[Feature] allow force creation of consul_key_prefix resource with existing keys #77
Comments
|
Hi @plaisted, thanks for opening an issue. It is good to keep and version Terraform scenarios in git. As you have noted, loosing or corrupting the terraform state will lead to messy situations. To avoid such situations, I usually use the S3 backend (https://www.terraform.io/docs/backends/types/s3.html) with locking in DynamoDB. Sharing the state with your team can simplify operations and the locking with DynamoDB will prevent multiple person to apply changes at the same time. Activating versionning in the S3 bucket should also help you to recover a previous state when an issue arise. If you use a local state file, backups should also be made and could be use to recover from such situations without having to delete the whole Consul KV path. Also, the Terraform state should not usually get corrupted, does this happen often?
If you want to delete all at once, you can use
This is what |
|
Thanks for the comments. I can't recall TF state getting corrupt without someone doing something dumb, but we are new to TF so have been experimenting with a lot of different setups which have led to state issues (lost state, multiple sets of state from different groups, etc). Most of these issues were part of our operational learning curve. I'm planning out our disaster recovery strategy for the consul configuration which is why I raised this issue. Theoretically losing the TF state shouldn't be a hard scenario to recover from if just using consul_keys_prefix as all the data is redundant. It sounds like We use consul-template with lots of "keyOrDefault" so purging keys isn't really an option as it'd have fallout with applications as you mentioned. For now I think we'd have to create a clean consul environment and push the terraform values there and then manually copy the state created doing that to our real production setup (would take some research as the state version/lineage/serial may need to be adjusted). |
`consul_key_prefix` protect operators against unwanted key deletions by requiring the choosen path to be empty. While this is a nice default behavior, it can be intrusive to force it. This change makes add import support to `consul_key_prefix` so the operator can manually initialize Terraform state and override the default behavior. Close hashicorp#77
|
Hi @plaisted, the new changeset in #78 should do what you are looking for. EDIT: By the way, having the Terraform state is a start but some keys may not appear in it, like Vault's data if you are using Consul as the backend or the data from consul-esm. Have a look at https://www.consul.io/docs/commands/snapshot.html to make periodic backups of Consul data and catalog. Here is an example: |
Terraform Version
Terraform v0.11.10
Affected Resource(s)
consul_key_prefix
Enhancement
I use terraform to manage configuration stored in consul using the consul_key_prefix resource. Terraform configuration is stored in a git repo and promotion of config changes are managed using pull requests. The git repo is meant to the the source of truth.
With the current setup of the consul provider, if the terraform state is ever lost or corrupted, it requires a complete key purge of the consul_key_prefix resources in order for terraform to control this prefix again. If keys exist, the following error is given:
I understand this is done to prevent accidentally destroying existing consul KV's. I also understand TF state is important and shouldn't be lost. However with a consul_key_prefix resource it is very disruptive to have to purge all existing keys in a live environment because the TF state was lost / corrupt. It would be very useful to have the ability to force the resource creation even with existing keys. Alternatively a way to "bootstrap" tfstate with an existing consul_keys_prefix would solve this as well.
The text was updated successfully, but these errors were encountered: