Issue with L3Out config

[JockeW-DvL]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

APIC version and APIC Platform

• V 1.5.7 and Terraform cloud

Affected Resource(s)

• aci_external_network_instance_profile

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

resource "aci_external_network_instance_profile" "terraform_external_epg" {
  for_each            = { for k in compact([for k, v in var.l3out : v.purpose == "l3out" ? k : ""]) : k => var.l3out[k] }
  l3_outside_dn       = aci_l3_outside.terraform_l3out[each.key].id
  name                = "Default_route"
  pref_gr_memb        = each.value.pref_gr == "yes" ? "include" : "exclude"
  relation_fv_rs_cons = each.value.contract == "" ? [""] : [data.tfe_outputs.network_state.values.contracts[each.value.contract].id]
}

l3out                          = {
  NL3OUT1                        = {
    tenant                         = "TEN1"
    vrf                            = "VRF1"
    routing_igp                    = "ospf"
    routing_protocol               = "bgp"
    l3dom                          = "L3DOM2"
    purpose                        = "intervrf"
    contract                       = ""
    pref_gr                        = "yes"
  }
  NL3OUT2                        = {
    tenant                         = "TEN2"
    vrf                            = "VRF2"
    routing_igp                    = "ospf"
    routing_protocol               = "bgp"
    l3dom                          = "L3DOM2"
    purpose                        = "intervrf"
    contract                       = ""
    pref_gr                        = "yes"
  }
  NL3OUT3                        = {
    tenant                         = "TEN3"
    vrf                            = "VRF3"
    routing_igp                    = "ospf"
    routing_protocol               = "bgp"
    l3dom                          = "L3DOM2"
    purpose                        = "intervrf"
    contract                       = ""
    pref_gr                        = "yes"
  }
}

Debug Output

Panic Output

Expected Behavior

Nothing, no change should be performed

Actual Behavior

every time i run the terraform plan job in Terraform Cloud, i get the proposed change as shown below, even though no changes has been done to the config files.

{"@level":"info","@message":"aci_external_network_instance_profile.terraform_new_intervrf_external_epg[\"NL3OUT1\"]: Drift detected (update)","@module":"terraform.ui","@timestamp":"2024-02-20T08:25:00.894232Z","change":{"resource":{"addr":"aci_external_network_instance_profile.terraform_new_intervrf_external_epg[\"NL3OUT1\"]","module":"","resource":"aci_external_network_instance_profile.terraform_new_intervrf_external_epg[\"NL3OUT1\"]","implied_provider":"aci","resource_type":"aci_external_network_instance_profile","resource_name":"terraform_new_intervrf_external_epg","resource_key":"NL3OUT1"},"action":"update"},"type":"resource_drift"} {"@level":"info","@message":"aci_external_network_instance_profile.terraform_new_intervrf_external_epg[\"NL3OUT1\"]: Refreshing state... [id=uni/tn-dev/out-vFW_InterVRF-dev/instP-InterVRF]","@module":"terraform.ui","@timestamp":"2024-02-20T08:24:25.727017Z","hook":{"resource":{"addr":"aci_external_network_instance_profile.terraform_new_intervrf_external_epg[\"NL3OUT1\"]","module":"","resource":"aci_external_network_instance_profile.terraform_new_intervrf_external_epg[\"NL3OUT1\"]","implied_provider":"aci","resource_type":"aci_external_network_instance_profile","resource_name":"terraform_new_intervrf_external_epg","resource_key":"NL3OUT1"},"id_key":"id","id_value":"uni/tn-dev/out-vFW_InterVRF-dev/instP-InterVRF"},"type":"refresh_start"} {"@level":"info","@message":"aci_external_network_instance_profile.terraform_new_intervrf_external_epg[\"NL3OUT1\"]: Refresh complete [id=uni/tn-dev/out-vFW_InterVRF-dev/instP-InterVRF]","@module":"terraform.ui","@timestamp":"2024-02-20T08:24:27.781401Z","hook":{"resource":{"addr":"aci_external_network_instance_profile.terraform_new_intervrf_external_epg[\"NL3OUT1\"]","module":"","resource":"aci_external_network_instance_profile.terraform_new_intervrf_external_epg[\"NL3OUT1\"]","implied_provider":"aci","resource_type":"aci_external_network_instance_profile","resource_name":"terraform_new_intervrf_external_epg","resource_key":"NL3OUT1"},"id_key":"id","id_value":"uni/tn-dev/out-vFW_InterVRF-dev/instP-InterVRF"},"type":"refresh_complete"}

No change is performed, but it is anoying to see the planned change every time i do a plan & Apply job.

Steps to Reproduce

1. terraform apply

Important Factoids

References

• 0000

[akinross]

HI @JockeW-DvL,

Thank you for raising the issue, are you sure you copied the correct example above? I see your resource aci_l3out_ospf_external_policy but then you mention aci_external_network_instance_profile?

Another thing I am curious about is why do you define this as empty string?

[JockeW-DvL]

body{font-family:Helvetica,Arial;font-size:13px}Hello Akini,Sorry, my bad. I copied the wrong definition. Here are the correct:resource "aci_external_network_instance_profile" "terraform_external_epg" {  for_each                             = { for k in compact([for k, v in var.l3out: v.purpose == "l3out" ? k : ""]): k => var.l3out[k] }  l3_outside_dn                        = aci_l3_outside.terraform_l3out[each.key].id  name                                 = "Default_route"  pref_gr_memb                         = each.value.pref_gr == "yes" ? "include" : "exclude"  relation_fv_rs_cons                  = each.value.contract == "" ? [""] : [data.tfe_outputs.network_state.values.contracts[each.value.contract].id]} On 4 March 2024 at 09:58:36, Akini Ross @.***) wrote: HI @JockeW-DvL, Thank you for raising the issue, are you sure you copied the correct example above? I see your resource aci_l3out_ospf_external_policy but then you mention aci_external_network_instance_profile?

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: @.***>

[akinross]

Hi @JockeW-DvL,

Had a quick look at your code and did some testing on a resource without a loop and suspect the issue here is that you provide "" in the set variable when "" is passed in as contract. From the resource perspective it will add "" to the set of contracts and then check in state if it exists, thus I suspect causing this plan output of adding "" to list. I assume you would like to set no contracts when you define "", so I think your ternary operation should be slightly different:

resource "aci_external_network_instance_profile" "terraform_external_epg" {
  for_each            = { for k in compact([for k, v in var.l3out : v.purpose == "l3out" ? k : ""]) : k => var.l3out[k] }
  l3_outside_dn       = aci_l3_outside.terraform_l3out[each.key].id
  name                = "Default_route"
  pref_gr_memb        = each.value.pref_gr == "yes" ? "include" : "exclude"
  relation_fv_rs_cons = each.value.contract == "" ? [] : [data.tfe_outputs.network_state.values.contracts[each.value.contract].id]
}

I have only tested this on a single resource with out looping so you would need to verify in your looping situation. See below outputs. Where the first output sets relation_fv_rs_cons = [""] and the second sets relation_fv_rs_cons = [].

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly
these actions if you run "terraform apply" now.
26f4dab604e9:/test# tfp
aci_l3_outside.abr_l3out: Refreshing state... [id=uni/tn-abr_test/out-abr_l3out]
aci_external_network_instance_profile.terraform_external_epg: Refreshing state... [id=uni/tn-abr_test/out-abr_l3out/instP-Default_route]

Terraform used the selected providers to generate the following execution plan. Resource actions are
indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aci_external_network_instance_profile.terraform_external_epg will be updated in-place
  ~ resource "aci_external_network_instance_profile" "terraform_external_epg" {
        id                           = "uni/tn-abr_test/out-abr_l3out/instP-Default_route"
        name                         = "Default_route"
      ~ relation_fv_rs_cons          = [
          + "",
        ]
        # (12 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

──────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly
these actions if you run "terraform apply" now.
26f4dab604e9:/test# tfp
aci_l3_outside.abr_l3out: Refreshing state... [id=uni/tn-abr_test/out-abr_l3out]
aci_external_network_instance_profile.terraform_external_epg: Refreshing state... [id=uni/tn-abr_test/out-abr_l3out/instP-Default_route]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences,
so no changes are needed.
26f4dab604e9:/test# 

[JockeW-DvL]

body{font-family:Helvetica,Arial;font-size:13px}Hello again Akini,Thank you for that, I will test this out asap.Regards On 4 March 2024 at 10:41:23, Akini Ross @.***) wrote: Hi @JockeW-DvL, Had a quick look at your code and did some testing on a resource without a loop and thing the issue here is that you provide "" in the set variable when "" is passed in as contract. From the resource perspective it will add "" to the list of contracts and then check in state if it exists, thus I suspect causing this plan output of adding "" to list. I assume you would like to set no contracts when you define "", so I think your ternary operation should be slightly different: resource "aci_external_network_instance_profile" "terraform_external_epg" { for_each = { for k in compact([for k, v in var.l3out : v.purpose == "l3out" ? k : ""]) : k => var.l3out[k] } l3_outside_dn = aci_l3_outside.terraform_l3out[each.key].id name = "Default_route" pref_gr_memb = each.value.pref_gr == "yes" ? "include" : "exclude" relation_fv_rs_cons = each.value.contract == "" ? [] : [data.tfe_outputs.network_state.values.contracts[each.value.contract].id] }

I have only tested this on a single resource with out looping so you would need to verify in your looping situation. See below outputs. Where the first output sets relation_fv_rs_cons = [""] and the second sets relation_fv_rs_cons = []. Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now. 26f4dab604e9:/test# tfp aci_l3_outside.abr_l3out: Refreshing state... [id=uni/tn-abr_test/out-abr_l3out] aci_external_network_instance_profile.terraform_external_epg: Refreshing state... [id=uni/tn-abr_test/out-abr_l3out/instP-Default_route]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: ~ update in-place

Terraform will perform the following actions:

aci_external_network_instance_profile.terraform_external_epg will be updated in-place

~ resource "aci_external_network_instance_profile" "terraform_external_epg" { id = "uni/tn-abr_test/out-abr_l3out/instP-Default_route" name = "Default_route" ~ relation_fv_rs_cons = [

• "", ]

  (12 unchanged attributes hidden)

  }

Plan: 0 to add, 1 to change, 0 to destroy.

──────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now. 26f4dab604e9:/test# tfp aci_l3_outside.abr_l3out: Refreshing state... [id=uni/tn-abr_test/out-abr_l3out] aci_external_network_instance_profile.terraform_external_epg: Refreshing state... [id=uni/tn-abr_test/out-abr_l3out/instP-Default_route]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. 26f4dab604e9:/test#

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: @.***>

[akinross]

Hi @JockeW-DvL, please keep me updated on your testing, so we can track this issue accordingly.

[JockeW-DvL]

body{font-family:Helvetica,Arial;font-size:13px}Hello akini,That fixed my issue, thank you so very much for this.You can close this issue as it was an issue with my config code.Regards On 4 March 2024 at 10:49:37, Akini Ross @.***) wrote: Hi @JockeW-DvL, please keep me updated on your testing, so we can track this issue accordingly.

—Reply to this email directly, view it on GitHub, or unsubscribe.You are receiving this because you were mentioned.Message ID: @.***>

[akinross]

Configuration issue, will close.