Ability to prevent taints on create errors #330
Comments
|
I'm not sure if it would work in this case, but would the ability to just return a warning and not an error solve your need? The warning lets you persist the state without a taint but still message to the users (FYI 0.12 diagnostics/warnings are not exposed directly in the SDK yet but are on our near term list to do so, see #74). |
|
I guess in this case you probably want to halt further downstream usage of computed attributes though, which a warning will not do. |
|
Exactly- a warning would be a very good solution, but not a fully comprehensive one. This FR becomes more of a nice-to-have if warnings are coming down the road, though. Looking forward to that :) |
|
Just as an FYI, we have also noticed in the OCI provider that tainting on create errors leads to other side-effects if the tainted resource no longer exists in the service. Upon a destroy, the refresh operation invalidates the resource, but then causes config validation errors if other downstream resources were dependent on the tainted resource: hashicorp/terraform#23886 |
|
After we have called A warning instead of error would be nice. Not sure if it would cover the situation where we must inform the user with a terminating error that something went wrong and that the Terraform apply shouldn't make any progress, but we still want Terraform to track the resources that may have been created (for a future destroy). |
|
@alexng-canuck the main problem as I understand it is that provisioners haven't been run and there is nowhere that information is tracked, as they are just run for create, so we'd need a mechanism to track that info to make this work without the taint I think. |
|
What is the status on this enhancement. We have a similar requirement to conditionally avoid taint on create errors. As our create operation is an asynchronous operation, it first returns the id and we poll on it with id for the status. |
When a new hostname with a certificate was created and uploading the certificate failed, the local state was invalid. The hostname was created successfully at bunny.net but it was missing from the state. This resulted in hostname already exist errors on following applies for the hostname. Change the provider to not return an error immediately when uploading a certificate fails. Following independent API operations for the same hostname are still run, the state is set according and at the end the error about the failed certificate upload is returned. This results in a correct state. The hostname resource will still be tainted by Terraform. This has the unwanted effect that also when the broken certificate section is removed and therefore the state and definition are the same the hostname resource is unnecessary recreated. This can prevented manually by the user by untainting the resource. There seems to be no good solution for this kind of issue[1]. Returning a warning instead of an error will result in a misleading success and the warning would be easy to miss. - [1]: hashicorp/terraform-plugin-sdk#330.
When a new hostname with a certificate was created and uploading the certificate failed, the local state was invalid. The hostname was created successfully at bunny.net but it was missing from the state. This resulted in hostname already exist errors on following applies for the hostname. Change the provider to not return an error immediately when uploading a certificate fails. Following independent API operations for the same hostname are still run, the state is set according and at the end the error about the failed certificate upload is returned. This results in a correct state. The hostname resource will still be tainted by Terraform. This has the unwanted effect that also when the broken certificate section is removed and therefore the state and definition are the same the hostname resource is unnecessary recreated. This can prevented manually by the user by untainting the resource. There seems to be no good solution for this kind of issue[1]. Returning a warning instead of an error will result in a misleading success and the warning would be easy to miss. - [1]: hashicorp/terraform-plugin-sdk#330.
bflad
added
the
upstream-protocol
|
Discuss reference: https://discuss.hashicorp.com/t/partial-resource-create-tainted-state/48905 |
SDK version
Use-cases
Some resources in the Google provider have multiple steps that happen on create. For example, google_project creates a project, but then it also adds a billing account to it and potentially deletes a network from the project. If the project gets created successfully but one of the other steps fails, the resource is tainted, which means retrying the apply after fixing whatever caused it to fail will destroy the project and recreate it, even though it's a perfectly good project. See terraform-google-modules/terraform-google-project-factory#373 for further discussion.
Attempted Solutions
d.SetPartialseems vaguely relevant to what we want, but it's been deprecated (and I'm not positive that it would have actually worked).Proposal
Basically anything where we, in the provider code, can tell Terraform to please not taint the resource (just like how a failed update doesn't taint it).
References
hashicorp/terraform#21652 (which was solved in a different way)
The text was updated successfully, but these errors were encountered: