F5Networks / terraform-provider-bigip

Terraform resources that can configure F5 BIG-IP products
https://registry.terraform.io/providers/F5Networks/bigip/latest/docs
Mozilla Public License 2.0

2nd Terraform apply on bigip_waf_policy destroys policy instead of modifying #871

Closed Otimun closed 9 months ago

Otimun commented 1 year ago

Environment

Summary

When creating a policy and then updating the policy, a terraform apply first deletes the policy before recreating it.

Cause mentioned by terraform is:

  ~ template_name = "POLICY_TEMPLATE_BLANK" -> "POLICY_TEMPLATE_RAPID_DEPLOYMENT" # forces replacement

It seems the template_name is not saved properly after use.

Steps To Reproduce

Steps to reproduce the behavior:

provider "bigip" {
  address  = var.hostname
  username = var.username
  password = var.password
}

resource "bigip_waf_policy" "this" {
  partition            = "Common"
  name                 = "scenario2"
  template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
  application_language = "utf-8"
  enforcement_mode     = "blocking"
  server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux",]
}

terraform apply

Adjust server_technologies:

server_technologies  = ["Apache Tomcat", "MySQL", "Unix/Linux", "MongoDB"]

terraform apply

Expected Behavior

The object gets modified with the new server technology.

Actual Behavior

After the second terraform apply, terraform wants to recreate the object instead of modifying it. The cause in the logs seems to indicate that this is due to a change in template_name; however, this has not been changed.

Most probable cause is that the template_name is not properly saved.

Logs:

When adding an extra server technology like MongoDB, and rerunning terraform apply, the following logs are shown:

  ~ policy_id            = "EdchwjSqo9cFtYP-iWUJmw" -> (known after apply)
  ~ server_technologies  = [
        # (2 unchanged elements hidden)
        "Unix/Linux",
      + "MongoDB",
    ]
  ~ template_name        = "POLICY_TEMPLATE_BLANK" -> "POLICY_TEMPLATE_RAPID_DEPLOYMENT" # forces replacement
    # (6 unchanged attributes hidden)
}

Plan: 1 to add, 0 to change, 1 to destroy.

RavinderReddyF5 commented 1 year ago

Hi @Otimun, I am unable to reproduce the issue.

➜  terraform-provider-bigip git:(devel) ✗ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # bigip_waf_policy.this will be created
  + resource "bigip_waf_policy" "this" {
      + application_language = "utf-8"
      + case_insensitive     = false
      + description          = (known after apply)
      + enable_passivemode   = false
      + enforcement_mode     = "blocking"
      + id                   = (known after apply)
      + name                 = "scenario2"
      + partition            = "Common"
      + policy_export_json   = (known after apply)
      + policy_id            = (known after apply)
      + server_technologies  = [
          + "Apache Tomcat",
          + "MySQL",
          + "Unix/Linux",
        ]
      + template_name        = "POLICY_TEMPLATE_RAPID_DEPLOYMENT"
      + type                 = "security"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

bigip_waf_policy.this: Creating...
bigip_waf_policy.this: Still creating... [10s elapsed]
bigip_waf_policy.this: Still creating... [20s elapsed]
bigip_waf_policy.this: Still creating... [30s elapsed]
bigip_waf_policy.this: Still creating... [40s elapsed]
bigip_waf_policy.this: Creation complete after 41s [id=EdchwjSqo9cFtYP-iWUJmw]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
➜  terraform-provider-bigip git:(devel) ✗ terraform apply
bigip_waf_policy.this: Refreshing state... [id=EdchwjSqo9cFtYP-iWUJmw]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Modification in server technologies:

➜  terraform-provider-bigip git:(devel) ✗ terraform apply
bigip_waf_policy.this: Refreshing state... [id=EdchwjSqo9cFtYP-iWUJmw]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # bigip_waf_policy.this will be updated in-place
  ~ resource "bigip_waf_policy" "this" {
        id                   = "EdchwjSqo9cFtYP-iWUJmw"
        name                 = "scenario2"
      ~ server_technologies  = [
            # (2 unchanged elements hidden)
            "Unix/Linux",
          + "MongoDB",
        ]
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

bigip_waf_policy.this: Modifying... [id=EdchwjSqo9cFtYP-iWUJmw]
bigip_waf_policy.this: Still modifying... [id=EdchwjSqo9cFtYP-iWUJmw, 10s elapsed]
bigip_waf_policy.this: Still modifying... [id=EdchwjSqo9cFtYP-iWUJmw, 20s elapsed]
bigip_waf_policy.this: Modifications complete after 28s [id=EdchwjSqo9cFtYP-iWUJmw]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Otimun commented 1 year ago

Hi @RavinderReddyF5,

Thank you for following up. I've tried again and the problem persists. I've also tried to apply it to another F5 under the same circumstances and it remains a problem:

      ~ policy_id            = "yJGcupcKlFiUO9d_aD-z6A" -> (known after apply)
      ~ server_technologies  = [
            # (3 unchanged elements hidden)
            "Unix/Linux",
          + "MongoDB",
        ]
      ~ template_name        = "POLICY_TEMPLATE_BLANK" -> "POLICY_TEMPLATE_RAPID_DEPLOYMENT" # forces replacement
        # (6 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Changes to Outputs:
  ~ policyId = "yJGcupcKlFiUO9d_aD-z6A" -> (known after apply)

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

Perhaps it is a problem with the specific F5 version. I will try to replicate it with version 16.1.

RavinderReddyF5 commented 9 months ago

Hi @Otimun, please do open a new issue if the problem still persists.
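
A pre-apply check for the situation in this thread, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a saved plan (`terraform plan -out=tfplan`, then `terraform show -json tfplan > plan.json`) and flags any `bigip_waf_policy` that would be destroyed or replaced, listing the attributes in `replace_paths` that force it. The function name, the guarded-type set and the sample plan are constructed for illustration.

```python
import json
import sys

# Resource types whose destroy/replace should never be applied unreviewed (assumed list).
GUARDED_TYPES = {"bigip_waf_policy"}


def find_waf_replacements(plan, guarded=GUARDED_TYPES):
    """Return one finding per guarded resource the plan would destroy or replace."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in guarded:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" not in actions:
            continue  # create, in-place update or no-op: the policy stays in place
        before = change.get("before") or {}
        after = change.get("after") or {}
        forced = []
        for path in change.get("replace_paths") or []:
            key = path[0] if path else None
            attr = ".".join(str(p) for p in path)
            forced.append((attr, before.get(key), after.get(key)))
        findings.append({
            "address": rc.get("address"),
            "kind": "replace" if "create" in actions else "destroy",
            "forced_by": forced,
        })
    return findings


# Constructed sample mirroring the plan in the issue, trimmed to the relevant fields.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "bigip_waf_policy.this", "type": "bigip_waf_policy",
  "change": {
    "actions": ["delete", "create"],
    "before": {"template_name": "POLICY_TEMPLATE_BLANK"},
    "after":  {"template_name": "POLICY_TEMPLATE_RAPID_DEPLOYMENT"},
    "replace_paths": [["template_name"]]}}]}
""")

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = find_waf_replacements(plan)
    for f in found:
        print(f"{f['address']}: {f['kind']} forced by {f['forced_by']}")
    sys.exit(1 if found else 0)  # non-zero exit blocks the pipeline's apply step
```

Run against a real `plan.json`, a non-zero exit means a WAF policy would be removed, even briefly, so the plan needs review before it is applied.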