[#115320097] Terraform 0.6.13

[saliceti]

What

This was created to investigate issue AWS: Can't update certificate associated with ELB in story ELB for access to logs.

This has not fixed that particular issue, but the whole pipeline was tested on that terraform version and it worked fine.

There is a also a minor improvement as the Alpine version is now pinned to 3.3.

How to review

Use image: docker:///governmentpaas/terraform#115320097-terraform-0.6.13 in the pipeline and deploy.

Who can review

Anyone but @henrytk or myself

[alext]

I'm not sure I see the value in testing this. Do we care what version of alpine this is? All we care about is that the container has the necessary tools, and that they work.

[saliceti]

I feel more comfortable pinning the versions of dependencies so upgrading terraform version is a minimal change, instead or risking unexpected behaviour due to dependencies.

[dcarley]

I'm 👍 for pinning the version, but 👎 for testing the specific version.

[Jonty]

If we stop checking the Alpine version should we also remove the Terraform version check on line 55?

[combor]

I'm not sure what's the value of pinning the version and running tests that do not check it?
If we want to be sure that terraform is in specific version as it contains fixes that we want then we should check if this specific version was installed. And in my opinion the same applies to any other software that we use including OS.

[dcarley]

If we stop checking the Alpine version should we also remove the Terraform version check on line 55?

We shouldn't remove it, because we care about the specific version of Terraform and have written code in the Dockerfile to use the version in the environment variable. We'd want to know if (hypothetically) someone changed the URL to "latest" (if that exists) or the Terrraform website provided the wrong version.

Colin and I talked a bit about testing the Alpine version. I think it makes more sense to test that it's Alpine (because we want a minimal container and ability to use apk commands) rather than the specific version (which we want for pinning but not because of that specific version).

Though there's a separate can of worms about whether we should be pinning the versions of packages within an Alpine series.

[alext]

It would be good to also update the version of terraform installed in the paas-cf Travis.yml file so that the unit tests use the same version.

[mtekel]

This version has a lot of good fixes, e.g.:

• provider/aws: aws_instance now allows changes to security groups without force new resource (#5193)
• core: Includes upstream HCL fix to properly detect unbalanced braces and throw an error (#5400)

[dcarley]

The build is failing for some reason that I don't understand:

Step 2 : RUN apk add --update $PACKAGES && rm -rf /var/cache/apk/*
 ---> Running in 8550d96c7efd
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.3/community/x86_64/APKINDEX.tar.gz
ERROR: unsatisfiable constraints:
  openssh-client-7.2_p2-r0:
    breaks: world[openssh-client=7.1_p2-r0]
The command '/bin/sh -c apk add --update $PACKAGES && rm -rf /var/cache/apk/*' returned a non-zero code: 1

@saliceti could you look at this and address the comments. I'm 👍 for upgrading

[mtekel]

There is some indication that 0.6.13 might fix the "flapping" NAT gateway route table updates, see latest comments in hashicorp/terraform#4097 (comment) and our story Fix issue with Terraform always updating routing tables for better description of the issue.

[saliceti]

The build issue was due to the git-ssh container. It depends on openssh-client package, but the version it relies upon was removed from the index. Bumping the version fixes the build.

It questions wether we should pin versions at all as it looks like Alpine doesn't keep previous versions.

[saliceti]

Comments addressed