type `[]AccessControlPolicyRules` cannot handle unknown values, use `types`

[jabielecki]

Testing the behavior of #40 commit-id bfdf257c63f8 together with our module.

│ Error: Value Conversion Error
│ 
│   with fmc_access_control_policy.accesspolicy,
│   on fmc_policies.tf line 62, in resource "fmc_access_control_policy" "accesspolicy":
│   62:   rules                                   = try(each.value.rules, [])
│ 
│ An unexpected error was encountered trying to build a value. This is always an error in the provider. Please report the following to the
│ provider developer:
│ 
│ Received unknown value, however the target type cannot handle unknown values. Use the corresponding `types` package type or a custom type
│ that handles unknown values.
│ 
│ Path: rules
│ Target Type: []provider.AccessControlPolicyRules
│ Suggested Type: basetypes.ListValue

This is my YAML, where each.value.rules will be the rules key:

acp = [
  {
    "default_action" = "BLOCK"
    "default_action_log_begin" = null
    "default_action_log_end" = null
    "default_action_send_events_to_fmc" = null
    "default_action_send_syslog" = null
    "description" = null
    "domain" = "Global"
    "name" = "MyAccessPolicyName1"
    "rules" = [
      {
        "action" = "ALLOW"
        "description" = null
        "destination_network_objects" = [
          {
            "id" = "005056B0-8042-0ed3-0000-004294969066"
            "type" = "Host"
          },
        ]
        "name" = "MyAccessRuleNAme1"
        "source_network_objects" = [
          {
            "id" = "005056B0-8042-0ed3-0000-004294969266"
            "type" = "Host"
          },
        ]
      },
      {
        "action" = "ALLOW"
        "description" = null
        "destination_network_objects" = [
          {
            "id" = "005056B0-8042-0ed3-0000-004294969322"
            "type" = "Network"
          },
        ]
        "name" = "MyAccessRuleNAme2"
        "source_network_objects" = [
          {
            "id" = "005056B0-8042-0ed3-0000-004294969248"
            "type" = "Network"
          },
        ]
      },
    ]
  },
]

log.txt

[jabielecki]

Remove Validator because it is too much code for too little value.

We want the detection to happen as early as possible. The pipeline stages are:

1. Validate (terraform validate) detects with Validator.
2. Plan (terraform plan) detects with Validator.
3. Apply (terraform apply) detects with Create/Update as well as Validator.

Our primary module terraform-fmc-nac-fmc will not be able to feed the Validator in stage Validate or stage Plan with known values, which can be actually validated. The Validator will be mostly no-op. This is because that module has for_each clause like this:

resource "fmc_access_control_policy" "accesspolicy" {
  for_each = { for p in local.policies : p.name => p }
  ...
  rules = each.value.rules   # unknown value in stages: Validate, Plan; known value in Apply
}

Since we cannot make terraform validate detecting as early as possible in a pipeline, we fall back to terraform apply detecting a few stages later. This means we no longer need Validator and we no longer need to handle unknown values delicately (values that we care to validate are no longer unknown during terraform apply).

[danischm]

We typically "expand" nested lists in the module, to explicitly define each individual attribute, which should also work around the error of unknown values.

For example: https://github.com/netascode/terraform-ise-nac-ise/blob/f681a5f8a5d9751984c5529b72354da5676607ec/ise_device_admin.tf#L29 .