ClickHouse / terraform-provider-clickhouse

Terraform Provider for ClickHouse Cloud
Apache License 2.0

clickhouse_private_endpoint_registration always update in-place the id in terraform plan/apply #71

Closed yardenws closed 1 month ago

yardenws commented 2 months ago

Title

When using the resource "clickhouse_private_endpoint_registration", every time I run terraform plan / apply it says there are changes to the infrastructure. This happens in both scenarios:

Code example:

resource "clickhouse_private_endpoint_registration" "private_endpoints" {
  cloud_provider = "aws"
  id             = "vpce-xxxx"
  region         = var.region
}

OR

resource "aws_vpc_endpoint" "legacy2clickhouse" {
  vpc_id              = var.vpc_id
  service_name        = data.clickhouse_private_endpoint_config.service_id.endpoint_service_id
  vpc_endpoint_type   = "Interface"
  security_group_ids  = [for sg in data.aws_security_group.legacy_security_group : sg.id]
  subnet_ids          = [for subnet in data.aws_subnet.legacy_subnet : subnet.id]
  private_dns_enabled = true
  tags = {
    Name = "${var.environment} Clickhouse Legacy Peering"
  }
}

resource "clickhouse_private_endpoint_registration" "private_endpoints" {
  cloud_provider = "aws"
  id             = aws_vpc_endpoint.legacy2clickhouse.id
  region         = var.region
}

Output example:

Terraform will perform the following actions:

module.site.module.clickhouse[0].clickhouse_private_endpoint_registration.private_endpoints will be updated in-place
~ resource "clickhouse_private_endpoint_registration" "private_endpoints" {
      id = "vpce-xxxxxxx"
      (3 unchanged attributes hidden)
  }

smstone commented 1 month ago

Hello @yardenws,

I attempted to recreate the issue you've described above but was not able to. I used the configuration from the examples directory and used the latest ClickHouse provider version v0.0.10.

My environment setup is as follows:

$ terraform version
Terraform v1.9.3
on darwin_arm64
+ provider registry.terraform.io/clickhouse/clickhouse v0.0.10
+ provider registry.terraform.io/hashicorp/aws v5.60.0

Can you please let me know which versions you're using when this happens? If you're not on the latest, can you please try them to see if it addresses this issue?

Thank you, Steven

yardenws commented 1 month ago

Hey @smstone, thanks for your comment. I'm able to reproduce this issue using these versions:

terraform version: 1.9.3
clickhouse provider version: 0.0.10
aws terraform provider is currently lower than 5.0.0. (Can it be related? This resource is a clickhouse provider resource.)

smstone commented 1 month ago

Thank you for providing that @yardenws.

I still am unable to reproduce this using the versions you provided.

If possible, can you share your Terraform configuration so we can review it? Alternatively, you can reach out to ClickHouse Cloud support so we have the ClickHouse instance IDs plus the Terraform code to investigate this fully and get to the cause of this issue.

Have a nice weekend, Steven

whites11 commented 1 month ago

I can replicate this using the PrivateLink example

whites11 commented 1 month ago

The problem is with the private_endpoint_ids field in the terraform state for the clickhouse_service resource.

That field is updated in 2 ways:

  1. by adding endpoint IDs in the resource itself

resource "clickhouse_service" "aws_red" {
  ...
  private_endpoint_ids = [
    "yadayada"
  ]
}

  2. by adding a clickhouse_service_private_endpoint_attachment resource.

The problem is that the two resources are fighting against each other, making the plan for clickhouse_service always dirty, and in turn (for a game of depends_on) other resources always dirty as well.

We need a way to distinguish endpoint_ids that are explicitly requested by the user in the clickhouse_service resource attributes and those implicitly added via clickhouse_service_private_endpoint_attachment.

whites11 commented 1 month ago

The solution is to make the clickhouse_service <-> vpc endpoint attachment explicit in the clickhouse_service config.

Example:

resource "clickhouse_service" "aws_red" {
  ...
  private_endpoint_ids = [
    clickhouse_private_endpoint_registration.private_endpoint_aws_foo.id
  ]
}

resource "clickhouse_private_endpoint_registration" "private_endpoint_aws_foo" {
  id             = aws_vpc_endpoint.pl_vpc_foo.id
  ...
}

resource "aws_vpc_endpoint" "pl_vpc_foo" {
  ...
}

The clickhouse_service_private_endpoint_attachment resource, as it is implemented right now, can never work.
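
An added example, not part of the original thread or of the provider's code: a check that reads the JSON form of a plan taken right after a successful apply and reports in-place updates on the two resource types discussed here, which is how the "always dirty" plan shows up in CI. The sample plan is constructed; the keys `resource_changes`, `change`, `actions`, `before`, `after` and `after_unknown` are those of Terraform's JSON plan representation.

```python
import json

# Constructed sample: trimmed `terraform show -json <planfile>` output taken
# right after an apply. Addresses, IDs and attribute values are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "clickhouse_service.aws_red", "type": "clickhouse_service",
   "change": {"actions": ["update"], "after_unknown": {},
              "before": {"name": "red", "private_endpoint_ids": ["vpce-constructed1"]},
              "after":  {"name": "red", "private_endpoint_ids": []}}},
  {"address": "clickhouse_private_endpoint_registration.private_endpoints",
   "type": "clickhouse_private_endpoint_registration",
   "change": {"actions": ["update"], "after_unknown": {},
              "before": {"id": "vpce-constructed1", "region": "us-east-1"},
              "after":  {"id": "vpce-constructed1", "region": "us-east-1"}}},
  {"address": "aws_vpc_endpoint.pl_vpc_foo", "type": "aws_vpc_endpoint",
   "change": {"actions": ["no-op"], "after_unknown": {},
              "before": {"id": "vpce-constructed1"},
              "after":  {"id": "vpce-constructed1"}}}
]}
""")

WATCHED = {"clickhouse_service", "clickhouse_private_endpoint_registration"}

def _has_unknown(value):
    # after_unknown mirrors `after`, with True at every "known after apply" leaf.
    if isinstance(value, dict):
        return any(_has_unknown(v) for v in value.values())
    if isinstance(value, list):
        return any(_has_unknown(v) for v in value)
    return value is True

def changed_attributes(change):
    """Top-level attributes that differ or are only known after apply."""
    before, after = change.get("before") or {}, change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    keys = set(before) | set(after) | set(unknown)
    return sorted(k for k in keys
                  if before.get(k) != after.get(k) or _has_unknown(unknown.get(k)))

def perpetual_diff_suspects(plan, watched=WATCHED):
    """Map address -> changed attributes for in-place updates on watched types."""
    return {rc["address"]: changed_attributes(rc["change"])
            for rc in plan.get("resource_changes", [])
            if rc.get("type") in watched and rc["change"].get("actions") == ["update"]}

if __name__ == "__main__":
    for address, attrs in perpetual_diff_suspects(SAMPLE_PLAN).items():
        print(address, "->", attrs or "no visible attribute change")
```

An empty attribute list means the update is planned without any visible attribute difference, as in the plan output quoted at the top of the thread.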