[fix](modules/vmseries): added lifecycle ignore_change for boot_disk #61


jochristian

Potential fix for #49

Description

To fix the issue with the image change, I have added a lifecycle ignore_changes = [boot_disk.0.initialize_params.0.image]
for the vmseries module.
While this might be solved in a better way, I have not found any better way for now.
As already known, referencing a module does not currently support lifecycle options.

Motivation and Context

Changing the image variable for a newer version of PAN-OS should NOT destroy what has already been created by terraform. This will fix this issue.

I can't see any reasons why this should be a part of the module.
Why would you want terraform to destroy an already created infrastructure using this module?
And if this is what you really want, the destroy should be done by changing some other variables (region, number of VMs etc).

How Has This Been Tested?

I tested in my own environment, where I changed my current PAN-OS image to something else.
With this fix terraform does not destroy any already created VM-Series.

Screenshots (if appropriate)

Types of changes

lifecycle was added in the vmseries modules under google_compute_instance.

Checklist

  • I have updated the documentation accordingly. Not sure how this can be documented?!
  • [x] I have read the CONTRIBUTING document.
  • [x] I have added tests to cover my changes if appropriate.
  • [x] All new and existing tests passed.

@jochristian jochristian requested a review from a team as a code owner February 19, 2025 08:43
@jochristian jochristian changed the title added lifecycle ignore_change for boot_disk [fix]added lifecycle ignore_change for boot_disk Feb 19, 2025
@jochristian jochristian changed the title [fix]added lifecycle ignore_change for boot_disk [fix](modules/vmseries): added lifecycle ignore_change for boot_disk Feb 19, 2025
pavelrn (Contributor) commented Feb 19, 2025

@jochristian What is the solution for the users that would like to re-deploy VM-Series when the disk image changes?

jochristian (Author) commented Feb 19, 2025

> @jochristian What is the solution for the users that would like to re-deploy VM-Series when the disk image changes?

Well you could do a terraform destroy? Since this is what will actually happen with the "old" solution?

My question is, what is the solution for users that want this to be solved:
You have a huge deployment, but you want to keep the VM-Series that is already deployed.
But at the same time you want to create new VM-Series but with the new image. Currently this is not supported, since terraform will destroy what has already been deployed.

pavelrn (Contributor) commented Feb 19, 2025

> Well you could do a terraform destroy? Since this is what will actually happen with the "old" solution?

-destroy is usually used to destroy everything, which is likely undesired. The use of a -destroy step might be complicated if you are running Terraform from the pipeline.

> What is the solution for users that want this to be solved

You can use a local copy of the module with the lifecycle block, until HashiCorp comes up with a better solution, like applying the lifecycle block with some conditions.
We will also discuss internally if adding lifecycle with ignore_changes = [boot_disk.0.initialize_params.0.image] is something that should be in the module by default.

jochristian (Author) commented Feb 19, 2025

> > Well you could do a terraform destroy? Since this is what will actually happen with the "old" solution?
>
> -destroy is usually used to destroy everything, which is likely undesired. The use of a -destroy step might be complicated if you are running Terraform from the pipeline.
>
> > What is the solution for users that want this to be solved
>
> You can use a local copy of the module with the lifecycle block, until HashiCorp comes up with a better solution, like applying the lifecycle block with some conditions. We will also discuss internally if adding lifecycle with ignore_changes = [boot_disk.0.initialize_params.0.image] is something that should be in the module by default.

Yes, that is what we did previously.
But this introduces "technical debt": keeping the modules updated when you release new updates.

So yes, local modules are of course a solution. But we would prefer to use the modules that Palo Alto keeps updated.
Of course we lock our modules with

```hcl
module "vmseries" {
  source  = "PaloAltoNetworks/swfw-modules/google//modules/vmseries"
  version = "2.0.10" # <<<--- pinned module version
  # ... remaining module arguments not shown in the comment
}
```

So we don't lose control on new changes :-)
Regarding terraform and support for this: this has been a feature request for several years already.
"Not holding my breath"

jochristian (Author)

@pavelrn

After thinking some more about this:
There is one thing that would force redeployment of the VM-Series, and that is changing the name of the VM.
Maybe creating something around that would be a feasible way to fix this in environments where you want to do a redeployment when changing the image? But at the same time also have lifecycle for the boot disk.
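
Added example (not part of the pull request or of either participant's comments): a pipeline guard that reads the JSON form of a saved plan (`terraform show -json <planfile>`) and lists the compute instances that would be destroyed and recreated because the boot disk image changed, so a firewall replacement is caught before apply. The resource addresses and the sample plan are constructed for illustration; the module's internal resource name `this` is an assumption.

```python
import json

# Attribute path Terraform reports when the boot image forces replacement.
IMAGE_PATH = ["boot_disk", 0, "initialize_params", 0, "image"]

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Addresses are hypothetical; only the fields the check reads are included.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": 'module.vmseries["fw-01"].google_compute_instance.this',
         "type": "google_compute_instance",
         "change": {"actions": ["delete", "create"],
                    "replace_paths": [IMAGE_PATH]}},
        {"address": 'module.vmseries["fw-02"].google_compute_instance.this',
         "type": "google_compute_instance",
         "change": {"actions": ["create"]}},
        {"address": "google_compute_firewall.mgmt",
         "type": "google_compute_firewall",
         "change": {"actions": ["update"]}},
    ]
})


def image_driven_replacements(plan_json):
    """Return addresses of instances the plan replaces due to an image change."""
    flagged = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "google_compute_instance":
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is planned as delete+create (in either order).
        if "delete" not in actions or "create" not in actions:
            continue
        # replace_paths names the attributes that forced the replacement.
        if IMAGE_PATH in change.get("replace_paths", []):
            flagged.append(rc["address"])
    return flagged


if __name__ == "__main__":
    for addr in image_driven_replacements(SAMPLE_PLAN):
        print("would be replaced by image change:", addr)
```

A pipeline can fail the run when the returned list is non-empty and require an explicit approval for the replacement.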
