chef_environment resource always modified

[hashibot]

This issue was originally opened by @mengesb as hashicorp/terraform#13696. It was migrated here as part of the provider split. The original body of the issue is below.

---

I believe this started with 0.8.x series, though it's tough to recall. I had initially pawned this off as configuration drift, however on nearly every invocation of terraform, I'm seeing a diff operation on the chef_environment resource. While I can't see anything immediately different, it's always determining a diff and thus my destroy provisioner executes. Even when I run subsequent applies one right after the other, it detects a diff and must re-upload the environment and fire the triggered resource.

Terraform Version

0.9.2

Affected Resource(s)

• chef_environment

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

# Chef provider settings
provider "chef" {
  server_url      = "https://${var.chef["server"]}${length(var.chef["org"]) > 0 ? "/organizations/${var.chef["org"]}" : ""}"
  client_name     = "${var.chef["user"]}"
  key_material    = "${file("${var.chef["key"]}")}"
}
# environment template
data "template_file" "cheffy_env" {
  depends_on = ["aws_efs_mount_target.model_store"]
  template   = "${file("${path.module}/files/chef-environment.tpl")}"

  vars = {
    ....
  }
}
resource "chef_environment" "cheffy" {
  name                    = "${var.environment}"
  description             = "REDACTED Environment"
  default_attributes_json = "${data.template_file.cheffy_env.rendered}"

  cookbook_constraints {
    ....
  }
}
resource "null_resource" "cheffy_env" {
  depends_on = ["chef_environment.cheffy"]
  triggers {
    attributes_json = "${chef_environment.cheffy.default_attributes_json}"
  }
  provisioner "local-exec" {
    command = "[ -d .chef ] || mkdir -p .chef ; echo Directory .chef exists"
  }
  provisioner "local-exec" {
    command = "[ -f .chef/${var.environment}.json ] && rm -f .chef/${var.environment}.json ; echo Environment file purged"
  }
  provisioner "local-exec" {
    command = "knife environment show ${var.environment} -F json > .chef/${var.environment}.json"
  }
  provisioner "local-exec" {
    when    = "destroy"
    command = "rm -rf .chef"
  }
}

Debug Output

Small snipped segment shows the diff is nil, which is where i think it has the problem.

2017/04/16 14:53:09 [DEBUG] dag/walk: walking "chef_environment.cheffy"
2017/04/16 14:53:09 [DEBUG] vertex 'root.chef_environment.cheffy': walking
2017/04/16 14:53:09 [DEBUG] vertex 'root.chef_environment.cheffy': evaluating
2017/04/16 14:53:09 [TRACE] [walkApply] Entering eval tree: chef_environment.cheffy
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalSequence
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalInstanceInfo
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalReadDiff
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalIf
2017/04/16 14:53:09 [DEBUG] root: eval: terraform.EvalNoop
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalIf
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalInterpolate
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalGetProvider
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalReadState
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalValidateResource
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalDiff
2017/04/16 14:53:09 [DEBUG] plugin: terraform: chef-provider (internal) 2017/04/16 14:53:09 [DEBUG] Instance Diff is nil in Diff()
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalReadDiff
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalCompareDiff
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalGetProvider
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalReadState
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalApplyPre
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalApply
2017/04/16 14:53:09 [DEBUG] apply: chef_environment.cheffy: diff is empty, doing nothing.
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalWriteState
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalApplyProvisioners
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalIf
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalWriteState
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalWriteDiff
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalApplyPost
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalUpdateStateHook
chef_environment.cheffy: Modifying... (ID: kesha)
2017/04/16 14:53:09 [DEBUG] dag/walk: walking "meta.count-boundary (count boundary fixup)"
2017/04/16 14:53:09 [DEBUG] vertex 'root.meta.count-boundary (count boundary fixup)': walking
2017/04/16 14:53:09 [DEBUG] vertex 'root.meta.count-boundary (count boundary fixup)': evaluating
2017/04/16 14:53:09 [DEBUG] root: eval: *terraform.EvalCountFixZeroOneBoundaryGlobal
chef_environment.cheffy: Modifications complete (ID: kesha)

Panic Output

None

Expected Behavior

Subsequent runs where no environment attributes change result in no diff, and no action, and no trigger firing

Actual Behavior

Nearly always, there's a computed diff and thus the trigger fires

Steps to Reproduce

1. terraform apply
2. terraform apply

Important Factoids

Nothing comes to mind

References

None

[planet]

cookbook_constraints {
....
}

Can someone give me an example of how cookbook_constraints is formatted? I looked through the docs and searched for examples and could not find any.

For example if I wanted to constrain the cookbook "chef-vault" to be greater than "1.0", what would be the formatting to define that?

[mengesb]

@planet

"cookbook": "~> 1.0.0" for instance is cookbook as key, value includes a version constraint operator plus a semver version. Constraint operators can be many, but include things like pessimistic greater (~>), equality, greater than, less than, greater than or equal, etc. You get the idea.