6b6b5a43c3
Because `aws_security_group_rule` resources are an abstraction on top of Security Groups, they must interact with the AWS Security Group APIs in a pattern that often results in lots of parallel requests interacting with the same security group.
We've found that this pattern can trigger race conditions resulting in inconsistent behavior, including:
* Rules that report as created but don't actually exist on AWS's side
* Rules that show up in AWS but don't register as being created locally, resulting in follow-up attempts to authorize the rule failing w/ Duplicate errors
Here, we introduce a per-SG mutex that must be held by any security group before it is allowed to interact with AWS APIs. This protects the space between `DescribeSecurityGroup` and `Authorize*` / `Revoke*` calls, ensuring that no other rules interact with the SG during that span.
The included test exposes the race by applying a security group with lots of rules, which based on the dependency graph can all be handled in parallel. This fails most of the time without the new locking behavior.
I've omitted the mutex from `Read`, since it is only called during the Refresh walk when no changes are being made, meaning a bunch of parallel `DescribeSecurityGroup` API calls should be consistent in that case.
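The locking pattern the commit message above describes, as an added Go example that is not the provider's own code: a per-key mutex held across a describe-then-write span. The in-memory `rules` slice, the `sg-example` ID and every function name are constructed stand-ins, and the race is simplified to a lost update; no AWS call is made.

```go
package main

import (
	"fmt"
	"runtime"
	"sync"
)

// keyedMutex hands out one mutex per key (here a security group ID), so work
// on different groups is never serialized against each other.
type keyedMutex struct{ m sync.Map }

func (k *keyedMutex) lock(key string) (unlock func()) {
	v, _ := k.m.LoadOrStore(key, &sync.Mutex{})
	mu := v.(*sync.Mutex)
	mu.Lock()
	return mu.Unlock
}

// applyRules adds n rules to one simulated group in parallel and returns how
// many survive. Each simulated API call is atomic on its own; the race lives in
// the gap between describe and write, which useLock closes per group.
func applyRules(n int, useLock bool) int {
	var (
		km    keyedMutex
		wg    sync.WaitGroup
		api   sync.Mutex // makes each simulated API call atomic
		rules []string   // constructed stand-in for the remote group's rules
	)
	call := func(f func()) { api.Lock(); defer api.Unlock(); f() }
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			if useLock {
				defer km.lock("sg-example")() // held until this goroutine returns
			}
			var cur []string
			call(func() { cur = append(cur, rules...) }) // "describe": snapshot
			runtime.Gosched()                            // widen the read-to-write window
			call(func() { rules = append(cur, fmt.Sprintf("rule-%d", i)) })
		}(i)
	}
	wg.Wait()
	return len(rules)
}

func main() { fmt.Println(applyRules(50, true), applyRules(50, false)) }
```

With the lock every rule survives; without it, concurrent writers can overwrite each other's snapshot and the count can come up short.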
Terraform
- Website: http://www.terraform.io
- IRC: #terraform-tool on Freenode
- Mailing list: Google Groups
Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently. Terraform can manage existing and popular service providers as well as custom in-house solutions.
The key features of Terraform are:
- Infrastructure as Code: Infrastructure is described using a high-level configuration syntax. This allows a blueprint of your datacenter to be versioned and treated as you would any other code. Additionally, infrastructure can be shared and re-used.
- Execution Plans: Terraform has a "planning" step where it generates an execution plan. The execution plan shows what Terraform will do when you call apply. This lets you avoid any surprises when Terraform manipulates infrastructure.
- Resource Graph: Terraform builds a graph of all your resources, and parallelizes the creation and modification of any non-dependent resources. Because of this, Terraform builds infrastructure as efficiently as possible, and operators get insight into dependencies in their infrastructure.
- Change Automation: Complex changesets can be applied to your infrastructure with minimal human interaction. With the previously mentioned execution plan and resource graph, you know exactly what Terraform will change and in what order, avoiding many possible human errors.
For more information, see the introduction section of the Terraform website.
Getting Started & Documentation
All documentation is available on the Terraform website.
Developing Terraform
If you wish to work on Terraform itself or any of its built-in providers, you'll first need Go installed on your machine (version 1.4+ is required). Alternatively, you can use the Vagrantfile in the root of this repo to stand up a virtual machine with the appropriate dev tooling already set up for you.
For local dev, first make sure Go is properly installed, including setting up a GOPATH. You will also need to add `$GOPATH/bin` to your `$PATH`. Next, install the following software packages, which are needed for some dependencies:
Next, clone this repository into `$GOPATH/src/github.com/hashicorp/terraform`. Install the necessary dependencies by running `make updatedeps` and then just type `make`. This will compile some more dependencies and then run the tests. If this exits with exit status 0, then everything is working!
$ make updatedeps
...
$ make
...
To compile a development version of Terraform and the built-in plugins, run `make dev`. This will put Terraform binaries in the `bin` and `$GOPATH/bin` folders:
$ make dev
...
$ bin/terraform
...
If you're developing a specific package, you can run tests for just that package by specifying the `TEST` variable. In the example below, only `terraform` package tests will be run.
$ make test TEST=./terraform
...
Acceptance Tests
Terraform also has a comprehensive acceptance test suite covering most of the major features of the built-in providers.
If you're working on a feature of a provider and want to verify it is functioning (and hasn't broken anything else), we recommend running the acceptance tests. Note that we do not require that you run or write acceptance tests to have a PR accepted. The acceptance tests are just here for your convenience.
Warning: The acceptance tests create/destroy/modify real resources, which may incur real costs. In the presence of a bug, it is technically possible that broken providers could corrupt existing infrastructure as well. Therefore, please run the acceptance tests at your own risk. At the very least, we recommend running them in their own private account for whatever provider you're testing.
To run the acceptance tests, invoke `make testacc`:
$ make testacc TEST=./builtin/providers/aws TESTARGS='-run=Vpc'
go generate ./...
TF_ACC=1 go test ./builtin/providers/aws -v -run=Vpc -timeout 90m
=== RUN TestAccVpc_basic
2015/02/10 14:11:17 [INFO] Test: Using us-west-2 as test region
[...]
[...]
...
The `TEST` variable is required, and you should specify the folder where the provider is. The `TESTARGS` variable is recommended to filter down to a specific resource to test, since testing all of them at once can take a very long time.
Acceptance tests typically require other environment variables to be set for things such as access keys. The provider itself should error early and tell you what to set, so it is not documented here.