Wednesday, April 27, 2022

Terraform - google_redis_instance with auth_enabled is true

The google_redis_instance documentation says this:

auth_enabled - (Optional) Optional. Indicates whether OSS Redis AUTH is enabled for the instance.
If set to "true" AUTH is enabled on the instance. Default value is "false" meaning AUTH is disabled.

auth_string - (Optional) AUTH String set on the instance. This field will only be populated if auth_enabled is true.

Redis is only safe with AUTH turned on, so naturally it gets configured like this:

resource "google_redis_instance" "this" {
  ...
  auth_enabled = true
  auth_string  = "023dbce5e060641d09218027704ca4b3"
  ...
}

Then terraform apply to turn AUTH on...

Error: Value for unconfigurable attribute

  with module.redis.module.redis-general.google_redis_instance.this, on modules/redis/main.tf line 24, in resource
  "google_redis_instance" "this":
  24:   auth_string  = "023dbce5e060641d09218027704ca4b3"

Can't configure a value for "auth_string": its value will be decided automatically based on the result of applying
this configuration.

So that means it gets generated automatically? Remove the auth_string setting, terraform apply first, then terraform show to look at what auth_string contains...

# module.redis.module.redis-general.google_redis_instance.this:
resource "google_redis_instance" "this" {
    alternative_location_id  = "us-west1-c"
    auth_enabled             = true
    auth_string              = (sensitive value)
    ...

It's hidden... oroz

After some searching: it only shows up with terraform show -json, which prints one very, very long line of JSON, so pipe it through jq as well: terraform show -json | jq .

"resources": [
  {
    "address": "module.redis.module.redis-general.google_redis_instance.this",
    "mode": "managed",
    "type": "google_redis_instance",
    "name": "this",
    "provider_name": "registry.terraform.io/hashicorp/google",
    "schema_version": 0,
    "values": {
      "alternative_location_id": "us-west1-c",
      "auth_enabled": true,
      "auth_string": "ded6f8e9-5c32-4ebb-b0fb-086a444baa7f",
      ...
    }
  }

And there it finally is, in the section above~
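Rather than scrolling through the jq output, a small script can do the same lookup. This Python example is added here and is not from the original post: it walks the values.root_module tree of a terraform show -json dump (module resources sit under nested child_modules), reports which google_redis_instance resources have AUTH enabled, and fetches the auth_string for one address without echoing it. The sample state and its auth_string are constructed placeholders.

```python
import json
import sys

# Constructed sample of `terraform show -json` output (values.root_module tree).
# Module resources live under nested child_modules; the auth_string is a placeholder.
SAMPLE_STATE = {"format_version": "1.0", "values": {"root_module": {"resources": [], "child_modules": [
    {"address": "module.redis", "child_modules": [
        {"address": "module.redis.module.redis-general", "resources": [
            {"address": "module.redis.module.redis-general.google_redis_instance.this",
             "mode": "managed", "type": "google_redis_instance", "name": "this",
             "values": {"alternative_location_id": "us-west1-c", "auth_enabled": True,
                        "auth_string": "PLACEHOLDER-AUTH-STRING"}}]}]},
    {"address": "module.cache", "resources": [
        {"address": "module.cache.google_redis_instance.legacy", "mode": "managed",
         "type": "google_redis_instance", "name": "legacy",
         "values": {"auth_enabled": False, "auth_string": ""}}]}]}}}


def walk_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def redis_auth_report(state):
    """Map each google_redis_instance address to whether AUTH is enabled."""
    root = state["values"]["root_module"]
    return {r["address"]: bool(r["values"].get("auth_enabled"))
            for r in walk_resources(root) if r["type"] == "google_redis_instance"}


def auth_string_for(state, address):
    """Return the auto-generated auth_string for one instance, or None if AUTH is off."""
    for r in walk_resources(state["values"]["root_module"]):
        if r["address"] == address and r["values"].get("auth_enabled"):
            return r["values"].get("auth_string") or None
    return None


if __name__ == "__main__":
    # Reads a real `terraform show -json` dump from stdin, else falls back to the sample.
    state = SAMPLE_STATE if sys.stdin.isatty() else json.load(sys.stdin)
    for addr, enabled in redis_auth_report(state).items():
        # Print only the status; the secret itself never goes to the terminal.
        print(f"{addr}: AUTH {'enabled' if enabled else 'DISABLED'}")
```

Run it as terraform show -json | python3 redis_auth.py; a deploy script can call auth_string_for() to hand the secret to the client instead of pasting it from the screen.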

Monday, April 25, 2022

Terraform - provider google version upgrade

This started because the google_redis_instance resource needed the replica feature...

According to the CHANGELOG, provider google must be version 4.17.0 or later. (The latest at this point was v4.18.0.)

versions.tf originally pinned a single version like this:

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "3.58.0"
    }
  }

  required_version = "~> 1.0.0"
}

So change version to ">= 4.17.0".

While at it, bump required_version to "~> 1.1.0" as well (homebrew terraform was v1.1.9 at this point).

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.17.0"
    }
  }

  required_version = "~> 1.1.0"
}

Normally, after this change, running terraform init -upgrade shows the previously installed provider google:

- Using previously-installed hashicorp/google v3.58.0

being updated...

- Installing hashicorp/google v4.18.0...
- Installed hashicorp/google v4.18.0 (signed by HashiCorp)

and every terraform init after that shows v4.18.0:

- Using previously-installed hashicorp/google v4.18.0

And because the provider crossed a major version, the state file format changed, so terraform refresh has to be run once more to bring the state up to date.


But in reality...

Initializing provider plugins...
- Finding hashicorp/google versions matching ">= 2.12.0, >= 3.45.0, < 4.0.0, >= 4.17.0"...

and terraform init -upgrade could not find any version that satisfied all of those constraints.

It turned out that one resource had version = "~> 3.0" set, which is where the mysterious extra < 4.0.0 constraint above came from, and it was blocking the upgrade. Changing that to version = "~> 4.0" so it upgrades along with the rest, the version constraints in terraform init -upgrade became:

Initializing provider plugins...
- Finding hashicorp/google-beta versions matching ">= 3.45.0, < 5.0.0"...

and a usable version (v4.18.0) was found and installed.