Removing a specific OPC compute instance is causing the security list association to be removed from other instances #42
Comments
Hey @ubersol, thanks for the issue! Just to clarify though, this happens when you have your config written with the
Hi @grubernaut, thank you for your quick reply. The only element function I have in this whole configuration is in this line at secrule.tf:
and as you can see above I did try to change this into the following (commented out above):
which resulted in some kind of an index out of range error when I was testing yesterday... I'll go ahead and change that line to report the exact error I saw shortly.
Hi @grubernaut, if in the config file I change the seclist line to
then I see the following error during plan:
Ah interesting. Thanks for the additional information!
Hi @ubersol! Sorry things aren't working well here. The root cause of your original problem is that referring to
In future we intend to extend Terraform with a new way of creating related collections of resources that doesn't depend on the "splat variable" mechanism and thus doesn't run into this problem. Unfortunately there's a lot of other work to do before we can make that happen, so this won't help address your issue in the short term. My advice for now would be to use
In your later comment I see that you had some trouble with the list bracket syntax. Based on your config, it looks like neither
seclist = "${opc_compute_security_list.allow-ssh-access.name}"
Sorry for all the confusing interactions here. We have started planning some configuration language features that should make this sort of thing easier and less error-prone to express in future. (In a future version we intend to merge #12289, which will change the syntax of the above
Hi @apparentlymart, thank you so much for the detailed and quick response! I really appreciate all of this... I am afraid the workflow is not very clear to me! Could you be so kind as to verify the following steps for me? And thank you for your patience! So first create the instances as usual:
Then taint the instance I want to destroy, as you mentioned; in this case I am gonna remove the second instance
and when I do this step, I get this output:
so is the next step then:
and this will remove the second instance and leave the ssh association for the first instance intact for now? Is this right?
Hi @ubersol! The Hope that helps! Thanks again!
This was all correct until the final step. Instead of running
Since the resource is tainted, Terraform will plan to destroy it and make a new one in its place. After verifying that Terraform did indeed produce a plan like that, and doesn't intend to replace or destroy anything else along with it, you can apply the plan:
The
Hi @grubernaut & @apparentlymart, thank you for the information and detailed explanations! So as I understand, using the taint option will recreate the instance, but this is not going to solve my original problem, where I want to get rid of an instance among the many instances. Is that correct?
@ubersol correct, if you only wish to remove the instance fully, and not replace the instance on a subsequent Terraform apply,
Indeed, to remove an instance and not recreate removing it from configuration. That then tells Terraform that you don't want that resource anymore. This is trickier when
To expand on my previous statement, the reason we recommend this approach of tainting and/or updating the config, rather than just destroying with target, is that it makes your intent clearer. If you run Doing these operations in these multiple steps also gives you the ability to check that the correct behavior is planned before applying, and to undo/revert these changes if things don't work out, before making any changes to real infrastructure. (By
Ok, this is great information! Thank you so much! I'll give this a try! In the meantime, could you guys be kind enough to point me to the right place about what "tfplan" is supposed to do or give some more information? Looks like I am creating an out file called tfplan with the following: `terraform plan -out=tfplan` When I look at the contents of the file, I see some data (some encrypted?) that contains something similar to the output of I will post the steps of what I did here when I am done.
Hey @ubersol,
https://www.terraform.io/docs/commands/plan.html#out-path
Then you can use the pre-generated planfile during a Terraform apply to ensure that the actions listed inside the generated planfile are the only actions taken by Terraform. https://www.terraform.io/docs/commands/apply.html
Hope this helps, thanks!
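The pre-apply check recommended in the comments above (confirm that the plan destroys nothing beyond the intended instance) can be automated. This is an added example, not code from the thread or from Terraform; the function names are hypothetical, the sample plan is constructed, and the legacy text layout where `-` means destroy and `-/+` means replace is an assumption:

```python
import re
import sys

# Constructed sample in the legacy (Terraform 0.9-era) text plan layout; not output from the issue.
SAMPLE_PLAN = """\
-/+ opc_compute_instance.test.1 (tainted)
    name: "example-1" => "example-1"

- opc_compute_security_association.associate_SSH.0

-/+ opc_compute_security_association.associate_SSH.1
    seclist: "example" => "example"

Plan: 2 to add, 0 to change, 3 to destroy.
"""

# Assumed layout: "-" destroys, "-/+" destroys and recreates; attribute lines are indented.
ACTION_LINE = re.compile(r"^(-/\+|-)\s+(\S+)")

def normalize(address):
    """Rewrite name[1] as name.1 so -target style addresses match plan style ones."""
    return re.sub(r"\[(\d+)\]", r".\1", address)

def destructive_actions(plan_text):
    """Return (action, address) for each resource the plan destroys or replaces."""
    return [m.groups() for m in map(ACTION_LINE.match, plan_text.splitlines()) if m]

def unexpected_destroys(plan_text, allowed):
    """List destructive actions on resources outside the allowed set."""
    allowed = {normalize(a) for a in allowed}
    return [(act, addr) for act, addr in destructive_actions(plan_text)
            if addr not in allowed]

if __name__ == "__main__":
    intended = ["opc_compute_instance.test[1]",
                "opc_compute_security_association.associate_SSH[1]"]
    surprises = unexpected_destroys(SAMPLE_PLAN, intended)
    for action, address in surprises:
        print(f"UNEXPECTED {action} {address}")
    sys.exit(1 if surprises else 0)
```

Feed it the text of `terraform plan -no-color` so colour codes do not hide the markers, and only apply the saved planfile when it reports nothing unexpected.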
@ubersol for now, I'm going to close this issue, as the initial problem is now solved. In the future, though, it might be more beneficial to direct questions to either the Mailing List, Stack Exchange, or the IRC channel. The Terraform community has been amazing when it comes to either usability questions, or configuration questions; while we would prefer to keep the Issue Tracker mainly for bugs and enhancement requests. This is mainly because general questions have a tendency to be overlooked or lost, whereas the Mailing List and IRC can often yield very detailed and accurate answers to questions. See https://www.terraform.io/community.html, for more details. Thanks again!
Hi again! Thank you so much for all of this. I'd be happy to move this conversation to email lists etc., but before I do that, I think I am still having issues with this approach, and it does not seem to be doing what I am expecting, and it is very, very possible that I am doing something wrong! The following is just for trying to remove/destroy three instances out of five: Plan out for creating five instances:
Apply this plan
These will create my 5 instances as expected, no problem. Now I am going to taint three instances between instance 0 and instance 5:
This is also good, then reduce the number of count from 5 to 2 since I am getting rid of three instances:
and apply this plan:
At this point what happens is that TF will stop and destroy Thank you again for your patience with me here!
Hi @ubersol, This is what I was trying to say above, but didn't explain clearly: since the instances are identified by index, it's not possible to destroy ones that aren't at the end of the sequence. That is, in your case you could start off with five instances and reduce to two, losing the ones numbered In many cases this is acceptable because all of the instances in the set are "equivalent", and thus it doesn't matter which ones get deleted. If you have the need to specify a specific one to delete, a different design would be better: either specify each instance as a separate resource block, or move the set of resources related to an instance into a module and have a separate
Hi @apparentlymart, ok, I do understand that, but if I have 5 instances and if I am attempting to remove 3 of them, why does TF attempt to recreate the last instance (the fifth instance in this case)? Note, it is not touching the first instance at all. I am only tainting three and TF is destroying four and recreating the last instance it destroyed.
Hi Guys, does the problem I described above merit a new BUG?
Hi @ubersol, I'm not sure I entirely follow here. But note that in my earlier advice I wasn't meaning to suggest that you should both taint the instances and remove them from config, but rather that these are two separate things you can do:
Tainting something that is also removed from config is not very useful, since it's redundant... both of these things cause Terraform to produce a destroy diff on the next It's possible that there's a strange interaction here if you try to do both of these things at once... possibly the index shifting caused by removing some of the items is causing Terraform to get a bit confused. Whether or not Terraform is confused, I will say that I'm confused 😀. If you'd like to pursue this as a core bug (in the main terraform repo) then I'm happy to dig into it with you further; ideally to understand better what's going on I'd like to see a terminal transcript showing the steps you followed in order and in detail, since it's otherwise a bit hard to keep track of what's changing at which point.
Hello, I was hoping that you guys might be able to shed some light on the following issue I am running into.
Currently I am working on developing a deployment infrastructure with terraform-provider-opc. One of the problems we are seeing with our current TF config is that when we wanted to remove a specific resource, in this case a compute instance, some other dependencies also get deleted/removed from other instances. In this case it is the opc_compute_security_association from the other instances too.
For example, I have two instances, and I try to remove second one with the following
$ terraform plan -destroy -target=opc_compute_instance.test[1]
The plan execution then shows me the following:
As the output shows, TF is going to attempt to remove opc_compute_security_association.associate_SSH.0.
How do I prevent opc_compute_security_association.associate_SSH.0 being removed? That has to stay with the first instance (opc_compute_instance.test.0) or any other undeleted instances. If I execute this, indeed the opc_compute_security_association.associate_SSH.0 gets deleted:
So since opc_compute_security_association.associate_SSH.0 gets removed, this breaks my ssh access to the first instance.
Moreover, when I go back to the compute UI, I also see from the Storage tab that "data-1" storage volume is not deleted but only its association with the instance is removed. This is as opposed to terraform destroy default behaviour where it really deletes every single resource and removes all of the associations.
Terraform Version
terraform -v
Terraform v0.9.11
Affected Resource(s)
Please list the resources as a list, for example:
Terraform Configuration Files
Debug Output
https://gist.github.com/ubersol/7b338ddf00457e2b3b04fbfc8603d7a8
Panic Output
No panic
Expected Behavior
The second instance should have been deleted with its security association removed without touching other instances' associations. The storage volume associated with this instance should be destroyed.
Actual Behavior
The second instance indeed gets deleted, but in the process the security association for the other unrelated instances gets removed, which breaks ssh access. The storage volume does not get deleted and it is shown as online. However, its instance association gets removed.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
First create a couple of instances
terraform apply -var instance_count=2
Then remove the second instance
terraform destroy -target=opc_compute_instance.test[1]
Important Factoids
Are there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?
References
There are a couple of similar bugs as below, but honestly the solution is really not clear to me for the instance deletion:
hashicorp/terraform#10952
The issue above is then merged into this following one:
hashicorp/terraform#3449