cisco-open / terraform-provider-meraki

A Terraform Provider for Cisco Meraki
Mozilla Public License 2.0

resource `meraki_networks_switch_access_policies` this_policy - Failure on protov6 on apply #52

Closed finkjordanj closed 5 months ago

finkjordanj commented 6 months ago

Prerequisites

Describe the bug When attempting to build an access policy via a Terraform resource call, I get an error on apply about a tfprotov6 plugin crash.

resource "meraki_networks_switch_access_policies" "this_site_access_policy" {
  network_id = local.this_network.id
  name       = "dot1x/mab"
  radius_servers = [{
    host   = "<-blanked->"
    port   = 1812
    secret = "<-blanked->"
  }]
  radius_accounting_enabled = true
  radius_accounting_servers = [{
    host   = "<-blanked->"
    port   = 1813
    secret = "<-blanked->"
  }]
  radius_testing_enabled     = true
  radius_coa_support_enabled = false
  radius_group_attribute     = ""
  host_mode                  = "Single-Host"
  access_policy_type         = "Hybrid authentication"
  increase_access_speed      = false
  dot1x = {
    control_direction = "both"
  }
  radius = {
    critical_auth = {
      data_vlan_id        = 10
      suspend_port_bounce = true
      voice_vlan_id       = null
    }
    failed_auth_vlan_id        = 10
    re_authentication_interval = null
  }
  url_redirect_walled_garden_enabled = false
  guest_port_bouncing                = false
  guest_vlan_id                      = null
  voice_vlan_clients                 = true
}

Expected behavior Expect for resource build to complete.

Screenshots Error on apply.

fink@LTWXCGVT333:~/dev/meraki-terraform-test $ terraform apply
meraki_devices.this_mx: Refreshing state... [name=750-comm-meraki-lab-mx1]
meraki_devices.this_ms_ext_sw1: Refreshing state... [name=750-comm-meraki-lab-ext-sw1]
meraki_devices.this_ms_sw1: Refreshing state... [name=750-comm-meraki-lab-sw1]
meraki_devices.this_ms_sw2: Refreshing state... [name=750-comm-meraki-lab-sw2]
data.meraki_networks.dev_networks: Reading...
data.meraki_networks.dev_networks: Read complete after 1s
meraki_networks_switch_mtu.this_site_switch_mtu: Refreshing state...
meraki_networks_appliance_firewall_firewalled_services.this_snmp: Refreshing state...
meraki_networks_switch_settings.this_site_switch_settings: Refreshing state...
meraki_networks_group_policies.group_policy_byod: Refreshing state... [name=BYOD]
meraki_networks_appliance_vlans_settings.this_vlans: Refreshing state...
meraki_networks_appliance_vlans.this_vlan_1: Refreshing state... [id=1]
meraki_networks_appliance_firewall_firewalled_services.this_web: Refreshing state...
meraki_networks_syslog_servers.this_spoke: Refreshing state...
meraki_networks_appliance_firewall_firewalled_services.this_icmp: Refreshing state...
meraki_networks_appliance_settings.this: Refreshing state...
meraki_networks_appliance_vlans.this_vlan_20: Refreshing state... [id=20]
meraki_networks_appliance_vlans.this_vlan_10: Refreshing state... [id=10]
meraki_networks_appliance_vlans.this_vlan_30: Refreshing state... [id=30]
meraki_networks_appliance_vlans.this_vlan_5: Refreshing state... [id=5]
meraki_networks_appliance_vlans.this_vlan_2: Refreshing state... [id=2]
meraki_networks_group_policies.group_policy_guest: Refreshing state... [name=GUEST]
meraki_networks_group_policies.group_policy_pan: Refreshing state... [name=PAN]
meraki_networks_group_policies.group_policy_internal: Refreshing state... [name=INTERNAL]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # meraki_networks_switch_access_policies.this_site_access_policy will be created
  + resource "meraki_networks_switch_access_policies" "this_site_access_policy" {
      + access_policy_number               = (known after apply)
      + access_policy_type                 = "Hybrid authentication"
      + counts                             = (known after apply)
      + dot1x                              = {
          + control_direction = "both"
        }
      + guest_port_bouncing                = false
      + guest_vlan_id                      = (known after apply)
      + host_mode                          = "Single-Host"
      + increase_access_speed              = false
      + name                               = "dot1x/mab"
      + network_id                         = "L_783626335162467749"
      + radius                             = {
          + critical_auth              = {
              + data_vlan_id        = 10
              + suspend_port_bounce = true
              + voice_vlan_id       = (known after apply)
            }
          + failed_auth_vlan_id        = 10
          + re_authentication_interval = (known after apply)
        }
      + radius_accounting_enabled          = true
      + radius_accounting_servers          = [
          + {
              + host   = "<-blanked->"
              + port   = 1813
              + secret = "<-blanked->"
            },
        ]
      + radius_coa_support_enabled         = false
      + radius_group_attribute             = ""
      + radius_servers                     = [
          + {
              + host   = "<-blanked->"
              + port   = 1812
              + secret = "<-blanked->"
            },
        ]
      + radius_testing_enabled             = true
      + url_redirect_walled_garden_enabled = false
      + url_redirect_walled_garden_ranges  = (known after apply)
      + voice_vlan_clients                 = true
    }

Plan: 1 to add, 4 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

meraki_devices.this_ms_ext_sw1: Modifying... [name=750-comm-meraki-lab-ext-sw1]
meraki_devices.this_mx: Modifying... [name=750-comm-meraki-lab-mx1]
meraki_devices.this_ms_sw1: Modifying... [name=750-comm-meraki-lab-sw1]
meraki_devices.this_ms_sw2: Modifying... [name=750-comm-meraki-lab-sw2]
meraki_networks_switch_access_policies.this_site_access_policy: Creating...
╷
│ Error: Plugin did not respond
│ 
│ The plugin encountered an error, and failed to respond to the plugin6.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│ The plugin encountered an error, and failed to respond to the plugin6.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│ The plugin encountered an error, and failed to respond to the plugin6.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│ The plugin encountered an error, and failed to respond to the plugin6.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵
╷
│ Error: Plugin did not respond
│ 
│ The plugin encountered an error, and failed to respond to the plugin6.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-meraki_v0.2.1-alpha plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0xd4c543]

goroutine 129 [running]:
terraform-provider-meraki/internal/provider.(*NetworksSwitchAccessPoliciesResource).Create(0xc00056c008, {0x189d928, 0xc000612e40}, {{{{0x18a55b0, 0xc00041bcb0}, {0x133d360, 0xc0004473b0}}, {0x18b7880, 0xc000436050}}, {{{0x18a55b0, ...}, ...}, ...}, ...}, ...)
        terraform-provider-meraki/internal/provider/resource_meraki_networks_switch_access_policies.go:415 +0x643
github.com/hashicorp/terraform-plugin-framework/internal/fwserver.(*Server).CreateResource(0xc0001c7ba0, {0x189d928, 0xc000612e40}, 0xc000313580, 0xc000313520)
        github.com/hashicorp/terraform-plugin-framework@v1.7.0/internal/fwserver/server_createresource.go:101 +0x578
github.com/hashicorp/terraform-plugin-framework/internal/fwserver.(*Server).ApplyResourceChange(0xc0000256d8?, {0x189d928, 0xc000612e40}, 0xc0006084b0, 0xc0003136d8)
        github.com/hashicorp/terraform-plugin-framework@v1.7.0/internal/fwserver/server_applyresourcechange.go:57 +0x4a5
github.com/hashicorp/terraform-plugin-framework/internal/proto6server.(*Server).ApplyResourceChange(0xc0001c7ba0, {0x189d928?, 0xc000612d20?}, 0xc000608410)
        github.com/hashicorp/terraform-plugin-framework@v1.7.0/internal/proto6server/server_applyresourcechange.go:55 +0x3e5
github.com/hashicorp/terraform-plugin-go/tfprotov6/tf6server.(*server).ApplyResourceChange(0xc0002b28c0, {0x189d928?, 0xc000612510?}, 0xc0003e6070)
        github.com/hashicorp/terraform-plugin-go@v0.22.2/tfprotov6/tf6server/server.go:846 +0x3d0
github.com/hashicorp/terraform-plugin-go/tfprotov6/internal/tfplugin6._Provider_ApplyResourceChange_Handler({0x1564480?, 0xc0002b28c0}, {0x189d928, 0xc000612510}, 0xc0000da300, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.22.2/tfprotov6/internal/tfplugin6/tfplugin6_grpc.pb.go:518 +0x169
google.golang.org/grpc.(*Server).processUnaryRPC(0xc00022d000, {0x189d928, 0xc000612480}, {0x18b5cf8, 0xc000488000}, 0xc00065a480, 0xc00039f470, 0x20eca38, 0x0)
        google.golang.org/grpc@v1.63.2/server.go:1369 +0xe23
google.golang.org/grpc.(*Server).handleStream(0xc00022d000, {0x18b5cf8, 0xc000488000}, 0xc00065a480)
        google.golang.org/grpc@v1.63.2/server.go:1780 +0x1016
google.golang.org/grpc.(*Server).serveStreams.func2.1()
        google.golang.org/grpc@v1.63.2/server.go:1019 +0x8b
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 39
        google.golang.org/grpc@v1.63.2/server.go:1030 +0x135

Error: The terraform-provider-meraki_v0.2.1-alpha plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Environment (please complete the following information):

Additional context Removed updates as device in place updates from reads occurring.

fmunozmiranda commented 6 months ago

Hi @finkjordanj, could you please try it again with v0.2.2-alpha and update if it works now?

finkjordanj commented 6 months ago

@fmunozmiranda the issue with the tfprotov6 plugin crashing appears to be resolved; however, after apply I see all subsequent applies trying to change the guest_port_bouncing and radius_group_attribute.

The config is the same as what was in the original post.

ink@LTWXCGVT333:~/dev/meraki-terraform-test $ terraform apply
meraki_devices_appliance_uplinks_settings.this: Refreshing state...
data.meraki_networks.dev_networks: Reading...
data.meraki_networks.dev_networks: Read complete after 1s
meraki_networks_appliance_firewall_settings.this: Refreshing state...
meraki_networks_appliance_firewall_firewalled_services.this_snmp: Refreshing state...
meraki_networks_appliance_vlans.this_vlan_1: Refreshing state... [id=1]
meraki_networks_appliance_connectivity_monitoring_destinations.this: Refreshing state...
meraki_networks_snmp.this: Refreshing state...
meraki_networks_traffic_analysis.this_spoke: Refreshing state...
meraki_networks_appliance_firewall_firewalled_services.this_icmp: Refreshing state...
meraki_networks_syslog_servers.this_spoke: Refreshing state...
meraki_networks_switch_access_policies.this_site_access_policy: Refreshing state... [name=dot1x/mab]
meraki_networks_appliance_firewall_firewalled_services.this_web: Refreshing state...
meraki_networks_appliance_vlans_settings.this_vlans: Refreshing state...
meraki_networks_appliance_vlans.this_vlan_30: Refreshing state... [id=30]
meraki_networks_appliance_vlans.this_vlan_20: Refreshing state... [id=20]
meraki_networks_appliance_vlans.this_vlan_5: Refreshing state... [id=5]
meraki_networks_appliance_vlans.this_vlan_10: Refreshing state... [id=10]
meraki_networks_appliance_vlans.this_vlan_2: Refreshing state... [id=2]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # meraki_networks_switch_access_policies.this_site_access_policy will be updated in-place
  ~ resource "meraki_networks_switch_access_policies" "this_site_access_policy" {
      ~ guest_port_bouncing                = true -> false
        name                               = "dot1x/mab"
      ~ radius_group_attribute             = "11" -> ""
        # (17 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

If I accept the change, it still reads the values in wrong during refresh, it appears. So I'm not sure if the value on apply is making it to the dashboard correctly, or if the reach from the dashboard isn't being processed correctly by the Terraform state refresh.

Please let me know if you want me to open a separate issue on this oddity.

fmunozmiranda commented 6 months ago

Could you please validate at your Meraki Dashboard if changes of guest_port_bouncing and radius_group_attribute were correctly updated? Please try to update it via API too. And verify changes were applied and share screenshots with me, please.

finkjordanj commented 6 months ago

The radius attribute doesn't appear to be suggesting the change anymore. Here is the python direct api testing. The guest_port_bouncing appears to be unconfigurable based on what values were passed in via terraform and the api directly.

Python

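import meraki  # Meraki Dashboard SDK; needed for meraki.APIError below

# `dashboard`, `networks` and `printj` are defined earlier in the script (not shown in the post).
for site in networks:
    # Only touch the lab networks whose name contains "750-".
    if "750-" in site["name"]:
        try:
            # Update access policy number "1" on this network.
            policy = dashboard.switch.updateNetworkSwitchAccessPolicy(
                site.get('id'), "1",
                name='dot1x/mab',
                radiusServers=[{'host': '<-blanked->', 'port': 1812, 'secret': '<-blanked->'}],
                radius={'criticalAuth': {'dataVlanId': 10, 'suspendPortBounce': True}, 'failedAuthVlanId': 10, 'reAuthenticationInterval': 3600},
                guestPortBouncing=False,
                radiusTestingEnabled=False,
                radiusCoaSupportEnabled=False,
                radiusAccountingEnabled=True,
                radiusAccountingServers=[{'host': '<-blanked->', 'port': 1813, 'secret': '<-blanked->'}],
                radiusGroupAttribute='',
                hostMode='Single-Host',
                accessPolicyType='Hybrid authentication',
                increaseAccessSpeed=False,
                dot1x={'controlDirection': 'both'},
                voiceVlanClients=False,
                urlRedirectWalledGardenEnabled=False,
            )
            printj(policy)
        except meraki.APIError as err:
            # Report the failure and continue with the next site.
            print(f"update failed for {site['name']}: {err}")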

The output from the api call.

{
    "accessPolicyNumber": "1",
    "name": "dot1x/mab",
    "radiusServers": [
        {
            "serverId": "783626335163254409",
            "host": "<-blanked->",
            "port": 1812
        }
    ],
    "radiusTestingEnabled": true,
    "guestPortBouncing": true,
    "radiusGroupAttribute": "",
    "radius": {
        "criticalAuth": {
            "dataVlanId": 10,
            "voiceVlanId": null,
            "suspendPortBounce": true
        },
        "failedAuthVlanId": 10,
        "reAuthenticationInterval": 3600,
        "cache": {
            "enabled": true,
            "timeout": 24
        }
    },
    "radiusCoaSupportEnabled": false,
    "radiusAccountingEnabled": true,
    "radiusAccountingServers": [
        {
            "serverId": "783626335163254410",
            "host": "<-blanked->",
            "port": 1813
        }
    ],
    "hostMode": "Single-Host",
    "accessPolicyType": "Hybrid authentication",
    "authenticationMethod": "my RADIUS server",
    "increaseAccessSpeed": false,
    "guestVlanId": null,
    "voiceVlanClients": false,
    "urlRedirectWalledGardenEnabled": false,
    "dot1x": {
        "controlDirection": "both"
    },
    "counts": {
        "ports": {
            "withThisPolicy": 0
        }
    }
}

I believe the guest_port_bouncing, even though I have it defined, isn't applicable with some other configuration, so even though it was called out as false, the non-applied configuration must be set to true and our false while applying may not be getting saved. I don't know exactly where in the dashboard the guest_port_bouncing is shown, so this secondary change may not be an issue.
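An added example, not part of the thread or of the provider's code: a field-by-field check of what was sent against what the API echoed back, which is the comparison behind the perpetual diff in `terraform plan`. `unapplied_fields`, `SENT` and `RETURNED` are names chosen here; the values are abbreviated from the call and response shown above, and with them the check flags `guestPortBouncing` and also `radiusTestingEnabled`.

```python
WRITE_ONLY = {"secret"}  # the response above omits RADIUS secrets, so skip them

def unapplied_fields(sent, returned, path=""):
    """List (path, sent_value, returned_value) for each sent field the response
    does not reflect. Keys that appear only in the response are ignored."""
    diffs = []
    if isinstance(sent, dict) and isinstance(returned, dict):
        for key, value in sent.items():
            if key in WRITE_ONLY:
                continue
            child = f"{path}.{key}" if path else key
            if key not in returned:
                diffs.append((child, value, None))
            else:
                diffs.extend(unapplied_fields(value, returned[key], child))
    elif isinstance(sent, list) and isinstance(returned, list):
        if len(sent) != len(returned):
            diffs.append((path, sent, returned))
        else:
            for i, (s, r) in enumerate(zip(sent, returned)):
                diffs.extend(unapplied_fields(s, r, f"{path}[{i}]"))
    elif sent != returned:
        diffs.append((path, sent, returned))
    return diffs

# Abbreviated from the updateNetworkSwitchAccessPolicy call in the post above.
SENT = {
    "name": "dot1x/mab",
    "radiusServers": [{"host": "<-blanked->", "port": 1812, "secret": "<-blanked->"}],
    "radius": {"criticalAuth": {"dataVlanId": 10, "suspendPortBounce": True},
               "failedAuthVlanId": 10, "reAuthenticationInterval": 3600},
    "guestPortBouncing": False,
    "radiusTestingEnabled": False,
}
# Abbreviated from the API response in the post above.
RETURNED = {
    "name": "dot1x/mab",
    "radiusServers": [{"serverId": "783626335163254409", "host": "<-blanked->", "port": 1812}],
    "radiusTestingEnabled": True,
    "guestPortBouncing": True,
    "radius": {"criticalAuth": {"dataVlanId": 10, "voiceVlanId": None, "suspendPortBounce": True},
               "failedAuthVlanId": 10, "reAuthenticationInterval": 3600,
               "cache": {"enabled": True, "timeout": 24}},
}

if __name__ == "__main__":
    for field, want, got in unapplied_fields(SENT, RETURNED):
        print(f"{field}: sent {want!r}, API returned {got!r}")
```

Run against a live response right after an update, a non-empty result means the dashboard did not store a requested 802.1X setting, so later plans will keep proposing the same change.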

obrigg commented 6 months ago

Hi @finkjordanj , I was able to reproduce this, and I'd like to check it with the MS team. It is not a Terraform matter. I'll update once I get answers.

fmunozmiranda commented 5 months ago

Closing this because it is not a Terraform issue.