-
Notifications
You must be signed in to change notification settings - Fork 9.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adds ignore/skip in any resource #17274
Comments
+1, similar issue where we have to created resources from an excel where we need to skip certain resources if someone leaves the cell blank |
It might be worth unpacking the use case in a bit more detail. In the example you have provided - you are creating 184 virtual machines under the same virtual machine resource using count. Within Terraform, it is an anti-pattern to use count across resources that are defining different virtual machine roles/application/components. For example, instead of:
This logic becomes especially complex if you are using Terraform to apply your custom_data for bootstrapping, or referencing immutable images. You would generally split up by:
You can then use a module to wrap up the logic to create/not-create a managed disk. This becomes particularly important as you scale out the infrastructure as each of your applications should really be residing in separate state files (or workspaces if you are using Terraform Enterprise). My fear is that introducing a feature like this will encourage bad architectural patterns, such as mixing resource roles (hard to manage growth, and a nightmare to manage day 2 operations), or lumping your entire datacentre definition in a single terraform file (really bad if your state becomes corrupt, or somebody becomes trigger happy on a terraform deletion action!) Are you able to provide some more information as to why we can't achieve the same results with a mix of modules & splitting up roles? |
Thank you, this is the answer that I wanted. We fixed this already with a script, but it is so nasty and unclear that we don't like it. Even if we were using modules and splitting up roles, I could say that the code would have been more complicated, just for few things. Honestly we are considering to switch to Ansible where at least conditions and loops are easier to manage... but we will lack all the features that Terraform has. 😭 I am a person that loves clean code and structures; what we have done to achieve this not clean: modules, script, looping nasty data structures, splitting up roles: a lot of unhuman, unreadable lines of code; only way to interact with TF is by other scripts; a lot of more line of code just for things to "skip/ignore". Case: We have around ~100 beefy machines, you can group them under different sizes, different storage, the kind/amount of disks attached, but you will end up in always different kind of groups and after starting writing the terraform setup for each "group" of similar machine, we thought that there must be a simpler way as doing very similar tf files for 3-4 machines each time was painful, put them for different repositories and manually enable CICD for them... no. That is not possible. So somebody came with the idea of iterating over the actual amount of resources we need (ex: 100 machines, 80 disks, 42 IP etc etc etc). So we have a set of arrays generated by a script. Each element of these arrays have the VM original INDEX ID and other stuff. It works.
Now, if you are worried that somebody will use bad patterns I can say that we used a bad pattern intentionally anyway. But we need to get shit done and the current Terraform is not helping when talking about big infrastructure, loops and conditions. I guess that this feature that we are looking for was requested more than once; Just googling you can find a shitload of people. Solutions ahead of us:
I think solution number 1 is easier, as would "philosophically" make more sense. @rorychatt what do you say? |
Not necessarily. Less LoC isn't necessarily less complicated, especially if you are attempting to encapsulate additional information about the particular VMs being managed. Is:
a huge upgrade over:
For single dimensional data, tables are totally cool - but we aren't dealing with single dimensional data in provisioning. Bending a table to manage Security Groups/DNS/database connectivity/users/playbooks/etc is complex, and is going to be ultra fragile as Terraform does lazy evaluation of logic and won't pickup configuration errors.
Both are great tools, and to be honest, I don't see it as an Ansible vs Terraform debate. With my customers, I tend to describe:
Depending on your complexity, you may want both. When used in tandem, a typical deployment will do something like:
Allowing each tool to focus on what it's good at. That said - if you are only doing virtual machine management, and not deploying much in the way of PaaS services, you might be better just simplifying to one tool. That said, do it for the right reasons.
This is where we can agree to disagree. There is alot that can be done to simplify the definition of modules, and encourage DRY code through modules, while not nerfing your ability to manage day two operations around virtual machines. I don't want this to turn into an essay for the ages, but I am happy to talk through your use cases over PM later if wanted.
Yep - This is exactly what modules are for. As far as separate repositories: honestly the safety of knowing that a simple F&ckup on one of my definitions isn't going to screw up my entire 180 vms, all to save 30 seconds of time to cd /repo/dir is enough for me! If that isn't enough, there is also the complexity of:
Irrespective of whether running Ansible, Terraform, salt, etc - putting all your eggs in one basket is going to end in disaster, and the time spent troubleshooting will far outweigh the additional overhead of separating out repositories.
We automate on-boarding for Jenkins, Bitbucket and Terraform to do exactly this, alongside pre-configured templates for different types of deployments.
See earlier comments
Terraform is used by thousands of companies, across hundreds of thousands of machines. The biggest implementation I have seen has over 8,000 applications and 25,000 machines under management. I'm a big believe in get shit done. I'm a big believer in saving future me (or whoever is managing my infrastructure) time and heartache for the sake for a bit of readability early on. To get back to the original question: I don't work for Hashicorp, so I don't represent them. However - I'm not convinced that adding a skip-like function will be net positive for the Terraform community. It encourages bad practices in architecting infrastructure as code. We are better off educating the community, through Reference Architecture models and similar, on how to manage 100's & 1000's of machines in a way that provides the desired flexibility but doesn't bite them in the arse. |
Thank you for your reply! After reading, I do agree with what you are saying. It makes sense, except for the "bad practice" side: it is a lazy way to justify the lack of I prefer to give people the opportunity to make mistakes and learn from them, rather than forcing them to use the tool in one way or another. Philosophically speaking you can achieve great things and discover new cool way by allowing mistakes. Would you ever create a new knife if you are aware that it can cut things but also kill pepole? I prefer to instruct people to not use it for killing, but I would still provide the new knife blade. So now we don't have skip, and because of that we are painfully creating a lot of things. We have no other way to do it. And EVEN with Modules it is massively messy, a lot of code duplicated and variables here and there... just because our knife could kill people. Is that making sense to you? Try to understand our frustrated point of view of end users from a big company with massive request for a single project. as an example, using Modules is not really practical due also to this: #5480 |
@rorychatterton - I have a vpc module. It uses all available AZ's. There are scenarios where I may want to skip an AZ because an instance type isn't available. Your suggestions is that:
|
Hi all! Thanks for the great discussion here. Terraform 0.12 has introduced a new feature that includes a means to filter the elements of a collection: locals {
smaller_list = [for x in var.larger_list : x if x.foo == "baz"]
} This general building block can in turn be used to produce a list to use with However, it's still good to be cautious of the fact that Implementation of #17179 is in progress right now and will be included in a near-future Terraform CLI release. Once that is complete, the resource "aws_instance" "example" {
for_each = { for x in var.list : x.name => x if x.foo = "baz" }
} Because we already have #17179 representing the |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
I have been using quite a while terraform and I love it, but sometimes I fight against its limits.
Count is amazing way to create multiple resources and have conditions... but there are cases when you have a Count, but you still need to ignore the resource.
We are creating 100+ vms... but some of them don't need a azure data_disk and some others do, some others needs more than one. To easily skip some them, or create more, we are forced to:
The option number 2 is not practical as the amount of resources would be too much, The option number 1, is more practical but the variables must be generated from a script in order to do this properly (yes, CSV -> tfvars)... but it is not human readable; and the only way to use it is to update the CSV and let the script do the magic of creating this structure.
To create data_disks we found useful to create variables/maps of the ones that we have to create... but it is.
We could avoid this madness probably if there was a:
Basically the ternary operator can skip some of the 184 resources.
Why has something like this not been implemented? I guess this is a more philosophical reason that I am curious to know.
BTW, #2831 is probably similar but this is specific case.
The text was updated successfully, but these errors were encountered: