Ignore AMI updates on etcd/master nodes, and disallow destroying etcd…

… nodes resource Currently if a new version of CoreOS comes out on a user's configured channel after they've already deployed, and they re-run terraform apply, Terraform will detect the new AMI, and when reconciling desired state, it will attempt to destroy existing nodes to update the AMI. In order to avoid this, I added a prevent_destroy hook to the etcd nodes resource. I also added a ignore_changes to both the etcd node resource, and the master launch configuration resource, to avoid updating masters/etcd nodes if the AMI changes. Longer term, I would expect the Container Linux Update Operator, or a terraform operator could resolve this, but this seems like a reasonable change to prevent accidental destruction of a cluster.
coreos · Apr 25, 2017 · a40b4b4 · a40b4b4
1 parent cbe1d2c
commit a40b4b4
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/modules/aws/etcd/nodes.tf b/modules/aws/etcd/nodes.tf
@@ -32,6 +32,11 @@ resource "aws_instance" "etcd_node" {
   user_data              = "${ignition_config.etcd.*.rendered[count.index]}"
   vpc_security_group_ids = ["${var.sg_ids}"]
 
+  lifecycle {
+    prevent_destroy = true
+    ignore_changes = ["ami"]
+  }
+
   tags = "${merge(map(
       "Name", "${var.cluster_name}-etcd-${count.index}",
       "KubernetesCluster", "${var.cluster_name}"

diff --git a/modules/aws/master-asg/master.tf b/modules/aws/master-asg/master.tf
@@ -61,8 +61,10 @@ resource "aws_launch_configuration" "master_conf" {
   associate_public_ip_address = "${var.public_vpc}"
   user_data                   = "${var.user_data}"
 
+
   lifecycle {
     create_before_destroy = true
+    ignore_changes = ["image_id"]
   }
 
   root_block_device {