XYZ.google_compute_instance.forseti-server must be replaced
36 views
Skip to first unread message
Mike Williams
Oct 16, 2020, 8:47:41 AM10/16/20
to Forseti Security Discussion
Hi all,
Every time I apply a change to the terraform call to terraform-google-modules/forseti/google that changes the forseti configuration my server compute instance is replaced.
I was wonder if this is expected and/or required behaviour.
The item that makes the replacement required is this;
```
Step #3: -/+ resource "google_compute_instance" "forseti-server" {
...
Step #3: ~ metadata_startup_script = <<~EOT # forces replacement
...
Step #3: - # forseti_conf_server digest: S1FaNIGa1HXhw4ehpoPLBEEIpgjoiO7lWqWY7a5O4y0=
Step #3: + # forseti_conf_server digest: /3QS91KmN44t7pAK9zxeRzf+rMH/YK2Lcdr/DS/01hs=
..
```
On that run the only change to metadata_startup_script was as above.
I'm 50/50 on the need for including the value in the startup scripts.
On the one hand the value is a comment so doesn't have any immediate practical value, however changes to the configuration could need the server to be restarted.
On the other hand, if restarts of the server are needed for configuration changes and it isn't knowable if a restart or reload or noop is needed for that change, couldn't a restart of the server process be triggered instead?
This is a minor annoyance for sure, it took me by surprise the first time it happened as the client VM suddenly couldn't reach the server for a solid minute or more.
The chance of someone wanting to directly interact with the server from the client at the same time someone else making a config change is slim.
The chance of someone wanting to directly interact with the server from the client at the same time someone else making a config change is slim.
Mike
Reply all
Reply to author
Forward
0 new messages