Run an ASG instance refresh on TF configuration change

[hugoShaka]

What would you like Teleport to do?

As a user editing the Teleport ASG with Terraform (updating config or Teleport version) I want the changes to apply immediately.

What problem does this solve?

Changes in configuration don't trigger an instance refresh, thus are not applied unless machines are deleted/restarted.
This causes a lot of confusion and time lost troubleshooting why the configuration change did not apply. This can also cause security issues when users think they have updated to a version containing a security fix while still running vulnerable images.

If a workaround exists, please include it.

Trigger instance rollout manually.

Implementation details

See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group#automatically-refresh-all-instances-after-the-group-is-updated

[GavinFrazar]

template changes will trigger a refresh by default, unless you use version = "$Latest" instead of referring to the template latest version:

A refresh will not start when version = "$Latest" is configured in the launch_template block. To trigger the instance refresh when a launch template is changed, configure version to use the latest_version attribute of the aws_launch_template resource.

Thus the fix is to change these config blocks like so:

  launch_template {
    name    = aws_launch_template.proxy.name
-   version = "$Latest"
+   version = aws_launch_template.proxy.latest_version
  }