Intermittent output helper

exoaturner · April 26, 2023, 9:09am

Where to begin…

I have tagged this topic up with multiple tags because I feel all of them are relevant.

Has anyone else experienced the output() helper function in the tfvars return the mock value intermittently when the value from the terraform state should be available?

I am deeply concerned about this problem we are experiencing on one of our projects, we use this output() helper function to fetch a KMS key in another stack for some ec2, databases, etc

Example tfvars:
kms_key_id = <%= output(‘kms.key_id’, mock: ‘arn:aws:kms:::key/mock-key2’) %>

However, intermittently we see terraspace fail to get the real value from state and rather then fail, just default to the mock value. When using terraspace all up this leads to terraform seeing the kms key as changed and forces a replace, deleting the resources and failing because the mock isn’t valid.

I think this is dangerous because the mock value should never be used in a deploy/up scenario, maybe only for planning when a stack depends on another stacks output that hasn’t been created yet.

I am not really sure why this is happening.

I think there is few ways this can be solved and would like to gather feedback.

Terraspace ouput() helper function has configurable number of retries to attempt to get the value from state.
Terraspace has an option to fail a deploy if it detects a mock in the compiled terraform code.

Currently this problem makes things very very difficult for us because we can’t trust terraspace all up because it may destroy some resources we really don’t want it too.

As mentioned before, I would be really interested to hear back from terraspace veterans about this problem.

tung · May 2, 2023, 7:07pm

This is a bummer. Yup. Will have to dig into this one.

At least, from the sounds of it, it’s reproducible. Just need create an example project that a KMS key and use the output helper. If you have an example, that’ll be appreciate. If not, no sweat.

RE: * I think there is few ways this can be solved and would like to gather feedback. Terraspace output() helper function has configurable number of retries to attempt to get the value from state.

Sure.

RE: Terraspace has an option to fail a deploy if it detects a mock in the compiled terraform code.

Yup. It should fail hard.

So generally speaking, think:

It should fail hard if a mock is somehow used
The output should return null when values are not found instead if the string value with a warning message. Think that was a mistake. Related: Azure KeyVault Secrets and Azure Secrets · Issue #7 · boltops-tools/terraspace_plugin_azurerm · GitHub The person who created the issue does a good job of detailing the cases.

Hoping to get to it as part of this major version Unsure if will get to it though Happy to take a look PRs. Of course no sweat either way

exoaturner · June 5, 2023, 10:20am

Hi @tung, sadly my ruby knowledge leaves a lot to be desired, else I would.

I have import information to add. I managed to capture the problem (though its intermittent).Here is what I found.

The temporary state files that terraspace generated in /tmp/terraspace do contain the values.

(I had to change the directory because of CICD)

[Album] imgur.com

So this means terraform is getting the state correctly, however, it appears terraspace is not always loading it correctly. This is inconsistent across the deployment when other stacks are using the same outputs.

[Album] Imgur: The magic of the Internet

You can see that the output helper is setup correctly:

(See next comment: ext1)

I believe there is some race condition occurring when terraspace is pulling the state vs deploying a stack.

exoaturner · June 5, 2023, 10:22am

@tung not sure why this was ignored/flagged.

exoaturner · June 5, 2023, 10:48am

I have created an official bug report for this.

github.com/boltops-tools/terraspace

[BUG] Intermittent output helper destroying resources

opened 10:47AM - 05 Jun 23 UTC

exoaturner

bug

## Checklist - [ x ] Upgrade Terraspace: Are you using the latest version of …Terraspace? This allows Terraspace to fix issues fast. There's an Upgrading Guide: https://terraspace.cloud/docs/misc/upgrading/ - [ x ] Reproducibility: Are you reporting a bug others will be able to reproduce and not asking a question. If you're unsure or want to ask a question, do so on https://community.boltops.com - [ x ] Code sample: Have you put together a code sample to reproduce the issue and make it available? Code samples help speed up fixes dramatically. If it's an easily reproducible issue, then code samples are not needed. If you're unsure, please include a code sample. ## My Environment | Software | Version | | ---------------- | ------- | | Operating System | Ubuntu 22.04 | | Terraform | 1.4.6 | | Terraspace | 2.2.6 | | Ruby | 3.1.2p20 | --- ## Expected Behaviour During `terraspace all (plan|up)` the output helper for tfvars should consistently find values in the terraform statefile. ## Current Behavior Under unknown conditions the output helper doesn't alway find existing values in the terraform statefile. Which can result in resources being destroyed unintentionally. For example if a KMS key ID defaults to a mock. ## Step-by-step reproduction instructions Run `terraspace all up`. ## Code Sample Picture of problem: ![tfvars_compiled](https://i.imgur.com/3LoTJnl.png) Unable to share the exact producible steps because its intermittent. I am also unable to share the code sample because of companies security policies. However, I have done my own investigation and found some interesting things that will help with implementing a fix, see the below. The temporary statefiles that terraspace pull from terraform state (in /tmp/terraspace/remote_state/ directory do contain the values. This suggests that terraspace either isn't reading them correctly or isn't reading them at the correct time (possible race condition). The below image is a snapshot of on of the values in the statefile that wasn't populated in my most recent expieriance of the problem: As you can see the value for `vpc_endpoint_ec2messages_id` is in the statefile: (I had to change the directory because of CICD) ![state](https://i.imgur.com/1Cf75Q0.png) So this means terraspace/terraform is getting the state correctly, however, it appears terraspace is not always loading it correctly. This is inconsistent across the deployment when other stacks are using the same outputs (This is why I believe it's a race condition). As you can see from the below code snapshot the output helps are setup correctly: ![tfvars_template](https://i.imgur.com/LN1NyJ0.png) ## Solution Suggestion I have two things to mention regarding this issue. 1. Obviously the above is a problem and should be addressed some how (Not sure exactly). 2. Terraspace should fail hard if mocks are detected in the compiled terraform code (after templating).

tung · June 5, 2023, 1:34pm

It’s the auto-moderation system. Guess it detects similar text and mis-flags For the most part it works well, this time not so much. Unflagged it.

As for the report. Thanks spending the time and providing the details. Sure it’ll help when have time to dig into this. Also, glad you were able to figure out a workaround for now.