upbound / provider-terraform

A @crossplane provider for Terraform
Apache License 2.0

Checksum is still recalculated every time even without any change #230

Closed headyj closed 3 months ago

headyj commented 8 months ago

I'm opening a new ticket as I cannot re-open this one, which didn't solve the initial issue: I'm still seeing changes on lineage even if nothing changed:

diff -r --exclude=.git before/e7c1772d-ed18-4152-b377-76e772881dfd after/e7c1772d-ed18-4152-b377-76e772881dfd
diff -r '--exclude=.git' before/e7c1772d-ed18-4152-b377-76e772881dfd/.terraform/terraform.tfstate after/e7c1772d-ed18-4152-b377-76e772881dfd/.terraform/terraform.tfstate
4c4
<     "lineage": "9ea5911a-af97-2a17-e6de-02744de7a523",
---
>     "lineage": "26605bb9-21a7-840b-58cd-00c67697da34",

Crossplane Version: v1.14.5
Provider Version: v0.13.0
Kubernetes Version: v1.27
Kubernetes Distribution: EKS

bobh66 commented 8 months ago

I think it's reasonable to exclude the .terraform/terraform.tfstate file from the checksum calculation, since we are really just trying to checksum the desired state to see if it changed. We might even be able to exclude the entire .terraform directory since that should only be modified by the CLI and not by the user. Thoughts @ytsarev ?
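
The exclusion proposed in the comment above, as an added example (not part of the thread and not provider-terraform's own checksum code): a Go helper that hashes a workspace directory while skipping `.terraform`, so a changed `lineage` alone leaves the checksum unchanged. The name `WorkspaceChecksum`, the SHA-256 scheme and the sample files are assumptions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// WorkspaceChecksum (hypothetical helper) digests the desired state under dir:
// every regular file's relative path and content, visited in lexical order,
// except anything below the CLI-managed .terraform directory.
func WorkspaceChecksum(dir string) (string, error) {
	fsys := os.DirFS(dir)
	h := sha256.New()
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() && d.Name() == ".terraform" {
			return fs.SkipDir // plugins, modules and .terraform/terraform.tfstate
		}
		if !d.Type().IsRegular() {
			return nil // directories are descended into; symlinks are ignored
		}
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		// Path, NUL, fixed-length content digest keeps record boundaries unambiguous.
		fmt.Fprintf(h, "%s\x00%x\n", p, sha256.Sum256(data))
		return nil
	})
	return fmt.Sprintf("%x", h.Sum(nil)), err
}

func main() {
	// Constructed sample workspace: one module file plus a CLI-written state file.
	ws, _ := os.MkdirTemp("", "ws")
	defer os.RemoveAll(ws)
	os.Mkdir(filepath.Join(ws, ".terraform"), 0o755)
	os.WriteFile(filepath.Join(ws, "main.tf"), []byte("# constructed\n"), 0o644)
	state := filepath.Join(ws, ".terraform", "terraform.tfstate")
	os.WriteFile(state, []byte(`{"lineage": "constructed-a"}`), 0o644)
	before, _ := WorkspaceChecksum(ws)
	os.WriteFile(state, []byte(`{"lineage": "constructed-b"}`), 0o644)
	after, _ := WorkspaceChecksum(ws)
	fmt.Println("unchanged after lineage rewrite:", before == after)
}
```

Skipping the directory only affects this change-detection digest; the state file itself is left untouched on disk.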

ytsarev commented 8 months ago

@bobh66 yes, that sounds good to me 👍

headyj commented 8 months ago

@ytsarev for sure it will fix the issue, but is it really safe? I mean according to terraform documentation:

Differing lineage: The "lineage" is a unique ID assigned to a state when it is created. If a lineage is different, then it means the states were created at different times and it's very likely you're modifying a different state. Terraform will not allow this.

https://developer.hashicorp.com/terraform/language/state/backends#manual-state-pull-push

bobh66 commented 8 months ago

Does lineage change every time terraform plan is run? Or only when terraform apply is run? If it changes on every plan execution then we will never be able to assume no changes (which doesn't really make sense). If it is only changing on apply then it should be safe to include the tfstate file since we're (hopefully) not running apply on every reconciliation.

headyj commented 8 months ago

I cannot answer this one as I'm not an expert in Terraform. But anyway, the behavior should not be different if the sources are local or coming from a git repository, I assume, which was originally the problem of the first ticket I opened: https://github.com/upbound/provider-terraform/issues/198

headyj commented 4 months ago

@bobh66 any news on that issue? As said, I'm not an expert in Terraform, so I cannot guarantee that it's safe to ignore lineage.

project-administrator commented 3 months ago

I think this prevents us from using the concurrency (--max-reconcile-rate set to more than "1") because every workspace tries to run "terraform init" while any other workspace might already be running the "terraform plan/apply", and that usually results in a "text file busy" error. Disabling the shared plugin cache is also a bad option because the provider-terraform will start re-downloading all TF providers for each TF workspace with every "terraform init" with each reconciliation...