Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] elasticstack_fleet_output produces inconsistent result after 0.11.8 upgrade #836

Open
mag-mkorn opened this issue Oct 9, 2024 · 9 comments
Labels
bug Something isn't working fleet-improvements
Milestone

Comments

@mag-mkorn
Copy link

Describe the bug
After upgrading the provider from 0.11.7 to 0.11.8 the provider plans to perform an in-place update to a pre-existing elasticstack_fleet_output-resource and ultimately fails.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # elasticstack_fleet_output.<redacted> will be updated in-place
  ~ resource "elasticstack_fleet_output" "cribl" {
        id                     = "<redacted>"
        name                   = "<redacted>"
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
elasticstack_fleet_output.cribl: Modifying... [id=<redacted>]

Error: Provider produced inconsistent result after apply

When applying changes to elasticstack_fleet_output.<redacted>, provider
"provider[\"registry.terraform.io/elastic/elasticstack\"]" produced an
unexpected new value: .ca_trusted_fingerprint: was null, but now
cty.StringVal("").

This is a bug in the provider, which should be reported in the provider's own
issue tracker.
Error: Terraform exited with code 1.
Error: Process completed with exit code 1.

To Reproduce
Resource config:

resource "elasticstack_fleet_output" "<redacted>" {
  name = "<redacted>"
  type = "elasticsearch"
  config_yaml = yamlencode({
    "ssl.verification_mode" : "full",
    "ssl.certificate_authorities" : <<EOF
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
EOF
  })
  default_integrations = true
  default_monitoring   = true
  hosts                = [var.<redacted>]
}

Expected behavior
Don't perform any changes without showing the reason for the change. Don't fail on comparing null values to empty strings.

Debug output
Currently not possible to provide, as TF is executed as CI Pipeline with not easily accessible secrets.

Versions (please complete the following information):

  • OS: [e.g. Linux]
  • Terraform Version tag "latest" on GHA hashicorp/setup-terraform@v2
  • Provider version 0.11.8
  • Elasticsearch Version 8.15.2
@mag-mkorn mag-mkorn added the bug Something isn't working label Oct 9, 2024
@daemitus
Copy link
Contributor

Since I authored it, figured I would take a stab at this. Did you continue to have the error afterwards, or was it only transient during the upgrade?

fwiw, I can't replicate this with the following:

terraform {
  required_version = "1.8.2"
  required_providers {
    elasticstack = {
      source  = "elastic/elasticstack"
      // version = "= 0.11.7"
      version = "= 0.11.8"
    }
  }
}

provider "elasticstack" {
  elasticsearch {
    username  = "elastic"
    password  = "password"
    endpoints = ["http://localhost:9200"]
    insecure  = true
  }
  kibana {
    username  = "elastic"
    password  = "password"
    endpoints = ["http://localhost:5601"]
    insecure  = true
  }
  fleet {}
}

resource "elasticstack_fleet_output" "test" {
  name = "test"
  type = "elasticsearch"
  config_yaml = yamlencode({
    "ssl.verification_mode"       = "full",
    "ssl.certificate_authorities" = <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
  })
  default_integrations = true
  default_monitoring   = true
  hosts                = ["http://localhost:9200"]
}

@MichalMarchewka
Copy link

MichalMarchewka commented Oct 10, 2024

I confirm this bug in "0.11.8" version.

resource "elasticstack_fleet_integration_policy" "pfsense_routers_lan" {
    name                = "pfSense- routers lan"
    namespace           = "default"
    description         = "pfSense integrations for routers in lan network"
    agent_policy_id     = elasticstack_fleet_agent_policy.routers_lan.policy_id
    integration_name    = elasticstack_fleet_integration.pfsense.name
    integration_version = elasticstack_fleet_integration.pfsense.version
    input {
        input_id = "pfsense-udp"
        enabled = true
        streams_json = jsonencode({
            "pfsense.log" : {
                "ennabled" : true,
                "vars" : {
                    "syslog_host": "localhost",
                    "syslog_port": 9001,
                    "internal_networks": [
                    "private"
                    ],
                    "tz_offset": "local",
                    "tags": [
                    "pfsense",
                    "forwarded"
                    ],
                    "preserve_original_event": false,
                    "udp_options": "#read_buffer: 100MiB\n#max_message_size: 50KiB\n#timeout: 300s\n"
                }
            }
        })
    }
    input {
        input_id = "pfsense-tcp"
        enabled = false
        streams_json = jsonencode({
            "pfsense.log": {
                "enabled": false,
                "vars": {
                    "syslog_host": "localhost",
                    "syslog_port": 9001,
                    "internal_networks": [
                    "private"
                    ],
                    "tz_offset": "local",
                    "tags": [
                    "pfsense",
                    "forwarded"
                    ],
                    "preserve_original_event": false
                }
            }
        })
    }
}
Plan: 1 to add, 0 to change, 0 to destroy.
elasticstack_fleet_integration_policy.pfsense_routers_lan: Creating...

 Error: Provider produced inconsistent result after apply

 When applying changes to elasticstack_fleet_integration_policy.pfsense_routers_lan, provider "provider[\"registry.terraform.io/elastic/elasticstack\"]" produced an unexpected new value: .input[0].streams_json:  inconsistent values for sensitive attribute.

 This is a bug in the provider, which should be reported in the provider's own issue tracker.

Successful in 0.11.7

@mag-mkorn
Copy link
Author

Since I authored it, figured I would take a stab at this. Did you continue to have the error afterwards, or was it only transient during the upgrade?

fwiw, I can't replicate this with the following:

terraform {
  required_version = "1.8.2"
  required_providers {
    elasticstack = {
      source  = "elastic/elasticstack"
      // version = "= 0.11.7"
      version = "= 0.11.8"
    }
  }
}

provider "elasticstack" {
  elasticsearch {
    username  = "elastic"
    password  = "password"
    endpoints = ["http://localhost:9200"]
    insecure  = true
  }
  kibana {
    username  = "elastic"
    password  = "password"
    endpoints = ["http://localhost:5601"]
    insecure  = true
  }
  fleet {}
}

resource "elasticstack_fleet_output" "test" {
  name = "test"
  type = "elasticsearch"
  config_yaml = yamlencode({
    "ssl.verification_mode"       = "full",
    "ssl.certificate_authorities" = <<EOF
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
EOF
  })
  default_integrations = true
  default_monitoring   = true
  hosts                = ["http://localhost:9200"]
}

The error remained until I added ca_trusted_fingerprint = "" as a workaround.

@tobio
Copy link
Member

tobio commented Oct 14, 2024

@MichalMarchewka looking into your configuration you have "ennabled" : true, in the UDP input. Fixing up the typo (i.e "enabled": true) fixes the error. This is a tricky one to improve in the provider at the moment since Fleet is simply ignoring the unknown key.

@tobio
Copy link
Member

tobio commented Oct 14, 2024

@mag-mkorn I'm also not able to reproduce this and have tried a few permutations around the 0.11.8 upgrade path.

Are you able to reproduce this in a test setup where you're able to get debug logs?

Elasticsearch Version 8.15.2

Just checking this is accurate?

@mag-mkorn
Copy link
Author

@mag-mkorn I'm also not able to reproduce this and have tried a few permutations around the 0.11.8 upgrade path.

Are you able to reproduce this in a test setup where you're able to get debug logs?

Elasticsearch Version 8.15.2

Just checking this is accurate?

Hi tobio,

i tried to reproduce the error on a fresh deployment. First, I didn't get the error as well. But after opening the Output Settings on the UI and clicking save, the error occurs.

So apparently saving in the UI adds the empty string variable that leads to the error.

@daemitus
Copy link
Contributor

daemitus commented Oct 24, 2024 via email

@tobio
Copy link
Member

tobio commented Nov 27, 2024

Duplcated by #931

@tobio
Copy link
Member

tobio commented Nov 27, 2024

From the dupe:

Describe the bug

Updating elasticstack_fleet_output seems to break with the following error:

elasticstack_fleet_output.elasticsearch_output: Modifying... [id=8f6b6c2a-1d63-4acd-bb2d-ea653dd53168]
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to elasticstack_fleet_output.elasticsearch_output, provider "provider["registry.terraform.io/elastic/elasticstack"]" produced
│ an unexpected new value: .ca_trusted_fingerprint: was null, but now cty.StringVal("").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

To Reproduce
Steps to reproduce the behavior:

update hosts array with a new entry

resource "elasticstack_fleet_output" "elasticsearch_output" {
name = "elasticsearch"
type = "elasticsearch"
config_yaml = yamlencode({})
default_integrations = true
default_monitoring = true
hosts = [
"https://${data.terraform_remote_state.eck_elasticsearch.outputs.elasticsearch_name}-es-http.elastic-system.svc:9200",
"https://elasticsearch.acme.test.com:443" # added
]
depends_on = [
helm_release.fleet_server
]
}

Expected behavior

Expect for the fleet_output to be updated

Debug output
Run terraform command with TF_LOG=trace and provide extended information on TF operations. Please ensure you redact any base64 encoded credentials from your output.
eg

[DEBUG] provider.terraform-provider-elasticstack_v0.11.0: Authorization: Basic xxxxx==

Screenshots

Image

Versions (please complete the following information):

OS: [e.g. Linux]: Ubuntu
Terraform Version [e.g. 1.0.0]
Provider version [e.g. v0.1.0]: v0.11.11
Elasticsearch Version [e.g. 7.16.0]: 8.16.1

Additional context

I updated the fleet server from 8.15.4 to 8.16.1 at the same time

@Kushmaro Kushmaro added this to the 0.14.0 milestone Jan 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working fleet-improvements
Projects
None yet
Development

No branches or pull requests

5 participants