Open andreaskeutner opened 3 years ago
Is there an update to this topic?
Any update?
Is there any update on this topic?
For any Pulumi users who stumble across this issue: I found that doing a targeted refresh of the resource (i.e. `pulumi refresh --target urn:...`) cleared the lock token long enough for me to do the update. YMMV depending on when and how frequently you're updating the WAF rules though.
Great help @inhumantsar I actually never thought about doing --refresh on single resources and always ran a full refresh across everything which takes forever. Great tip.
What is the change that Terraform is planning to do? How long is the time between the refresh (`terraform plan` without `--refresh=false`) and the apply, and does your Lambda run in the meantime?
I think there are two separate questions here:
If you can solve 1. you can reduce the pain but you'll be in the same situation again when Terraform has a legitimate reason to update the IP set.
Split management of one object from two systems is pretty much always fraught with peril. You can carefully reason your way through it, but there's still potential for the two to conflict. The version token mechanism in this API makes this a little more obvious. Is there a way you can refactor to have the IP set exclusively managed by the Lambda? That is, have Terraform only manage the thing that manages the IP set, rather than having it manage half of the IP set itself? This may require some fiddling with dependencies and (ugh) provisioners to make sure the IP set is there when you need it later / in other resources.
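The read-modify-write that the lock token mechanism described above implies, shown as an added example that is not code from this issue or from the provider: a Lambda-side updater that fetches the current LockToken, writes the new address list, and re-reads on WAFOptimisticLockException (the exception class and the in-memory wafv2 client below are constructed stand-ins so the example runs offline; with boto3 you would use `client.exceptions.WAFOptimisticLockException` and `boto3.client("wafv2")` instead).

```python
"""Read-modify-write of an AWS WAFv2 IP set using the API's lock token."""


class WAFOptimisticLockException(Exception):
    """Constructed stand-in for boto3's wafv2 client.exceptions.WAFOptimisticLockException."""


def update_ip_set_addresses(client, name, scope, ip_set_id, compute_addresses, max_attempts=3):
    """Replace the IP set's address list, retrying when another writer
    (for example a Terraform apply) consumed the lock token between our read and write."""
    for attempt in range(1, max_attempts + 1):
        current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
        lock_token = current["LockToken"]
        new_addresses = sorted(set(compute_addresses(current["IPSet"]["Addresses"])))
        if new_addresses == sorted(current["IPSet"]["Addresses"]):
            return {"changed": False, "attempts": attempt}  # nothing to write, token untouched
        try:
            resp = client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                                        Addresses=new_addresses, LockToken=lock_token)
            return {"changed": True, "attempts": attempt, "next_lock_token": resp["NextLockToken"]}
        except WAFOptimisticLockException:
            continue  # token went stale; re-read the set and its new token, then retry
    raise RuntimeError(f"IP set {name} still locked after {max_attempts} attempts")


class FakeWafv2Client:
    """Constructed in-memory stand-in for boto3.client('wafv2') that can simulate
    a concurrent writer (e.g. Terraform) winning the race a given number of times."""

    def __init__(self, addresses, concurrent_writes=0):
        self.addresses = list(addresses)
        self.token = 1
        self.pending_conflicts = concurrent_writes
        self.calls = []

    def get_ip_set(self, Name, Scope, Id):
        self.calls.append("get")
        return {"IPSet": {"Name": Name, "Id": Id, "Addresses": list(self.addresses)},
                "LockToken": str(self.token)}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        self.calls.append("update")
        if self.pending_conflicts:
            self.pending_conflicts -= 1
            self.token += 1  # someone else wrote first, invalidating the caller's token
            raise WAFOptimisticLockException("stale LockToken")
        if LockToken != str(self.token):
            raise WAFOptimisticLockException("stale LockToken")
        self.addresses = list(Addresses)
        self.token += 1
        return {"NextLockToken": str(self.token)}
```

Bounding the retries matters: if another system rewrites the set on every attempt, the function fails loudly instead of spinning, which is the signal that the two writers need to be untangled.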
I got a WAFOptimisticLockException in aws_wafv2_ip_set. I have a lifecycle rule "ignore_changes = [addresses]" in place. I change the addresses hourly via a Lambda function.
Terraform CLI and Terraform AWS Provider Version
hashicorp/aws v3.51.0
Terraform 1.0.2
Affected Resource(s)
aws_wafv2_ip_set
Terraform Configuration Files
Debug Output
Expected Behavior
I expect that the lifecycle rule "ignore_changes = [addresses]" overrules the "manual" changes via Lambda and that Terraform doesn't touch this resource.