-
-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Addresses persistent diff with manage_default_network_acl #737
fix: Addresses persistent diff with manage_default_network_acl #737
Conversation
a7a2f18
to
a7dae98
Compare
As noted in the [terraform docs][0], subnets using the default network acl will generate a persistent diff if they are not specified to the aws_default_network_acl resource. This module was handling subnets created by the module, but of course is not aware of subnets created externally to the module. The docs suggest using lifecycle ignore_changes as an option to avoid the persistence diff, which is the approach implemented in this patch. Fixes terraform-aws-modules#736 [0]: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl#managing-subnets-in-a-default-network-acl
a7dae98
to
77aaedf
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
@bryantbiggs What do you think?
Could you also fix the issue introduced by #742 here? :) |
Haha, sure, on my phone, gimme 30 min too get back to a computer |
@antonbabenko Ok, should be good now! |
Also, not sure if you are tracking this already, but there is some kind of issue going on with the cidr_blocks outputs for unused features. After first apply, they are lists of nulls, but the second apply they are reported as a planned change, becoming lists of empty strings...
|
### [3.11.5](v3.11.4...v3.11.5) (2022-01-28) ### Bug Fixes * Addresses persistent diff with manage_default_network_acl ([#737](#737)) ([d247d8e](d247d8e))
This PR is included in version 3.11.5 🎉 |
Regarding the issue with outputs you are seeing, I don't think we have seen such behavior before. |
Roger, I'll create a separate issue for that and see if I can track it down. |
@@ -208,7 +202,7 @@ data "aws_iam_policy_document" "dynamodb_endpoint_policy" { | |||
test = "StringNotEquals" | |||
variable = "aws:sourceVpce" | |||
|
|||
values = [data.vpc.vpc_id] | |||
values = [module.vpc.vpc_id] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oy, this is still wrong! it should be
values = [module.vpc.vpc_id] | |
values = [data.aws_vpc_endpoint.dynamodb.id] |
because the condition is "source VPC endpoint" not "source VPC"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's what it was before #742 (attempted to) change it to the vpc id! Oi! Revert and revert and revert!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can leave it as is now, but the condition is wrong - should be "aws:SourceVpc"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at it again now, the data source is a race condition. The comment makes no sense. This whole thing is confusing to me. Why not just get the vpce id from an output of the vpc endpoint module?
### [3.11.5](terraform-aws-modules/terraform-aws-vpc@v3.11.4...v3.11.5) (2022-01-28) ### Bug Fixes * Addresses persistent diff with manage_default_network_acl ([terraform-aws-modules#737](terraform-aws-modules#737)) ([d247d8e](terraform-aws-modules@d247d8e))
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
As noted in the terraform docs, subnets using the default network acl
will generate a persistent diff if they are not specified to the aws_default_network_acl
resource. This module was handling subnets created by the module, but
of course is not aware of subnets created externally to the module.
The docs suggest using lifecycle ignore_changes as an option to avoid
the persistent diff, which is the approach implemented in this patch.
Fixes #736
Breaking Changes
None
How Has This Been Tested?
examples/*
projects