terraform-google-modules / terraform-google-vpc-service-controls

Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google
Apache License 2.0

The ingress policies list is sorted alphabetically when import existing GCP resource (Module) #100

Closed XuejiaoZhang closed 1 year ago

XuejiaoZhang commented 1 year ago

TL;DR

When importing the existing ingress policies (module), the ingress policies list is sorted alphabetically, i.e.

the original order: "storage.googleapis.com", "pubsub.googleapis.com"
the order after importing the resource: "pubsub.googleapis.com", "storage.googleapis.com"

Though there are no differences in terms of resources, the order changes will be identified as changes when running "terraform plan". Our concern is that the deployment/update of "terraform apply" will cause downtime of GCP resources (i.e. removing the ingress policies and creating the new ones).

Expected behavior

A Terraform state with 0 differences

Observed behavior

The order changes will be identified as changes when running "terraform plan"

Terraform Configuration

To update

Terraform Version

To update

Additional information

No response

ghost commented 1 year ago

Thanks to Xuejiao Zhang. When we import original resources into a module, the original resources are not sorted alphabetically in ingress_policies and egress_policies. Writing ingress_policies and egress_policies through the module will automatically do alphabetical sorting.

The original order:

```
service_name = "pubsub.googleapis.com"
service_name = "storage.googleapis.com"
service_name = "container.googleapis.com"
```

After passing through the module, the ingress list will become:

```
service_name = "container.googleapis.com"
service_name = "pubsub.googleapis.com"
service_name = "storage.googleapis.com"
```

Execute terraform plan:

```
~ ingress_policies {
    ~ ingress_to {
        ~ operations {
            ~ service_name = "pubsub.googleapis.com" -> "container.googleapis.com"
        }
        ~ operations {
            ~ service_name = "storage.googleapis.com" -> "pubsub.googleapis.com"
        }
        ~ operations {
            ~ service_name = "container.googleapis.com" -> "storage.googleapis.com"
        }
    }
}
```

Will the execution of terraform apply affect the existing resources (deleting old ones before creating new ones), or are there other suggested ways to avoid affecting the original resources? Thanks.

ericyz commented 1 year ago

The implementation uses for_each and it doesn't maintain the order it passes in. From my understanding, this is part of migration process as you mentioned you're using terraform import. As a once-off approach, I think I would directly update the Terraform state file to match the order it displays in the terraform plan.

bharathkkb commented 1 year ago

Like @ericyz mentioned, this does seem like a side effect of the dynamic blocks created using for_each. Does TF report the update as in place? If so it should be safe to apply as it will patch the existing resource rather than delete and recreate.
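The question of whether the plan reports an in-place update or a delete-and-recreate can be answered mechanically from `terraform show -json plan.out` before anyone runs apply. The following Python is an added example, not code from the module or from anyone in this thread: it classifies each planned change to the perimeter resource as a replacement (the downtime case), a genuine in-place update, or an in-place update whose before/after differ only in list order, which is the situation in this issue. The resource address and the trimmed plan document are constructed for the example.

```python
from __future__ import annotations
import json
from typing import Any

RESOURCE_TYPE = "google_access_context_manager_service_perimeter"
# Hypothetical resource address; not taken from the module's source.
ADDRESS = "module.perimeter." + RESOURCE_TYPE + ".this"


def make_plan(actions: list[str], before: list[str], after: list[str]) -> str:
    """Build a constructed, trimmed `terraform show -json` plan document whose single
    resource change carries `actions` and one ingress policy with the given ordered
    lists of service_name values in its ingress_to.operations blocks."""
    def status(services: list[str]) -> dict[str, Any]:
        ops = [{"service_name": s, "method_selectors": []} for s in services]
        return {"status": [{"ingress_policies": [{"ingress_to": [{"operations": ops}]}]}]}
    return json.dumps({"format_version": "1.2", "resource_changes": [{
        "address": ADDRESS, "type": RESOURCE_TYPE,
        "change": {"actions": actions, "before": status(before), "after": status(after)},
    }]})


def canonical(value: Any) -> Any:
    """Return `value` with every dict key-sorted and every list sorted by its JSON
    encoding, so differences that are only list order disappear on comparison."""
    if isinstance(value, dict):
        return {k: canonical(v) for k, v in sorted(value.items())}
    if isinstance(value, list):
        return sorted((canonical(v) for v in value), key=lambda v: json.dumps(v, sort_keys=True))
    return value


def classify(plan_json: str, resource_type: str = RESOURCE_TYPE) -> dict[str, str]:
    """Map each planned change of `resource_type` (by address) to a verdict:
    'replace' = delete+create (expect downtime); 'update-reorder-only' = in-place and
    identical once list order is ignored; 'update' = in-place with real content
    changes; otherwise the sorted, comma-joined action list (e.g. 'no-op')."""
    verdicts: dict[str, str] = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        change, actions = rc["change"], set(rc["change"]["actions"])
        if {"delete", "create"} <= actions:
            verdict = "replace"
        elif actions == {"update"}:
            reorder_only = canonical(change["before"]) == canonical(change["after"])
            verdict = "update-reorder-only" if reorder_only else "update"
        else:
            verdict = ",".join(sorted(actions))
        verdicts[rc["address"]] = verdict
    return verdicts


# The reorder from this thread: the same three services, rotated.
ISSUE_PLAN = make_plan(["update"],
                       ["pubsub.googleapis.com", "storage.googleapis.com", "container.googleapis.com"],
                       ["container.googleapis.com", "pubsub.googleapis.com", "storage.googleapis.com"])

if __name__ == "__main__":
    print(classify(ISSUE_PLAN))
```

Run it against a real plan with `terraform plan -out=plan.out && terraform show -json plan.out > plan.json` and pass the file contents to `classify`; a 'replace' verdict on the perimeter is the signal to stop and fix state instead of applying.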

XuejiaoZhang commented 1 year ago

@bharathkkb @ericyz Thanks for the clarifications!