by thayne 1036 days ago
I'm not sure what they mean by that. But one case where terraform's model doesn't work very well is updating a certificate on a load balancer (to be concrete, say an ACM certificate attached to an NLB in AWS) to a new cert and removing the old one. The proper way to do that, without service interruption, is the following:

1. Create new certificate

2. Update the certificate attached to the load balancer

3. Delete old certificate

But it isn't actually possible to do that in that order with terraform because of how dependencies work.

By default what terraform will try to do is:

1. Delete old certificate. This will either fail, because the certificate is in use (as is the case in AWS), or destroy a resource that is still in use and cause the load balancer to enter a bad state

2. Create new certificate

3. Update the load balancer

The only ways I have found to work around this are targeted applies (which are discouraged), or splitting the change up into multiple code changes, with separate applies for each change.
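The create / attach / delete ordering described above, written out in Terraform as an added example (this is not code from the comment or from the HashiCorp provider docs). It uses the AWS provider's `create_before_destroy` lifecycle setting on the certificate, which reverses the default destroy-then-create replacement order that the comment lists. The variable names, the resource names and the use of Route 53 for DNS validation are assumptions for the sake of the example.

```hcl
# Added example (not from the comment): rotating an ACM certificate on an
# NLB TLS listener without Terraform deleting the in-use certificate first.
# Assumed inputs: var.domain_name, var.zone_id, var.nlb_arn, var.target_group_arn.

variable "domain_name"      { type = string }
variable "zone_id"          { type = string }
variable "nlb_arn"          { type = string }
variable "target_group_arn" { type = string }

resource "aws_acm_certificate" "this" {
  domain_name       = var.domain_name   # changing this forces a replacement
  validation_method = "DNS"

  lifecycle {
    # The replacement certificate is created first; the old one is destroyed
    # only after every resource that referenced it (the listener) is updated.
    create_before_destroy = true
  }
}

# DNS validation records for whichever certificate is current.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.this.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      record = dvo.resource_record_value
      type   = dvo.resource_record_type
    }
  }

  allow_overwrite = true
  zone_id         = var.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
}

# Blocks until ACM has actually issued the certificate, so the listener is
# never switched to a certificate that is still pending validation.
resource "aws_acm_certificate_validation" "this" {
  certificate_arn         = aws_acm_certificate.this.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

resource "aws_lb_listener" "tls" {
  load_balancer_arn = var.nlb_arn
  port              = 443
  protocol          = "TLS"
  # Referencing the validation resource rather than the certificate directly
  # gives the order: create new cert -> validate -> update listener -> destroy old.
  certificate_arn   = aws_acm_certificate_validation.this.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}
```

A change to `domain_name` (or to `subject_alternative_names`) is what triggers the rotation. In the plan the certificate shows as `+/-` (create replacement and then destroy) instead of the default `-/+` (destroy and then create replacement), and the listener shows as an in-place update, so a single `terraform apply` performs the three steps in the order the comment asks for. Without the `lifecycle` block the plan reverts to `-/+` and the first step is the destroy that AWS rejects because the certificate is still attached.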