Skip to content

[Bug] Idempotency issue while having multiple inputs using elasticstack_fleet_package_policy #473

Closed
@mathieu-letribot

Description

@mathieu-letribot

Describe the bug
The bug occurs when I tried to manage Kubernetes package policy using the new elasticstack_fleet_package_policy resource. With kubernetes, there are multiple intputs to configure. The elasticstack_fleet_package_policy is working fine (it can create/update/delete the package policy), but the plan is always showing some differences in the inputs (and not in the same order). I suppose that inputs order in terraform code are not the same as the input order returned by the API.

Example:

After creating the policy, I execute then plan and can see some differences:

  # module.ec.elasticstack_fleet_package_policy.kubernetes will be updated in-place
  ~ resource "elasticstack_fleet_package_policy" "kubernetes" {
        id              = "555443a0-b129-4cf9-8124-9c31b5182cef"
        name            = "kubernetes"
        # (7 unchanged attributes hidden)

      ~ input {
          ~ input_id     = "kube-scheduler-kubernetes/metrics" -> "kube-apiserver-kubernetes/metrics"
          ~ streams_json = (sensitive value)
            # (1 unchanged attribute hidden)
        }
      ~ input {
          ~ input_id     = "events-kubernetes/metrics" -> "kube-state-metrics-kubernetes/metrics"
          ~ streams_json = (sensitive value)
            # (1 unchanged attribute hidden)
        }
      ~ input {
          ~ input_id     = "audit-logs-filestream" -> "kube-proxy-kubernetes/metrics"
          ~ streams_json = (sensitive value)
            # (1 unchanged attribute hidden)
        }
      ~ input {
          ~ enabled      = true -> false
          ~ input_id     = "kube-state-metrics-kubernetes/metrics" -> "kube-controller-manager-kubernetes/metrics"
          ~ streams_json = (sensitive value)
        }
      ~ input {
          ~ enabled      = false -> true
          ~ input_id     = "kube-apiserver-kubernetes/metrics" -> "container-logs-filestream"
          ~ streams_json = (sensitive value)
        }
      ~ input {
          ~ enabled      = false -> true
          ~ input_id     = "kube-proxy-kubernetes/metrics" -> "events-kubernetes/metrics"
          ~ streams_json = (sensitive value)
        }
      ~ input {
          ~ input_id     = "kube-controller-manager-kubernetes/metrics" -> "kube-scheduler-kubernetes/metrics"
          ~ streams_json = (sensitive value)
            # (1 unchanged attribute hidden)
        }
      ~ input {
          ~ enabled      = true -> false
          ~ input_id     = "container-logs-filestream" -> "audit-logs-filestream"
          ~ streams_json = (sensitive value)
        }

        # (1 unchanged block hidden)
    }

Executing the plan again will show changes again but in different order:

  # module.ec.elasticstack_fleet_package_policy.kubernetes will be updated in-place
  ~ resource "elasticstack_fleet_package_policy" "kubernetes" {
        id              = "555443a0-b129-4cf9-8124-9c31b5182cef"
        name            = "kubernetes"
        # (7 unchanged attributes hidden)

      ~ input {
          ~ enabled      = false -> true
          ~ input_id     = "kube-controller-manager-kubernetes/metrics" -> "kubelet-kubernetes/metrics"
          ~ streams_json = (sensitive value)
        }
      ~ input {
          ~ enabled      = true -> false
          ~ input_id     = "events-kubernetes/metrics" -> "kube-apiserver-kubernetes/metrics"
          ~ streams_json = (sensitive value)
        }
      ~ input {
          ~ input_id     = "container-logs-filestream" -> "kube-state-metrics-kubernetes/metrics"
          ~ streams_json = (sensitive value)
            # (1 unchanged attribute hidden)
        }
      ~ input {
          ~ input_id     = "audit-logs-filestream" -> "kube-proxy-kubernetes/metrics"
          ~ streams_json = (sensitive value)
            # (1 unchanged attribute hidden)
        }
      ~ input {
          ~ enabled      = true -> false
          ~ input_id     = "kubelet-kubernetes/metrics" -> "kube-controller-manager-kubernetes/metrics"
          ~ streams_json = (sensitive value)
        }
      ~ input {
          ~ enabled      = false -> true
          ~ input_id     = "kube-apiserver-kubernetes/metrics" -> "container-logs-filestream"
          ~ streams_json = (sensitive value)
        }
      ~ input {
          ~ enabled      = false -> true
          ~ input_id     = "kube-proxy-kubernetes/metrics" -> "events-kubernetes/metrics"
          ~ streams_json = (sensitive value)
        }
      ~ input {
          ~ enabled      = true -> false
          ~ input_id     = "kube-state-metrics-kubernetes/metrics" -> "audit-logs-filestream"
          ~ streams_json = (sensitive value)
        }

        # (1 unchanged block hidden)
    }

To Reproduce
Steps to reproduce the behavior:

  1. Create a package policy with multiple inputs
resource "elasticstack_fleet_package_policy" "kubernetes" {
  name            = "kubernetes"
  namespace       = "default"
  description     = "Kubernetes package policy"
  agent_policy_id = elasticstack_fleet_agent_policy.kubernetes.policy_id
  package_name    = elasticstack_fleet_package.kubernetes.name
  package_version = elasticstack_fleet_package.kubernetes.version
  force           = true

  input {
    enabled  = true
    input_id = "kubelet-kubernetes/metrics"
    streams_json = jsonencode({...})
  }
  input {
    enabled  = false
    input_id = "kube-apiserver-kubernetes/metrics"
    streams_json = jsonencode({...})
  }
  input {
    enabled  = true
    input_id = "kube-state-metrics-kubernetes/metrics"
    streams_json = jsonencode({...})
  }
  input {
    enabled  = false
    input_id = "kube-proxy-kubernetes/metrics"
    streams_json = jsonencode({...})
  }
  input {
    enabled  = false
    input_id = "kube-controller-manager-kubernetes/metrics"
    streams_json = jsonencode({...})
  }
  input {
    enabled  = true
    input_id = "container-logs-filestream"
    streams_json = jsonencode({...})
  }
  input {
    enabled  = true
    input_id = "events-kubernetes/metrics"
    streams_json = jsonencode({...})
  }
  input {
    enabled  = false
    input_id = "kube-scheduler-kubernetes/metrics"
    streams_json = jsonencode({...})
  }
  input {
    enabled  = false
    input_id = "audit-logs-filestream"
    streams_json = jsonencode({...})
  }

}
  1. terraform plan will then show some differences

Expected behavior
I except this resource to be idempotent to avoid confusion while applying some (real) changes.

Versions :

  • OS: Mac OS Sonoma (M2)
  • Terraform Version 1.6.3
  • Provider version v0.10.0
  • Elasticsearch Version 8.11.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions