mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0

Modifying project ip whitelist destroy and re-create all resources #51

Closed rrondeau closed 4 years ago

rrondeau commented 4 years ago

Hi,

This seems to be a bug in the mongodbatlas_project_ip_whitelist resource. Example:

resource "mongodbatlas_project_ip_whitelist" "whitelist" {
  project_id = data.mongodbatlas_project.project.id
  whitelist {
    cidr_block = "10.10.0.0/24"
    comment    = "cidr 1"
  }
}

Add a cidr :

resource "mongodbatlas_project_ip_whitelist" "whitelist" {
  project_id = data.mongodbatlas_project.project.id
  whitelist {
    cidr_block = "10.10.0.0/24"
    comment    = "cidr 1"
  }
  whitelist {
    cidr_block = "10.10.1.0/24"
    comment    = "cidr 2"
  }
}

Plan :

  # module.atlas.mongodbatlas_project_ip_whitelist.whitelist must be replaced
-/+ resource "mongodbatlas_project_ip_whitelist" "whitelist" {
      ~ id         = "cHJvamVjdF9pZA==:NWQ4OWM4MzJmMmEzMGI4ZTc4Mzc5NDEx-ZW50cmllcw==:MTAuMTAwLjk4LjAvMjM=" -> (known after apply)
        project_id = "xxxxxxxxxxxxxxxxxxxxxxxxxx"

      + whitelist { # forces replacement
          + cidr_block = "10.10.0.0/24"
          + comment    = "cidr 1"
          + ip_address = (known after apply)
        }
      - whitelist { # forces replacement
          - cidr_block = "10.10.0.0/24" -> null
          - comment    = "cidr 1" -> null
        }
      + whitelist { # forces replacement
          + cidr_block = "10.10.1.0/24"
          + comment    = "cidr 2"
          + ip_address = (known after apply)
        }
    }

It happens if I add, delete, or modify a cidr_block.
Thanks

themantissa commented 4 years ago

Hi @rrondeau,

Thank you for the issue submission. In this case the behavior is as intended and not a bug.

Because of the way the project IP whitelist's underlying API resource works, updating it via Terraform would have been a challenge without doing the forced replacement: the provider would have had to figure out what was changed, delete if applicable, and if new/changed submit those. Making the list forced allows us to do this more simply. Note the Provider will not delete all whitelist entries (for example, those not in Terraform); it will only delete those in the config file.

Closing since this is the intended behavior. -Melissa

rrondeau commented 4 years ago

Thanks for the reply. So how can I update my whitelist without disconnecting my applications? This seems weird to me and I cannot use it in production since this can break connections :/

rrondeau commented 4 years ago

I checked the API resource documentation; maybe I misunderstood something previously. Does the provider post the whitelist globally and the API applies the changes with more granularity?

rrondeau commented 4 years ago

Did some testing with TF_LOG=TRACE and it deletes every rule before re-creating the whitelist globally :/

mattt416 commented 4 years ago

Hi @themantissa, I've also tested this and see similar behaviour to what @rrondeau reported. If you add a new whitelist entry to your terraform config and apply, it'll blow away all existing whitelist entries and then recreate them all again (including the newly added entry). This gets done every single time you make a change.

Looking at the project's Activity Feed, you can also see that everything is deleted and then re-added whenever there's a change made to the terraform config.

I'm not sure what the implications with this are, but can you please re-open this issue for further consideration?

Thanks!

--Matt

emas80 commented 4 years ago

Hi, I have also reported this to MongoDB.

May I suggest updating the documentation page of the provider/resource at https://www.terraform.io/docs/providers/mongodbatlas/r/project_ip_whitelist.html ?

themantissa commented 4 years ago

@emas80 thank you, we are in communication with our support team as well. I'll reopen this issue so we can review with the team. Please be aware that due to the US holiday and an upcoming major event there will be some delay.

themantissa commented 4 years ago

Wanted to update everyone on this issue. We are working to redo the way we handle the IP Whitelist to make it less all or nothing (see PR #94). This will result in a breaking change in the Terraform configuration for this Resource but will implement a more desired behavior based on feedback. However, note it will still destroy and delete an entry when a change is required, but only for the specific entry, not all. The reason for this is that basically there is a GET, POST and DELETE for IP Whitelists (see https://docs.atlas.mongodb.com/reference/api/whitelist/) but not PATCH. If one wants to change an entry one must delete it and then post it again. One can, via POST, update the comment for an existing entry, which I think creates confusion. However, there is no id to identify a specific entry in order to change just that entry.

However an important note from the underlying doc on IP Whitelists (and that will be added to the resource doc for the Provider) is

When you remove an entry from the whitelist, existing connections from the removed address(es) may remain open for a variable amount of time. How much time passes before Atlas closes the connection depends on several factors, including how the connection was established, the particular behavior of the application or driver using the address, and the connection protocol (e.g., TCP or UDP).
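As an added illustration (not the provider's code and not the implementation in PR #94) of the per-entry reconciliation Melissa describes above and the "figure out what was changed" approach from her earlier comment: given the entries this config managed before and the entries it wants now, compute only the DELETE and POST calls needed, so an unchanged CIDR is never removed and its connections stay up. The Entry, Plan and Reconcile names are hypothetical, and it assumes, as the API doc quoted above says, that POSTing an existing CIDR updates its comment in place.

```go
package main

import "fmt"

// Entry is one whitelist entry (hypothetical struct mirroring cidr_block/comment).
type Entry struct {
	CIDR    string
	Comment string
}

// Plan lists the API calls to make: DELETE for each entry in Delete, then POST
// for each in Create. With no PATCH, a comment-only change is a re-POST of the
// same CIDR, which updates the comment without removing the entry first.
type Plan struct {
	Delete []Entry
	Create []Entry
}

// Reconcile compares the entries this config managed before (prior) with the
// entries it wants now (desired). Entries in Atlas that were never managed by
// this config are absent from prior and are therefore never deleted.
func Reconcile(prior, desired []Entry) Plan {
	want := make(map[string]Entry, len(desired))
	for _, e := range desired {
		want[e.CIDR] = e
	}
	had := make(map[string]Entry, len(prior))
	for _, e := range prior {
		had[e.CIDR] = e
	}
	var p Plan
	for _, e := range prior {
		if _, ok := want[e.CIDR]; !ok {
			p.Delete = append(p.Delete, e) // removed from config
		}
	}
	for _, e := range desired {
		if old, ok := had[e.CIDR]; !ok || old.Comment != e.Comment {
			p.Create = append(p.Create, e) // new CIDR, or comment changed
		}
	}
	return p
}

func main() {
	// Constructed sample: the scenario from the issue, adding a second CIDR.
	prior := []Entry{{"10.10.0.0/24", "cidr 1"}}
	desired := []Entry{{"10.10.0.0/24", "cidr 1"}, {"10.10.1.0/24", "cidr 2"}}
	p := Reconcile(prior, desired)
	fmt.Printf("DELETE %v\nPOST   %v\n", p.Delete, p.Create)
}
```

For the issue's scenario the plan contains no DELETE and a single POST for 10.10.1.0/24, which is the behaviour the thread asks for instead of the full replacement shown in the plan output above.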

rrondeau commented 4 years ago

@themantissa do you have an idea when this change will be released?

themantissa commented 4 years ago

The improvements will be in the next release @rrondeau. ETA mid Feb.