CiscoDevNet / terraform-provider-sdwan

Terraform Cisco SD-WAN Provider
https://registry.terraform.io/providers/CiscoDevNet/sdwan
Mozilla Public License 2.0

Empty action_entries not idempotent | sdwan_zone_based_firewall_policy_definition #280

Closed rrahimm closed 3 months ago

rrahimm commented 3 months ago

When the action entries are empty, we see that Terraform is trying to push the action_entries over and over.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.sdwan.sdwan_zone_based_firewall_policy_definition.zone_based_firewall_policy_definition["Test_zone_based_fw_1_uni1"] will be updated in-place
  ~ resource "sdwan_zone_based_firewall_policy_definition" "zone_based_firewall_policy_definition" {
        id               = "3e8210c4-018e-41c6-894e-cb94b9fc0c79"
        name             = "Test_zone_based_fw_1_uni1"
      ~ rules            = [
          ~ {
              + action_entries = []
                # (4 unchanged attributes hidden)
            },
          ~ {
              + action_entries = []
                # (4 unchanged attributes hidden)
            },
            # (2 unchanged elements hidden)
        ]
      ~ version          = 13 -> (known after apply)
        # (4 unchanged attributes hidden)
    }

rrahimm commented 3 months ago

@seconroy

Please take a look when you get time.

rrahimm commented 3 months ago

More Logs

1st Apply
  # module.sdwan.sdwan_zone_based_firewall_policy_definition.zone_based_firewall_policy_definition["Test_zone_based_fw_3_uni1"] will be created
  + resource "sdwan_zone_based_firewall_policy_definition" "zone_based_firewall_policy_definition" {
      + apply_zone_pairs = [
          + {
              + destination_zone = "5b280f25-eb3f-4545-8440-2f5f28b80055"
              + source_zone      = "self"
            },
        ]
      + default_action   = "drop"
      + description      = "Test_zone_based_fw_3_uni1"
      + id               = (known after apply)
      + mode             = "security"
      + name             = "Test_zone_based_fw_3_uni1"
      + rules            = [
          + {
              + action_entries = []
              + base_action    = "drop"
              + match_entries  = [
                  + {
                      + type  = "protocol"
                      + value = "1 50"
                    },
                ]
              + rule_name      = "Rule_1"
              + rule_order     = 1
            },
        ]
      + version          = (known after apply)
    }

2nd Apply
  # module.sdwan.sdwan_zone_based_firewall_policy_definition.zone_based_firewall_policy_definition["Test_zone_based_fw_3_uni1"] will be updated in-place
  ~ resource "sdwan_zone_based_firewall_policy_definition" "zone_based_firewall_policy_definition" {
        id               = "0ced6374-6b0d-4ae6-9255-c37b3217d9a7"
        name             = "Test_zone_based_fw_3_uni1"
      ~ rules            = [
          ~ {
              + action_entries = []
                # (4 unchanged attributes hidden)
            },
        ]
      ~ version          = 0 -> (known after apply)
        # (4 unchanged attributes hidden)
    }

rrahimm commented 3 months ago

@seconroy

I managed to handle this with a Terraform module.