@kjagiello kjagiello commented Dec 30, 2025

This PR aims to fix the issue with alias IPs being cleared out on reapplication.

The approach suggested in #257, i.e. ignore_changes = [network.alias_ips] will unfortunately not work, since network is a set, so we won't be able to target alias_ips that way.

This PR attempts to solve this issue by switching from the inline network definition to using the hcloud_server_network resource and then ignoring the alias IP changes on that resource instead.

Caveats

Applying this change on an already provisioned cluster will likely cause issues like this:

```
Error: Provider produced inconsistent result after apply

When applying changes to
module.talos.hcloud_server_network.control_planes["prod-aivi-k8s-control-plane-1"],
provider
"module.talos.provider[\"registry.terraform.io/hetznercloud/hcloud\"]"
produced an unexpected new value: .alias_ips: actual set element
cty.StringVal("10.0.1.100") does not correlate with any element in plan.

This is a bug in the provider, which should be reported in the provider's
own issue tracker.

Error: Provider produced inconsistent result after apply

When applying changes to
module.talos.hcloud_server_network.control_planes["prod-aivi-k8s-control-plane-1"],
provider
"module.talos.provider[\"registry.terraform.io/hetznercloud/hcloud\"]"
produced an unexpected new value: .alias_ips: length changed from 0 to 1.

This is a bug in the provider, which should be reported in the provider's
own issue tracker.
```

This likely happens because the plan expects the alias IPs to be empty, but Talos assigns VIP after the network attaches, leading to a mismatch between the plan and the outcome of the operation. I tried omitting alias_ips, but that did not work – the provider defaults to an empty list anyway.

I managed to overcome this hurdle by using terraform untaint – I suspect Terraform marked the resource as tainted when it noticed the inconsistency.

This is a non-issue when provisioning a new cluster.
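
The approach described in the comment above, sketched as an added example; it is not taken from this PR's diff or from the module's code. All resource names, addresses, server types and images are placeholders, and the servers carry no inline `network` block so that the attachment lives only in `hcloud_server_network`:

```hcl
# Constructed example: names, IPs, server type and image are placeholders.
locals {
  # Hypothetical map of control-plane node name => private IP.
  control_planes = {
    "control-plane-1" = "10.0.1.1"
  }
}

resource "hcloud_network" "this" {
  name     = "example"
  ip_range = "10.0.0.0/16"
}

resource "hcloud_network_subnet" "nodes" {
  network_id   = hcloud_network.this.id
  type         = "cloud"
  network_zone = "eu-central"
  ip_range     = "10.0.1.0/24"
}

# No inline `network` block here: inside hcloud_server, `network` is a set
# of blocks, which is why the comment above says alias_ips cannot be
# targeted through ignore_changes on the server resource.
resource "hcloud_server" "control_plane" {
  for_each    = local.control_planes
  name        = each.key
  server_type = "cx22"
  image       = "debian-12"
}

# The attachment as its own resource, where alias_ips is a top-level
# attribute that ignore_changes can name directly.
resource "hcloud_server_network" "control_planes" {
  for_each  = local.control_planes
  server_id = hcloud_server.control_plane[each.key].id
  subnet_id = hcloud_network_subnet.nodes.id
  ip        = each.value

  lifecycle {
    # Alias IPs assigned outside Terraform (for example a VIP set by the
    # cluster) are left alone on the next apply.
    ignore_changes = [alias_ips]
  }
}
```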

github-actions bot commented Dec 30, 2025

Commitlint-Check

Thanks for your contribution ❤️

commitlint has detected that all commit messages in this PR follow the conventional commit format 🎉

github-actions bot commented Dec 30, 2025

Terraform-Check (version: 1.8.5): ✅

🖌 Terraform Format: ✅
# Outputs:


# Errors:

⚙️ Terraform Init: ✅
# Outputs:

Initializing the backend...

Initializing provider plugins...
- Finding hetznercloud/hcloud versions matching ">= 1.59.0"...
- Finding siderolabs/talos versions matching ">= 0.10.0"...
- Finding hashicorp/http versions matching ">= 3.5.0"...
- Finding hashicorp/helm versions matching ">= 3.1.1"...
- Finding alekc/kubectl versions matching ">= 2.1.3"...
- Finding hashicorp/tls versions matching ">= 4.1.0"...
- Installing hashicorp/helm v3.1.1...
- Installed hashicorp/helm v3.1.1 (signed by HashiCorp)
- Installing alekc/kubectl v2.1.3...
- Installed alekc/kubectl v2.1.3 (self-signed, key ID 772FB27A86DAFCE7)
- Installing hashicorp/tls v4.1.0...
- Installed hashicorp/tls v4.1.0 (signed by HashiCorp)
- Installing hetznercloud/hcloud v1.59.0...
- Installed hetznercloud/hcloud v1.59.0 (signed by a HashiCorp partner, key ID 5219EACB3A77198B)
- Installing siderolabs/talos v0.10.0...
- Installed siderolabs/talos v0.10.0 (signed by a HashiCorp partner, key ID AF0815C7E2EC16A8)
- Installing hashicorp/http v3.5.0...
- Installed hashicorp/http v3.5.0 (signed by HashiCorp)

Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.


# Errors:

🤖 Terraform Validate: ✅
# Outputs:
Success! The configuration is valid.



# Errors:

github-actions bot commented Dec 30, 2025

Terraform-Check (version: 1.9.8): ✅

🖌 Terraform Format: ✅
# Outputs:


# Errors:

⚙️ Terraform Init: ✅
# Outputs:
Initializing the backend...
Initializing provider plugins...
- Finding alekc/kubectl versions matching ">= 2.1.3"...
- Finding hashicorp/tls versions matching ">= 4.1.0"...
- Finding hetznercloud/hcloud versions matching ">= 1.59.0"...
- Finding siderolabs/talos versions matching ">= 0.10.0"...
- Finding hashicorp/http versions matching ">= 3.5.0"...
- Finding hashicorp/helm versions matching ">= 3.1.1"...
- Installing alekc/kubectl v2.1.3...
- Installed alekc/kubectl v2.1.3 (self-signed, key ID 772FB27A86DAFCE7)
- Installing hashicorp/tls v4.1.0...
- Installed hashicorp/tls v4.1.0 (signed by HashiCorp)
- Installing hetznercloud/hcloud v1.59.0...
- Installed hetznercloud/hcloud v1.59.0 (signed by a HashiCorp partner, key ID 5219EACB3A77198B)
- Installing siderolabs/talos v0.10.0...
- Installed siderolabs/talos v0.10.0 (signed by a HashiCorp partner, key ID AF0815C7E2EC16A8)
- Installing hashicorp/http v3.5.0...
- Installed hashicorp/http v3.5.0 (signed by HashiCorp)
- Installing hashicorp/helm v3.1.1...
- Installed hashicorp/helm v3.1.1 (signed by HashiCorp)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.


# Errors:

🤖 Terraform Validate: ✅
# Outputs:
Success! The configuration is valid.



# Errors:

@mrclrchtr
Member

Thank you very much.

This would be a breaking change. I have to test it and add instructions on how to migrate if we merge it.

@mrclrchtr mrclrchtr added this to the v3 milestone Jan 16, 2026
@mrclrchtr mrclrchtr changed the base branch from main to v2 January 20, 2026 15:36
@mrclrchtr mrclrchtr force-pushed the ignore-alias-changes branch from 73fc367 to 50f052f Compare January 20, 2026 15:36
@mrclrchtr
Member

I tried your change and unfortunately it seems to cause another problem: When you want to add another node to the cluster, the provider tries to recreate and reassign all networks. At first glance, this looks worse than the drifts and temporary removal of the alias IP on apply.

Unfortunately, I was also unable to reproduce your bug.

@mrclrchtr mrclrchtr deleted the branch hcloud-talos:v2 January 26, 2026 20:26
@mrclrchtr mrclrchtr closed this Jan 26, 2026