Make application_host - session.enable dependent from network_domain - bastion.create

Question

Make application_host - session.enable dependent from network_domain - bastion.create

Closed this issue 3 years ago · 7 comments

In application_host/ssh.tf the resource "oci_bastion_session" "ssh" only verifies whether var.session.enable has been set to true or false.
To avoid unnecessary troubleshooting sessions it would be helpful to make sessions dependent on the existence of a bastion service. This could be either done by checking the bastion.create value or by querying for the bastion service.

Answer 1 · 2021-09-15T10:44:26.000Z

Suggestion:

Return the ID directly from the app_domain output, so you would not have to navigate inside a null value in case the bastion service has not been deployed when bastion.create is false:

output "bastion_id" {
  description = "Bastion Service OCID"
  value       = length(data.oci_bastion_bastions.domain.bastions) > 0 ? data.oci_bastion_bastions.domain.bastions[0].id : null
}

Replace the data source element in application_host/config.tf to use the plural, not the singular version:

data "oci_bastion_bastions" "hosts" {
  compartment_id    = < id of compartment of the bastion service, should be outputted from the app_domain module >
  bastion_id              = var.config.bastion_id
}

Then we can set up in application_host/ssh.tf for the count parameter:

resource "oci_bastion_session" "ssh" {
  depends_on                                   = [ oci_core_instance.instance[0] ]
  count                                        = (var.session.enable ? 1 : 0) * length(data.oci_bastion_bastions.hosts)
  bastion_id                                   = length(data.oci_bastion_bastions.hosts) > 0 ? data.oci_bastion_bastions.hosts[0].id : null
  (...)

Answer 2 · 2021-09-19T17:17:06.000Z

Please review the code, I dopted ingo's proposal with a few adjustments

Answer 3 · 2021-09-21T08:00:21.000Z

Terraform apply fails with the current error message:

The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the count depends on.
It seems that datasource elements are not allowed in the count expressions, Terraform expects to be able to know the number of instances of a resource to be built already at the plan phase, but can evaluate the datasource element only during the apply phase.

I tried with several alternatives to "hide" the data element away from count through a local variable. It always leads to the same error.

So I guess we need to evaluate a different way to detect whether a bastion host exists or not, so use some explizit Boolean variable similar to session.enable.

Answer 4 · 2021-09-21T10:06:22.000Z

I'm afraid I have to drop the second conditional to make it work. At least that is suggested here: hashicorp/terraform#26078 and here: hashicorp/terraform#22131

var.session.enable ? 1 : 0

Ingo, can you check?

Answer 5 · 2021-09-21T13:08:39.000Z

Same problem:

Error: Invalid count argument on component/application_host/ssh.tf line 6, in resource "oci_bastion_session" "ssh" 6: count =(var.session.enable?1 0) * (var.config.bastion_id != "" ?1 0) The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the count depends on.

var.config.bastion_id gets defined in application.tf line 90

bastion_id = module.app_domain.bastion.id

module.app_domain.bastion.id gets defined in component/network_domain/output.tf line 45

output "bastion" { description = "Bastion Service" value = length(data.oci_bastion_bastions.domain.bastions) > 0 ? data.oci_bastion_bastions.domain.bastions[0] : null }

So at the end: the variable gets defined from a datasources element. And it seems that datasources are not allowed to be used for the count parameter, because Terraform cannot determine in the plan phase how many instances controlled by this count parameter should be initialized. The datasource elements can only be evaluated during the apply phase.

So we need to get away to use a datasource element (direct or indirect) inside an expression for the cloud parameter.

Answer 6 · 2021-09-21T13:15:27.000Z

Yepp, came to the same conclusion - dropped the line entirely and running the tests right now

Answer 7 · 2021-09-21T13:23:06.000Z

I'm afraid verifying the bastion existence directly in the statement that creates the session is not working. There is an indirect check returning the ID though.
' bastion_id = length(data.oci_bastion_bastions.host.bastions) > 0 ? data.oci_bastion_bastions.host.bastions[0].id : null'
@calorbeer can you check whether this addresses the troubleshooting requirement sufficiently?