IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

[CBR] Add the ability to update existing CBR rules and zones. #5235

Open Ak-sky opened 3 months ago

Ak-sky commented 3 months ago

Description

As of now there is no way to update the existing CBR zones and rules except from the UI. We have a requirement where a few of the base CBR rules/zones will be created beforehand, and later we want to update both existing zones and rules based on newly created VPCs, etc.

zhenwan commented 3 months ago

@Ak-sky Besides the UI, you can also update zones and rules by using the API, CLI, or Terraform. Please let me know if these are what you are asking for.

tyao117 commented 3 months ago

Is this the problem where the update doesn't recognize the update from the main.tf?

image

My main.tf:

image

If that is the case, the attribute contexts needs to become a TypeSet rather than a TypeList.

ocofaigh commented 3 months ago

@zhenwan With the Terraform provider, my understanding is it's only possible to create new CBR zones or rules. We are looking for the ability to update an existing zone or rule using Terraform. Our use case is that we may have one Terraform state that creates the zones and rules, but then as more resources get created in our account (in different Terraform state files) we want the ability to update the zones / rules with the new resources. Does this make sense?

tyao117 commented 3 months ago

Previous CBR zones or rules can be updated. I tried the command locally and it does update a previous cbr rule.

$ terraform plan
ibm_cbr_rule.cbr_rule: Refreshing state... [id=db37786887b117ce3481b987d78d9a77]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # ibm_cbr_rule.cbr_rule will be updated in-place
  ~ resource "ibm_cbr_rule" "cbr_rule" {
      + description         = "this is an example of rule with two contexts"
        id                  = "db37786887b117ce3481b987d78d9a77"
        # (8 unchanged attributes hidden)

      ~ contexts {
          ~ attributes {
              ~ name  = "endpointType" -> "networkZoneId"
              ~ value = "private,public,direct" -> "dba984bd974c1ec08d414896538ac390"
            }
          ~ attributes {
              ~ name  = "networkZoneId" -> "endpointType"
              ~ value = "dba984bd974c1ec08d414896538ac390" -> "private"
            }
        }

      ~ resources {
          ~ attributes {
              ~ name     = "serviceInstance" -> "serviceName"
              - operator = "stringEquals" -> null
              ~ value    = "7484f1cc-09c4-4953-88f4-f36180fe1415" -> "cloud-object-storage"
            }
          - attributes {
              - name  = "serviceName" -> null
              - value = "cloud-object-storage" -> null
            }
          + tags {
              + name  = "tag_name"
              + value = "tag_value"
            }

            # (1 unchanged block hidden)
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
$ terraform apply tf.plan
ibm_cbr_rule.cbr_rule: Modifying... [id=db37786887b117ce3481b987d78d9a77]
ibm_cbr_rule.cbr_rule: Modifications complete after 1s [id=db37786887b117ce3481b987d78d9a77]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

I checked the Update Resource code. It does call an Update provided from the SDK. https://github.com/IBM-Cloud/terraform-provider-ibm/blob/bba25291c9e05a7e01c1d2db14bcbe0f1946b241/ibm/service/contextbasedrestrictions/resource_ibm_cbr_zone.go#L436
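As an added illustration (not code from the provider or from anyone in this thread), the sketch below models the list-versus-set comparison raised in the comments above, using the contexts attributes from the posted plan. `Attr`, `ListDiff` and `SetDiff` are hypothetical names, and the code does not reproduce how the Terraform SDK implements TypeList or TypeSet.

```go
package main

import "fmt"

// Attr is a hypothetical stand-in for one name/value pair of a CBR rule context.
type Attr struct{ Name, Value string }

// ListDiff counts positions whose element differs (list semantics): a reorder counts as a change.
func ListDiff(prev, next []Attr) int {
	changed := 0
	for i := 0; i < len(prev) || i < len(next); i++ {
		if i >= len(prev) || i >= len(next) || prev[i] != next[i] {
			changed++
		}
	}
	return changed
}

func toSet(s []Attr) map[Attr]bool { // membership index, order discarded
	m := map[Attr]bool{}
	for _, a := range s {
		m[a] = true
	}
	return m
}

// SetDiff ignores order (set semantics) and returns only real removals and additions.
func SetDiff(prev, next []Attr) (removed, added []Attr) {
	inPrev, inNext := toSet(prev), toSet(next)
	for _, a := range prev {
		if !inNext[a] {
			removed = append(removed, a)
		}
	}
	for _, a := range next {
		if !inPrev[a] {
			added = append(added, a)
		}
	}
	return removed, added
}

// Old and new contexts attributes, copied from the plan output in the comment above.
var Prev = []Attr{{"endpointType", "private,public,direct"}, {"networkZoneId", "dba984bd974c1ec08d414896538ac390"}}
var Next = []Attr{{"networkZoneId", "dba984bd974c1ec08d414896538ac390"}, {"endpointType", "private"}}

func main() {
	removed, added := SetDiff(Prev, Next)
	fmt.Println("list: changed positions =", ListDiff(Prev, Next), "| set: -", removed, "+", added)
}
```

Under list semantics both positions are reported as changed, while set semantics isolates the one real edit to the access rule: the endpointType value narrowing from "private,public,direct" to "private".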

ocofaigh commented 3 months ago

I think in order to achieve this, we would need a new provider resource (e.g. ibm_cbr_rule_context) in order to be able to update existing CBR resources. Something similar to the way ibm_is_security_group_rule can be used to update an existing security group.

ocofaigh commented 3 months ago

@zhenwan @Ak-sky Should we sync up internally on this? This is blocking one of our committed AHA items for 2Q

zhenwan commented 3 months ago

@ocofaigh Please look at the response Tim provided above: https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5235#issuecomment-2022915184. Tim has opened a PR, https://github.com/IBM-Cloud/terraform-provider-ibm/pull/5246, that fixed rule/zone update issues. Please let me know if this new PR will address your issue. If not, can you please provide us a test case?

ocofaigh commented 3 months ago

@zhenwan I don't think Tim's updates will cover our use case. As per the above comment, our use case is that we have one Terraform state that creates the zones and rules, but then as more resources get created in our account (in different Terraform states) we need the ability to update the contexts of the existing zones / rules with the new resources we created.

So for this to work, we would need a new provider resource (e.g. ibm_cbr_rule_context) in order to be able to update existing CBR zones / rules. Something similar to the way ibm_is_security_group_rule can be used to update an existing security group.

vburckhardt commented 2 months ago

Suggest naming the resource attachment. This is conceptually the same as https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_instance_network_attachment or https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_instance_volume_attachment where objects are created, and then another resource is used to attach an object to another. This follows best practices in Terraform / IaC in general around idempotency.

LindaBat commented 2 months ago

Hello, can you please provide an update on this issue? Thanks.