Do not rebuild instances when the ssh_key or user_data change.

2023-12-14 12:55:20 +01:00 · 2023-12-14 12:55:20 +01:00 · 8ef11f0446
parent bd48be7ea7
commit 8ef11f0446
26 changed files with 439 additions and 264 deletions
--- a/openstack-tf/modules/d4science_infra_setup/haproxy.tf
+++ b/openstack-tf/modules/d4science_infra_setup/haproxy.tf
@ -135,4 +135,13 @@ resource "openstack_compute_instance_v2" "main_haproxy_l7" {
  }

  user_data = file("${var.ubuntu2204_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
+
 }
--- a/openstack-tf/modules/d4science_infra_setup/internal-ca.tf
+++ b/openstack-tf/modules/d4science_infra_setup/internal-ca.tf
@ -18,4 +18,13 @@ resource "openstack_compute_instance_v2" "internal_ca" {
    fixed_ip_v4 = var.basic_services_ip.ca
  }
  user_data = file("${var.ubuntu2204_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
+
 }
--- a/openstack-tf/modules/d4science_infra_setup/postgresql.tf
+++ b/openstack-tf/modules/d4science_infra_setup/postgresql.tf
@ -77,6 +77,15 @@ resource "openstack_compute_instance_v2" "shared_postgresql_server" {
  }

  user_data = file("${var.ubuntu2204_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
+
 }

 resource "openstack_compute_volume_attach_v2" "shared_postgresql_data_attach_vol" {
--- a/openstack-tf/modules/d4science_infra_setup/prometheus.tf
+++ b/openstack-tf/modules/d4science_infra_setup/prometheus.tf
@ -24,6 +24,15 @@ resource "openstack_compute_instance_v2" "prometheus_server" {
    fixed_ip_v4 = var.basic_services_ip.prometheus
  }
  user_data = file("${var.ubuntu2204_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
+
 }

 resource "openstack_compute_volume_attach_v2" "prometheus_data_attach_vol" {
--- a/openstack-tf/modules/d4science_infra_setup/ssh-jump-proxy.tf
+++ b/openstack-tf/modules/d4science_infra_setup/ssh-jump-proxy.tf
@ -19,6 +19,15 @@ resource "openstack_compute_instance_v2" "ssh_jump_proxy" {
    fixed_ip_v4 = var.basic_services_ip.ssh_jump
  }
  user_data = file("${var.ubuntu2204_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
+
 }

 # Floating IP and DNS record
--- a/openstack-tf/modules/d4science_infra_setup/terraform-provider.tf
+++ b/openstack-tf/modules/d4science_infra_setup/terraform-provider.tf
@ -1,6 +1,6 @@
 # Define required providers
 terraform {
-required_version = ">= 0.14.0"
+  required_version = ">= 0.14.0"
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
--- a/openstack-tf/modules/docker_swarm/docker-swarm.tf
+++ b/openstack-tf/modules/docker_swarm/docker-swarm.tf
@ -127,6 +127,15 @@ resource "openstack_compute_instance_v2" "docker_swarm_managers" {

  user_data  = file("${var.ubuntu2204_data_file}")
  depends_on = [openstack_networking_subnet_v2.swarm_nfs_subnet]
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
+
 }

 # Swarm worker nodes
@ -169,6 +178,14 @@ resource "openstack_compute_instance_v2" "docker_swarm_workers" {

  user_data  = file("${var.ubuntu2204_data_file}")
  depends_on = [openstack_networking_subnet_v2.swarm_nfs_subnet]
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }

 # NFS server
--- a/openstack-tf/modules/generic_smartgears_service/generic_smartgears_service.tf
+++ b/openstack-tf/modules/generic_smartgears_service/generic_smartgears_service.tf
@ -42,6 +42,15 @@ resource "openstack_compute_instance_v2" "smartgears_service" {
    }
  }

-  #user_data script used
+  # user_data script used
  user_data = file("${each.value.image_ref.user_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
+
 }
--- a/openstack-tf/modules/generic_smartgears_service/terraform-provider.tf
+++ b/openstack-tf/modules/generic_smartgears_service/terraform-provider.tf
@ -1,6 +1,6 @@
 # Define required providers
 terraform {
-required_version = ">= 0.14.0"
+  required_version = ">= 0.14.0"
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
--- a/openstack-tf/modules/instance_with_data_volume/instance_with_data_volume.tf
+++ b/openstack-tf/modules/instance_with_data_volume/instance_with_data_volume.tf
@ -49,8 +49,16 @@ resource "openstack_compute_instance_v2" "instance_with_data_volume" {
    }
  }

-  #user_data script used
+  # user_data script used
  user_data = file("${each.value.image_ref.user_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }


--- a/openstack-tf/modules/instance_with_data_volume/terraform-provider.tf
+++ b/openstack-tf/modules/instance_with_data_volume/terraform-provider.tf
@ -1,6 +1,6 @@
 # Define required providers
 terraform {
-required_version = ">= 0.14.0"
+  required_version = ">= 0.14.0"
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
--- a/openstack-tf/modules/instance_with_data_volume/variables_generic_smartgears_service.tf
+++ b/openstack-tf/modules/instance_with_data_volume/variables_generic_smartgears_service.tf
@ -12,15 +12,15 @@ variable "instances_with_data_volume_map" {
    volume            = map(string)
  }))
  default = {
-    smartgears_service = { 
-      name = "", 
-      description = "", 
-      flavor = "", 
-      networks = [], 
-      security_groups = [], 
-      server_groups_ids = [], 
-      image_ref = {},
-      volume = {}
+    smartgears_service = {
+      name              = "",
+      description       = "",
+      flavor            = "",
+      networks          = [],
+      security_groups   = [],
+      server_groups_ids = [],
+      image_ref         = {},
+      volume            = {}
    }
  }

--- a/openstack-tf/modules/instance_without_data_volume/instance_without_data_volume.tf
+++ b/openstack-tf/modules/instance_without_data_volume/instance_without_data_volume.tf
@ -44,4 +44,12 @@ resource "openstack_compute_instance_v2" "smartgears_service" {

  #user_data script used
  user_data = file("${each.value.image_ref.user_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }
--- a/openstack-tf/modules/instance_without_data_volume/terraform-provider.tf
+++ b/openstack-tf/modules/instance_without_data_volume/terraform-provider.tf
@ -1,6 +1,6 @@
 # Define required providers
 terraform {
-required_version = ">= 0.14.0"
+  required_version = ">= 0.14.0"
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
--- a/openstack-tf/modules/instance_without_data_volume/variables_generic_smartgears_service.tf
+++ b/openstack-tf/modules/instance_without_data_volume/variables_generic_smartgears_service.tf
@ -11,14 +11,14 @@ variable "instances_without_data_volume_map" {
    image_ref         = map(string)
  }))
  default = {
-    smartgears_service = { 
-      name = "",
-      description = "",
-      flavor = "",
-      networks = [],
-      security_groups = [],
+    smartgears_service = {
+      name              = "",
+      description       = "",
+      flavor            = "",
+      networks          = [],
+      security_groups   = [],
      server_groups_ids = [],
-      image_ref = {}
+      image_ref         = {}
    }
  }

--- a/openstack-tf/modules/liferay/liferay-variables.tf
+++ b/openstack-tf/modules/liferay/liferay-variables.tf
@ -2,10 +2,10 @@ variable "liferay_data" {
  type = map(string)
  default = {
    affinity_policy = "soft-anti-affinity"
-    srv_name                 = "lr62"
-    vm_count                = 1
-    vm_flavor               = "m1.large"
-    boot_vol_size       = 30
+    srv_name        = "lr62"
+    vm_count        = 1
+    vm_flavor       = "m1.large"
+    boot_vol_size   = 30
  }
 }

--- a/openstack-tf/modules/liferay/liferay.tf
+++ b/openstack-tf/modules/liferay/liferay.tf
@ -5,19 +5,19 @@
 # Security group
 #
 resource "openstack_networking_secgroup_v2" "liferay_cluster_traffic" {
-        name = "liferay_cluster_traffic"
-        delete_default_rules = "true"
-        description = "Traffic between the Liferay cluster nodes"
+  name                 = "liferay_cluster_traffic"
+  delete_default_rules = "true"
+  description          = "Traffic between the Liferay cluster nodes"
 }

 resource "openstack_networking_secgroup_rule_v2" "traffic_between_liferay_nodes" {
-  count                   = var.liferay_data.vm_count
-        security_group_id = openstack_networking_secgroup_v2.liferay_cluster_traffic.id
-        description = "Traffic between liferay nodes"
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        remote_ip_prefix = join("/", [element(var.liferay_ip_addrs.*, count.index), "32"])
+  count             = var.liferay_data.vm_count
+  security_group_id = openstack_networking_secgroup_v2.liferay_cluster_traffic.id
+  description       = "Traffic between liferay nodes"
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  remote_ip_prefix  = join("/", [element(var.liferay_ip_addrs.*, count.index), "32"])
 }

 #
@ -50,10 +50,18 @@ resource "openstack_compute_instance_v2" "liferay" {

  network {
    name        = var.main_private_network.name
-    fixed_ip_v4 = var.liferay_ip_addrs.*[count.index]
+    fixed_ip_v4 = var.liferay_ip_addrs.* [count.index]
  }
  network {
    name = var.shared_postgresql_server_data.network_name
  }
  user_data = file("${var.ubuntu1804_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }
--- a/openstack-tf/modules/liferay/terraform-provider.tf
+++ b/openstack-tf/modules/liferay/terraform-provider.tf
@ -1,6 +1,6 @@
 # Define required providers
 terraform {
-required_version = ">= 0.14.0"
+  required_version = ">= 0.14.0"
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
--- a/openstack-tf/modules/mongodb/mongodb.tf
+++ b/openstack-tf/modules/mongodb/mongodb.tf
@ -13,50 +13,50 @@ resource "openstack_compute_servergroup_v2" "mongodb" {
 # 9101 from prometheus
 # 27017 da: garr-ct1, garr-na, garr-pa1, InfraScience, S2I2S
 resource "openstack_networking_secgroup_v2" "mongodb_cluster_traffic" {
-        name = "mongodb_cluster_traffic"
-        delete_default_rules = "true"
-        description = "Traffic between the MongoDB nodes"
+  name                 = "mongodb_cluster_traffic"
+  delete_default_rules = "true"
+  description          = "Traffic between the MongoDB nodes"
 }
 resource "openstack_networking_secgroup_rule_v2" "access_to_the_mongodb_service_from_the_internal_network" {
-        security_group_id = openstack_networking_secgroup_v2.mongodb_cluster_traffic.id
-        description = "Access to the MongoDB service"
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        port_range_min = 27017
-        port_range_max = 27017
-        remote_ip_prefix = var.main_private_subnet.cidr
+  security_group_id = openstack_networking_secgroup_v2.mongodb_cluster_traffic.id
+  description       = "Access to the MongoDB service"
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 27017
+  port_range_max    = 27017
+  remote_ip_prefix  = var.main_private_subnet.cidr
 }
 resource "openstack_networking_secgroup_rule_v2" "access_to_the_mongodb_service_from_the_outside" {
-        for_each = toset([var.networks_with_d4s_services.infrascience_net,var.networks_with_d4s_services.s2i2s_net,var.networks_with_d4s_services.garr_ct1_net,var.networks_with_d4s_services.garr_pa1_net,var.networks_with_d4s_services.garr_na_net])
-        security_group_id = openstack_networking_secgroup_v2.mongodb_cluster_traffic.id
-        description = "Access to the MongoDB service"
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        port_range_min = 27017
-        port_range_max = 27017
-        remote_ip_prefix = each.value
+  for_each          = toset([var.networks_with_d4s_services.infrascience_net, var.networks_with_d4s_services.s2i2s_net, var.networks_with_d4s_services.garr_ct1_net, var.networks_with_d4s_services.garr_pa1_net, var.networks_with_d4s_services.garr_na_net])
+  security_group_id = openstack_networking_secgroup_v2.mongodb_cluster_traffic.id
+  description       = "Access to the MongoDB service"
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 27017
+  port_range_max    = 27017
+  remote_ip_prefix  = each.value
 }
 resource "openstack_networking_secgroup_rule_v2" "mongodb_plain_http_for_letsencrypt" {
-        security_group_id = openstack_networking_secgroup_v2.mongodb_cluster_traffic.id
-        description = "Plain HTTP for letsencrypt"
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        port_range_min = 80
-        port_range_max = 80
-        remote_ip_prefix = "0.0.0.0/0"
+  security_group_id = openstack_networking_secgroup_v2.mongodb_cluster_traffic.id
+  description       = "Plain HTTP for letsencrypt"
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 80
+  port_range_max    = 80
+  remote_ip_prefix  = "0.0.0.0/0"
 }
 resource "openstack_networking_secgroup_rule_v2" "mongodb_prometheus_exporter" {
-        security_group_id = openstack_networking_secgroup_v2.mongodb_cluster_traffic.id
-        description = "Prometheus exporter for MongoDB"
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        port_range_min = 9101
-        port_range_max = 9101
-        remote_ip_prefix = var.basic_services_ip.prometheus_cidr
+  security_group_id = openstack_networking_secgroup_v2.mongodb_cluster_traffic.id
+  description       = "Prometheus exporter for MongoDB"
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  port_range_min    = 9101
+  port_range_max    = 9101
+  remote_ip_prefix  = var.basic_services_ip.prometheus_cidr
 }

 #
@ -64,12 +64,12 @@ resource "openstack_networking_secgroup_rule_v2" "mongodb_prometheus_exporter" {
 #
 # Instance
 resource "openstack_compute_instance_v2" "mongodb_cluster_nodes" {
-  count = var.mongodb_cluster_data.count
-  name = format("%s-%02d", var.mongodb_cluster_data.name, count.index+2)
+  count                   = var.mongodb_cluster_data.count
+  name                    = format("%s-%02d", var.mongodb_cluster_data.name, count.index + 2)
  availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu
-  flavor_name = var.mongodb_cluster_data.flavor
-  key_pair = var.ssh_key_file.name
-  security_groups = [var.default_security_group_name,openstack_networking_secgroup_v2.mongodb_cluster_traffic.name]
+  flavor_name             = var.mongodb_cluster_data.flavor
+  key_pair                = var.ssh_key_file.name
+  security_groups         = [var.default_security_group_name, openstack_networking_secgroup_v2.mongodb_cluster_traffic.name]
  scheduler_hints {
    group = openstack_compute_servergroup_v2.mongodb.id
  }
@ -91,38 +91,46 @@ resource "openstack_compute_instance_v2" "mongodb_cluster_nodes" {
  }

  network {
-    name = var.main_private_network.name
-    fixed_ip_v4 = var.mongodb_ip.*[count.index]
+    name        = var.main_private_network.name
+    fixed_ip_v4 = var.mongodb_ip.* [count.index]
+  }
+  user_data = file("${var.ubuntu2204_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
  }
-  user_data = "${file("${var.ubuntu2204_data_file}")}"
 }

 # Allocate a floating IP
 resource "openstack_networking_floatingip_v2" "mongodb_cluster_floating_ip" {
  count = var.mongodb_cluster_data.count
-  pool = var.floating_ip_pools.main_public_ip_pool
+  pool  = var.floating_ip_pools.main_public_ip_pool
  # The DNS association does not work because of a bug in the OpenStack API
  # dns_name = "main-lb"
  # dns_domain = var.dns_zone.zone_name
-  description = format("MongoDB cluster node %s-%02d", var.mongodb_cluster_data.name, count.index+2)
+  description = format("MongoDB cluster node %s-%02d", var.mongodb_cluster_data.name, count.index + 2)
 }

 resource "openstack_compute_floatingip_associate_v2" "mongodb_cluster_ip" {
-  count = var.mongodb_cluster_data.count
+  count       = var.mongodb_cluster_data.count
  floating_ip = element(openstack_networking_floatingip_v2.mongodb_cluster_floating_ip.*.address, count.index)
  instance_id = element(openstack_compute_instance_v2.mongodb_cluster_nodes.*.id, count.index)
-  depends_on = [openstack_networking_floatingip_v2.mongodb_cluster_floating_ip]
+  depends_on  = [openstack_networking_floatingip_v2.mongodb_cluster_floating_ip]
 }

 resource "openstack_dns_recordset_v2" "mongodb_cluster_dns_recordsets" {
-  count = var.mongodb_cluster_data.count
+  count       = var.mongodb_cluster_data.count
  zone_id     = var.dns_zone_id
  name        = join(".", [element(openstack_compute_instance_v2.mongodb_cluster_nodes.*.name, count.index), var.dns_zone.zone_name])
  description = "Mongodb public hostnames"
  ttl         = 8600
  type        = "A"
  records     = [element(openstack_networking_floatingip_v2.mongodb_cluster_floating_ip.*.address, count.index)]
-  depends_on = [openstack_networking_floatingip_v2.mongodb_cluster_floating_ip]
+  depends_on  = [openstack_networking_floatingip_v2.mongodb_cluster_floating_ip]
 }

 #
@ -130,11 +138,11 @@ resource "openstack_dns_recordset_v2" "mongodb_cluster_dns_recordsets" {
 #
 # Instance
 resource "openstack_compute_instance_v2" "mongodb_vol_node" {
-  name = "mongodb-vol"
+  name                    = "mongodb-vol"
  availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu
-  flavor_name = var.mongodb_vol_data.flavor
-  key_pair = var.ssh_key_file.name
-  security_groups = [var.default_security_group_name,openstack_networking_secgroup_v2.mongodb_cluster_traffic.name]
+  flavor_name             = var.mongodb_vol_data.flavor
+  key_pair                = var.ssh_key_file.name
+  security_groups         = [var.default_security_group_name, openstack_networking_secgroup_v2.mongodb_cluster_traffic.name]
  block_device {
    uuid                  = var.mongodb_vol_data.image_type_uuid
    source_type           = "image"
@ -153,10 +161,18 @@ resource "openstack_compute_instance_v2" "mongodb_vol_node" {
  }

  network {
-    name = var.main_private_network.name
+    name        = var.main_private_network.name
    fixed_ip_v4 = var.mongodb_vol_ip
  }
-  user_data = "${file("${var.ubuntu2204_data_file}")}"
+  user_data = file("${var.ubuntu2204_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }

 # Allocate a floating IP
@ -171,7 +187,7 @@ resource "openstack_networking_floatingip_v2" "mongodb_vol_floating_ip" {
 resource "openstack_compute_floatingip_associate_v2" "mongodb_vol_public_ip" {
  floating_ip = openstack_networking_floatingip_v2.mongodb_vol_floating_ip.address
  instance_id = openstack_compute_instance_v2.mongodb_vol_node.id
-  depends_on = [openstack_networking_floatingip_v2.mongodb_vol_floating_ip]
+  depends_on  = [openstack_networking_floatingip_v2.mongodb_vol_floating_ip]
 }

 resource "openstack_dns_recordset_v2" "mongodb_vol_dns_recordsets" {
@ -181,5 +197,5 @@ resource "openstack_dns_recordset_v2" "mongodb_vol_dns_recordsets" {
  ttl         = 8600
  type        = "A"
  records     = [openstack_networking_floatingip_v2.mongodb_vol_floating_ip.address]
-  depends_on = [openstack_networking_floatingip_v2.mongodb_vol_floating_ip]
+  depends_on  = [openstack_networking_floatingip_v2.mongodb_vol_floating_ip]
 }
--- a/openstack-tf/modules/mongodb/variables-mongodb.tf
+++ b/openstack-tf/modules/mongodb/variables-mongodb.tf
@ -1,27 +1,27 @@
 variable "mongodb_cluster_data" {
  type = map(string)
  default = {
-    count = 3
-    name = "mongodb-replica"
-    flavor = "m1.small"
-    data_disk_size = 100
+    count           = 3
+    name            = "mongodb-replica"
+    flavor          = "m1.small"
+    data_disk_size  = 100
    image_type_name = "Ubuntu-Focal-20.04"
    image_type_uuid = "75c23040-2be7-49e9-8029-a16dc9f755d1"
  }
 }

 variable "mongodb_ip" {
-  type = list(string)
+  type    = list(string)
  default = []
-  
+
 }

 variable "mongodb_vol_data" {
  type = map(string)
  default = {
-    name = "mongodb-vol"
-    flavor = "m1.small"
-    data_disk_size = 100
+    name            = "mongodb-vol"
+    flavor          = "m1.small"
+    data_disk_size  = 100
    image_type_name = "Ubuntu-Focal-20.04"
    image_type_uuid = "75c23040-2be7-49e9-8029-a16dc9f755d1"
  }
--- a/openstack-tf/modules/orientdb/orientdb.tf
+++ b/openstack-tf/modules/orientdb/orientdb.tf
@ -8,26 +8,26 @@ resource "openstack_compute_servergroup_v2" "orientdb_cluster" {
 # Network for the cluster traffic
 #
 resource "openstack_networking_network_v2" "orientdb_network" {
-  name           = var.orientdb_net.network_name
-  admin_state_up = "true"
-  external       = "false"
-  description = var.orientdb_net.network_description
-  mtu            = module.common_variables.mtu_size
+  name                  = var.orientdb_net.network_name
+  admin_state_up        = "true"
+  external              = "false"
+  description           = var.orientdb_net.network_description
+  mtu                   = module.common_variables.mtu_size
  port_security_enabled = true
-  shared = false
-  region = module.common_variables.main_region
+  shared                = false
+  region                = module.common_variables.main_region
 }

 # Subnet
 resource "openstack_networking_subnet_v2" "orientdb_subnet" {
  name            = "orientdb-subnet"
-  description = "Subnet used by the OrientDB service"
+  description     = "Subnet used by the OrientDB service"
  network_id      = openstack_networking_network_v2.orientdb_network.id
  cidr            = var.orientdb_net.network_cidr
  dns_nameservers = module.common_variables.resolvers_ip
-  ip_version = 4
-  enable_dhcp = true
-  no_gateway = true
+  ip_version      = 4
+  enable_dhcp     = true
+  no_gateway      = true
  allocation_pool {
    start = var.orientdb_net.allocation_pool_start
    end   = var.orientdb_net.allocation_pool_end
@ -38,26 +38,26 @@ resource "openstack_networking_subnet_v2" "orientdb_subnet" {
 # Network for the OrientDB SE
 #
 resource "openstack_networking_network_v2" "orientdb_se_network" {
-  name           = var.orientdb_se_net.network_name
-  admin_state_up = "true"
-  external       = "false"
-  description = var.orientdb_se_net.network_description
-  mtu            = module.common_variables.mtu_size
+  name                  = var.orientdb_se_net.network_name
+  admin_state_up        = "true"
+  external              = "false"
+  description           = var.orientdb_se_net.network_description
+  mtu                   = module.common_variables.mtu_size
  port_security_enabled = true
-  shared = false
-  region = module.common_variables.main_region
+  shared                = false
+  region                = module.common_variables.main_region
 }

 # Subnet
 resource "openstack_networking_subnet_v2" "orientdb_se_subnet" {
  name            = "orientdb-se-subnet"
-  description = "Subnet used by the OrientDB for Smart Executor"
+  description     = "Subnet used by the OrientDB for Smart Executor"
  network_id      = openstack_networking_network_v2.orientdb_se_network.id
  cidr            = var.orientdb_se_net.network_cidr
  dns_nameservers = module.common_variables.resolvers_ip
-  ip_version = 4
-  enable_dhcp = true
-  no_gateway = true
+  ip_version      = 4
+  enable_dhcp     = true
+  no_gateway      = true
  allocation_pool {
    start = var.orientdb_se_net.allocation_pool_start
    end   = var.orientdb_se_net.allocation_pool_end
@ -70,79 +70,79 @@ resource "openstack_networking_subnet_v2" "orientdb_se_subnet" {
 # Main OrientDB service
 # Between OrientDB nodes
 resource "openstack_networking_secgroup_v2" "orientdb_internal_traffic" {
-        name = "orientdb_internal_traffic"
-        delete_default_rules = "true"
-        description = "Traffic between the OrientDB nodes"
+  name                 = "orientdb_internal_traffic"
+  delete_default_rules = "true"
+  description          = "Traffic between the OrientDB nodes"
 }
 resource "openstack_networking_secgroup_rule_v2" "orientdb_ports" {
-        count = var.orientdb_nodes_count
-        security_group_id = openstack_networking_secgroup_v2.orientdb_internal_traffic.id
-        description = "TCP traffic between OrientDB nodes"
-        port_range_min = 2424
-        port_range_max = 2490
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        # remote_ip_prefix = format("%s-%02d", var.orientdb_ip, count.index+1, "/32")
-        remote_ip_prefix = var.orientdb_cidr.*[count.index]
+  count             = var.orientdb_nodes_count
+  security_group_id = openstack_networking_secgroup_v2.orientdb_internal_traffic.id
+  description       = "TCP traffic between OrientDB nodes"
+  port_range_min    = 2424
+  port_range_max    = 2490
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  # remote_ip_prefix = format("%s-%02d", var.orientdb_ip, count.index+1, "/32")
+  remote_ip_prefix = var.orientdb_cidr.* [count.index]
 }
 # Access from the clients
 resource "openstack_networking_secgroup_v2" "access_to_orientdb" {
-        name = "access_to_orientdb"
-        delete_default_rules = "true"
-        description = "Clients that talk to the OrientDB service"
+  name                 = "access_to_orientdb"
+  delete_default_rules = "true"
+  description          = "Clients that talk to the OrientDB service"
 }
 resource "openstack_networking_secgroup_rule_v2" "access_to_orient_from_clients" {
-  for_each = toset([data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.ssh_jump_cidr, openstack_networking_subnet_v2.orientdb_subnet.cidr])
-        security_group_id = openstack_networking_secgroup_v2.access_to_orientdb.id
-        description = "TCP traffic from the resource registries and the SSH jump server"
-        port_range_min = 2424
-        port_range_max = 2490
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        remote_ip_prefix = each.value
+  for_each          = toset([data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.ssh_jump_cidr, openstack_networking_subnet_v2.orientdb_subnet.cidr])
+  security_group_id = openstack_networking_secgroup_v2.access_to_orientdb.id
+  description       = "TCP traffic from the resource registries and the SSH jump server"
+  port_range_min    = 2424
+  port_range_max    = 2490
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  remote_ip_prefix  = each.value
 }
 resource "openstack_networking_secgroup_rule_v2" "access_to_orient_from_haproxy" {
-        for_each = toset( [data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.haproxy_l7_1_cidr, data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.haproxy_l7_2_cidr])
-        security_group_id = openstack_networking_secgroup_v2.access_to_orientdb.id
-        description = "TCP traffic from the load balancers"
-        port_range_min = 2480
-        port_range_max = 2480
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        remote_ip_prefix = each.value
+  for_each          = toset([data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.haproxy_l7_1_cidr, data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.haproxy_l7_2_cidr])
+  security_group_id = openstack_networking_secgroup_v2.access_to_orientdb.id
+  description       = "TCP traffic from the load balancers"
+  port_range_min    = 2480
+  port_range_max    = 2480
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  remote_ip_prefix  = each.value
 }

 # OrientDB for the Smart Executor nodes
 # Access from the clients
 resource "openstack_networking_secgroup_v2" "access_to_orientdb_se" {
-        name = "access_to_orientdb_se"
-        delete_default_rules = "true"
-        description = "Clients that talk to the OrientDB SE service"
+  name                 = "access_to_orientdb_se"
+  delete_default_rules = "true"
+  description          = "Clients that talk to the OrientDB SE service"
 }
 resource "openstack_networking_secgroup_rule_v2" "access_to_orient_se_from_clients" {
-        for_each = toset([data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.ssh_jump_cidr, openstack_networking_subnet_v2.orientdb_se_subnet.cidr])
-        security_group_id = openstack_networking_secgroup_v2.access_to_orientdb_se.id
-        description = "TCP traffic from the smart executors and the SSH jump server"
-        port_range_min = 2424
-        port_range_max = 2490
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        remote_ip_prefix = each.value
+  for_each          = toset([data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.ssh_jump_cidr, openstack_networking_subnet_v2.orientdb_se_subnet.cidr])
+  security_group_id = openstack_networking_secgroup_v2.access_to_orientdb_se.id
+  description       = "TCP traffic from the smart executors and the SSH jump server"
+  port_range_min    = 2424
+  port_range_max    = 2490
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  remote_ip_prefix  = each.value
 }
 resource "openstack_networking_secgroup_rule_v2" "access_to_orient_se_from_haproxy" {
-        for_each = toset( [data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.haproxy_l7_1_cidr, data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.haproxy_l7_2_cidr])
-        security_group_id = openstack_networking_secgroup_v2.access_to_orientdb_se.id
-        description = "TCP traffic from the load balancers"
-        port_range_min = 2480
-        port_range_max = 2480
-        direction = "ingress"
-        ethertype = "IPv4"
-        protocol = "tcp"
-        remote_ip_prefix = each.value
+  for_each          = toset([data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.haproxy_l7_1_cidr, data.terraform_remote_state.privnet_dns_router.outputs.basic_services_ip.haproxy_l7_2_cidr])
+  security_group_id = openstack_networking_secgroup_v2.access_to_orientdb_se.id
+  description       = "TCP traffic from the load balancers"
+  port_range_min    = 2480
+  port_range_max    = 2480
+  direction         = "ingress"
+  ethertype         = "IPv4"
+  protocol          = "tcp"
+  remote_ip_prefix  = each.value
 }

 #
@ -150,13 +150,13 @@ resource "openstack_networking_secgroup_rule_v2" "access_to_orient_se_from_hapro
 #
 # Instances used by the resource registry
 resource "openstack_compute_instance_v2" "orientdb_servers" {
-  count = var.orientdb_nodes_count
-  name = format("%s-%02d", var.orientdb_data.node_name, count.index+1)
+  count                   = var.orientdb_nodes_count
+  name                    = format("%s-%02d", var.orientdb_data.node_name, count.index + 1)
  availability_zone_hints = module.common_variables.availability_zones_names.availability_zone_no_gpu
-  image_name = var.orientdb_image_name
-  flavor_name = var.orientdb_node_flavor
-  key_pair = module.ssh_settings.ssh_key_name
-  security_groups = [data.terraform_remote_state.privnet_dns_router.outputs.default_security_group_name,openstack_networking_secgroup_v2.orientdb_internal_traffic.name,openstack_networking_secgroup_v2.access_to_orientdb.name]
+  image_name              = var.orientdb_image_name
+  flavor_name             = var.orientdb_node_flavor
+  key_pair                = module.ssh_settings.ssh_key_name
+  security_groups         = [data.terraform_remote_state.privnet_dns_router.outputs.default_security_group_name, openstack_networking_secgroup_v2.orientdb_internal_traffic.name, openstack_networking_secgroup_v2.access_to_orientdb.name]
  scheduler_hints {
    group = openstack_compute_servergroup_v2.orientdb_cluster.id
  }
@ -181,22 +181,30 @@ resource "openstack_compute_instance_v2" "orientdb_servers" {
    name = data.terraform_remote_state.privnet_dns_router.outputs.main_private_network.name
  }
  network {
-    name = var.orientdb_net.network_name
-    fixed_ip_v4 = var.orientdb_ip.*[count.index]
+    name        = var.orientdb_net.network_name
+    fixed_ip_v4 = var.orientdb_ip.* [count.index]
  }

-  user_data = "${file("${module.common_variables.ubuntu_2204.user_data_file}")}"
-  depends_on = [ openstack_networking_subnet_v2.orientdb_subnet ]
+  user_data  = file("${module.common_variables.ubuntu_2204.user_data_file}")
+  depends_on = [openstack_networking_subnet_v2.orientdb_subnet]
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }

 # Instance used by the smart executors
 resource "openstack_compute_instance_v2" "orientdb_se_server" {
-  name = "orientdb-se"
+  name                    = "orientdb-se"
  availability_zone_hints = module.common_variables.availability_zones_names.availability_zone_no_gpu
-  image_name = var.orientdb_se_image_name
-  flavor_name = var.orientdb_se_node_flavor
-  key_pair = module.ssh_settings.ssh_key_name
-  security_groups = [data.terraform_remote_state.privnet_dns_router.outputs.default_security_group_name,openstack_networking_secgroup_v2.access_to_orientdb_se.name]
+  image_name              = var.orientdb_se_image_name
+  flavor_name             = var.orientdb_se_node_flavor
+  key_pair                = module.ssh_settings.ssh_key_name
+  security_groups         = [data.terraform_remote_state.privnet_dns_router.outputs.default_security_group_name, openstack_networking_secgroup_v2.access_to_orientdb_se.name]
  block_device {
    uuid                  = var.orientdb_image_uuid
    source_type           = "image"
@ -218,11 +226,19 @@ resource "openstack_compute_instance_v2" "orientdb_se_server" {
    name = data.terraform_remote_state.privnet_dns_router.outputs.main_private_network.name
  }
  network {
-    name = var.orientdb_se_net.network_name
+    name        = var.orientdb_se_net.network_name
    fixed_ip_v4 = var.orientdb_se_ip
  }

-  user_data = "${file("${module.common_variables.ubuntu_2204.user_data_file}")}"
-  depends_on = [ openstack_networking_subnet_v2.orientdb_se_subnet ]
+  user_data  = file("${module.common_variables.ubuntu_2204.user_data_file}")
+  depends_on = [openstack_networking_subnet_v2.orientdb_se_subnet]
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }

--- a/openstack-tf/modules/orientdb/terraform-provider.tf
+++ b/openstack-tf/modules/orientdb/terraform-provider.tf
@ -1,6 +1,6 @@
 # Define required providers
 terraform {
-required_version = ">= 0.14.0"
+  required_version = ">= 0.14.0"
  required_providers {
    openstack = {
      source  = "terraform-provider-openstack/openstack"
--- a/openstack-tf/modules/orientdb/variables-orientdb.tf
+++ b/openstack-tf/modules/orientdb/variables-orientdb.tf
@ -1,8 +1,8 @@
 variable "orientdb_data" {
  type = map(string)
  default = {
-    node_name = "orientdb"
-    node_data_disk_size = 10
+    node_name             = "orientdb"
+    node_data_disk_size   = 10
    node_data_disk_device = "/dev/vdb"
  }
 }
@ -15,7 +15,7 @@ variable "orientdb_node_flavor" {
 }

 variable "orientdb_nodes_count" {
-  default = ""  
+  default = ""
 }

 variable "orientdb_image_name" {
@ -33,13 +33,13 @@ variable "orientdb_se_image_uuid" {
 }

 variable "orientdb_ip" {
-  type = list(string)
-  default = [ "192.168.10.5", "192.168.10.6", "192.168.10.7"]  
-} 
+  type    = list(string)
+  default = ["192.168.10.5", "192.168.10.6", "192.168.10.7"]
+}

 variable "orientdb_cidr" {
-  type = list(string)
-  default = [ "192.168.10.5/32", "192.168.10.6/32", "192.168.10.7/32" ]
+  type    = list(string)
+  default = ["192.168.10.5/32", "192.168.10.6/32", "192.168.10.7/32"]
 }

 variable "orientdb_se_node_flavor" {
--- a/openstack-tf/modules/smart-executor/smart-executor.tf
+++ b/openstack-tf/modules/smart-executor/smart-executor.tf
@ -1,10 +1,10 @@
 # Accounting dashboard harvester
 resource "openstack_compute_instance_v2" "accounting_dashboard_harvester" {
-  name = var.accounting_dashboard_harvester.name
+  name                    = var.accounting_dashboard_harvester.name
  availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu
-  flavor_name = var.accounting_dashboard_harvester.flavor
-  key_pair = module.ssh_settings.ssh_key_name
-  security_groups = [var.default_security_group_name]
+  flavor_name             = var.accounting_dashboard_harvester.flavor
+  key_pair                = module.ssh_settings.ssh_key_name
+  security_groups         = [var.default_security_group_name]
  block_device {
    uuid                  = var.ubuntu_1804.uuid
    source_type           = "image"
@ -25,16 +25,24 @@ resource "openstack_compute_instance_v2" "accounting_dashboard_harvester" {
  network {
    name = var.networks_list.timescaledb
  }
-  user_data = "${file("${var.ubuntu1804_data_file}")}"
+  user_data = file("${var.ubuntu1804_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }

 # Resource checker
 resource "openstack_compute_instance_v2" "resource_checker" {
-  name = var.resource_checker.name
+  name                    = var.resource_checker.name
  availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu
-  flavor_name = var.resource_checker.flavor
-  key_pair = module.ssh_settings.ssh_key_name
-  security_groups = [var.default_security_group_name]
+  flavor_name             = var.resource_checker.flavor
+  key_pair                = module.ssh_settings.ssh_key_name
+  security_groups         = [var.default_security_group_name]
  block_device {
    uuid                  = var.ubuntu_1804.uuid
    source_type           = "image"
@ -49,16 +57,24 @@ resource "openstack_compute_instance_v2" "resource_checker" {
  network {
    name = var.networks_list.orientdb_se
  }
-  user_data = "${file("${var.ubuntu1804_data_file}")}"
+  user_data = file("${var.ubuntu1804_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }

 # Social data indexer
 resource "openstack_compute_instance_v2" "social_data_indexer" {
-  name = var.social_data_indexer.name
+  name                    = var.social_data_indexer.name
  availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu
-  flavor_name = var.social_data_indexer.flavor
-  key_pair = module.ssh_settings.ssh_key_name
-  security_groups = [var.default_security_group_name]
+  flavor_name             = var.social_data_indexer.flavor
+  key_pair                = module.ssh_settings.ssh_key_name
+  security_groups         = [var.default_security_group_name]
  block_device {
    uuid                  = var.ubuntu_1804.uuid
    source_type           = "image"
@ -73,16 +89,24 @@ resource "openstack_compute_instance_v2" "social_data_indexer" {
  network {
    name = var.networks_list.orientdb_se
  }
-  user_data = "${file("${var.ubuntu1804_data_file}")}"
+  user_data = file("${var.ubuntu1804_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }

 # Accounting insert storage
 resource "openstack_compute_instance_v2" "accounting_insert_storage" {
-  name = var.accounting_insert_storage.name
+  name                    = var.accounting_insert_storage.name
  availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu
-  flavor_name = var.accounting_insert_storage.flavor
-  key_pair = module.ssh_settings.ssh_key_name
-  security_groups = [var.default_security_group_name]
+  flavor_name             = var.accounting_insert_storage.flavor
+  key_pair                = module.ssh_settings.ssh_key_name
+  security_groups         = [var.default_security_group_name]
  block_device {
    uuid                  = var.ubuntu_1804.uuid
    source_type           = "image"
@ -97,16 +121,24 @@ resource "openstack_compute_instance_v2" "accounting_insert_storage" {
  network {
    name = var.networks_list.orientdb_se
  }
-  user_data = "${file("${var.ubuntu1804_data_file}")}"
+  user_data = file("${var.ubuntu1804_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }

 # Accounting aggregator
 resource "openstack_compute_instance_v2" "accounting_aggregator" {
-  name = var.accounting_aggregator.name
+  name                    = var.accounting_aggregator.name
  availability_zone_hints = var.availability_zones_names.availability_zone_no_gpu
-  flavor_name = var.accounting_aggregator.flavor
-  key_pair = module.ssh_settings.ssh_key_name
-  security_groups = [var.default_security_group_name]
+  flavor_name             = var.accounting_aggregator.flavor
+  key_pair                = module.ssh_settings.ssh_key_name
+  security_groups         = [var.default_security_group_name]
  block_device {
    uuid                  = var.ubuntu_1804.uuid
    source_type           = "image"
@ -121,5 +153,13 @@ resource "openstack_compute_instance_v2" "accounting_aggregator" {
  network {
    name = var.networks_list.orientdb_se
  }
-  user_data = "${file("${var.ubuntu1804_data_file}")}"
+  user_data = file("${var.ubuntu1804_data_file}")
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }
--- a/openstack-tf/modules/smart-executor/variables-smart-executor.tf
+++ b/openstack-tf/modules/smart-executor/variables-smart-executor.tf
@ -1,44 +1,44 @@
 variable "accounting_dashboard_harvester" {
-        type = map(string)
-        default = {
-                name = "accounting-dashboard-harvester-se-plugin"
-                description = "Accounting Dashboard Harvester SE plugin"
-                flavor = "m1.medium"
-        }
+  type = map(string)
+  default = {
+    name        = "accounting-dashboard-harvester-se-plugin"
+    description = "Accounting Dashboard Harvester SE plugin"
+    flavor      = "m1.medium"
+  }
 }

 variable "resource_checker" {
-        type = map(string)
-        default = {
-                name = "resource-checker-se-plugin"
-                description = "Resource checker SE plugin"
-                flavor = "c1.small"
-        }
+  type = map(string)
+  default = {
+    name        = "resource-checker-se-plugin"
+    description = "Resource checker SE plugin"
+    flavor      = "c1.small"
+  }
 }

 variable "social_data_indexer" {
-        type = map(string)
-        default = {
-                name = "social-data-indexer-se-plugin"
-                description = "Social data indexer SE plugin"
-                flavor = "c1.small"
-        }
+  type = map(string)
+  default = {
+    name        = "social-data-indexer-se-plugin"
+    description = "Social data indexer SE plugin"
+    flavor      = "c1.small"
+  }
 }

 variable "accounting_insert_storage" {
-        type = map(string)
-        default = {
-                name = "accounting-insert-storage-se-plugin"
-                description = "Accounting insert storage SE plugin"
-                flavor = "c1.small"
-        }
+  type = map(string)
+  default = {
+    name        = "accounting-insert-storage-se-plugin"
+    description = "Accounting insert storage SE plugin"
+    flavor      = "c1.small"
+  }
 }

 variable "accounting_aggregator" {
-        type = map(string)
-        default = {
-                name = "accounting-aggregator-se-plugin"
-                description = "Accounting aggregator SE plugin"
-                flavor = "m1.medium"
-        }
+  type = map(string)
+  default = {
+    name        = "accounting-aggregator-se-plugin"
+    description = "Accounting aggregator SE plugin"
+    flavor      = "m1.medium"
+  }
 }
--- a/openstack-tf/modules/timescaledb/timescaledb.tf
+++ b/openstack-tf/modules/timescaledb/timescaledb.tf
@ -91,6 +91,14 @@ resource "openstack_compute_instance_v2" "timescaledb_server" {

  user_data  = file("${module.common_variables.ubuntu_2204.user_data_file}")
  depends_on = [openstack_networking_subnet_v2.timescaledb_subnet]
+  # Do not replace the instance when the ssh key changes
+  lifecycle {
+    ignore_changes = [
+      # Ignore changes to tags, e.g. because a management agent
+      # updates these based on some ruleset managed elsewhere.
+      key_pair, user_data
+    ]
+  }
 }