-
Notifications
You must be signed in to change notification settings - Fork 9.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Print whole container_definitions in aws_ecs_task_definition instead of checksum in the plan #1195
Conversation
This would be an incredible improvement - it would solve our current visibility issues during the plan stage. |
Hi @radeksimko! Is there a chance to merge this soon? I took a look at the latest Hashicorp blog post (https://www.hashicorp.com/blog/continuous-deployment-with-nomad-and-terraform/) and even Nomad provider uses full jobspec instead of hash :) |
Hey folks, In my opinion, this is a great addition. The thing that bothers me is that people will see a diff when migrating from the hash-ed version to this plain-text one. What do you think @radeksimko, is it worth it? |
Hi @s-maj
Yep, that's exactly my concern, too. We can't merge this as is otherwise we'd upset many users that have existing task definitions in their state and schema change like this would cause recreation of the whole TD because hash != content from diff perspective. Just try creating TD with current stable version of Terraform/AWS provider, then run The best (and idiomatic) way to address this is to add a state migration. Take a look at existing state migrations and tests if you need any inspiration and/or let me know if anything's unclear in regards to migrations. Here's full diff (hopefully) explaining what it takes to do the whole migration: e253f88 |
Hi @radeksimko Yep, totally. About schema migration, from what I understand, task definition "blob" is being reduced to sha1 hash and this is stored in state file as an attribute of the resource. By doing migration I can only operate on the hash which might quite hard to reverse :) I guess I need to replace old value in this field with new value from the input, but I don't if this is possible or if it's a good approach. |
There isn't any way to get access to the config, which is probably by design. I think the best way forward is to pull down the current body from the ECS API. The migration function interface has It may not always be accurate, because state may be drifted from the reality, but Terraform should refresh the state automatically as part of |
Alright, I guess it should look like this:
but I am getting tons of nulls or empty lists (fields not present in Terraform) in the output:
which is more or less exptected since I tried to work on string output from SDK but even AWS API responds with empty fields:
where orginal task definion is:
@radeksimko could you please advise how to approach this? |
I see - that's annoying - it might have been the reason why I originally decided to use hash instead 😄 However we now have some ways to deal with equivalent JSON structures which aren't exactly same in string-based match. Take a look at https://github.com/terraform-providers/terraform-provider-aws/blob/fd6ad1d8c976ee779ff9a543d1ad128166959d01/aws/resource_aws_cloudwatch_dashboard.go#L40 which should prevent spurious diffs from appearing. I hope the problem is generic enough we can use the existing generic JSON helper. Eventually we'd need to create a custom one, similar to the one we did for IAM policies https://github.com/terraform-providers/terraform-provider-aws/blob/fd6ad1d8c976ee779ff9a543d1ad128166959d01/aws/resource_aws_iam_policy.go#L42 which is work worth its own package/repository. |
Existing diff suppression functions won't help in this case and fixing this is a bit beyond my skill set :) But it seems NLB will be part of 1.0.0 which will break backward compatibility for ECS services (at least web based containers) so it might good moment to add this PR to this mix (maybe along with #1476) |
@s-maj I just pushed a few enhancements to your branch:
Can you take a look at those changes and try them out to see if it's working for you as expected in your context? btw. the reason you were getting the odd diff with |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 from me. Will defer for another 👍 from @s-maj as Radek has asked them to review as well
FYI: I will merge this on Monday, 13th if there's no further feedback. |
I'll take a look over weekend. Thanks!
…On Thu, Nov 9, 2017 at 3:43 PM, Radek Simko ***@***.***> wrote:
FYI: I will merge this on Monday, 13th if there's no further feedback.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1195 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AOhaWsz6Dz6Y4a2rk7bL72UlqUdDqkLVks5s0x26gaJpZM4OeTS7>
.
|
@radeksimko All grand, thanks a million! |
Hey guys, we're seeing terraform recreate the task definitions on every plan and all that changed is the version of the AWS provider on our end. Is anybody else experiencing this issue? |
We are also seeing this same behavior. |
Also seeing it here. This code needs to be amended so that empty arrays coming back from AWS are treated the same as the JSON missing the empty array. Also, the |
likewise! |
Hi @radeksimko This change is good, but I prefer the chksum way. In my case, my container definition contains some credential information, I don't want them to be printed out on screen when doing plan. Could you please at least offer an option to make it still print chksum number instead of whole JSON text? |
I wouldn't recommend putting secrets in the task definition. I presume you're injecting them as environment variables? You might want to consider fetching them from SSM parameter store or something like Vault at runtime in an entrypoint script. |
@tomelliff, yes, you guess right. I know it is not a good idea to use environment variables for such thing. But anyway, I think it still might be useful to print and store chksum in some situations (?). I will appreciate it very much if you can think about it. :) |
This change also has a sad side effect of making the plan output so large that its truncated in the terraform enterprise web view, making the plan impossible to review. It’s kind of a TFE issue but making it somehow an opt-in feature would be useful in that case. |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
Currently, when aws_ecs_task_definition is updated, people can see only container_definitions checksum in the plan. There is no visibility what exactly is being pushed to ECS and I think this quite confusing. In other resources, like aws_iam_policy, old version of policy and new version policy is visible in the plan. Also, this change would allow to utilize terraform-landspace to produce a pretty plan for ECS tasks (screenshot).
Tests: