mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0

Whitelisted Project IPs when manually deleted causes failure at next plan/apply #68

Closed richardj-bsquare closed 4 years ago

richardj-bsquare commented 4 years ago

Version affected: terraform-provider-mongodbatlas 0.3.1

How to reproduce:
1. Use mongodbatlas_project_ip_whitelist to whitelist a list of IPs
2. Terraform plan & apply
3. Delete all of the IP whitelisted addresses.
4. Run terraform plan & apply

Expected behaviour: The whitelisted IP is recreated.

Actual behaviour: Upon re-running the terraform plan this is reported (example):

Error: error getting project IP whitelist information: GET https://cloud.mongodb.com/api/atlas/v1.0/groups/5dc3051579358e9725c677e8/whitelist/139.14.250.168%2F29: 404 (request "Not Found") IP Address 139.14.250.168/29 not on Atlas whitelist for group 5dc3021579358e9745c677e8.

Workaround: The above error will be reported individually for each IP that is missing, but only one error per plan until each is manually re-added (which is quite tedious, to say the least, especially if some are dynamically generated).

Notes: The resource also does not notice changes in the comment field and therefore does not modify them to match the terraform.

PacoDw commented 4 years ago

Hi @richardj-bsquare! Thank you so much for your review. In your steps to reproduce, how do you remove all the whitelist entries? You can't remove them and run the plan or apply, because the Terraform whitelist is a required field. On the other hand, I ran a test removing them, always leaving one or updating them, and I didn't have errors.

If you have another comment or concern plz just let me know.

richardj-bsquare commented 4 years ago

Hi,

Sorry for the confusion. I removed them all manually from the MongoDB Atlas whitelist via the Atlas web UI.

As indicated in this scenario, the provider should detect entries are missing and re-add them. This prevents inadvertent deletion or other manual changes from being missed, and would be consistent behaviour with other providers (i.e. if you delete a subnet in AWS via the console, and it's in your terraform configuration, it gets re-created by the plan and apply cycle).

themantissa commented 4 years ago

Hi @richardj-bsquare, as you can see we are working on some improvements in regard to the IP Whitelist resource based on customer feedback. In doing so I'm reviewing some of the issues reported in and I'm not quite clear on the expectations here. When one creates a resource like an IP Whitelist with Terraform, the information is held in the Terraform state file. If one then manually deletes the resource and refreshes Terraform's state (terraform refresh), then Terraform reports it can't find the resources it expects. Since it is now gone, one can remove it from the state file (make a backup first, of course) with the CLI like: terraform state rm fullnameof.resource (This is a nice blog on this topic that may help: https://medium.com/faun/cleaning-up-a-terraform-state-file-the-right-way-ab509f6e47f3). Once one does that, the plan/apply cycle will work and the manually deleted resources will be recreated. I don't know all the details about the cited example but my guess is the state was able to properly refresh without any intervention.

richardj-bsquare commented 4 years ago

It's really simple to reproduce. Add some whitelist IPs to a terraform config, plan it, apply it, delete 1 manually via the Atlas console, re-plan, and you'll see the above error.

The expectation is as described, when your terraform configuration says IPs should be in a whitelist, and they are not, it should put them back when you plan and apply. This is only an issue when they are manually deleted via the Atlas console, not if you remove them from the terraform configuration.

It's so easy to reproduce, try it and see. I don't think my bug report could be any clearer in this respect.

themantissa commented 4 years ago

Hi @richardj-bsquare - yes, I've reproduced the behavior, but there are some resources for which state can be refreshed and some that can't (this is covered in the drift documentation at Terraform's site and is why I provided the workaround above). In order to determine if this is one that's a bug or one that's problematic when removed manually to refresh state, I've asked the team to look into it. I'll report back their results. Thank you for your patience.

w0ut0 commented 4 years ago

@themantissa is there any update on this issue?

themantissa commented 4 years ago

@w0ut0 we've completed a large rewrite of the ipwhitelist functionality that will be in the next version. @PacoDw can you verify this issue regarding state is corrected?

PacoDw commented 4 years ago

Hi @themantissa and @w0ut0, I added this expected behavior to the new whitelist resource and I tested removing one whitelist entry manually to recreate the issue, and everything works fine. You can check the changes in PR #106.

If you have another comment or concern plz let us know, thank you so much!
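
The drift handling requested in this thread, as an added example that is not the provider's code or the change made in PR #106: a refresh that aborts on a 404 (the reported failure) next to one that drops the missing entry from state so the plan recreates it. The `refresh` and `plan` functions, `ErrNotFound`, and the sample CIDRs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound stands in for the API's 404 response (constructed for this example).
var ErrNotFound = errors.New("404 Not Found")

// refresh checks every whitelist entry held in state against the remote set
// (a hypothetical stand-in for the Atlas project whitelist). With tolerate404
// false it aborts on the first missing entry, as reported in this issue; with
// true it drops the entry from state so plan can schedule re-creation.
func refresh(state []string, remote map[string]bool, tolerate404 bool) ([]string, error) {
	kept := []string{}
	for _, cidr := range state {
		if remote[cidr] {
			kept = append(kept, cidr)
		} else if !tolerate404 {
			return nil, fmt.Errorf("IP address %s not on whitelist: %w", cidr, ErrNotFound)
		} // else: deleted outside Terraform, forget it
	}
	return kept, nil
}

// plan returns configured entries that are absent from the refreshed state.
func plan(config, state []string) []string {
	have := map[string]bool{}
	for _, c := range state {
		have[c] = true
	}
	create := []string{}
	for _, c := range config {
		if !have[c] {
			create = append(create, c)
		}
	}
	return create
}

func main() {
	config := []string{"192.0.2.0/29", "198.51.100.7/32"} // constructed sample CIDRs
	remote := map[string]bool{"198.51.100.7/32": true}    // first entry deleted in the UI
	_, err := refresh(config, remote, false)
	fmt.Println("strict refresh:", err)
	state, _ := refresh(config, remote, true)
	fmt.Println("to create:", plan(config, state))
}
```

In providers built on the Terraform plugin SDK, the equivalent step is the resource's read function clearing the resource ID with `d.SetId("")` when the API answers 404, which makes the next plan propose re-creating the entry and surfaces the out-of-band change to the access list.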