riboseinc / terraform-aws-iam-authenticating-group

Dynamically manage IAM group membership through an authenticated HTTPS endpoint

Applying from different machines will cause unnecessary changes due to lambda upload file path #19

Closed kwkwan closed 6 years ago

kwkwan commented 6 years ago

Right now the local lambda package paths and last_modified times are causing unnecessary additional applies.

@phuonghuynh could you help fix this issue just like the other lambda module? Thanks!

First issue:

-/+ module.global.module.dyn-iam-access.aws_api_gateway_deployment.this (new resource required)
      id:                                    "7zayi6" => <computed> (forces new resource)
      created_date:                          "2018-06-11T08:44:24Z" => <computed>
      execution_arn:                         "arn:aws:execute-api:us-east-1:aws-account-id:[PROBLEM-ID]/" => <computed>
      invoke_url:                            "https://[PROBLEM-ID].execute-api.us-east-1.amazonaws.com/" => <computed>
      rest_api_id:                           "[PROBLEM-ID]" => "${aws_api_gateway_rest_api.this.id}" (forces new resource)

Second issue:

-/+ module.global.module.dyn-vpn-access.aws_cloudwatch_log_group.this (new resource required)
      id:                                    "API-Gateway-Execution-Logs_mzfk8rymq9/dev" => <computed> (forces new resource)
      arn:                                   "arn:aws:logs:us-east-1: aws-account-id:log-group:API-Gateway-Execution-Logs_[PROBLEM-ID2]/dev:*" => <computed>
      name:                                  "API-Gateway-Execution-Logs_[PROBLEM-ID2]/dev" => "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.this.id}/${var.deployment_stage}" (forces new resource)
      retention_in_days:                     "0" => "0"
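
For reviewing plan output like the excerpts above, a CI step can list every resource marked `-/+` together with the attributes that force the replacement, so a re-created API Gateway deployment is noticed before apply. This is an added example, not code from this module or thread; the function names, the allow-list idea and the last two sample lines are assumptions made for illustration.

```python
import re

# Constructed sample: the first four lines are taken from the first plan
# excerpt in this issue; the last two lines are constructed to show an
# in-place update (~), which must not be reported as a replacement.
SAMPLE_PLAN = '''\
-/+ module.global.module.dyn-iam-access.aws_api_gateway_deployment.this (new resource required)
      id:                                    "7zayi6" => <computed> (forces new resource)
      created_date:                          "2018-06-11T08:44:24Z" => <computed>
      rest_api_id:                           "[PROBLEM-ID]" => "${aws_api_gateway_rest_api.this.id}" (forces new resource)
  ~ module.example.aws_lambda_function.this
      last_modified:                         "2018-06-11T08:44:20.000+0000" => <computed>
'''

# Resource header: action symbol followed by the resource address.
HEADER = re.compile(r"^\s*(-/\+|[-+~])\s+(\S+)")
# Attribute line: indented "name: old => new", optionally flagged as forcing.
ATTR = re.compile(r"^\s+([\w.#%-]+):\s+(.*)$")
FORCES = "(forces new resource)"


def forced_replacements(plan_text):
    """Map each resource planned for replacement to the attributes forcing it."""
    result = {}
    current = None
    for line in plan_text.splitlines():
        header = HEADER.match(line)
        if header:
            action, address = header.groups()
            # Only destroy-and-recreate entries are tracked.
            current = address if action == "-/+" else None
            if current:
                result[current] = []
            continue
        attr = ATTR.match(line)
        if attr and current and attr.group(2).rstrip().endswith(FORCES):
            result[current].append(attr.group(1))
    return result


def unexpected(plan_text, allowed=()):
    """Replaced resources whose address is not on the reviewer's allow-list."""
    return sorted(a for a in forced_replacements(plan_text) if a not in allowed)


if __name__ == "__main__":
    for address, attrs in forced_replacements(SAMPLE_PLAN).items():
        print(address, "replaced because of:", ", ".join(attrs))
```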

phuonghuynh commented 6 years ago

@kwkwan could I have some logs/error responses you are getting?

ronaldtse commented 6 years ago

Updated @kwkwan. Thanks!

ronaldtse commented 6 years ago

@phuonghuynh it looks like the "random id"s are causing a force re-create for all the lambda related resources, this leads to a problem that once we re-apply, the lambda functions can only return 403 regardless of the IDs. They seem to be un-linked after applying.

phuonghuynh commented 6 years ago

@ronaldtse I removed "random id" from https://github.com/riboseinc/terraform-aws-iam-authenticating-group/pull/9

This issue might be related to the "last_modified"

ronaldtse commented 6 years ago

Somehow I'm still seeing that "random id" using the latest module -- maybe there are more "random id"s?

phuonghuynh commented 6 years ago

Searching with "uuid" or "random" shows no results.

But "uuid" can be found in version 1.0.0

New release v1.0.2, based off #18, was just created.

This resource "API-Gateway-Execution-Logs_[PROBLEM-ID2]/dev" is removed in the last PR #18

-/+ module.global.module.dyn-vpn-access.aws_cloudwatch_log_group.this (new resource required)
      id:                                    "API-Gateway-Execution-Logs_mzfk8rymq9/dev" => <computed> (forces new resource)
      arn:                                   "arn:aws:logs:us-east-1: aws-account-id:log-group:API-Gateway-Execution-Logs_[PROBLEM-ID2]/dev:*" => <computed>
      name:                                  "API-Gateway-Execution-Logs_[PROBLEM-ID2]/dev" => "API-Gateway-Execution-Logs_${aws_api_gateway_rest_api.this.id}/${var.deployment_stage}" (forces new resource)
      retention_in_days:                     "0" => "0"

phuonghuynh commented 6 years ago

Applying from different machines will cause unnecessary changes due to lambda upload file path

=> @kwkwan are you getting this issue when using Terraform Remote (https://www.terraform.io/intro/getting-started/remote.html)?

ronaldtse commented 6 years ago

@phuonghuynh this is from local terraform state, and we're already using v1.0.2. Thanks!

erikbor commented 6 years ago

This works now, thanks.