Cycle introduced w/ create_before_destroy

[gposton]

I get the following error when using 'create_before_destroy'

1 error(s) occurred:

* Cycle: aws_launch_configuration.consul_asg_conf (destroy), aws_launch_configuration.consul_asg_conf, aws_autoscaling_group.consul_asg, aws_autoscaling_group.consul_asg (destroy)

Removing the create_before_destroy lifecycle from the asg resolves the issue.

Here is my template:

resource "terraform_remote_state" "vpc" {
    backend = "atlas"
    config {
        name = "${var.atlas_account}/${var.environment}-vpc"
    }
}

provider "aws" {
  region = "${var.region}"
}

resource "aws_route53_record" "dns" {
  zone_id = "${var.route53_zone_id}"
  name = "${var.environment}-consul.clearcare.it"
  type = "CNAME"
  ttl = "300"
  records = ["${aws_elb.elb.dns_name}"]
}

resource "aws_elb" "elb" {
  name               = "consul-elb"
  internal           = true
  security_groups    = ["${aws_security_group.consul_elb.id}"]
  subnets            = [
    "${element(split(\",\", terraform_remote_state.vpc.output.private_subnets), 0)}",
    "${element(split(\",\", terraform_remote_state.vpc.output.private_subnets), 1)}",
    "${element(split(\",\", terraform_remote_state.vpc.output.private_subnets), 2)}"
  ]
  listener {
    instance_port     = 8500
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }
  health_check {
    healthy_threshold = 2
    unhealthy_threshold = 2
    timeout = 3
    target = "HTTP:8500/ui/"
    interval = 10
  }
}

resource "aws_security_group" "consul_elb" {
  name        = "consul_elb"
  description = "Used for consul elb"
  vpc_id      = "${terraform_remote_state.vpc.output.vpc_id}"
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = [ "10.0.0.0/8" ]
  }
}

resource "aws_security_group" "consul_server" {
  name        = "consul_server"
  description = "Used for all consul servers"
  vpc_id      = "${terraform_remote_state.vpc.output.vpc_id}"
  ingress { #Web UI
    from_port       = 8500
    to_port         = 8500
    protocol        = "tcp"
    security_groups = [ "${aws_security_group.consul_elb.id}" ]
  }
  ingress { #SSH in from the VPC
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [ "10.0.0.0/8" ]
  }
  ingress {
    from_port   = 8600
    to_port     = 8600
    protocol    = "udp"
    cidr_blocks = [ "10.0.0.0/8" ]
  }
  ingress {
    from_port   = 8400
    to_port     = 8400
    protocol    = "tcp"
    cidr_blocks = [ "10.0.0.0/8" ]
  }
  ingress {
    from_port   = 8300
    to_port     = 8300
    protocol    = "tcp"
    cidr_blocks = [ "10.0.0.0/8" ]
  }
  ingress {
    from_port   = 8301
    to_port     = 8301
    protocol    = "tcp"
    cidr_blocks = [ "10.0.0.0/8" ]
  }
  ingress {
    from_port   = 8302
    to_port     = 8302
    protocol    = "tcp"
    cidr_blocks = [ "10.0.0.0/8" ]
  }
  ingress {
    from_port   = 4190
    to_port     = 4190
    protocol    = "tcp"
    cidr_blocks = [ "10.0.0.0/8" ]
  }
}

resource "aws_launch_configuration" "consul_asg_conf" {
  image_id      = "${var.ami}"
  instance_type = "${var.instance_size}"
  key_name      = "ClearCareVPC"
  security_groups = ["${aws_security_group.consul_server.id}"]
  user_data     = "{\"run_env\":\"${var.environment}\",  \"role\": \"consul\",  \"atlas_token\": \"${var.atlas_token}\", \"atlas_account\": \"${var.atlas_account}\"}"
}

resource "aws_autoscaling_group" "consul_asg" {
  name                      = "consul_asg"
  max_size                  = 3
  min_size                  = 3
  health_check_grace_period = 300
  load_balancers            = ["${aws_elb.elb.name}"]
  health_check_type         = "EC2"
  desired_capacity          = 3
  force_delete              = true
  launch_configuration      = "${aws_launch_configuration.consul_asg_conf.name}"
  vpc_zone_identifier       = [
    "${element(split(\",\", terraform_remote_state.vpc.output.private_subnets), 0)}",
    "${element(split(\",\", terraform_remote_state.vpc.output.private_subnets), 1)}",
    "${element(split(\",\", terraform_remote_state.vpc.output.private_subnets), 2)}"
  ]
  availability_zones        = [
    "${element(split(\",\", terraform_remote_state.vpc.output.availability_zones), 0)}",
    "${element(split(\",\", terraform_remote_state.vpc.output.availability_zones), 1)}",
    "${element(split(\",\", terraform_remote_state.vpc.output.availability_zones), 2)}"
  ]
  tag {
    key                 = "Name"
    value               = "consul"
    propagate_at_launch = true
  }
  tag {
    key                 = "environment"
    value               = "${var.environment}"
    propagate_at_launch = true
  }
  tag {
    key                 = "role"
    value               = "consul"
    propagate_at_launch = true
  }
  tag {
    key                 = "owner"
    value               = "${var.owner}"
    propagate_at_launch = true
  }
  lifecycle {
    create_before_destroy = true
  }
}

[mitchellh]

When you introduce CBD, you need to introduce it to every resource up to the root. We're working on better error messaging around this that we're tracking in another such issue.

If you sit and think about the cycle for like an hour (it took me about that long to figure it out :( ), it starts to make sense: in that case it actually is an impossible to solve equation and truly is a cycle.

We'll improve the messaging and get it out.

[nevir]

I'm wondering if create_before_destroy should be the default behavior (and opt out). Seems like it's something you frequently want

[mitchellh]

@nevir It doesn't work for every resource and can introduce cycles in some cases where you don't want it (real cycles that require an operator to just choose what to start with). It is safer to keep it off for now.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.