Issues with Terraform Moved block forcing replacement

Terraform
1

Hi All,

I am trying to move some existing resource to another module within Terraform code. I currently have some Azure machines that have been deployed via an old local module named ‘newvm’:

module "newvm" {
  for_each                      = local.myvms.vms
  source                        = "./modules/new-virtualmachine"
  ...more code
}

I now have a newer version of that module published to the Terraform Private Registry (HCL Cloud).

I have edited my code to use the new module with a similar (but different) name:

module "vm" {
  source  = "app.terraform.io/xxx"
  ...more code
}

I’ve added a moved block to try to change the TF state over:

moved {
  from = module.newvm
  to   = module.vm
}

When running a tf plan, it wants to recreate the VM’s due to a change to admin_password which is forcing a replacement.

~ admin_password : Sensitive value Forces replacement

admin_password is set using a random_string resource, which uses exactly the same settings as the previous version of the module:

resource "random_string" "this" {
  count       = var.config.os_type == "Windows" ? 1 : 0
  length      = 12
  lower       = true
  numeric     = true
  special     = true
  upper       = true
  min_lower   = 1
  min_numeric = 1
  min_special = 1
  min_upper   = 1
}

Am I doing something wrong here? I am assuming this is due to the password being a sensitive string, however I would have expected Terraform to still just be able to change the reference in it’s state data without wanting to recreate the VM?

Any help is appreciated,

Thanks.

2

Hi @gary.kirton,

Are there any other changes indicated in the plan?
Where is the random_string resource? How does it connect to the configuration of the VM?

It would probably be more clear what’s going on if you made the changes one at a time. First move the module and update any references, which should produce no changes since you are only refactoring existing configuration. Then go ahead and upgrade the module. This way you can tell the difference between mistakes you may have made in refactoring, vs mistakes in configuring the new module version.

3

Hi @jbardin,

There are other changes indicated in the plan, but they all stem from the password change, for example we save passwords as a key vault secret therefore that secret wants to be deleted and re-created. Our secrets expire after x amount of time so a new time_offset_secret_expiration object wants to be created. I use the domain_join extension so this wants to be removed / reinstalled since the VM wants to be rebuilt and so on.

In terms of changes in the module, they are all insignificant really; it’s more of a centralisation / management change that I am trying to do. The module is published and used elsewhere so making module changes will have further impacts.

The random_string resource is defined as shown above in my main.tf. It is then used as shown below:

resource "azurerm_windows_virtual_machine" "this" {
  admin_password = random_string.this.result
}

In terms of the amount of changes, the admin password is the only one I am trying to get working right now. Once tf can accept the existing value I can move on to getting the other changes working!.

4

Unfortunately without the plan output and/or a more complete example I really can’t tell what is going on. I would start by eliminating variables between the changes you are making, and that you can get an empty plan between each step. Make sure Terraform is up to date and you have not changed any provider versions; then move the module name in the configuration and apply the result; then update the module.