Juniper / terraform-provider-apstra

Apstra Terraform Provider
Apache License 2.0
"Security Zone" issue when applying a Routing policy to a Routing Zone #420

Open coterv opened 1 year ago

coterv commented 1 year ago

Environment

Brief description

When you attempt to apply a route policy to a routing zone that was initially created without any routing policy, an error from Apstra is raised. This error refers to a "security-zone" issue. The term "security-zone" appears to be a method to implement "routing-zones" in earlier versions of Apstra.

Logs

resource "apstra_datacenter_routing_zone" "prueba2" {
  blueprint_id      = local.blueprint_ids["B_TB"]
  name              = "rz_test2"
  vlan_id           = "18"
  vni               = "6667"
  # routing_policy_id = try(apstra_datacenter_routing_policy.routing_policies["B_TB.rp_test"].id, null)
}

Terraform change:

  # module.blueprints.apstra_datacenter_routing_zone.prueba2 will be created
  + resource "apstra_datacenter_routing_zone" "prueba2" {
      + blueprint_id             = "189f19a6-43bb-49f8-beb5-76aae447013b"
      + had_prior_vlan_id_config = (known after apply)
      + had_prior_vni_config     = (known after apply)
      + id                       = (known after apply)
      + name                     = "rz_test2"
      + routing_policy_id        = (known after apply)
      + vlan_id                  = 18
      + vni                      = 6667
    }

terraform.tfstate:

          "attributes": {
            "blueprint_id": "189f19a6-43bb-49f8-beb5-76aae447013b",
            "dhcp_servers": null,
            "had_prior_vlan_id_config": true,
            "had_prior_vni_config": true,
            "id": "Oj9X5DtQzSms647jX10",
            "name": "rz_test2",
            "routing_policy_id": "tRoyPdM6lWGwBavMzF4",
            "vlan_id": 18,
            "vni": 6667
          },

resource "apstra_datacenter_routing_zone" "prueba2" {
  blueprint_id      = local.blueprint_ids["B_TB"]
  name              = "rz_test2"
  vlan_id           = "18"
  vni               = "6667"
  routing_policy_id = try(apstra_datacenter_routing_policy.routing_policies["B_TB.rp_test"].id, null)
}

Terraform change:

  # module.blueprints.apstra_datacenter_routing_zone.prueba2 will be updated in-place
  ~ resource "apstra_datacenter_routing_zone" "prueba2" {
      ~ had_prior_vlan_id_config = true -> (known after apply)
      ~ had_prior_vni_config     = true -> (known after apply)
        id                       = "Oj9X5DtQzSms647jX10"
        name                     = "rz_test2"
      ~ routing_policy_id        = "tRoyPdM6lWGwBavMzF4" -> "4YjWG18wiSWFUn82VgQ"
        # (3 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

[…]

module.blueprints.apstra_datacenter_routing_zone.prueba2: Modifying... [id=Oj9X5DtQzSms647jX10]
╷
│ Error: error updating security zone
│
│   with module.blueprints.apstra_datacenter_routing_zone.prueba2,
│   on modules/blueprints/bp_vrf.tf line 29, in resource "apstra_datacenter_routing_zone" "prueba2":
│   29: resource "apstra_datacenter_routing_zone" "prueba2" {
│
│ {"api_response":null,"config_blueprint_version":0,"errors":{"nodes":{"Oj9X5DtQzSms647jX10":[{"severity":"critical","display_category":"routing-zones","resolutions":[{"category":"rz-entire-page","entity_id":null,"hint":"Problematic
│ routing zone"}],"message":"EVPN Security zone rz_test2 must specify junos_evpn_irb_mode to asymmetric or symmetric
│ mode","error_type":"SZ_JUNOS_EVPN_IRB_MODE_NOT_SET_ON_EVPN_SZ","entity_type":"security_zone"}]},"relationships":{}},"error_code":422} - http response '' at
│ 'http://13.38.52.89:38309/api/blueprints/189f19a6-43bb-49f8-beb5-76aae447013b/security-zones/Oj9X5DtQzSms647jX10?async=full&async=full'

terraform.tfstate:

          "attributes": {
            "blueprint_id": "189f19a6-43bb-49f8-beb5-76aae447013b",
            "dhcp_servers": null,
            "had_prior_vlan_id_config": true,
            "had_prior_vni_config": true,
            "id": "Oj9X5DtQzSms647jX10",
            "name": "rz_test2",
            "routing_policy_id": "tRoyPdM6lWGwBavMzF4",
            "vlan_id": 18,
            "vni": 6667
          },

Result: No changes

resource "apstra_datacenter_routing_zone" "prueba2" {
  blueprint_id      = local.blueprint_ids["B_TB"]
  name              = "rz_test2"
  vlan_id           = "18"
  vni               = "6667"
  routing_policy_id = try(apstra_datacenter_routing_policy.routing_policies["dummy"].id, null)
}

Terraform change:

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

terraform.tfstate:

          "attributes": {
            "blueprint_id": "189f19a6-43bb-49f8-beb5-76aae447013b",
            "dhcp_servers": null,
            "had_prior_vlan_id_config": true,
            "had_prior_vni_config": true,
            "id": "Oj9X5DtQzSms647jX10",
            "name": "rz_test2",
            "routing_policy_id": "tRoyPdM6lWGwBavMzF4",
            "vlan_id": 18,
            "vni": 6667
          },

chrismarget-j commented 1 year ago

It looks like this is a new requirement in Apstra 4.2. We're (now) keeping track of differences like this in #423
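
Added example, not part of the thread and not the provider's own code: the 422 body in the log above nests the real cause under `errors.nodes.<node id>`, so this sketch decodes it into one flat record per node error. `ParseBlueprintError` and `NodeError` are hypothetical names, and the sample body is constructed by re-joining the wrapped log lines with single spaces.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample: the 422 body from the log above, re-joined onto one line.
const sampleBody = `{"api_response":null,"config_blueprint_version":0,"errors":{"nodes":{"Oj9X5DtQzSms647jX10":[{"severity":"critical","display_category":"routing-zones","resolutions":[{"category":"rz-entire-page","entity_id":null,"hint":"Problematic routing zone"}],"message":"EVPN Security zone rz_test2 must specify junos_evpn_irb_mode to asymmetric or symmetric mode","error_type":"SZ_JUNOS_EVPN_IRB_MODE_NOT_SET_ON_EVPN_SZ","entity_type":"security_zone"}]},"relationships":{}},"error_code":422}`

// NodeError holds only the fields visible in the log; the API may return more.
type NodeError struct {
	NodeID     string `json:"-"` // filled from the map key under errors.nodes
	Severity   string `json:"severity"`
	Message    string `json:"message"`
	ErrorType  string `json:"error_type"`
	EntityType string `json:"entity_type"`
}

type apiError struct {
	Errors struct {
		Nodes map[string][]NodeError `json:"nodes"`
	} `json:"errors"`
	ErrorCode int `json:"error_code"`
}

// ParseBlueprintError flattens errors.nodes into a list sorted by node ID.
func ParseBlueprintError(body []byte) (int, []NodeError, error) {
	var e apiError
	if err := json.Unmarshal(body, &e); err != nil {
		return 0, nil, fmt.Errorf("decoding error body: %w", err)
	}
	var out []NodeError
	for id, errs := range e.Errors.Nodes {
		for _, ne := range errs {
			ne.NodeID = id
			out = append(out, ne)
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].NodeID < out[j].NodeID })
	return e.ErrorCode, out, nil
}

func main() {
	code, findings, err := ParseBlueprintError([]byte(sampleBody))
	fmt.Printf("HTTP %d, err=%v, findings=%+v\n", code, err, findings)
}
```

The node ID in the flattened record is the same ID as the routing zone resource in the Terraform state, which ties the `security_zone` error back to `apstra_datacenter_routing_zone.prueba2`.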