*terraform.ResourceAttrDiff{Old:"0", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "instance_state":*terraform.ResourceAttrDiff{Old:"running", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.%":*terraform.ResourceAttrDiff{Old:"9", New:"9", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "user_data":*terraform.ResourceAttrDiff{Old:"753f381da347971a3fe46c0ab3e9daec223af9bc", New:"753f381da347971a3fe46c0ab3e9daec223af9bc", NewComputed:false, NewRemoved:false, NewExtra:"<powershell>\n#Requires -Version 3.0\n\n# Configure a Windows host for remote management with Ansible\n# -----------------------------------------------------------\n#\n# This script checks the current WinRM (PS Remoting) configuration and makes\n# the necessary changes to allow Ansible to connect, authenticate and\n# execute PowerShell commands.\n#\n# All events are logged to the Windows EventLog, useful for unattended runs.\n#\n# Use option -Verbose in order to see the verbose output messages.\n#\n# Use option -CertValidityDays to specify how long this certificate is valid\n# starting from today. So you would specify -CertValidityDays 3650 to get\n# a 10-year valid certificate.\n#\n# Use option -ForceNewSSLCert if the system has been SysPreped and a new\n# SSL Certificate must be forced on the WinRM Listener when re-running this\n# script. This is necessary when a new SID and CN name is created.\n#\n# Use option -EnableCredSSP to enable CredSSP as an authentication option.\n#\n# Use option -DisableBasicAuth to disable basic authentication.\n#\n# Use option -SkipNetworkProfileCheck to skip the network profile check.\n# Without specifying this the script will only run if the device's interfaces\n# are in DOMAIN or PRIVATE zones.  Provide this switch if you want to enable\n# WinRM on a device with an interface in PUBLIC zone.\n#\n# Use option -SubjectName to specify the CN name of the certificate. This\n# defaults to the system's hostname and generally should not be specified.\n\n# Written by Trond Hindenes <[email protected]>\n# Updated by Chris Church <[email protected]>\n# Updated by Michael Crilly <[email protected]>\n# Updated by Anton Ouzounov <[email protected]>\n# Updated by Nicolas Simond <[email protected]>\n# Updated by Dag Wieërs <[email protected]>\n# Updated by Jordan Borean <[email protected]>\n# Updated by Erwan Quélin <[email protected]>\n# Updated by David Norman <[email protected]>\n#\n# Version 1.0 - 2014-07-06\n# Version 1.1 - 2014-11-11\n# Version 1.2 - 2015-05-15\n# Version 1.3 - 2016-04-04\n# Version 1.4 - 2017-01-05\n# Version 1.5 - 2017-02-09\n# Version 1.6 - 2017-04-18\n# Version 1.7 - 2017-11-23\n# Version 1.8 - 2018-02-23\n\n# Support -Verbose option\n[CmdletBinding()]\n\nParam (\n    [string]$SubjectName = $env:COMPUTERNAME,\n    [int]$CertValidityDays = 1095,\n    [switch]$SkipNetworkProfileCheck,\n    $CreateSelfSignedCert = $true,\n    [switch]$ForceNewSSLCert,\n    [switch]$GlobalHttpFirewallAccess,\n    [switch]$DisableBasicAuth = $false,\n    [switch]$EnableCredSSP\n)\n\nFunction Write-Log\n{\n    $Message = $args[0]\n    Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1 -Message $Message\n}\n\nFunction Write-VerboseLog\n{\n    $Message = $args[0]\n    Write-Verbose $Message\n    Write-Log $Message\n}\n\nFunction Write-HostLog\n{\n    $Message = $args[0]\n    Write-Output $Message\n    Write-Log $Message\n}\n\nFunction New-LegacySelfSignedCert\n{\n    Param (\n        [string]$SubjectName,\n        [int]$ValidDays = 1095\n    )\n\n    $hostnonFQDN = $env:computerName\n    $hostFQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname\n    $SignatureAlgorithm = \"SHA256\"\n\n    $name = New-Object -COM \"X509Enrollment.CX500DistinguishedName.1\"\n    $name.Encode(\"CN=$SubjectName\", 0)\n\n    $key = New-Object -COM \"X509Enrollment.CX509PrivateKey.1\"\n    $key.ProviderName = \"Microsoft Enhanced RSA and AES Cryptographic Provider\"\n    $key.KeySpec = 1\n    $key.Length = 4096\n    $key.SecurityDescriptor = \"D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)\"\n    $key.MachineContext = 1\n    $key.Create()\n\n    $serverauthoid = New-Object -COM \"X509Enrollment.CObjectId.1\"\n    $serverauthoid.InitializeFromValue(\"1.3.6.1.5.5.7.3.1\")\n    $ekuoids = New-Object -COM \"X509Enrollment.CObjectIds.1\"\n    $ekuoids.Add($serverauthoid)\n    $ekuext = New-Object -COM \"X509Enrollment.CX509ExtensionEnhancedKeyUsage.1\"\n    $ekuext.InitializeEncode($ekuoids)\n\n    $cert = New-Object -COM \"X509Enrollment.CX509CertificateRequestCertificate.1\"\n    $cert.InitializeFromPrivateKey(2, $key, \"\")\n    $cert.Subject = $name\n    $cert.Issuer = $cert.Subject\n    $cert.NotBefore = (Get-Date).AddDays(-1)\n    $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)\n\n    $SigOID = New-Object -ComObject X509Enrollment.CObjectId\n    $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value)\n\n    [string[]] $AlternativeName  += $hostnonFQDN\n    $AlternativeName += $hostFQDN\n    $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames\n\n    foreach ($AN in $AlternativeName)\n    {\n        $AltName = New-Object -ComObject X509Enrollment.CAlternativeName\n        $AltName.InitializeFromString(0x3,$AN)\n        $IAlternativeNames.Add($AltName)\n    }\n\n    $SubjectAlternativeName = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames\n    $SubjectAlternativeName.InitializeEncode($IAlternativeNames)\n\n    [String[]]$KeyUsage = (\"DigitalSignature\", \"KeyEncipherment\")\n    $KeyUsageObj = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage\n    $KeyUsageObj.InitializeEncode([int][Security.Cryptography.X509Certificates.X509KeyUsageFlags]($KeyUsage))\n    $KeyUsageObj.Critical = $true\n\n    $cert.X509Extensions.Add($KeyUsageObj)\n    $cert.X509Extensions.Add($ekuext)\n    $cert.SignatureInformation.HashAlgorithm = $SigOID\n    $CERT.X509Extensions.Add($SubjectAlternativeName)\n    $cert.Encode()\n\n    $enrollment = New-Object -COM \"X509Enrollment.CX509Enrollment.1\"\n    $enrollment.InitializeFromRequest($cert)\n    $certdata = $enrollment.CreateRequest(0)\n    $enrollment.InstallResponse(2, $certdata, 0, \"\")\n\n    # extract/return the thumbprint from the generated cert\n    $parsed_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2\n    $parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata))\n\n    return $parsed_cert.Thumbprint\n}\n\nFunction Enable-GlobalHttpFirewallAccess\n{\n    Write-Verbose \"Forcing global HTTP firewall access\"\n    # this is a fairly naive implementation; could be more sophisticated about rule matching/collapsing\n    $fw = New-Object -ComObject HNetCfg.FWPolicy2\n\n    # try to find/enable the default rule first\n    $add_rule = $false\n    $matching_rules = $fw.Rules | ? { $_.Name -eq \"Windows Remote Management (HTTP-In)\" }\n    $rule = $null\n    If ($matching_rules) {\n        If ($matching_rules -isnot [Array]) {\n            Write-Verbose \"Editing existing single HTTP firewall rule\"\n            $rule = $matching_rules\n        }\n        Else {\n            # try to find one with the All or Public profile first\n            Write-Verbose \"Found multiple existing HTTP firewall rules...\"\n            $rule = $matching_rules | % { $_.Profiles -band 4 }[0]\n\n            If (-not $rule -or $rule -is [Array]) {\n                Write-Verbose \"Editing an arbitrary single HTTP firewall rule (multiple existed)\"\n                # oh well, just pick the first one\n                $rule = $matching_rules[0]\n            }\n        }\n    }\n\n    If (-not $rule) {\n        Write-Verbose \"Creating a new HTTP firewall rule\"\n        $rule = New-Object -ComObject HNetCfg.FWRule\n        $rule.Name = \"Windows Remote Management (HTTP-In)\"\n        $rule.Description = \"Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]\"\n        $add_rule = $true\n    }\n\n    $rule.Profiles = 0x7FFFFFFF\n    $rule.Protocol = 6\n    $rule.LocalPorts = 5985\n    $rule.RemotePorts = \"*\"\n    $rule.LocalAddresses = \"*\"\n    $rule.RemoteAddresses = \"*\"\n    $rule.Enabled = $true\n    $rule.Direction = 1\n    $rule.Action = 1\n    $rule.Grouping = \"Windows Remote Management\"\n\n    If ($add_rule) {\n        $fw.Rules.Add($rule)\n    }\n\n    Write-Verbose \"HTTP firewall rule $($rule.Name) updated\"\n}\n\n# Setup error handling.\nTrap\n{\n    $_\n    Exit 1\n}\n$ErrorActionPreference = \"Stop\"\n\n# Get the ID and security principal of the current user account\n$myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()\n$myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)\n\n# Get the security principal for the Administrator role\n$adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator\n\n# Check to see if we are currently running \"as Administrator\"\nif (-Not $myWindowsPrincipal.IsInRole($adminRole))\n{\n    Write-Output \"ERROR: You need elevated Administrator privileges in order to run this script.\"\n    Write-Output \"       Start Windows PowerShell by using the Run as Administrator option.\"\n    Exit 2\n}\n\n$EventSource = $MyInvocation.MyCommand.Name\nIf (-Not $EventSource)\n{\n    $EventSource = \"Powershell CLI\"\n}\n\nIf ([System.Diagnostics.EventLog]::Exists('Application') -eq $False -or [System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False)\n{\n    New-EventLog -LogName Application -Source $EventSource\n}\n\n# Detect PowerShell version.\nIf ($PSVersionTable.PSVersion.Major -lt 3)\n{\n    Write-Log \"PowerShell version 3 or higher is required.\"\n    Throw \"PowerShell version 3 or higher is required.\"\n}\n\n# Find and start the WinRM service.\nWrite-Verbose \"Verifying WinRM service.\"\nIf (!(Get-Service \"WinRM\"))\n{\n    Write-Log \"Unable to find the WinRM service.\"\n    Throw \"Unable to find the WinRM service.\"\n}\nElseIf ((Get-Service \"WinRM\").Status -ne \"Running\")\n{\n    Write-Verbose \"Setting WinRM service to start automatically on boot.\"\n    Set-Service -Name \"WinRM\" -StartupType Automatic\n    Write-Log \"Set WinRM service to start automatically on boot.\"\n    Write-Verbose \"Starting WinRM service.\"\n    Start-Service -Name \"WinRM\" -ErrorAction Stop\n    Write-Log \"Started WinRM service.\"\n\n}\n\n# WinRM should be running; check that we have a PS session config.\nIf (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\\localhost\\Listener)))\n{\n  If ($SkipNetworkProfileCheck) {\n    Write-Verbose \"Enabling PS Remoting without checking Network profile.\"\n    Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop\n    Write-Log \"Enabled PS Remoting without checking Network profile.\"\n  }\n  Else {\n    Write-Verbose \"Enabling PS Remoting.\"\n    Enable-PSRemoting -Force -ErrorAction Stop\n    Write-Log \"Enabled PS Remoting.\"\n  }\n}\nElse\n{\n    Write-Verbose \"PS Remoting is already enabled.\"\n}\n\n# Make sure there is a SSL listener.\n$listeners = Get-ChildItem WSMan:\\localhost\\Listener\nIf (!($listeners | Where {$_.Keys -like \"TRANSPORT=HTTPS\"}))\n{\n    # We cannot use New-SelfSignedCertificate on 2012R2 and earlier\n    $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays\n    Write-HostLog \"Self-signed SSL certificate generated; thumbprint: $thumbprint\"\n\n    # Create the hashtables of settings to be used.\n    $valueset = @{\n        Hostname = $SubjectName\n        CertificateThumbprint = $thumbprint\n    }\n\n    $selectorset = @{\n        Transport = \"HTTPS\"\n        Address = \"*\"\n    }\n\n    Write-Verbose \"Enabling SSL listener.\"\n    New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset\n    Write-Log \"Enabled SSL listener.\"\n}\nElse\n{\n    Write-Verbose \"SSL listener is already active.\"\n\n    # Force a new SSL cert on Listener if the $ForceNewSSLCert\n    If ($ForceNewSSLCert)\n    {\n\n        # We cannot use New-SelfSignedCertificate on 2012R2 and earlier\n        $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays\n        Write-HostLog \"Self-signed SSL certificate generated; thumbprint: $thumbprint\"\n\n        $valueset = @{\n            CertificateThumbprint = $thumbprint\n            Hostname = $SubjectName\n        }\n\n        # Delete the listener for SSL\n        $selectorset = @{\n            Address = \"*\"\n            Transport = \"HTTPS\"\n        }\n        Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset\n\n        # Add new Listener with new SSL cert\n        New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset\n    }\n}\n\n# Check for basic authentication.\n$basicAuthSetting = Get-ChildItem WSMan:\\localhost\\Service\\Auth | Where-Object {$_.Name -eq \"Basic\"}\n\nIf ($DisableBasicAuth)\n{\n    If (($basicAuthSetting.Value) -eq $true)\n    {\n        Write-Verbose \"Disabling basic auth support.\"\n        Set-Item -Path \"WSMan:\\localhost\\Service\\Auth\\Basic\" -Value $false\n        Write-Log \"Disabled basic auth support.\"\n    }\n    Else\n    {\n        Write-Verbose \"Basic auth is already disabled.\"\n    }\n}\nElse\n{\n    If (($basicAuthSetting.Value) -eq $false)\n    {\n        Write-Verbose \"Enabling basic auth support.\"\n        Set-Item -Path \"WSMan:\\localhost\\Service\\Auth\\Basic\" -Value $true\n        Write-Log \"Enabled basic auth support.\"\n    }\n    Else\n    {\n        Write-Verbose \"Basic auth is already enabled.\"\n    }\n}\n\n# If EnableCredSSP if set to true\nIf ($EnableCredSSP)\n{\n    # Check for CredSSP authentication\n    $credsspAuthSetting = Get-ChildItem WSMan:\\localhost\\Service\\Auth | Where {$_.Name -eq \"CredSSP\"}\n    If (($credsspAuthSetting.Value) -eq $false)\n    {\n        Write-Verbose \"Enabling CredSSP auth support.\"\n        Enable-WSManCredSSP -role server -Force\n        Write-Log \"Enabled CredSSP auth support.\"\n    }\n}\n\nIf ($GlobalHttpFirewallAccess) {\n    Enable-GlobalHttpFirewallAccess\n}\n\n# Configure firewall to allow WinRM HTTPS connections.\n$fwtest1 = netsh advfirewall firewall show rule name=\"Allow WinRM HTTPS\"\n$fwtest2 = netsh advfirewall firewall show rule name=\"Allow WinRM HTTPS\" profile=any\nIf ($fwtest1.count -lt 5)\n{\n    Write-Verbose \"Adding firewall rule to allow WinRM HTTPS.\"\n    netsh advfirewall firewall add rule profile=any name=\"Allow WinRM HTTPS\" dir=in localport=5986 protocol=TCP action=allow\n    Write-Log \"Added firewall rule to allow WinRM HTTPS.\"\n}\nElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5))\n{\n    Write-Verbose \"Updating firewall rule to allow WinRM HTTPS for any profile.\"\n    netsh advfirewall firewall set rule name=\"Allow WinRM HTTPS\" new profile=any\n    Write-Log \"Updated firewall rule to allow WinRM HTTPS for any profile.\"\n}\nElse\n{\n    Write-Verbose \"Firewall rule already exists to allow WinRM HTTPS.\"\n}\n\n# Test a remoting connection to localhost, which should work.\n$httpResult = Invoke-Command -ComputerName \"localhost\" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue\n$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck\n\n$httpsResult = New-PSSession -UseSSL -ComputerName \"localhost\" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue\n\nIf ($httpResult -and $httpsResult)\n{\n    Write-Verbose \"HTTP: Enabled | HTTPS: Enabled\"\n}\nElseIf ($httpsResult -and !$httpResult)\n{\n    Write-Verbose \"HTTP: Disabled | HTTPS: Enabled\"\n}\nElseIf ($httpResult -and !$httpsResult)\n{\n    Write-Verbose \"HTTP: Enabled | HTTPS: Disabled\"\n}\nElse\n{\n    Write-Log \"Unable to establish an HTTP or HTTPS remoting session.\"\n    Throw \"Unable to establish an HTTP or HTTPS remoting session.\"\n}\nWrite-VerboseLog \"PS Remoting has been successfully configured for Ansible.\"\n\n# allow unencrypted communication for legacy compatibility while we migrate\nSet-Item WSMan:\\localhost\\Service\\AllowUnencrypted -Value $true\nGet-NetFirewallRule WINRM-HTTP-In-TCP-PUBLIC | Set-NetFirewallRule -RemoteAddress \"Any\"\n</powershell>\n", RequiresNew:false, Sensitive:false, Type:0x0}, "ami":*terraform.ResourceAttrDiff{Old:"ami-0284c77b", New:"ami-0284c77b", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "primary_network_interface_id":*terraform.ResourceAttrDiff{Old:"eni-08d251284cc455db9", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "source_dest_check":*terraform.ResourceAttrDiff{Old:"true", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "private_ip":*terraform.ResourceAttrDiff{Old:"10.119.128.70", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "root_block_device.0.volume_type":*terraform.ResourceAttrDiff{Old:"standard", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "key_name":*terraform.ResourceAttrDiff{Old:"keypair", New:"keypair", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "root_block_device.0.volume_size":*terraform.ResourceAttrDiff{Old:"64", New:"64", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "volume_tags.%":*terraform.ResourceAttrDiff{Old:"0", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.stack-number":*terraform.ResourceAttrDiff{Old:"###", New:"#", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "public_dns":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"arn", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "network_interface.#":*terraform.ResourceAttrDiff{Old:"0", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.app-number":*terraform.ResourceAttrDiff{Old:"CNA", New:"CNA", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "ipv6_address_count":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "root_block_device.0.delete_on_termination":*terraform.ResourceAttrDiff{Old:"true", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_security_group_ids.#":*terraform.ResourceAttrDiff{Old:"1", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.os-version":*terraform.ResourceAttrDiff{Old:"windows2016", New:"windows2016", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "credit_specification.0.cpu_credits":*terraform.ResourceAttrDiff{Old:"unlimited", New:"standard", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "private_dns":*terraform.ResourceAttrDiff{Old:"ip-10-119-128-70.eu-west-1.compute.internal", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "root_block_device.0.volume_id":*terraform.ResourceAttrDiff{Old:"vol-07f656c239dac6a96", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.powerschedule":*terraform.ResourceAttrDiff{Old:"06-22-1111100-1", New:"06-22-1111100-1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "availability_zone":*terraform.ResourceAttrDiff{Old:"eu-west-1a", New:"eu-west-1a", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "instance_type":*terraform.ResourceAttrDiff{Old:"t3.medium", New:"t3.medium", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "placement_group":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:true, Meta:map[string]interface {}(nil)}
    Diff Two (usually from apply): *terraform.InstanceDiff{mu:sync.Mutex{state:0, sema:0x0}, Attributes:map[string]*terraform.ResourceAttrDiff{"public_dns":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "key_name":*terraform.ResourceAttrDiff{Old:"", New:"keypair", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "vpc_security_group_ids.139870218":*terraform.ResourceAttrDiff{Old:"", New:"sg-10fdf46b", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "volume_tags.%":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "password_data":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "cpu_threads_per_core":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "user_data":*terraform.ResourceAttrDiff{Old:"", New:"753f381da347971a3fe46c0ab3e9daec223af9bc", NewComputed:false, NewRemoved:false, NewExtra:"<powershell>\n#Requires -Version 3.0\n\n# Configure a Windows host for remote management with Ansible\n# -----------------------------------------------------------\n#\n# This script checks the current WinRM (PS Remoting) configuration and makes\n# the necessary changes to allow Ansible to connect, authenticate and\n# execute PowerShell commands.\n#\n# All events are logged to the Windows EventLog, useful for unattended runs.\n#\n# Use option -Verbose in order to see the verbose output messages.\n#\n# Use option -CertValidityDays to specify how long this certificate is valid\n# starting from today. So you would specify -CertValidityDays 3650 to get\n# a 10-year valid certificate.\n#\n# Use option -ForceNewSSLCert if the system has been SysPreped and a new\n# SSL Certificate must be forced on the WinRM Listener when re-running this\n# script. This is necessary when a new SID and CN name is created.\n#\n# Use option -EnableCredSSP to enable CredSSP as an authentication option.\n#\n# Use option -DisableBasicAuth to disable basic authentication.\n#\n# Use option -SkipNetworkProfileCheck to skip the network profile check.\n# Without specifying this the script will only run if the device's interfaces\n# are in DOMAIN or PRIVATE zones.  Provide this switch if you want to enable\n# WinRM on a device with an interface in PUBLIC zone.\n#\n# Use option -SubjectName to specify the CN name of the certificate. This\n# defaults to the system's hostname and generally should not be specified.\n\n# Written by Trond Hindenes <[email protected]>\n# Updated by Chris Church <[email protected]>\n# Updated by Michael Crilly <[email protected]>\n# Updated by Anton Ouzounov <[email protected]>\n# Updated by Nicolas Simond <[email protected]>\n# Updated by Dag Wieërs <[email protected]>\n# Updated by Jordan Borean <[email protected]>\n# Updated by Erwan Quélin <[email protected]>\n# Updated by David Norman <[email protected]>\n#\n# Version 1.0 - 2014-07-06\n# Version 1.1 - 2014-11-11\n# Version 1.2 - 2015-05-15\n# Version 1.3 - 2016-04-04\n# Version 1.4 - 2017-01-05\n# Version 1.5 - 2017-02-09\n# Version 1.6 - 2017-04-18\n# Version 1.7 - 2017-11-23\n# Version 1.8 - 2018-02-23\n\n# Support -Verbose option\n[CmdletBinding()]\n\nParam (\n    [string]$SubjectName = $env:COMPUTERNAME,\n    [int]$CertValidityDays = 1095,\n    [switch]$SkipNetworkProfileCheck,\n    $CreateSelfSignedCert = $true,\n    [switch]$ForceNewSSLCert,\n    [switch]$GlobalHttpFirewallAccess,\n    [switch]$DisableBasicAuth = $false,\n    [switch]$EnableCredSSP\n)\n\nFunction Write-Log\n{\n    $Message = $args[0]\n    Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1 -Message $Message\n}\n\nFunction Write-VerboseLog\n{\n    $Message = $args[0]\n    Write-Verbose $Message\n    Write-Log $Message\n}\n\nFunction Write-HostLog\n{\n    $Message = $args[0]\n    Write-Output $Message\n    Write-Log $Message\n}\n\nFunction New-LegacySelfSignedCert\n{\n    Param (\n        [string]$SubjectName,\n        [int]$ValidDays = 1095\n    )\n\n    $hostnonFQDN = $env:computerName\n    $hostFQDN = [System.Net.Dns]::GetHostByName(($env:computerName)).Hostname\n    $SignatureAlgorithm = \"SHA256\"\n\n    $name = New-Object -COM \"X509Enrollment.CX500DistinguishedName.1\"\n    $name.Encode(\"CN=$SubjectName\", 0)\n\n    $key = New-Object -COM \"X509Enrollment.CX509PrivateKey.1\"\n    $key.ProviderName = \"Microsoft Enhanced RSA and AES Cryptographic Provider\"\n    $key.KeySpec = 1\n    $key.Length = 4096\n    $key.SecurityDescriptor = \"D:PAI(A;;0xd01f01ff;;;SY)(A;;0xd01f01ff;;;BA)(A;;0x80120089;;;NS)\"\n    $key.MachineContext = 1\n    $key.Create()\n\n    $serverauthoid = New-Object -COM \"X509Enrollment.CObjectId.1\"\n    $serverauthoid.InitializeFromValue(\"1.3.6.1.5.5.7.3.1\")\n    $ekuoids = New-Object -COM \"X509Enrollment.CObjectIds.1\"\n    $ekuoids.Add($serverauthoid)\n    $ekuext = New-Object -COM \"X509Enrollment.CX509ExtensionEnhancedKeyUsage.1\"\n    $ekuext.InitializeEncode($ekuoids)\n\n    $cert = New-Object -COM \"X509Enrollment.CX509CertificateRequestCertificate.1\"\n    $cert.InitializeFromPrivateKey(2, $key, \"\")\n    $cert.Subject = $name\n    $cert.Issuer = $cert.Subject\n    $cert.NotBefore = (Get-Date).AddDays(-1)\n    $cert.NotAfter = $cert.NotBefore.AddDays($ValidDays)\n\n    $SigOID = New-Object -ComObject X509Enrollment.CObjectId\n    $SigOID.InitializeFromValue(([Security.Cryptography.Oid]$SignatureAlgorithm).Value)\n\n    [string[]] $AlternativeName  += $hostnonFQDN\n    $AlternativeName += $hostFQDN\n    $IAlternativeNames = New-Object -ComObject X509Enrollment.CAlternativeNames\n\n    foreach ($AN in $AlternativeName)\n    {\n        $AltName = New-Object -ComObject X509Enrollment.CAlternativeName\n        $AltName.InitializeFromString(0x3,$AN)\n        $IAlternativeNames.Add($AltName)\n    }\n\n    $SubjectAlternativeName = New-Object -ComObject X509Enrollment.CX509ExtensionAlternativeNames\n    $SubjectAlternativeName.InitializeEncode($IAlternativeNames)\n\n    [String[]]$KeyUsage = (\"DigitalSignature\", \"KeyEncipherment\")\n    $KeyUsageObj = New-Object -ComObject X509Enrollment.CX509ExtensionKeyUsage\n    $KeyUsageObj.InitializeEncode([int][Security.Cryptography.X509Certificates.X509KeyUsageFlags]($KeyUsage))\n    $KeyUsageObj.Critical = $true\n\n    $cert.X509Extensions.Add($KeyUsageObj)\n    $cert.X509Extensions.Add($ekuext)\n    $cert.SignatureInformation.HashAlgorithm = $SigOID\n    $CERT.X509Extensions.Add($SubjectAlternativeName)\n    $cert.Encode()\n\n    $enrollment = New-Object -COM \"X509Enrollment.CX509Enrollment.1\"\n    $enrollment.InitializeFromRequest($cert)\n    $certdata = $enrollment.CreateRequest(0)\n    $enrollment.InstallResponse(2, $certdata, 0, \"\")\n\n    # extract/return the thumbprint from the generated cert\n    $parsed_cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2\n    $parsed_cert.Import([System.Text.Encoding]::UTF8.GetBytes($certdata))\n\n    return $parsed_cert.Thumbprint\n}\n\nFunction Enable-GlobalHttpFirewallAccess\n{\n    Write-Verbose \"Forcing global HTTP firewall access\"\n    # this is a fairly naive implementation; could be more sophisticated about rule matching/collapsing\n    $fw = New-Object -ComObject HNetCfg.FWPolicy2\n\n    # try to find/enable the default rule first\n    $add_rule = $false\n    $matching_rules = $fw.Rules | ? { $_.Name -eq \"Windows Remote Management (HTTP-In)\" }\n    $rule = $null\n    If ($matching_rules) {\n        If ($matching_rules -isnot [Array]) {\n            Write-Verbose \"Editing existing single HTTP firewall rule\"\n            $rule = $matching_rules\n        }\n        Else {\n            # try to find one with the All or Public profile first\n            Write-Verbose \"Found multiple existing HTTP firewall rules...\"\n            $rule = $matching_rules | % { $_.Profiles -band 4 }[0]\n\n            If (-not $rule -or $rule -is [Array]) {\n                Write-Verbose \"Editing an arbitrary single HTTP firewall rule (multiple existed)\"\n                # oh well, just pick the first one\n                $rule = $matching_rules[0]\n            }\n        }\n    }\n\n    If (-not $rule) {\n        Write-Verbose \"Creating a new HTTP firewall rule\"\n        $rule = New-Object -ComObject HNetCfg.FWRule\n        $rule.Name = \"Windows Remote Management (HTTP-In)\"\n        $rule.Description = \"Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]\"\n        $add_rule = $true\n    }\n\n    $rule.Profiles = 0x7FFFFFFF\n    $rule.Protocol = 6\n    $rule.LocalPorts = 5985\n    $rule.RemotePorts = \"*\"\n    $rule.LocalAddresses = \"*\"\n    $rule.RemoteAddresses = \"*\"\n    $rule.Enabled = $true\n    $rule.Direction = 1\n    $rule.Action = 1\n    $rule.Grouping = \"Windows Remote Management\"\n\n    If ($add_rule) {\n        $fw.Rules.Add($rule)\n    }\n\n    Write-Verbose \"HTTP firewall rule $($rule.Name) updated\"\n}\n\n# Setup error handling.\nTrap\n{\n    $_\n    Exit 1\n}\n$ErrorActionPreference = \"Stop\"\n\n# Get the ID and security principal of the current user account\n$myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()\n$myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)\n\n# Get the security principal for the Administrator role\n$adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator\n\n# Check to see if we are currently running \"as Administrator\"\nif (-Not $myWindowsPrincipal.IsInRole($adminRole))\n{\n    Write-Output \"ERROR: You need elevated Administrator privileges in order to run this script.\"\n    Write-Output \"       Start Windows PowerShell by using the Run as Administrator option.\"\n    Exit 2\n}\n\n$EventSource = $MyInvocation.MyCommand.Name\nIf (-Not $EventSource)\n{\n    $EventSource = \"Powershell CLI\"\n}\n\nIf ([System.Diagnostics.EventLog]::Exists('Application') -eq $False -or [System.Diagnostics.EventLog]::SourceExists($EventSource) -eq $False)\n{\n    New-EventLog -LogName Application -Source $EventSource\n}\n\n# Detect PowerShell version.\nIf ($PSVersionTable.PSVersion.Major -lt 3)\n{\n    Write-Log \"PowerShell version 3 or higher is required.\"\n    Throw \"PowerShell version 3 or higher is required.\"\n}\n\n# Find and start the WinRM service.\nWrite-Verbose \"Verifying WinRM service.\"\nIf (!(Get-Service \"WinRM\"))\n{\n    Write-Log \"Unable to find the WinRM service.\"\n    Throw \"Unable to find the WinRM service.\"\n}\nElseIf ((Get-Service \"WinRM\").Status -ne \"Running\")\n{\n    Write-Verbose \"Setting WinRM service to start automatically on boot.\"\n    Set-Service -Name \"WinRM\" -StartupType Automatic\n    Write-Log \"Set WinRM service to start automatically on boot.\"\n    Write-Verbose \"Starting WinRM service.\"\n    Start-Service -Name \"WinRM\" -ErrorAction Stop\n    Write-Log \"Started WinRM service.\"\n\n}\n\n# WinRM should be running; check that we have a PS session config.\nIf (!(Get-PSSessionConfiguration -Verbose:$false) -or (!(Get-ChildItem WSMan:\\localhost\\Listener)))\n{\n  If ($SkipNetworkProfileCheck) {\n    Write-Verbose \"Enabling PS Remoting without checking Network profile.\"\n    Enable-PSRemoting -SkipNetworkProfileCheck -Force -ErrorAction Stop\n    Write-Log \"Enabled PS Remoting without checking Network profile.\"\n  }\n  Else {\n    Write-Verbose \"Enabling PS Remoting.\"\n    Enable-PSRemoting -Force -ErrorAction Stop\n    Write-Log \"Enabled PS Remoting.\"\n  }\n}\nElse\n{\n    Write-Verbose \"PS Remoting is already enabled.\"\n}\n\n# Make sure there is a SSL listener.\n$listeners = Get-ChildItem WSMan:\\localhost\\Listener\nIf (!($listeners | Where {$_.Keys -like \"TRANSPORT=HTTPS\"}))\n{\n    # We cannot use New-SelfSignedCertificate on 2012R2 and earlier\n    $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays\n    Write-HostLog \"Self-signed SSL certificate generated; thumbprint: $thumbprint\"\n\n    # Create the hashtables of settings to be used.\n    $valueset = @{\n        Hostname = $SubjectName\n        CertificateThumbprint = $thumbprint\n    }\n\n    $selectorset = @{\n        Transport = \"HTTPS\"\n        Address = \"*\"\n    }\n\n    Write-Verbose \"Enabling SSL listener.\"\n    New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset\n    Write-Log \"Enabled SSL listener.\"\n}\nElse\n{\n    Write-Verbose \"SSL listener is already active.\"\n\n    # Force a new SSL cert on Listener if the $ForceNewSSLCert\n    If ($ForceNewSSLCert)\n    {\n\n        # We cannot use New-SelfSignedCertificate on 2012R2 and earlier\n        $thumbprint = New-LegacySelfSignedCert -SubjectName $SubjectName -ValidDays $CertValidityDays\n        Write-HostLog \"Self-signed SSL certificate generated; thumbprint: $thumbprint\"\n\n        $valueset = @{\n            CertificateThumbprint = $thumbprint\n            Hostname = $SubjectName\n        }\n\n        # Delete the listener for SSL\n        $selectorset = @{\n            Address = \"*\"\n            Transport = \"HTTPS\"\n        }\n        Remove-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset\n\n        # Add new Listener with new SSL cert\n        New-WSManInstance -ResourceURI 'winrm/config/Listener' -SelectorSet $selectorset -ValueSet $valueset\n    }\n}\n\n# Check for basic authentication.\n$basicAuthSetting = Get-ChildItem WSMan:\\localhost\\Service\\Auth | Where-Object {$_.Name -eq \"Basic\"}\n\nIf ($DisableBasicAuth)\n{\n    If (($basicAuthSetting.Value) -eq $true)\n    {\n        Write-Verbose \"Disabling basic auth support.\"\n        Set-Item -Path \"WSMan:\\localhost\\Service\\Auth\\Basic\" -Value $false\n        Write-Log \"Disabled basic auth support.\"\n    }\n    Else\n    {\n        Write-Verbose \"Basic auth is already disabled.\"\n    }\n}\nElse\n{\n    If (($basicAuthSetting.Value) -eq $false)\n    {\n        Write-Verbose \"Enabling basic auth support.\"\n        Set-Item -Path \"WSMan:\\localhost\\Service\\Auth\\Basic\" -Value $true\n        Write-Log \"Enabled basic auth support.\"\n    }\n    Else\n    {\n        Write-Verbose \"Basic auth is already enabled.\"\n    }\n}\n\n# If EnableCredSSP if set to true\nIf ($EnableCredSSP)\n{\n    # Check for CredSSP authentication\n    $credsspAuthSetting = Get-ChildItem WSMan:\\localhost\\Service\\Auth | Where {$_.Name -eq \"CredSSP\"}\n    If (($credsspAuthSetting.Value) -eq $false)\n    {\n        Write-Verbose \"Enabling CredSSP auth support.\"\n        Enable-WSManCredSSP -role server -Force\n        Write-Log \"Enabled CredSSP auth support.\"\n    }\n}\n\nIf ($GlobalHttpFirewallAccess) {\n    Enable-GlobalHttpFirewallAccess\n}\n\n# Configure firewall to allow WinRM HTTPS connections.\n$fwtest1 = netsh advfirewall firewall show rule name=\"Allow WinRM HTTPS\"\n$fwtest2 = netsh advfirewall firewall show rule name=\"Allow WinRM HTTPS\" profile=any\nIf ($fwtest1.count -lt 5)\n{\n    Write-Verbose \"Adding firewall rule to allow WinRM HTTPS.\"\n    netsh advfirewall firewall add rule profile=any name=\"Allow WinRM HTTPS\" dir=in localport=5986 protocol=TCP action=allow\n    Write-Log \"Added firewall rule to allow WinRM HTTPS.\"\n}\nElseIf (($fwtest1.count -ge 5) -and ($fwtest2.count -lt 5))\n{\n    Write-Verbose \"Updating firewall rule to allow WinRM HTTPS for any profile.\"\n    netsh advfirewall firewall set rule name=\"Allow WinRM HTTPS\" new profile=any\n    Write-Log \"Updated firewall rule to allow WinRM HTTPS for any profile.\"\n}\nElse\n{\n    Write-Verbose \"Firewall rule already exists to allow WinRM HTTPS.\"\n}\n\n# Test a remoting connection to localhost, which should work.\n$httpResult = Invoke-Command -ComputerName \"localhost\" -ScriptBlock {$env:COMPUTERNAME} -ErrorVariable httpError -ErrorAction SilentlyContinue\n$httpsOptions = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck\n\n$httpsResult = New-PSSession -UseSSL -ComputerName \"localhost\" -SessionOption $httpsOptions -ErrorVariable httpsError -ErrorAction SilentlyContinue\n\nIf ($httpResult -and $httpsResult)\n{\n    Write-Verbose \"HTTP: Enabled | HTTPS: Enabled\"\n}\nElseIf ($httpsResult -and !$httpResult)\n{\n    Write-Verbose \"HTTP: Disabled | HTTPS: Enabled\"\n}\nElseIf ($httpResult -and !$httpsResult)\n{\n    Write-Verbose \"HTTP: Enabled | HTTPS: Disabled\"\n}\nElse\n{\n    Write-Log \"Unable to establish an HTTP or HTTPS remoting session.\"\n    Throw \"Unable to establish an HTTP or HTTPS remoting session.\"\n}\nWrite-VerboseLog \"PS Remoting has been successfully configured for Ansible.\"\n\n# allow unencrypted communication for legacy compatibility while we migrate\nSet-Item WSMan:\\localhost\\Service\\AllowUnencrypted -Value $true\nGet-NetFirewallRule WINRM-HTTP-In-TCP-PUBLIC | Set-NetFirewallRule -RemoteAddress \"Any\"\n</powershell>\n", RequiresNew:true, Sensitive:false, Type:0x0}, "private_ip":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "private_dns":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "associate_public_ip_address":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "root_block_device.0.volume_size":*terraform.ResourceAttrDiff{Old:"", New:"64", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "primary_network_interface_id":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.BACKUP":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "placement_group":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "public_ip":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "ipv6_address_count":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "instance_state":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "ipv6_addresses.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "tags.app-number":*terraform.ResourceAttrDiff{Old:"", New:"CNA", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.Name":*terraform.ResourceAttrDiff{Old:"", New:"xyz", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "root_block_device.0.delete_on_termination":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "root_block_device.0.volume_id":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.stack-number":*terraform.ResourceAttrDiff{Old:"", New:"###", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "ephemeral_block_device.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "tenancy":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "instance_type":*terraform.ResourceAttrDiff{Old:"", New:"t3.medium", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "security_groups.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "source_dest_check":*terraform.ResourceAttrDiff{Old:"", New:"true", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "root_block_device.0.volume_type":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "tags.powerschedule":*terraform.ResourceAttrDiff{Old:"", New:"06-22-1111100-1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.os-version":*terraform.ResourceAttrDiff{Old:"", New:"windows2016", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "vpc_security_group_ids.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.stack-name":*terraform.ResourceAttrDiff{Old:"", New:"development", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "availability_zone":*terraform.ResourceAttrDiff{Old:"", New:"eu-west-1a", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "ami":*terraform.ResourceAttrDiff{Old:"", New:"ami-0284c77b", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "network_interface.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "get_password_data":*terraform.ResourceAttrDiff{Old:"", New:"false", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "root_block_device.#":*terraform.ResourceAttrDiff{Old:"", New:"1", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "cpu_core_count":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "tags.os-type":*terraform.ResourceAttrDiff{Old:"", New:"windows", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "ebs_block_device.#":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "network_interface_id":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "tags.environment":*terraform.ResourceAttrDiff{Old:"", New:"d", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "arn":*terraform.ResourceAttrDiff{Old:"", New:"", NewComputed:true, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}, "subnet_id":*terraform.ResourceAttrDiff{Old:"", New:"subnet-741de92f", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:true, Sensitive:false, Type:0x0}, "tags.%":*terraform.ResourceAttrDiff{Old:"", New:"9", NewComputed:false, NewRemoved:false, NewExtra:interface {}(nil), RequiresNew:false, Sensitive:false, Type:0x0}}, Destroy:false, DestroyDeposed:false, DestroyTainted:true, Meta:map[string]interface {}(nil)}

Also include as much context as you can about your config, state, and the steps you performed to trigger this error.```

@saravanan30erd saravanan30erd mentioned this issue Sep 9, 2018
Merged
@bflad bflad added bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service. labels Sep 18, 2018
@bflad bflad added this to the v1.37.0 milestone Sep 18, 2018
@bflad
Copy link
Contributor

bflad commented Sep 18, 2018

The fix for this has been merged into master for the aws_instance resource and will release with version 1.37.0 of the AWS provider, likely tomorrow.

@bflad
Copy link
Contributor

bflad commented Sep 19, 2018

This has been released in version 1.37.0 of the AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

@ghost
Copy link
Author

ghost commented Apr 3, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 3, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. service/ec2 Issues and PRs that pertain to the ec2 service.
Projects
None yet
Milestone
v1.37.0
Development

Successfully merging a pull request may close this issue.

credit_specification issues in aws_instance (T3) saravanan30erd/terraform-provider-aws
2 participants
@bflad @MMollyy