bpg / terraform-provider-proxmox

Terraform Provider for Proxmox
https://registry.terraform.io/providers/bpg/proxmox
Mozilla Public License 2.0

Firewall rule attributes cannot be removed / perpetual change plan #1504

Open kbcz1989 opened 2 months ago

kbcz1989 commented 2 months ago

Describe the bug
Removing an attribute (setting it to null or an empty string) from a firewall rule definition does not remove the attribute, and the next terraform plan wants to make the same changes.

To Reproduce
Steps to reproduce the behavior:

  1. Create a resource proxmox_virtual_environment_firewall_rules
  2. Run terraform apply
  3. Remove one of the attributes from a defined rule
  4. Run terraform apply - it "successfully" removes the rule
  5. Next terraform plan wants to remove it again

Please also provide a minimal Terraform configuration that reproduces the issue.

Before the change:

resource "proxmox_virtual_environment_firewall_rules" "inbound" {
  node_name = var.node_name
  vm_id     = var.vm_id

  rule {
    type    = "in"
    action  = "ACCEPT"
    comment = "Allow HTTP"
    dest    = "192.168.1.5"
    dport   = "80"
    proto   = "tcp"
    log     = "info"
  }

  rule {
    type   = "in"
    action = "ACCEPT"
    comment = "Allow HTTPS"
    dest = "192.168.1.5"
    dport   = "443"
    proto   = "tcp"
    log = "info"
  }
}

After the change:

resource "proxmox_virtual_environment_firewall_rules" "inbound" {
  node_name = var.node_name
  vm_id     = var.vm_id

  rule {
    type    = "in"
    action  = "ACCEPT"
    comment = "Allow HTTP"
    dest    = "192.168.1.5"
    dport   = "80"
    proto   = "tcp"
    log     = "info"
  }

  rule {
    type   = "in"
    action = "ACCEPT"
    #comment = "Allow HTTPS"
    dest = "192.168.1.5"
    #dport   = "443"
    #proto   = "tcp"
    log = "info"
  }
}

Expected behavior
Attributes removed from config should be removed from resource.

Screenshots 2024-08-22_13-59

Additional context
I suspect this is due to the provider not sending null parameters at all. Comparing GUI and provider actions suggests the same:

Provider: tf_http_req_body="action=ACCEPT&comment=Allow+HTTP&dest=192.168.1.5&dport=80&enable=1&log=info&pos=0&proto=tcp&type=in"

GUI: type=in&action=ACCEPT&delete=iface&source=&dest=192.168.1.5&enable=1&macro=&proto=&sport=&dport=&comment=&log=info&icmp-type=&digest=0929e8b4b3604b3b14a620d53a5aa86f13c838e4

kbcz1989 commented 2 months ago

Possibly related to "omitempty" here: https://github.com/bpg/terraform-provider-proxmox/blob/35cbe98d6b26b47c0b8797dd6d4f084585f846c7/proxmox/firewall/rules.go#L32-L45
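
The drift described in this issue, as an added example that is not part of the thread or the provider's code: an omitempty-style encoder sends nothing for a cleared attribute, so the rule on the host keeps its old comment, dport and proto and no longer matches the reviewed configuration. `Rule`, `EncodeOmitEmpty` and `EncodeWithDelete` are hypothetical names, and the comma-separated form of the `delete` parameter is an assumption (the quoted GUI request only shows `delete=iface`).

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Rule is a hypothetical model (not the provider's struct); a missing or empty key is unset.
type Rule map[string]string

// EncodeOmitEmpty drops unset attributes, as an omitempty-style encoder does,
// so the API never learns that they were removed.
func EncodeOmitEmpty(r Rule) url.Values {
	v := url.Values{}
	for k, val := range r {
		if val != "" {
			v.Set(k, val)
		}
	}
	return v
}

// EncodeWithDelete also names every attribute set in prev but cleared in next
// in a "delete" parameter, like the GUI request quoted in the issue.
func EncodeWithDelete(prev, next Rule) url.Values {
	v, del := EncodeOmitEmpty(next), []string{}
	for k, old := range prev {
		if old != "" && next[k] == "" {
			del = append(del, k)
		}
	}
	sort.Strings(del) // map iteration order is random; keep the body stable
	if len(del) > 0 {
		v.Set("delete", strings.Join(del, ","))
	}
	return v
}

var ( // constructed sample: the second rule from the issue, before and after the edit
	Before = Rule{"type": "in", "action": "ACCEPT", "comment": "Allow HTTPS",
		"dest": "192.168.1.5", "dport": "443", "proto": "tcp", "log": "info"}
	After = Rule{"type": "in", "action": "ACCEPT", "dest": "192.168.1.5", "log": "info"}
)

func main() {
	fmt.Printf("%s\n%s\n", EncodeOmitEmpty(After).Encode(), EncodeWithDelete(Before, After).Encode())
}
```

The first body carries no trace of the three removed attributes; the second lists them under `delete`, which is the information the update request needs for the applied rule to match the plan.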