Hello,
I need some help to figure out why does terraform show changes (ie parameters are replaced by something “known after apply”).
The main source of data is map of maps having a list of users as attribute, affected to each projects:
projects = {
"one": {
"users": [ "john", "albert"]
},
"two":{
"users": [ "john", "frank"]
},
}
module "grafana_user" {
for_each = local.data.groups.grafana_users # this locals adds all users found as subkeys in projects
source = "git@git.local:terraform-modules/terraform-grafana-user.git"
ldap_login = each.key # it takes a username and retrieve information from ldap
}
# Each grafana_* property is a list like "users"
module "tenant_grafana_org" {
for_each = local.data.projects
source = "git@git.local:terraform-modules/terraform-grafana-org.git"
grafana_org_name = each.key
ldap_login_admins = contains(keys(each.value), "grafana_admins") ? keys(each.value.grafana_admins) : (
keys(each.value.members)
)
ldap_login_editors = contains(keys(each.value), "grafana_editors") ? keys(each.value.grafana_editors) : []
ldap_login_viewers = contains(keys(each.value), "grafana_viewers") ? keys(each.value.grafana_viewers) : []
depends_on = [
module.grafana_user
]
}
If I change the project one’s user list, I don’t expect such a change on other projects, but the plan shows changes within the second module:
# module.tenant_grafana_org["two"].data.ldap_object.ldap_admins_attributes[0] will be read during apply
# (config refers to values not yet known)
<= data "ldap_object" "ldap_admins_attributes" {
! attributes = [
--- {
--- "mail" = "john@example.com"
},
] -> (known after apply)
! attributes_json = {
--- "mail" = jsonencode(
[
--- "john@example.com",
]
)
} -> (known after apply)
--- depth = "subtree" -> null
! dn = "uid=john,ou=people,dc=example,dc=com" -> (known after apply)
! id = "-" -> (known after apply)
# (3 unchanged attributes hidden)
}
# module.tenant_grafana_org["two"].data.ldap_object.ldap_admins_attributes[1] will be read during apply
# (config refers to values not yet known)
<= data "ldap_object" "ldap_admins_attributes" {
! attributes = [
--- {
--- "mail" = "frank@example.com"
},
] -> (known after apply)
! attributes_json = {
--- "mail" = jsonencode(
[
--- "frank@example.com",
]
)
} -> (known after apply)
--- depth = "subtree" -> null
! dn = "uid=frank,ou=people,dc=example,dc=com" -> (known after apply)
! id = "-" -> (known after apply)
# (3 unchanged attributes hidden)
}
- The two modules don’t iterate over the same list of objects (because users could be in many projects and i deduplicate the list)
- Adding the dependency to the first module triggers a re-read of all projects when we remove a user from a single project in module #2
- The module #2 use a ldap data source with the logins but is not linked to the user’s list passed to #1
What could I do to avoid such plans (that does nothing in the end) who scares the project users (one change in a project triggers a change in all project) ?
Thanks