hashicorp / terraform-aws-consul-ecs

Consul Service Mesh on AWS ECS (Elastic Container Service)
https://www.consul.io/docs/ecs
Mozilla Public License 2.0

v0.8.0 tf perpetual drift when enable_transparent_proxy is false #318

Open v-rosa opened 5 months ago

v-rosa commented 5 months ago

Hey, we're testing the Consul ECS v0.8.0 terraform module, more specifically the mesh-task.

While testing we've found that after applying the changes, subsequent plans will keep displaying perpetual diffs in the container definitions about default values not being present. This doesn't happen in v0.7.1 at least.

Terraform version: v1.3.7
AWS Provider version: v5.50.0
ECS deployment model: Fargate (meaning variable enable_transparent_proxy is set to false, this is relevant as per my findings).

Perpetual drift:

# module.ecs_services["consul-test-module-clt-test-task"].module.consul_mesh_template[0].aws_ecs_task_definition.this must be replaced
-/+ resource "aws_ecs_task_definition" "this" {
      ~ arn                      = "arn:aws:ecs:us-east-1:redacted:task-definition/stg-consul-test-module-clt-test-task-template:5" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:redacted:task-definition/stg-consul-test-module-clt-test-task-template" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [ # forces replacement
              ~ {
                  - cpu              = 0 -> null
                    name             = "some-container-injected"
                  - portMappings     = [] -> null
                  - systemControls   = [] -> null
                  - volumesFrom      = [] -> null
                    # (6 unchanged elements hidden)
                } # forces replacement,
              ~ {
                    name             = "consul-dataplane"
                  - systemControls   = [] -> null
                    # (14 unchanged elements hidden)
                } # forces replacement,
              ~ {
                    name             = "consul-ecs-health-sync"
                  - systemControls   = [] -> null
                    # (13 unchanged elements hidden)
                } # forces replacement,
              ~ {
                  ~ linuxParameters  = {
                      ~ capabilities       = {
                          - add  = [] -> null
                          - drop = [] -> null
                        }
                        # (1 unchanged element hidden)
                    }
                    name             = "consul-ecs-mesh-init"
                  - portMappings     = [] -> null
                  - systemControls   = [] -> null
                    # (9 unchanged elements hidden)
                } # forces replacement,
              ~ {
                  - cpu              = 0 -> null
                    name             = "consul-test-module-clt-test-task"
                  - systemControls   = [] -> null
                  - volumesFrom      = [] -> null
                    # (8 unchanged elements hidden)
                } # forces replacement,
              ~ {
                  - cpu              = 0 -> null
                    name             = "some-container-injected"
                  - portMappings     = [] -> null
                  - systemControls   = [] -> null
                  - volumesFrom      = [] -> null
                    # (7 unchanged elements hidden)
                } # forces replacement,
            ]
        )
      ~ id                       = "stg-consul-test-module-clt-test-task-template" -> (known after apply)
      ~ revision                 = 5 -> (known after apply)
        tags                     = {
            "Module"                              = "consul-test-module-clt"
            "Name"                                = "consul-test-module-clt-test-task"
            "consul.hashicorp.com/mesh"           = "true"
            "consul.hashicorp.com/module"         = "terraform-aws-consul-ecs"
            "consul.hashicorp.com/module-version" = "0.8.0"
            "consul.hashicorp.com/namespace"      = "default"
            "consul.hashicorp.com/partition"      = "stg"
            "consul.hashicorp.com/service-name"   = "consul-test-module-clt-test-task"
        }
        # (10 unchanged attributes hidden)
        # (3 unchanged blocks hidden)
    }

From my investigation, basically the issue seems related to the empty dictionary capabilities inside linuxParameters.

The initial apply creates an empty capabilities dict inside the linuxParameters dict:

           ~ {
                  ~ linuxParameters  = {
                      + capabilities       = {}
                        # (1 unchanged element hidden)
                    }
                    name             = "consul-ecs-mesh-init"
                  - portMappings     = [] -> null
                  - systemControls   = [] -> null
                    # (9 unchanged elements hidden)
                } # forces replacement,

The subsequent plan tries to change it to null:

# module.ecs_services["consul-test-module-clt-test-task"].module.consul_mesh_template[0].aws_ecs_task_definition.this must be replaced
-/+ resource "aws_ecs_task_definition" "this" {
      ~ arn                      = "arn:aws:ecs:us-east-1:redacted:task-definition/stg-consul-test-module-clt-test-task-template:5" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-east-1:redacted:task-definition/stg-consul-test-module-clt-test-task-template" -> (known after apply)
      ~ container_definitions    = jsonencode(
          ~ [ # forces replacement
              ~ {
                  - cpu              = 0 -> null
                    name             = "some-container-injected"
                  - portMappings     = [] -> null
                  - systemControls   = [] -> null
                  - volumesFrom      = [] -> null
                    # (6 unchanged elements hidden)
                } # forces replacement,
              ~ {
                    name             = "consul-dataplane"
                  - systemControls   = [] -> null
                    # (14 unchanged elements hidden)
                } # forces replacement,
              ~ {
                    name             = "consul-ecs-health-sync"
                  - systemControls   = [] -> null
                    # (13 unchanged elements hidden)
                } # forces replacement,
              ~ {
                  ~ linuxParameters  = {
                      ~ capabilities       = {
                          - add  = [] -> null
                          - drop = [] -> null
                        }
                        # (1 unchanged element hidden)
                    }
                    name             = "consul-ecs-mesh-init"
                  - portMappings     = [] -> null
                  - systemControls   = [] -> null
                    # (9 unchanged elements hidden)
                } # forces replacement,
              ~ {
                  - cpu              = 0 -> null
                    name             = "consul-test-module-clt-test-task"
                  - systemControls   = [] -> null
                  - volumesFrom      = [] -> null
                    # (8 unchanged elements hidden)
                } # forces replacement,
              ~ {
                  - cpu              = 0 -> null
                    name             = "some-container-injected"
                  - portMappings     = [] -> null
                  - systemControls   = [] -> null
                  - volumesFrom      = [] -> null
                    # (7 unchanged elements hidden)
                } # forces replacement,
            ]
        )
      ~ id                       = "stg-consul-test-module-clt-test-task-template" -> (known after apply)
      ~ revision                 = 5 -> (known after apply)
        tags                     = {
            "Module"                              = "consul-test-module-clt"
            "Name"                                = "consul-test-module-clt-test-task"
            "consul.hashicorp.com/mesh"           = "true"
            "consul.hashicorp.com/module"         = "terraform-aws-consul-ecs"
            "consul.hashicorp.com/module-version" = "0.8.0"
            "consul.hashicorp.com/namespace"      = "default"
            "consul.hashicorp.com/partition"      = "stg"
            "consul.hashicorp.com/service-name"   = "consul-test-module-clt-test-task"
        }
        # (10 unchanged attributes hidden)
        # (3 unchanged blocks hidden)
    }

To avoid this, I need to slightly adjust the linuxParameters: https://github.com/hashicorp/terraform-aws-consul-ecs/pull/319
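A perpetual diff like the one reported above makes it hard to notice a plan that really does change a container's `linuxParameters.capabilities`. The following is an added example, not part of the issue or of the module's code: it separates cosmetic drift (only empty defaults differ) from real changes. The set of "defaults" (null, empty list, empty map, `cpu = 0`) is an assumption taken from the plan output above, not the AWS provider's own normalization, and the sample container definitions, including the `app` container and `initProcessEnabled`, are constructed.

```python
# Assumption: "defaults" are the values the plan above shows as "-> null"
# (cpu = 0, [] and {}); this is not the AWS provider's own equivalence logic.
def strip_defaults(value, key=None):
    """Recursively drop null/empty values and cpu=0 so only real settings remain."""
    if isinstance(value, dict):
        cleaned = {k: strip_defaults(v, k) for k, v in value.items()}
        return {k: v for k, v in cleaned.items() if v is not None} or None
    if isinstance(value, list):
        cleaned = [strip_defaults(v) for v in value]
        return [v for v in cleaned if v is not None] or None
    if key == "cpu" and value == 0:
        return None
    return value


def classify_drift(before, after):
    """Map each container name to 'none', 'cosmetic' or 'real' drift."""
    old = {c["name"]: c for c in before}
    new = {c["name"]: c for c in after}
    report = {}
    for name in sorted(old.keys() | new.keys()):
        a, b = old.get(name), new.get(name)
        if a == b:
            report[name] = "none"
        elif a and b and strip_defaults(a) == strip_defaults(b):
            report[name] = "cosmetic"  # differs only by empty defaults
        else:
            report[name] = "real"      # a setting was added, removed or changed
    return report


# Constructed sample: STATE mimics what AWS returns, CONFIG what the module renders.
STATE = [
    {"name": "consul-ecs-mesh-init", "portMappings": [], "systemControls": [],
     "linuxParameters": {"initProcessEnabled": True,
                         "capabilities": {"add": [], "drop": []}}},
    {"name": "consul-dataplane", "essential": True, "systemControls": []},
    {"name": "app", "cpu": 0, "volumesFrom": []},
]
CONFIG = [
    {"name": "consul-ecs-mesh-init",
     "linuxParameters": {"initProcessEnabled": True, "capabilities": {}}},
    {"name": "consul-dataplane", "essential": True},
    {"name": "app", "linuxParameters": {"capabilities": {"add": ["NET_ADMIN"]}}},
]

if __name__ == "__main__":
    for name, kind in classify_drift(STATE, CONFIG).items():
        print(f"{name}: {kind}")
```

In practice the two lists would come from the `before` and `after` values of `container_definitions` in `terraform show -json` output for a saved plan.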