terraform-provider-bigip
shared datagroup is replaced vs the entries tracked in the terraform plan being changed
We have shared datagroups that are used for redirection and pool mapping. Person 1 might manually add an entry to datagroup test:

    z.abc.com pool0

Person 2 might do a terraform of:

    resource "bigip_ltm_datagroup" "datagroup" {
      name = "/Common/test"
      type = "string"

      record {
        name = "a.abc.com"
        data = "pool1"
      }

      record {
        name = "b.abc.com"
        data = "pool2"
      }
    }

Instead of just adding the items and getting a result of:

    z.abc.com pool0
    a.abc.com pool1
    b.abc.com pool2

We get:

    a.abc.com pool1
    b.abc.com pool2
Also, if other people deploy their own terraform template with other entries, the last one deployed is the result.
There are two main issues with what you describe:
- Resources managed by Terraform shouldn't be modified manually on the managed device. Since Terraform is not aware of the 3rd record you/someone else added manually, it will get removed, since it will show up as a change when Terraform calculates the diff.
- You can't manage the same device resource from multiple Terraform configurations/resources. That makes no sense and will indeed override the device config based on the last executed command.

The above goes against standard IaC principles. You should ensure that all your configuration is properly described in your code, as well as manage the configuration in a central and unified way.
I am new to terraform and thought this might be the viewpoint. If you have other ways that this might be done, please let me know.
I thought I would ask, because there are cases where different parts of a single configuration might be owned by multiple groups in a large organization. Centralizing of all configurations is not always easy, as it would require redoing the structure and process of the organization. After I wrote it, I was thinking what I wrote was kind of stupid. Infrastructure as code would not have anyone manually editing it. However, I do have multiple groups that need to add entries to the datagroup. I only wanted them to be able to update their stuff via the terraform template.
I was thinking afterwards it would be better to look at the configuration more like each item within a datagroup as an individual resource. Similar to what you have done with nodes in a pool. The pool is one resource that is separate from the nodes attached.
Is there a way that I could run each group's individual tf files to combine all of their items into the single datagroup?
Something like this, for instance, where the item is separate from the datagroup and each group could have their own entries that they maintain in their own files:

    resource "bigip_ltm_datagroup_item" "itema" {
      datagroup = "/Common/test"
      name      = "a.abc.com"
      data      = "pool1"
    }

    resource "bigip_ltm_datagroup_item" "itemb" {
      datagroup = "/Common/test"
      name      = "b.abc.com"
      data      = "pool2"
    }
On Sat, Jul 27, 2019 at 9:18 AM Danny Kulchinsky [email protected] wrote:
> There are two main issues with what you describe:
> 1. resources managed by Terraform shouldn't be modified manually on the managed device, since terraform is not aware of the 3rd record you/someone else added manually it will get removed since it will show up as a change when Terraform calculates the diff.
> 2. you can't manage the same device resource from multiple terraform configuration/resources, that makes no sense and will indeed override the device config based on the last time executed command.
>
> Above goes against standard IaC principles, you should ensure that all your configuration is properly described in your code, as well as manage the configuration in a central and unified way.
> I am new to terraform and thought this might be the viewpoint. If you have other ways that this might be done, please let me know. I thought I would ask, because there are cases where different parts of a single configuration might be owned by multiple groups in a large organization. Centralizing of all configurations is not always easy, as it would require redoing the structure and process of the organization.
No doubt, this is a challenge, but in order to effectively use either IaC or a CM tool, synchronisation across all involved teams and proper change/review process is a must, otherwise you're just going to hit even more issues down the line.
We have a complex organization as well, numerous datacenters worldwide with different environments in different stages (pre, prod, test, dev, etc...). Building a configuration structure in a centralised Git repository for all the Terraform configuration (and modules), reusing code and building a review/approval process was key to making this technology work for us. You should check https://www.runatlantis.io/, it's a great tool to enable collaboration and having a unified pipeline for deployment changes.
> After I wrote it, I was thinking what I wrote was kind of stupid. Infrastructure as code would not have anyone manually editing it. However, I do have multiple groups that need to add entries to the datagroup. I only wanted them to be able to update their stuff via the terraform template. I was thinking afterwards it would be better to look at the configuration more like each item within a datagroup as an individual resource. Similar to what you have done with nodes in a pool. The pool is one resource that is separate from the nodes attached. Is there a way that I could run each group's individual tf files to combine all of their items into the single datagroup? Something like this, for instance, where the item is separate from the datagroup and each group could have their own entries that they maintain in their own files:
>
>     resource "bigip_ltm_datagroup_item" "itema" {
>       datagroup = "/Common/test"
>       name      = "a.abc.com"
>       data      = "pool1"
>     }
>
>     resource "bigip_ltm_datagroup_item" "itemb" {
>       datagroup = "/Common/test"
>       name      = "b.abc.com"
>       data      = "pool2"
>     }
A datagroup is a resource with records as sub-resources. Decoupling them doesn't seem likely, since in order to update the datagroup you will need to merge all the records that will be in separate resources. The pool attachment is an intermediary resource since this is how BigIP handles things internally, so the Terraform implementation mimics that. However, this is not the case for the datagroup records - the schema here is quite different.
We have several datagroup records that different teams collaborate on introducing changes to their respective records; through a review process and version control of the configuration this is really not an issue.
If it is, you should look into breaking the datagroups you use into multiple resources and have each team manage their own, otherwise it's a recipe for a downtime...
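One way to apply the advice above, as an added example that is not part of the thread or the provider's own documentation: each team keeps only its own map of records, and a single `bigip_ltm_datagroup` resource in the shared repository is the sole owner of `/Common/test`. The local names and the two-team split are assumptions; `dynamic` blocks need Terraform 0.12 or later and `precondition` needs 1.2 or later.

```hcl
# Added example. Local names and the team split are hypothetical.
locals {
  # Each team edits only its own map (record name => pool), ideally in its
  # own file in the shared repository so review ownership is clear.
  team_a_records = {
    "a.abc.com" = "pool1"
    "b.abc.com" = "pool2"
  }

  team_b_records = {
    "z.abc.com" = "pool0"
  }

  # merge() keeps the last value when two maps share a key, which would
  # reproduce the "last one deployed wins" problem inside one configuration.
  # The precondition below turns that silent override into a plan error.
  all_records = merge(local.team_a_records, local.team_b_records)
  declared    = length(local.team_a_records) + length(local.team_b_records)
}

resource "bigip_ltm_datagroup" "datagroup" {
  name = "/Common/test"
  type = "string"

  # One record block per merged entry, using the same name/data schema as
  # the hand-written record blocks in the original configuration.
  dynamic "record" {
    for_each = local.all_records
    content {
      name = record.key
      data = record.value
    }
  }

  lifecycle {
    precondition {
      condition     = length(local.all_records) == local.declared
      error_message = "Two teams declared the same datagroup record name."
    }
  }
}
```

Because this resource still owns the whole datagroup, a record added by hand on the device will appear as a removal in the next plan, so reviewing the plan output before apply is what catches out-of-band changes.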
Hi, closing this request now. Please re-open if required or send an email to [email protected]. Thanks!