Terraform always tries to replace GCP compute instance without changes

Good morning,

I have a problem with my Terraform code. In a particular module I define two GCP compute instances as follows:


resource "google_compute_instance" "dev_machine" {
  name                = "dev-machine-${var.tag}"
  deletion_protection = true
  machine_type        = "e2-standard-2"

  boot_disk {
    initialize_params {
      # Image family alias; the provider resolves it to a dated image at create time.
      image = "ubuntu-os-pro-cloud/ubuntu-pro-2004-lts"
      size  = 200
    }
  }

  network_interface {
    network    = var.vpc.name
    subnetwork = var.subnet.name
    # An empty access_config block requests an ephemeral external IP.
    access_config {
    }
  }

  tags = ["dev-vm-${var.tag}"]
}


resource "google_compute_instance" "dev_machine-minor" {
  name                = "dev-machine-minor-${var.tag}"
  deletion_protection = true
  machine_type        = "n1-standard-1"

  boot_disk {
    initialize_params {
      # Same family alias as dev_machine, smaller boot disk.
      image = "ubuntu-os-pro-cloud/ubuntu-pro-2004-lts"
      size  = 30
    }
  }

  network_interface {
    network    = var.vpc.name
    subnetwork = var.subnet.name
    # An empty access_config block requests an ephemeral external IP.
    access_config {
    }
  }

  tags = ["dev-vm-${var.tag}"]
}

resource "google_compute_firewall" "ssh_access" {
  name    = "allow-ssh-access-${var.tag}"
  network = var.vpc.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # 0.0.0.0/0 exposes SSH on both VMs to the whole internet; restrict this to
  # known source ranges (or use IAP TCP forwarding) where possible.
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["dev-vm-${var.tag}"]
}

The variables are defined as follows:

variable "vpc" {
  description = "vpc to deploy the instance into"
}

variable "subnet" {
  description = "subnet to deploy the instance into"
}

variable "tag" {
  description = "general project tag"
}

When I run the command 'terraform apply', everything works as expected, but if I run it again it always states that the instances must be replaced, even though I have not made any changes to the code. When I SSH into the instances I notice that everything has been wiped.

Here is the output of 'terraform plan' without any change to the code:

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.dev_environment.google_compute_instance.dev_machine must be replaced
-/+ resource "google_compute_instance" "dev_machine" {
      ~ cpu_platform         = "Intel Broadwell" -> (known after apply)
      ~ current_status       = "RUNNING" -> (known after apply)
      ~ deletion_protection  = false -> true
      - enable_display       = false -> null
      ~ guest_accelerator    = [] -> (known after apply)
      ~ id                   = "<id with project>" -> (known after apply)
      ~ instance_id          = "<instance id>" -> (known after apply)
      ~ label_fingerprint    = "<label fingerprint>" -> (known after apply)
      - labels               = {} -> null
      - metadata             = {} -> null
      ~ metadata_fingerprint = "<metadata fingerprint>=" -> (known after apply)
      + min_cpu_platform     = (known after apply)
        name                 = "dev-machine-pweather"
      ~ project              = "<project id>" -> (known after apply)
      - resource_policies    = [] -> null
      ~ self_link            = "<project id url>/instances/dev-machine-pweather" -> (known after apply)
        tags                 = [
            "dev-vm-pweather",
        ]
      ~ tags_fingerprint     = "<tag fingerprint>" -> (known after apply)
      ~ zone                 = "us-east4-a" -> (known after apply)
        # (2 unchanged attributes hidden)

      ~ boot_disk {
          ~ device_name                = "persistent-disk-0" -> (known after apply)
          + disk_encryption_key_sha256 = (known after apply)
          + kms_key_self_link          = (known after apply)
          ~ source                     = "<project id url>/us-east4-a/disks/dev-machine-pweather" -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ initialize_params {
              ~ image  = "https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/images/ubuntu-pro-2004-focal-v20210720" -> "ubuntu-os-pro-cloud/ubuntu-pro-2004-lts" # forces replacement
              ~ labels = {} -> (known after apply)
              ~ type   = "pd-standard" -> (known after apply)
                # (1 unchanged attribute hidden)
            }
        }

      + confidential_instance_config {
          + enable_confidential_compute = (known after apply)
        }

      ~ network_interface {
          ~ name               = "nic0" -> (known after apply)
          ~ network            = "<project id url>/global/networks/pweather-vpc" -> "pweather-vpc"
          ~ network_ip         = "10.0.0.17" -> (known after apply)
          ~ subnetwork         = "<project id url>/subnetworks/pweather-subnet" -> "pweather-subnet"
          ~ subnetwork_project = "<project>" -> (known after apply)

          ~ access_config {
              ~ nat_ip       = "<NAT IP>" -> (known after apply)
              ~ network_tier = "PREMIUM" -> (known after apply)
            }
        }

      + reservation_affinity {
          + type = (known after apply)

          + specific_reservation {
              + key    = (known after apply)
              + values = (known after apply)
            }
        }

      ~ scheduling {
          ~ automatic_restart   = true -> (known after apply)
          ~ min_node_cpus       = 0 -> (known after apply)
          ~ on_host_maintenance = "MIGRATE" -> (known after apply)
          ~ preemptible         = false -> (known after apply)

          + node_affinities {
              + key      = (known after apply)
              + operator = (known after apply)
              + values   = (known after apply)
            }
        }

      - shielded_instance_config {
          - enable_integrity_monitoring = true -> null
          - enable_secure_boot          = false -> null
          - enable_vtpm                 = true -> null
        }
    }

  # module.dev_environment.google_compute_instance.dev_machine-minor must be replaced
-/+ resource "google_compute_instance" "dev_machine-minor" {
      ~ cpu_platform         = "Intel Broadwell" -> (known after apply)
      ~ current_status       = "RUNNING" -> (known after apply)
      ~ deletion_protection  = false -> true
      - enable_display       = false -> null
      ~ guest_accelerator    = [] -> (known after apply)
      ~ id                   = "<project id url>/instances/dev-machine-minor-pweather" -> (known after apply)
      ~ instance_id          = "<instance id>" -> (known after apply)
      ~ label_fingerprint    = "<label fingerprint>" -> (known after apply)
      - labels               = {} -> null
      - metadata             = {} -> null
      ~ metadata_fingerprint = "udK04sf2kcQ=" -> (known after apply)
      + min_cpu_platform     = (known after apply)
        name                 = "dev-machine-minor-pweather"
      ~ project              = "<project name>" -> (known after apply)
      - resource_policies    = [] -> null
      ~ self_link            = "<project id url>/us-east4-a/instances/dev-machine-minor-pweather" -> (known after apply)
        tags                 = [
            "dev-vm-pweather",
        ]
      ~ tags_fingerprint     = "<tag fingerprint>" -> (known after apply)
      ~ zone                 = "us-east4-a" -> (known after apply)
        # (2 unchanged attributes hidden)

      ~ boot_disk {
          ~ device_name                = "persistent-disk-0" -> (known after apply)
          + disk_encryption_key_sha256 = (known after apply)
          + kms_key_self_link          = (known after apply)
          ~ source                     = "<project id url>/us-east4-a/disks/dev-machine-minor-pweather" -> (known after apply)
            # (2 unchanged attributes hidden)

          ~ initialize_params {
              ~ image  = "https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/images/ubuntu-pro-2004-focal-v20210720" -> "ubuntu-os-pro-cloud/ubuntu-pro-2004-lts" # forces replacement
              ~ labels = {} -> (known after apply)
              ~ type   = "pd-standard" -> (known after apply)
                # (1 unchanged attribute hidden)
            }
        }

      + confidential_instance_config {
          + enable_confidential_compute = (known after apply)
        }

      ~ network_interface {
          ~ name               = "nic0" -> (known after apply)
          ~ network            = "<project id url>/global/networks/pweather-vpc" -> "pweather-vpc"
          ~ network_ip         = "10.0.0.16" -> (known after apply)
          ~ subnetwork         = "<project id url>/us-east4/subnetworks/pweather-subnet" -> "pweather-subnet"
          ~ subnetwork_project = "<project>" -> (known after apply)

          ~ access_config {
              ~ nat_ip       = "<NAT IP>" -> (known after apply)
              ~ network_tier = "PREMIUM" -> (known after apply)
            }
        }

      + reservation_affinity {
          + type = (known after apply)

          + specific_reservation {
              + key    = (known after apply)
              + values = (known after apply)
            }
        }

      ~ scheduling {
          ~ automatic_restart   = true -> (known after apply)
          ~ min_node_cpus       = 0 -> (known after apply)
          ~ on_host_maintenance = "MIGRATE" -> (known after apply)
          ~ preemptible         = false -> (known after apply)

          + node_affinities {
              + key      = (known after apply)
              + operator = (known after apply)
              + values   = (known after apply)
            }
        }

      - shielded_instance_config {
          - enable_integrity_monitoring = true -> null
          - enable_secure_boot          = false -> null
          - enable_vtpm                 = true -> null
        }
    }

Plan: 2 to add, 0 to change, 2 to destroy.

Changes to Outputs:
  ~ vm_ip = "<VM IP>" -> (known after apply)

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

I tried looking through the documentation but (as far as I can tell) I did not find anything that helps me. Am I doing something wrong, or is it a bug in the provider? Thanks!

Edit 1: added the output of the 'terraform plan' command.

According to the plan output, the argument value forcing the replacement is:

~ boot_disk {
      ...
      ~ initialize_params {
          ~ image  = "https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/images/ubuntu-pro-2004-focal-v20210720" -> "ubuntu-os-pro-cloud/ubuntu-pro-2004-lts" # forces replacement
      }
}

If you are willing to update the value from ubuntu-os-pro-cloud/ubuntu-pro-2004-lts to https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/images/ubuntu-pro-2004-focal-v20210720, then that will stop the Delete/Create action from being applied to the resource.

However, the other question here is why the argument value for image changes at all. If you had changed the configuration, or someone had manually changed the attributes of the resource, either of those would cause a change. But you say that did not happen. The provider may try to auto-correct and modify the value during validation, but according to the documentation your value is perfectly valid. Therefore this is probably a bug in the provider's schema for this resource.

Adding to Matt Schuchard's answer:

What may help is adding the lifecycle meta-argument to ignore changes to the attribute that would otherwise cause a replacement (destroy/apply).

Example:

lifecycle {
  ignore_changes = [ boot_disk ]
}

https://www.terraform.io/docs/language/meta-arguments/lifecycle.html
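Both fixes above applied to the asker's two resources, as an added example (editor's code, not from the original post or either answer). It assumes the same var.tag, var.vpc and var.subnet as the question and, for the pinned variant, the exact image self link that appears in the plan output; the gcloud command in the comment is how that link is looked up for a family. Narrowing ignore_changes to the image path, rather than the whole boot_disk block, keeps Terraform reporting drift in disk size, type and encryption settings. Note also that the plan shows deletion_protection = false -> true, so the protection was not yet on the live instances when they were wiped; once it is set, a planned -/+ fails at the destroy step instead of silently recreating the VM.

```hcl
# Variant A (Matt Schuchard's answer): pin the image to the exact self link the
# provider stored in state, so the configured value and the state value compare
# equal on the next plan. Look up the current member of a family with:
#   gcloud compute images describe-from-family ubuntu-pro-2004-lts \
#     --project ubuntu-os-pro-cloud --format='value(selfLink)'
# A pinned image no longer follows the family, so base-image updates must now be
# rolled out deliberately by changing this value (and accepting the replacement).
resource "google_compute_instance" "dev_machine" {
  name                = "dev-machine-${var.tag}"
  deletion_protection = true
  machine_type        = "e2-standard-2"

  boot_disk {
    initialize_params {
      # Exact image from the plan output (assumed to still be the desired build).
      image = "https://www.googleapis.com/compute/v1/projects/ubuntu-os-pro-cloud/global/images/ubuntu-pro-2004-focal-v20210720"
      size  = 200
    }
  }

  network_interface {
    network    = var.vpc.name
    subnetwork = var.subnet.name
    access_config {}
  }

  tags = ["dev-vm-${var.tag}"]
}

# Variant B (second answer, narrowed): keep the family alias but tell Terraform
# to ignore post-create changes to that single attribute. Ignoring all of
# boot_disk would also hide changes to size, type and kms_key_self_link.
resource "google_compute_instance" "dev_machine-minor" {
  name                = "dev-machine-minor-${var.tag}"
  deletion_protection = true
  machine_type        = "n1-standard-1"

  boot_disk {
    initialize_params {
      image = "ubuntu-os-pro-cloud/ubuntu-pro-2004-lts"
      size  = 30
    }
  }

  network_interface {
    network    = var.vpc.name
    subnetwork = var.subnet.name
    access_config {}
  }

  tags = ["dev-vm-${var.tag}"]

  lifecycle {
    # Path into the nested blocks; only the image attribute is ignored.
    ignore_changes = [boot_disk[0].initialize_params[0].image]
  }
}
```

After either change, a second `terraform plan` on unchanged code should report no replacement for these resources; the `# forces replacement` marker in the plan output is the line to check if it still does.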