hashicorp / terraform-provider-consul

Terraform Consul provider
https://www.terraform.io/docs/providers/consul/
Mozilla Public License 2.0

Selector of consul_acl_binding_rule is not checked for syntax errors #248

Closed edevil closed 1 year ago

edevil commented 3 years ago

Terraform Version

Terraform v0.12.24
+ provider.consul v2.11.0

Affected Resource(s)

Please list the resources as a list, for example:

Debug Output

Error: Failed to create binding rule: Unexpected response code: 500 (rpc error making call: invalid Binding Rule: Selector is invalid: 1:27 (26): no match found, expected: ".", "[", [ \t\r\n], [a-zA-Z0-9_] or EOF)

Expected Behavior

Terraform plan should have produced an error.

Actual Behavior

Terraform plan did not produce an error and apply failed.

Steps to Reproduce

Configure an invalid selector such as selector = "value.namespace==bitbucket-dev"

remilapeyre commented 3 years ago

Hi @edevil, to be able to detect this error during the plan we would have to use the same version of https://github.com/hashicorp/go-bexpr that the Consul server uses, since future versions of this library might support more complex expressions.

If at one point we forget to update then we would refuse some expressions that are accepted by the current version of Consul and even if we keep this library up-to-date we could accept some expressions that are not correct when talking to an older version of Consul, and this would only be detected during the apply too.

I'm not sure the current behavior of the provider is wrong here although perhaps Consul should respond with a 400 error with a nicer message instead of a 500?

remilapeyre commented 1 year ago

Hi @edevil, as I mentioned, this is out of scope for the Terraform provider since the selector argument is interpreted by Consul itself; we only know on apply whether it is correct.

I will close this issue for now.