Description
Hey, we're testing the Consul ECS v0.8.0 terraform module, more specifically the mesh-task.
While testing, we've found that after applying the changes, subsequent plans keep displaying perpetual diffs in the container definitions about default values not being present. This doesn't happen in v0.7.1, at least.
Terraform version: v1.3.7
AWS Provider version: v5.50.0
ECS deployment model: Fargate (meaning variable enable_transparent_proxy is set to false; this is relevant as per my findings).
Perpetual drift:
# module.ecs_services["consul-test-module-clt-test-task"].module.consul_mesh_template[0].aws_ecs_task_definition.this must be replaced
-/+ resource "aws_ecs_task_definition" "this" {
~ arn = "arn:aws:ecs:us-east-1:redacted:task-definition/stg-consul-test-module-clt-test-task-template:5" -> (known after apply)
~ arn_without_revision = "arn:aws:ecs:us-east-1:redacted:task-definition/stg-consul-test-module-clt-test-task-template" -> (known after apply)
~ container_definitions = jsonencode(
~ [ # forces replacement
~ {
- cpu = 0 -> null
name = "some-container-injected"
- portMappings = [] -> null
- systemControls = [] -> null
- volumesFrom = [] -> null
# (6 unchanged elements hidden)
} # forces replacement,
~ {
name = "consul-dataplane"
- systemControls = [] -> null
# (14 unchanged elements hidden)
} # forces replacement,
~ {
name = "consul-ecs-health-sync"
- systemControls = [] -> null
# (13 unchanged elements hidden)
} # forces replacement,
~ {
~ linuxParameters = {
~ capabilities = {
- add = [] -> null
- drop = [] -> null
}
# (1 unchanged element hidden)
}
name = "consul-ecs-mesh-init"
- portMappings = [] -> null
- systemControls = [] -> null
# (9 unchanged elements hidden)
} # forces replacement,
~ {
- cpu = 0 -> null
name = "consul-test-module-clt-test-task"
- systemControls = [] -> null
- volumesFrom = [] -> null
# (8 unchanged elements hidden)
} # forces replacement,
~ {
- cpu = 0 -> null
name = "some-container-injected"
- portMappings = [] -> null
- systemControls = [] -> null
- volumesFrom = [] -> null
# (7 unchanged elements hidden)
} # forces replacement,
]
)
~ id = "stg-consul-test-module-clt-test-task-template" -> (known after apply)
~ revision = 5 -> (known after apply)
tags = {
"Module" = "consul-test-module-clt"
"Name" = "consul-test-module-clt-test-task"
"consul.hashicorp.com/mesh" = "true"
"consul.hashicorp.com/module" = "terraform-aws-consul-ecs"
"consul.hashicorp.com/module-version" = "0.8.0"
"consul.hashicorp.com/namespace" = "default"
"consul.hashicorp.com/partition" = "stg"
"consul.hashicorp.com/service-name" = "consul-test-module-clt-test-task"
}
# (10 unchanged attributes hidden)
# (3 unchanged blocks hidden)
}
From my investigation, the issue basically seems related to the empty capabilities dictionary inside linuxParameters.
The initial apply creates an empty capabilities dict inside the linuxParameters dict:
~ {
~ linuxParameters = {
+ capabilities = {}
# (1 unchanged element hidden)
}
name = "consul-ecs-mesh-init"
- portMappings = [] -> null
- systemControls = [] -> null
# (9 unchanged elements hidden)
} # forces replacement,
The subsequent plan tries to change it to null:
# module.ecs_services["consul-test-module-clt-test-task"].module.consul_mesh_template[0].aws_ecs_task_definition.this must be replaced
-/+ resource "aws_ecs_task_definition" "this" {
~ arn = "arn:aws:ecs:us-east-1:redacted:task-definition/stg-consul-test-module-clt-test-task-template:5" -> (known after apply)
~ arn_without_revision = "arn:aws:ecs:us-east-1:redacted:task-definition/stg-consul-test-module-clt-test-task-template" -> (known after apply)
~ container_definitions = jsonencode(
~ [ # forces replacement
~ {
- cpu = 0 -> null
name = "some-container-injected"
- portMappings = [] -> null
- systemControls = [] -> null
- volumesFrom = [] -> null
# (6 unchanged elements hidden)
} # forces replacement,
~ {
name = "consul-dataplane"
- systemControls = [] -> null
# (14 unchanged elements hidden)
} # forces replacement,
~ {
name = "consul-ecs-health-sync"
- systemControls = [] -> null
# (13 unchanged elements hidden)
} # forces replacement,
~ {
~ linuxParameters = {
~ capabilities = {
- add = [] -> null
- drop = [] -> null
}
# (1 unchanged element hidden)
}
name = "consul-ecs-mesh-init"
- portMappings = [] -> null
- systemControls = [] -> null
# (9 unchanged elements hidden)
} # forces replacement,
~ {
- cpu = 0 -> null
name = "consul-test-module-clt-test-task"
- systemControls = [] -> null
- volumesFrom = [] -> null
# (8 unchanged elements hidden)
} # forces replacement,
~ {
- cpu = 0 -> null
name = "some-container-injected"
- portMappings = [] -> null
- systemControls = [] -> null
- volumesFrom = [] -> null
# (7 unchanged elements hidden)
} # forces replacement,
]
)
~ id = "stg-consul-test-module-clt-test-task-template" -> (known after apply)
~ revision = 5 -> (known after apply)
tags = {
"Module" = "consul-test-module-clt"
"Name" = "consul-test-module-clt-test-task"
"consul.hashicorp.com/mesh" = "true"
"consul.hashicorp.com/module" = "terraform-aws-consul-ecs"
"consul.hashicorp.com/module-version" = "0.8.0"
"consul.hashicorp.com/namespace" = "default"
"consul.hashicorp.com/partition" = "stg"
"consul.hashicorp.com/service-name" = "consul-test-module-clt-test-task"
}
# (10 unchanged attributes hidden)
# (3 unchanged blocks hidden)
}
To avoid this, I need to slightly adjust the linuxParameters: #319
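Added example, not part of the original issue or of the module's code: a Python check that separates the representation-only drift shown in the plans above (empty lists, empty dicts, `cpu = 0`) from a real change, so a forced replacement of the task definition can be reviewed for an actual change to `linuxParameters.capabilities`. The function names and the sample container definitions are constructed for illustration, and treating those empty values as unset is an assumption.

```python
import json

def normalize(node):
    """Drop values that differ only in representation: None, [], {} and cpu = 0."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            value = normalize(value)
            if value is None or value == [] or value == {}:
                continue
            if key == "cpu" and value == 0:
                continue
            out[key] = value
        return out
    if isinstance(node, list):
        return [normalize(item) for item in node]
    return node

def real_changes(state_json, planned_json):
    """Return (index, container name, changed keys) for differences that survive normalization."""
    state, planned = json.loads(state_json), json.loads(planned_json)
    changes = []
    # Pair containers by position: names can repeat, as in the plan output above.
    for index in range(max(len(state), len(planned))):
        old = normalize(state[index]) if index < len(state) else {}
        new = normalize(planned[index]) if index < len(planned) else {}
        keys = sorted(k for k in old.keys() | new.keys() if old.get(k) != new.get(k))
        if keys:
            changes.append((index, new.get("name") or old.get("name"), keys))
    return changes

# Constructed sample: what the state holds after the first apply.
STATE = json.dumps([
    {"name": "consul-ecs-mesh-init", "portMappings": [], "systemControls": [],
     "linuxParameters": {"capabilities": {"add": [], "drop": []}, "initProcessEnabled": True}},
    {"name": "app", "cpu": 0, "systemControls": [], "volumesFrom": []},
])
# Constructed sample: the configuration renders an empty capabilities dict (noise only).
PLANNED_NOISE = json.dumps([
    {"name": "consul-ecs-mesh-init",
     "linuxParameters": {"capabilities": {}, "initProcessEnabled": True}},
    {"name": "app"},
])
# Constructed sample: a plan that really adds a capability.
PLANNED_REAL = json.dumps([
    {"name": "consul-ecs-mesh-init",
     "linuxParameters": {"capabilities": {"add": ["NET_ADMIN"]}, "initProcessEnabled": True}},
    {"name": "app"},
])

if __name__ == "__main__":
    print(real_changes(STATE, PLANNED_NOISE))
    print(real_changes(STATE, PLANNED_REAL))
```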