It's me.
AWS SSM is handy, isn't it.
Now that AWS CDK, the wrapper around CloudFormation, has been released, I keep thinking we could just use that instead,
but we are going to keep using Terraform for a while yet, because the learning curve is low and it supports a wide range of providers.
This is a tip for people in that camp.

"new resource required" even though neither the order nor the values of task_parameters were changed

When you register an AWS SSM Maintenance Window Task with Terraform, something slightly annoying can happen.
Probably the receiving API doesn't care about ordering, probably...
I didn't touch anything, and yet...
```
-/+ aws_ssm_maintenance_window_task.task-group01 (new resource required)
      id: "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" => <computed> (forces new resource)
      logging_info.#: "1" => "1"
      logging_info.0.s3_bucket_name: "XXX" => "XXX"
      logging_info.0.s3_bucket_prefix: "AWS-GatherSoftwareInventory" => "AWS-GatherSoftwareInventory"
      logging_info.0.s3_region: "XXX" => "XXX"
      max_concurrency: "300" => "300"
      max_errors: "10" => "10"
      priority: "1" => "1"
      service_role_arn: "arn:aws:iam::XXXXXXXXXXX:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM" => "arn:aws:iam::XXXXXXXXXXX:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM"
      targets.#: "1" => "1"
      targets.0.key: "InstanceIds" => "InstanceIds"
      targets.0.values.#: "6" => "6"
      targets.0.values.0: "i-123456789ABCDEF" => "i-123456789ABCDEF"
      task_arn: "AWS-GatherSoftwareInventory" => "AWS-GatherSoftwareInventory"
      task_parameters.#: "8" => "8"
      task_parameters.0.name: "Windows Updates" => "Applications" (forces new resource)
      task_parameters.0.values.#: "1" => "1"
      task_parameters.0.values.0: "Enabled" => "Enabled"
      task_parameters.1.name: "Applications" => "Aws Components" (forces new resource)
      task_parameters.1.values.#: "1" => "1"
      task_parameters.1.values.0: "Enabled" => "Enabled"
      task_parameters.2.name: "Aws Components" => "Network Config" (forces new resource)
      task_parameters.2.values.#: "1" => "1"
      task_parameters.2.values.0: "Enabled" => "Enabled"
      task_parameters.3.name: "Custom Inventory" => "Windows Updates" (forces new resource)
      task_parameters.3.values.#: "1" => "1"
      task_parameters.3.values.0: "Enabled" => "Enabled"
      task_parameters.4.name: "Instance Detailed Information" => "Instance Detailed Information"
      task_parameters.4.values.#: "1" => "1"
      task_parameters.4.values.0: "Enabled" => "Enabled"
      task_parameters.5.name: "Network Config" => "Services" (forces new resource)
      task_parameters.5.values.#: "1" => "1"
      task_parameters.5.values.0: "Enabled" => "Enabled"
      task_parameters.6.name: "Services" => "Windows Roles" (forces new resource)
      task_parameters.6.values.#: "1" => "1"
      task_parameters.6.values.0: "Enabled" => "Enabled"
      task_parameters.7.name: "Windows Roles" => "Custom Inventory" (forces new resource)
      task_parameters.7.values.#: "1" => "1"
      task_parameters.7.values.0: "Enabled" => "Enabled"
      task_type: "RUN_COMMAND" => "RUN_COMMAND"
      window_id: "mw-1234567890" => "mw-123456789011"
```
ignore_changes in the Terraform resource lifecycle

Set a lifecycle block on the fussy aws_ssm_maintenance_window_task.
This stops Terraform from rewriting the resource even when it detects a change in task_parameters.
Note: with this in place, editing task_parameters individually will not be picked up by apply either.
```hcl
resource "aws_ssm_maintenance_window_task" "task-group01" {
  window_id        = "${aws_ssm_maintenance_window.task-group01.id}"
  task_type        = "RUN_COMMAND"
  task_arn         = "AWS-GatherSoftwareInventory"
  priority         = 1
  service_role_arn = "arn:aws:iam::XXXXXXXXXXXX:role/aws-service-role/ssm.amazonaws.com/AWSServiceRoleForAmazonSSM"
  max_concurrency  = "300"
  max_errors       = "10"

  targets {
    key = "InstanceIds"
    values = [
      "${aws_instance.svsv1.id}",
    ]
  }

  task_parameters {
    name   = "Applications"
    values = ["Enabled"]
  }
  task_parameters {
    name   = "Aws Components"
    values = ["Enabled"]
  }
  task_parameters {
    name   = "Network Config"
    values = ["Enabled"]
  }
  task_parameters {
    name   = "Windows Updates"
    values = ["Enabled"]
  }
  task_parameters {
    name   = "Instance Detailed Information"
    values = ["Enabled"]
  }
  task_parameters {
    name   = "Services"
    values = ["Enabled"]
  }
  task_parameters {
    name   = "Windows Roles"
    values = ["Enabled"]
  }
  task_parameters {
    name   = "Custom Inventory"
    values = ["Enabled"]
  }

  logging_info {
    s3_bucket_name   = "${aws_s3_bucket.XXX.id}"
    s3_region        = "${aws_s3_bucket.XXX.region}"
    s3_bucket_prefix = "AWS-GatherSoftwareInventory"
  }

  # The API returns task_parameters in a different order than written here,
  # so ignore diffs on that attribute instead of recreating the task every plan.
  # Real edits to task_parameters will also be ignored from now on.
  lifecycle {
    ignore_changes = ["task_parameters"]
  }
}
```
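Before reaching for ignore_changes it is worth confirming that the forced replacement really is only a reorder, and once ignore_changes is in place the same comparison is the only thing that will tell you whether someone has changed the task's parameters outside Terraform. The script below is an added example written for this post; it is not code from the post or from the Terraform AWS provider. It parses the task_parameters lines of a Terraform 0.11 plan, rebuilds old and new as name-to-values maps so that position no longer matters, and reports either "reorder-only" or the concrete differences. The plan text is constructed, modelled on the output shown above; the second sample flips one value to show what a real change looks like.

```python
"""Tell a reorder-only task_parameters diff apart from a real change.

Added example (not from the post or the AWS provider).  The plan text is
constructed from the plan output shown in the post.
"""
import re
from collections import defaultdict

# Constructed sample: the same eight parameters, API order vs. HCL order.
PLAN_REORDER = """\
task_parameters.#: "8" => "8"
task_parameters.0.name: "Windows Updates" => "Applications" (forces new resource)
task_parameters.0.values.#: "1" => "1"
task_parameters.0.values.0: "Enabled" => "Enabled"
task_parameters.1.name: "Applications" => "Aws Components" (forces new resource)
task_parameters.1.values.#: "1" => "1"
task_parameters.1.values.0: "Enabled" => "Enabled"
task_parameters.2.name: "Aws Components" => "Network Config" (forces new resource)
task_parameters.2.values.#: "1" => "1"
task_parameters.2.values.0: "Enabled" => "Enabled"
task_parameters.3.name: "Custom Inventory" => "Windows Updates" (forces new resource)
task_parameters.3.values.#: "1" => "1"
task_parameters.3.values.0: "Enabled" => "Enabled"
task_parameters.4.name: "Instance Detailed Information" => "Instance Detailed Information"
task_parameters.4.values.#: "1" => "1"
task_parameters.4.values.0: "Enabled" => "Enabled"
task_parameters.5.name: "Network Config" => "Services" (forces new resource)
task_parameters.5.values.#: "1" => "1"
task_parameters.5.values.0: "Enabled" => "Enabled"
task_parameters.6.name: "Services" => "Windows Roles" (forces new resource)
task_parameters.6.values.#: "1" => "1"
task_parameters.6.values.0: "Enabled" => "Enabled"
task_parameters.7.name: "Windows Roles" => "Custom Inventory" (forces new resource)
task_parameters.7.values.#: "1" => "1"
task_parameters.7.values.0: "Enabled" => "Enabled"
"""

# Constructed sample: same reorder, but "Windows Updates" is now "Disabled".
# With ignore_changes set, Terraform would never report this.
PLAN_REAL_CHANGE = PLAN_REORDER.replace(
    'task_parameters.3.values.0: "Enabled" => "Enabled"',
    'task_parameters.3.values.0: "Enabled" => "Disabled"',
)

# Matches `task_parameters.<i>.name: "old" => "new"` and
# `task_parameters.<i>.values.<j>: "old" => "new"`; count lines (`.#`) are skipped.
LINE_RE = re.compile(
    r'^\s*task_parameters\.(\d+)\.(name|values\.(\d+)):\s*"([^"]*)"\s*=>\s*"([^"]*)"'
)


def parse_task_parameters(plan_text):
    """Return (old, new): each maps parameter name -> tuple of its values."""
    names_old, names_new = {}, {}
    vals_old, vals_new = defaultdict(dict), defaultdict(dict)
    for line in plan_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idx, field, vidx, old, new = m.groups()
        idx = int(idx)
        if field == "name":
            names_old[idx], names_new[idx] = old, new
        else:
            vals_old[idx][int(vidx)] = old
            vals_new[idx][int(vidx)] = new

    def build(names, vals):
        # Key by name, not by list position, so ordering differences vanish.
        return {names[i]: tuple(vals[i][k] for k in sorted(vals[i])) for i in names}

    return build(names_old, vals_old), build(names_new, vals_new)


def classify(plan_text):
    """Return ("reorder-only", []) or ("real-change", [descriptions])."""
    old, new = parse_task_parameters(plan_text)
    if old == new:
        return ("reorder-only", [])
    changes = []
    for name in sorted(set(old) | set(new)):
        if name not in new:
            changes.append(f"removed {name}")
        elif name not in old:
            changes.append(f"added {name}")
        elif old[name] != new[name]:
            changes.append(f"{name}: {list(old[name])} -> {list(new[name])}")
    return ("real-change", changes)


if __name__ == "__main__":
    for label, plan in (("reorder", PLAN_REORDER), ("real", PLAN_REAL_CHANGE)):
        kind, changes = classify(plan)
        print(label, kind, changes)
```

The same name-keyed comparison works for drift checks after ignore_changes is set: feed it the parameters your HCL declares on one side and the parameters the SSM API currently reports for the task on the other, and anything other than "reorder-only" is a change Terraform is now deliberately blind to.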
Enjoy a quiet Terraform life!
The end