Permanent diff when using consul_config_entry for intentions #281
Comments
Hi @lawliet89, thanks for reporting this issue. Could you please add the content of the

@remilapeyre I am using Consul 1.10.1.
Hi @lawliet89, here's the error I get when trying to apply

```hcl
locals {
  connect_allowed_services = ["hello", "world"]
}

resource "consul_config_entry" "service_intention" {
  kind = "service-intentions"
  name = "grafana"

  config_json = jsonencode(
    {
      Sources = concat(
        [
          {
            Name        = "ambassador"
            Description = "Allow Ambassador to access"
            Permissions = [
              {
                Action = "allow"
                HTTP = {
                  PathPrefix = "/"
                }
              }
            ]
          }
        ],
        [for service in local.connect_allowed_services : {
          Name        = service
          Description = "Allow service to access"
          Permissions = [
            {
              Action = "allow"
              HTTP = {
                PathPrefix = "/"
              }
            }
          ]
        }],
        [
          {
            Name        = "*"
            Description = "Deny everyone else"
            Permissions = [
              {
                Action = "deny"
                HTTP = {
                  PathPrefix = "/"
                }
              }
            ]
          }
        ],
      )
    }
  )
}
```

You need to set a

```hcl
resource "consul_config_entry" "service_default" {
  kind = "service-defaults"
  name = "grafana"

  config_json = jsonencode({
    Protocol = "http"
  })
}
```
Thanks, I looked into the issue. The root cause of the issue is that Consul configuration entries can take different attributes based on their kind, and those attributes can have different defaults based on the configuration of the cluster. Even worse, one config entry kind can have different attributes based on the Consul server version. This makes it impossible for Terraform to know if an attribute it reads but that was not in the configuration is just the default value and should be kept, or if the config entry was changed by an external process and this attribute needs to be removed. The only way to not have perpetual diffs with

```hcl
resource "consul_config_entry" "service_default" {
  kind = "service-defaults"
  name = "grafana"

  config_json = jsonencode({
    Protocol         = "http"
    Expose           = {}
    MeshGateway      = {}
    TransparentProxy = {}
  })
}

locals {
  connect_allowed_services = ["hello", "world"]
}

resource "consul_config_entry" "service_intention" {
  kind = "service-intentions"
  name = "grafana"

  config_json = jsonencode(
    {
      Sources = concat(
        [
          {
            Name        = "ambassador"
            Description = "Allow Ambassador to access"
            Precedence  = 9
            Type        = "consul"
            Permissions = [
              {
                Action = "allow"
                HTTP = {
                  PathPrefix = "/"
                }
              }
            ]
          }
        ],
        [for service in local.connect_allowed_services : {
          Name        = service
          Description = "Allow service to access"
          Precedence  = 9
          Type        = "consul"
          Permissions = [
            {
              Action = "allow"
              HTTP = {
                PathPrefix = "/"
              }
            }
          ]
        }],
        [
          {
            Name        = "*"
            Description = "Deny everyone else"
            Precedence  = 8
            Type        = "consul"
            Permissions = [
              {
                Action = "deny"
                HTTP = {
                  PathPrefix = "/"
                }
              }
            ]
          }
        ],
      )
    }
  )

  depends_on = [
    consul_config_entry.service_default
  ]
}
```

I see that there is no mention of this in the documentation; since it's something that differs from all other Terraform resources, I will add a note about it at https://registry.terraform.io/providers/hashicorp/consul/latest/docs/resources/config_entry. Does this solve your issue?
That's logical. The only issue I can see is that the precedence of an intention source might change between different Consul versions (AFAIK). I guess it might not be very viable to put in custom diff suppression code for different config entries?

Indeed, the custom diff suppression function would need to be different for different Consul versions. To make things more complex, Terraform providers need to be able to compute plans without making calls to the Consul server (e.g. with
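To make the root cause described in the two comments above concrete, here is an added Python model (not the provider's or Consul's own code) of why the plan never converges: the server fills in fields the configuration omitted, a plain structural compare of configured vs. read-back JSON flags them, and pinning them explicitly makes the diff disappear. The simulated server behaviour is an assumption built only from what this thread shows (Precedence 9 for named sources, 8 for the "*" wildcard, Type "consul"); real Consul assigns precedence by its own rules, which the thread notes can change between versions.

```python
import json

# Constructed sample of what the page's service-intentions config_json
# sends for "grafana", before the server adds anything.
CONFIGURED = {
    "Kind": "service-intentions",
    "Name": "grafana",
    "Sources": [
        {"Name": "ambassador", "Description": "Allow Ambassador to access",
         "Permissions": [{"Action": "allow", "HTTP": {"PathPrefix": "/"}}]},
        {"Name": "*", "Description": "Deny everyone else",
         "Permissions": [{"Action": "deny", "HTTP": {"PathPrefix": "/"}}]},
    ],
}


def consul_read_back(entry):
    # Assumed (constructed) server behaviour: every source comes back with
    # Type and Precedence filled in, using the values shown in the thread.
    out = json.loads(json.dumps(entry))  # deep copy; never mutate the input
    for src in out.get("Sources", []):
        src.setdefault("Type", "consul")
        src.setdefault("Precedence", 8 if src["Name"] == "*" else 9)
    return out


def server_added_keys(configured, read_back, path=""):
    # Dotted paths present in the read-back state but absent from the
    # configuration. The provider cannot tell a harmless default from an
    # out-of-band edit, so each one reappears in every plan as a diff.
    added = []
    if isinstance(configured, dict) and isinstance(read_back, dict):
        for key, value in read_back.items():
            here = f"{path}.{key}" if path else key
            if key not in configured:
                added.append(here)
            else:
                added.extend(server_added_keys(configured[key], value, here))
    elif isinstance(configured, list) and isinstance(read_back, list):
        for i, (c, r) in enumerate(zip(configured, read_back)):
            added.extend(server_added_keys(c, r, f"{path}[{i}]"))
    return added


def pin_defaults(entry):
    # The workaround from the thread: state every server-assigned field
    # explicitly so the configuration equals what is read back.
    return consul_read_back(entry)


def has_perpetual_diff(entry):
    return bool(server_added_keys(entry, consul_read_back(entry)))
```

Running `server_added_keys(CONFIGURED, consul_read_back(CONFIGURED))` lists exactly the Type and Precedence fields that the maintainer's pinned configuration adds, and `has_perpetual_diff(pin_defaults(CONFIGURED))` is false.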
Affected Resource(s)
consul_config_entry

Expected Behavior
No permanent diff

Actual Behavior
Permanent diff in some values that are assigned by Consul.

Steps to Reproduce
terraform plan