fivexl / terraform-aws-sso-elevator

Slack bot to temporarily assign an AWS SSO Permission set to a user
https://registry.terraform.io/modules/fivexl/sso-elevator/aws/latest
Apache License 2.0

Terraform with remote state always wants to replace everything #64

Closed oleksandrsv closed 4 months ago

oleksandrsv commented 11 months ago

Hi, if I apply locally, Terraform sees no difference with the remote state. All resources are present in state. But if I remove the local cache and then try to run plan, Terraform wants to replace everything.

My guess is this is causing it:

```
  # module.aws_sso_elevator.module.access_revoker.local_file.archive_plan[0] must be replaced
-/+ resource "local_file" "archive_plan" {
      ~ content              = jsonencode(
          ~ {
              ~ filename      = "builds/c88c71cd99f71d6deb0a46969c1584ca1e2899cb3d765ce1429cb558d8abfb90.zip" -> "builds/ea77b66cded6aa48746807d9ae14d5778eb410a58ce354f177b855ddcb9b44d5.zip"
                # (4 unchanged attributes hidden)
            } # forces replacement
```

Other changes are triggered by the change above:

```
  # module.aws_sso_elevator.module.access_requester_slack_handler.local_file.archive_plan[0] must be replaced
-/+ resource "local_file" "archive_plan" {
      ~ content              = jsonencode(
          ~ {
              ~ filename      = "builds/440c17238b2c1372e39edfcd5cfa32e30734dc8bc55e231aa5709b9ecf8c2603.zip" -> "builds/8c84fb1091d4a4619cd0f5d723de0b9b3f07307c3b9dda4e3f28f13253408f1e.zip"
                # (4 unchanged attributes hidden)
            } # forces replacement
  # module.aws_sso_elevator.module.access_requester_slack_handler.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
      ~ id       = "7943143754658354399" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "filename"  = "builds/440c17238b2c1372e39edfcd5cfa32e30734dc8bc55e231aa5709b9ecf8c2603.zip" -> "builds/8c84fb1091d4a4619cd0f5d723de0b9b3f07307c3b9dda4e3f28f13253408f1e.zip"
          ~ "timestamp" = "1696931179506613000" -> "1699558849737953000"
  # module.aws_sso_elevator.module.access_requester_slack_handler.null_resource.sam_metadata_aws_lambda_function[0] must be replaced
-/+ resource "null_resource" "sam_metadata_aws_lambda_function" {
      ~ id       = "3858702888759506643" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "built_output_path"    = "builds/440c17238b2c1372e39edfcd5cfa32e30734dc8bc55e231aa5709b9ecf8c2603.zip" -> "builds/8c84fb1091d4a4619cd0f5d723de0b9b3f07307c3b9dda4e3f28f13253408f1e.zip"
  # module.aws_sso_elevator.module.access_revoker.aws_lambda_permission.current_version_triggers["check_inconsistency"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "check_inconsistency" -> (known after apply)
      ~ qualifier           = "9" # forces replacement -> (known after apply) # forces replacement
  # module.aws_sso_elevator.module.access_revoker.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
      ~ id       = "1049804038215205338" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "filename"  = "builds/c88c71cd99f71d6deb0a46969c1584ca1e2899cb3d765ce1429cb558d8abfb90.zip" -> "builds/ea77b66cded6aa48746807d9ae14d5778eb410a58ce354f177b855ddcb9b44d5.zip"
          ~ "timestamp" = "1696931179505630000" -> "1699558849737952000"
  # module.aws_sso_elevator.module.access_revoker.null_resource.sam_metadata_aws_lambda_function[0] must be replaced
-/+ resource "null_resource" "sam_metadata_aws_lambda_function" {
      ~ id       = "107939786678733627" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "built_output_path"    = "builds/c88c71cd99f71d6deb0a46969c1584ca1e2899cb3d765ce1429cb558d8abfb90.zip" -> "builds/ea77b66cded6aa48746807d9ae14d5778eb410a58ce354f177b855ddcb9b44d5.zip"
```

I have found that changing source.content instead of the local filepath could possibly be a solution for it, but I didn't manage to find how this archive is created.

oleksandrsv commented 11 months ago

Result of apply:

```
Releasing state lock. This may take a few moments...

Apply complete! Resources: 6 added, 2 changed, 2 destroyed.

Outputs:

aws_sso_elevator_lambda_function_url = "https://*.lambda-url.us-east-1.on.aws/"
```

And then plan:

```
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. Releasing state lock. This may take a few moments...
```

Removing the cache:

```
➜ ls -la
total 24
drwxr-xr-x   5 oleksandr  staff   160 Oct 20 17:13 .
drwxr-xr-x  46 oleksandr  staff  1472 Nov  9 20:02 ..
-rw-r--r--   1 oleksandr  staff  5741 Nov  9 20:22 .terraform.lock.hcl
drwx------   3 oleksandr  staff    96 Oct 10 12:14 .terragrunt-cache
-rw-r--r--   1 oleksandr  staff   979 Nov  9 20:21 terragrunt.hcl
➜ rm -rf .terraform.lock.hcl
➜ rm -rf .terragrunt-cache
➜ ls -la
total 8
drwxr-xr-x   3 oleksandr  staff    96 Nov  9 21:56 .
drwxr-xr-x  46 oleksandr  staff  1472 Nov  9 20:02 ..
-rw-r--r--   1 oleksandr  staff   979 Nov  9 20:21 terragrunt.hcl
```

Running plan:

```
  # module.aws_sso_elevator.module.access_requester_slack_handler.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
      ~ id       = "1499301416522525763" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "timestamp" = "1699559646967497200" -> "1699559899453123000"
            # (1 unchanged element hidden)
        }
    }

  # module.aws_sso_elevator.module.access_revoker.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
      ~ id       = "4878218948847264937" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "timestamp" = "1699559646967499000" -> "1699559899454879000"
            # (1 unchanged element hidden)
        }
    }

  # module.aws_sso_elevator.module.sso_elevator_dependencies.null_resource.archive[0] must be replaced
-/+ resource "null_resource" "archive" {
      ~ id       = "6951739542518006098" -> (known after apply)
      ~ triggers = { # forces replacement
          ~ "timestamp" = "1696931179495508000" -> "1699559899455141000"
            # (1 unchanged element hidden)
        }
    }

Plan: 3 to add, 0 to change, 3 to destroy.
```

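
The plan above shows the `timestamp` trigger alone forcing each `null_resource.archive` to be replaced once the local cache is gone. As an added illustration (not code from sso-elevator or from terraform-aws-lambda; the `./src` directory, the `builds/` path and the `zip` CLI are assumed), here is an archive step keyed on a timestamp beside one keyed on the source content, so that a plan from a fresh checkout against remote state stays empty:

```hcl
# Added example, not the module's own code. Assumes a Lambda source tree in
# ./src and that the "zip" CLI is on PATH where terraform apply runs.

locals {
  # Hash every file under ./src in sorted order: the value changes only when
  # source content changes, not when .terraform or .terragrunt-cache is deleted.
  src_files = sort(fileset("${path.module}/src", "**"))
  src_hash  = sha256(join("", [for f in local.src_files : filesha256("${path.module}/src/${f}")]))
  zip_path  = "${path.module}/builds/${local.src_hash}.zip"
}

# Pattern seen in the plan above: timestamp() yields a new value on every plan,
# so the trigger always differs and the resource is replaced (known after apply).
resource "null_resource" "archive_by_timestamp" {
  triggers = {
    filename  = local.zip_path
    timestamp = timestamp()
  }

  provisioner "local-exec" {
    command = "mkdir -p ${path.module}/builds && cd ${path.module}/src && zip -r -X ${abspath(local.zip_path)} ."
  }
}

# Content-keyed trigger: identical on every machine and every fresh checkout as
# long as the files under ./src are unchanged, so it matches remote state.
resource "null_resource" "archive_by_content" {
  triggers = {
    filename = local.zip_path
    src_hash = local.src_hash
  }

  provisioner "local-exec" {
    command = "mkdir -p ${path.module}/builds && cd ${path.module}/src && zip -r -X ${abspath(local.zip_path)} ."
  }
}
```

The trigger hashes the source files rather than the resulting archive because zip stores entry modification times, so two builds of unchanged sources can still produce byte-different archives unless the build is made reproducible.
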
Andrey9kin commented 11 months ago

@oleksandrsv, thanks for reporting this. The issue originates from the open-source lambda module we use inside to create lambdas. Here you can find a similar issue reported to the module: https://github.com/terraform-aws-modules/terraform-aws-lambda/issues/339

Let us look into what we can do, but we can't promise anything at the moment.

Andrey9kin commented 5 months ago

To be addressed in #75

Andrey9kin commented 4 months ago

@oleksandrsv, we implemented the use of pre-built Docker images, which removes the local build and should solve the issue you reported.