PaloAltoNetworks / terraform-aws-vmseries-modules

Terraform Reusable Modules for VM-Series on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws
MIT License

VM-Series AMI lookup matching multiple images #239

Closed seanyoungberg closed 2 years ago

seanyoungberg commented 2 years ago

Describe the bug

Initially a 10.1.6 marketplace was published. Later an image was published for 10.1.6-h6. The data lookup for the AMI based on var.vmseries_version will match both of these, causing indeterminate image selection. If the initial deployment was done prior to the release of the updated image, it will try to force recreation of the VM as it is now matching a new image.

https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/blob/d90962ec49811151dbbd12f66de8eb09eb5f0700/modules/vmseries/main.tf#L10

Expected behavior

Specifying a version, for example 10.1.6, should always explicitly match the AMI of that specific version and not additional hotfix images matching the same pattern.

Current behavior

A subsequent apply after a new marketplace image is published causes recreation of the instance.

Possible solution

A bit tricky as we need the wildcard in the data lookup. Probably some regex needed.

Steps to reproduce

AWS CLI using the same lookup to look up the AMI, showing two matches:

$ aws ec2 describe-images --filters Name=name,Values=PA-VM-AWS-10.1.6* Name=product-code,Values=6njl1pau431dv1qxipg63mvah  --region us-east-1 --query 'Images[].{id : ImageId, name: Name, description: Description}'
[
    {
        "id": "ami-02fa654aa5ac0bc40",
        "name": "PA-VM-AWS-10.1.6-7064e142-2859-40a4-ab62-8b0996b842e9",
        "description": "[Copied ami-0fdeb43b7a7e1c9f3 from us-east-1] PA-VM-AWS-10.1.6"
    },
    {
        "id": "ami-027013329ba3f0aa1",
        "name": "PA-VM-AWS-10.1.6-h6-7064e142-2859-40a4-ab62-8b0996b842e9",
        "description": "[Copied ami-01ed6fc7b93298669 from us-east-1] PA-VM-AWS-10.1.6-h6"
    }
]

Screenshots

module.obew_vmseries["EW-AND-EGRESS-PROD-FW-A"].aws_instance.this must be replaced
-/+ resource "aws_instance" "this" {
      ~ ami                                  = "ami-02fa654aa5ac0bc40" -> "ami-027013329ba3f0aa1" # forces replacement
      ~ arn                                  = "arn:aws:ec2:us-east-1:12345:instance/i-12345 -> (known after apply)
      ~ associate_public_ip_address          = false -> (known after apply)
      ~ availability_zone                    = "us-east-1a" -> (known after apply)
      ~ cpu_core_count                       = 2 -> (known after apply)

Context

Your Environment

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

github-actions[bot] commented 2 years ago

:tada: This issue has been resolved in version 0.3.0 :tada:

The release is available on Terraform Registry and GitHub release

Posted by semantic-release bot
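
An added example, not part of the original issue and not the project's own fix: a sketch of the "some regex" idea from the report, run over the two image names quoted in the `describe-images` output above. It assumes marketplace names follow `PA-VM-AWS-<version>-<UUID>`, as both quoted names do; the function names are hypothetical.

```python
import re

# Constructed sample: the two images from the describe-images output in the issue.
SAMPLE_IMAGES = [
    {"id": "ami-02fa654aa5ac0bc40",
     "name": "PA-VM-AWS-10.1.6-7064e142-2859-40a4-ab62-8b0996b842e9"},
    {"id": "ami-027013329ba3f0aa1",
     "name": "PA-VM-AWS-10.1.6-h6-7064e142-2859-40a4-ab62-8b0996b842e9"},
]

# Assumption: the name ends with a UUID-shaped suffix, as in both names above.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"


def wildcard_matches(images, version):
    """Reproduce the Name=name,Values=PA-VM-AWS-<version>* filter (prefix match)."""
    prefix = "PA-VM-AWS-" + version
    return [img for img in images if img["name"].startswith(prefix)]


def exact_version_regex(version):
    """Pattern that pins the version: it must be followed directly by the UUID suffix."""
    return re.compile("PA-VM-AWS-" + re.escape(version) + "-" + UUID)


def select_ami(images, version):
    """Return the one image ID for exactly this version; fail closed otherwise."""
    rx = exact_version_regex(version)
    hits = [img for img in wildcard_matches(images, version)
            if rx.fullmatch(img["name"])]
    if len(hits) != 1:
        # Zero or several candidates: refuse to pick rather than choose arbitrarily.
        raise LookupError(f"expected exactly one AMI for {version!r}, found {len(hits)}")
    return hits[0]["id"]


if __name__ == "__main__":
    print(len(wildcard_matches(SAMPLE_IMAGES, "10.1.6")), "images match the wildcard")
    print("10.1.6    ->", select_ami(SAMPLE_IMAGES, "10.1.6"))
    print("10.1.6-h6 ->", select_ami(SAMPLE_IMAGES, "10.1.6-h6"))
```

In Terraform, the `aws_ami` data source accepts a `name_regex` argument, so an anchored pattern of this shape can be applied on top of the wildcard filter.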