opentelekomcloud / terraform-provider-opentelekomcloud

Terraform OpenTelekomCloud provider
https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest
Mozilla Public License 2.0

Anti DDoS Protection cannot be created with Terraform, needs manual import #1253

Closed iitsDelbruegger closed 3 years ago

iitsDelbruegger commented 3 years ago

We try to set up DDoS protection with Terraform. Unfortunately, we get an error when we try to create the anti-ddos resource with Terraform. Somehow this resource seems to be auto-created by OTC when we create the EIP. As a workaround, we can import the anti-ddos resource with the EIP ID, but this means we cannot create our whole infrastructure automatically with just one Terraform apply. Therefore this is not acceptable.

Terraform Version

> terraform -v
Terraform v1.0.1
on linux_amd64
+ provider registry.terraform.io/hashicorp/external v1.2.0
+ provider registry.terraform.io/hashicorp/random v3.0.0
+ provider registry.terraform.io/hashicorp/tls v3.1.0
+ provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.24.3

Affected Resource(s)

Terraform Configuration Files

terraform {
  required_version = "v1.0.1"
  required_providers {
    external = {
      source  = "hashicorp/external"
      version = "~> 1.2"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.0.0"
    }
    opentelekomcloud = {
      source  = "opentelekomcloud/opentelekomcloud"
      version = "1.24.3"
    }
  }
}

locals {
  stage_name            = "demo"
  vpc_cidr              = "192.168.0.0/16"
  vpc_subnet_gateway_ip = "192.168.0.1"
  node_spec_default     = "s3.large.4"

  node_spec = {
    1 = local.node_spec_default,
    2 = local.node_spec_default
  }
  context           = "custtestaio"
  region            = "eu-de"
  availability_zone = "eu-de-01"

  otc_domain_name = "OTC-EU-DE-00000000001000055571"
  otc_tenant_name = "eu-de_custtestaio"
}

provider "opentelekomcloud" {
  auth_url    = "https://iam.eu-de.otc.t-systems.com/v3"
  domain_name = local.otc_domain_name
  tenant_name = local.otc_tenant_name
}

module "vpc" {
  source                = "iits-consulting/project-factory/opentelekomcloud//modules/vpc"
  version               = "1.0.1"
  vpc_cidr              = local.vpc_cidr
  vpc_name              = "vpc-otc-custtest"
  stage_name            = local.stage_name
  vpc_subnet_cidr       = local.vpc_cidr
  vpc_subnet_gateway_ip = local.vpc_subnet_gateway_ip
  region                = local.region
}

resource "opentelekomcloud_lb_loadbalancer_v2" "elb" {
  name          = "elb_custtestaio"
  description   = "ELB"
  vip_subnet_id = module.vpc.subnet_id
}

resource "opentelekomcloud_vpc_eip_v1" "ingress_eip" {
  bandwidth {
    charge_mode = "traffic"
    name        = "eip_custtestaio"
    share_type  = "PER"
    size        = 300
  }
  publicip {
    type    = "5_bgp"
    port_id = opentelekomcloud_lb_loadbalancer_v2.elb.vip_port_id
  }
}

resource "opentelekomcloud_antiddos_v1" "anti_ddos" {
  floating_ip_id         = opentelekomcloud_vpc_eip_v1.ingress_eip.id
  enable_l7              = true
  traffic_pos_id         = 9
  http_request_pos_id    = 12
  cleaning_access_pos_id = 8
  app_type_id            = 0
}

Debug Output/Panic Output

$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # opentelekomcloud_antiddos_v1.anti_ddos will be created
  + resource "opentelekomcloud_antiddos_v1" "anti_ddos" {
      + app_type_id            = 0
      + cleaning_access_pos_id = 8
      + enable_l7              = true
      + floating_ip_id         = (known after apply)
      + http_request_pos_id    = 12
      + id                     = (known after apply)
      + region                 = (known after apply)
      + traffic_pos_id         = 9
    }

  # opentelekomcloud_lb_loadbalancer_v2.elb will be created
  + resource "opentelekomcloud_lb_loadbalancer_v2" "elb" {
      + admin_state_up        = true
      + description           = "ELB"
      + id                    = (known after apply)
      + loadbalancer_provider = (known after apply)
      + name                  = "elb_custtestaio"
      + region                = (known after apply)
      + tenant_id             = (known after apply)
      + vip_address           = (known after apply)
      + vip_port_id           = (known after apply)
      + vip_subnet_id         = (known after apply)
    }

  # opentelekomcloud_vpc_eip_v1.ingress_eip will be created
  + resource "opentelekomcloud_vpc_eip_v1" "ingress_eip" {
      + id     = (known after apply)
      + region = (known after apply)

      + bandwidth {
          + charge_mode = "traffic"
          + name        = "eip_custtestaio"
          + share_type  = "PER"
          + size        = 300
        }

      + publicip {
          + ip_address = (known after apply)
          + port_id    = (known after apply)
          + type       = "5_bgp"
        }
    }

  # module.vpc.opentelekomcloud_vpc_subnet_v1.subnet will be created
  + resource "opentelekomcloud_vpc_subnet_v1" "subnet" {
      + availability_zone = (known after apply)
      + cidr              = "192.168.0.0/16"
      + dhcp_enable       = true
      + dns_list          = (known after apply)
      + gateway_ip        = "192.168.0.1"
      + id                = (known after apply)
      + name              = "subnet-demo"
      + network_id        = (known after apply)
      + primary_dns       = "100.125.4.25"
      + region            = "eu-de"
      + secondary_dns     = "8.8.8.8"
      + subnet_id         = (known after apply)
      + vpc_id            = (known after apply)
    }

  # module.vpc.opentelekomcloud_vpc_v1.vpc will be created
  + resource "opentelekomcloud_vpc_v1" "vpc" {
      + cidr   = "192.168.0.0/16"
      + id     = (known after apply)
      + name   = "vpc-otc-custtest"
      + region = "eu-de"
      + shared = true
      + status = (known after apply)
    }

Plan: 5 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.vpc.opentelekomcloud_vpc_v1.vpc: Creating...
module.vpc.opentelekomcloud_vpc_v1.vpc: Still creating... [10s elapsed]
module.vpc.opentelekomcloud_vpc_v1.vpc: Creation complete after 11s [id=e90fe705-adc3-40de-a9c3-0e56aa83bc4c]
module.vpc.opentelekomcloud_vpc_subnet_v1.subnet: Creating...
module.vpc.opentelekomcloud_vpc_subnet_v1.subnet: Creation complete after 9s [id=eb8c6d40-21b2-4dfb-bbaf-39ab59de99df]
opentelekomcloud_lb_loadbalancer_v2.elb: Creating...
opentelekomcloud_lb_loadbalancer_v2.elb: Creation complete after 10s [id=f6f3f878-0d9a-4341-a681-7e04b8eefd98]
opentelekomcloud_vpc_eip_v1.ingress_eip: Creating...
opentelekomcloud_vpc_eip_v1.ingress_eip: Still creating... [10s elapsed]
opentelekomcloud_vpc_eip_v1.ingress_eip: Creation complete after 17s [id=4540b9b1-2a38-498c-bbe1-9fd02c608322]
opentelekomcloud_antiddos_v1.anti_ddos: Creating...
opentelekomcloud_antiddos_v1.anti_ddos: Still creating... [10s elapsed]
opentelekomcloud_antiddos_v1.anti_ddos: Still creating... [20s elapsed]
opentelekomcloud_antiddos_v1.anti_ddos: Still creating... [30s elapsed]
opentelekomcloud_antiddos_v1.anti_ddos: Still creating... [40s elapsed]
╷
│ Error: error creating AntiDdos: Action Forbidden, error message: {"error_code":"10001007", "error_msg":"This operation is not allowed in the current status."}
│
│   with opentelekomcloud_antiddos_v1.anti_ddos,
│   on main.tf line 173, in resource "opentelekomcloud_antiddos_v1" "anti_ddos":
│  173: resource "opentelekomcloud_antiddos_v1" "anti_ddos" {
│
╵

Steps to Reproduce

  1. Create project "eu-de_custtestaio"
  2. terraform apply with the script above and no previous tfstate

Expected Behavior

The resources should be created successfully, including anti-ddos.

Actual Behavior

Apply fails with the error above.

Important Factoids

-

References

-
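The workaround the report describes (import the auto-created anti-DDoS object under the EIP id after the EIP exists) can be scripted so it is idempotent across runs. The following is an added example, not code from the issue or from the provider: it reads the JSON printed by `terraform show -json`, finds the EIP's id, and emits the `terraform import` command only when the antiddos resource is not already in state. The resource addresses and the sample state are constructed from the configuration and apply log above.

```python
import json
from typing import Iterator, Optional

EIP_TYPE = "opentelekomcloud_vpc_eip_v1"


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource instance in a module and its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def import_command(state_json: str, eip_address: str,
                   antiddos_address: str) -> Optional[str]:
    """Return the `terraform import` to run, or None if nothing is needed.

    state_json is the output of `terraform show -json`. Raises LookupError
    when the EIP is not in state yet: apply it first (e.g. with -target) so
    the cloud has created the anti-DDoS object that will be imported.
    """
    root = json.loads(state_json).get("values", {}).get("root_module", {})
    resources = {r["address"]: r for r in iter_resources(root)}
    if antiddos_address in resources:
        return None  # already managed; a plain `terraform apply` suffices
    eip = resources.get(eip_address)
    if eip is None or eip["type"] != EIP_TYPE:
        raise LookupError(f"{eip_address} not found in state; apply it first")
    # The anti-DDoS object is addressed by the EIP id (what the report imports).
    return f"terraform import {antiddos_address} {eip['values']['id']}"


# Constructed sample of `terraform show -json` output after the EIP exists;
# the id is the one from the apply log in the report.
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {
        "resources": [{
            "address": "opentelekomcloud_vpc_eip_v1.ingress_eip",
            "type": EIP_TYPE, "name": "ingress_eip",
            "values": {"id": "4540b9b1-2a38-498c-bbe1-9fd02c608322"},
        }],
        "child_modules": [{"address": "module.vpc", "resources": []}],
    }},
})

if __name__ == "__main__":
    print(import_command(SAMPLE_STATE, "opentelekomcloud_vpc_eip_v1.ingress_eip",
                         "opentelekomcloud_antiddos_v1.anti_ddos"))
```

In practice the flow is `terraform apply -target=opentelekomcloud_vpc_eip_v1.ingress_eip`, then run the printed import command, then a full `terraform apply`.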

lego963 commented 3 years ago

@iitsDelbruegger antiddos is created by default with the elastic IP. This resource should be deprecated.