oracle / terraform-provider-oci

Terraform Oracle Cloud Infrastructure provider
https://www.terraform.io/docs/providers/oci/
Mozilla Public License 2.0

Resource oci_dns_rrset triggers destroy/replace even when no changes #1411

Open jeliker opened 3 years ago

jeliker commented 3 years ago

Terraform Version and Provider Version

Terraform v1.0.2
on darwin_amd64
+ provider registry.terraform.io/hashicorp/oci v4.35.0

Affected Resource(s)

affected_resources = oci_dns_rrset

Terraform Configuration Files

resource "oci_dns_rrset" "the_rrset" {
    domain = var.domain
    rtype = var.rtype
    zone_name_or_id = var.zone_name_or_id

    compartment_id = var.compartment_id
    items {
        #Required
        domain = var.domain
        rdata = var.rdata
        rtype = var.rtype
        ttl = var.ttl
    }
    scope = var.scope
    view_id = var.view_id
}

…apply above then apply a second time to find a change requiring destroy is detected:

  # oci_dns_rrset.the_rrset will be destroyed
  - resource "oci_dns_rrset" "the_rrset" {
      - domain          = "myhost.name" -> null
      - id              = "zoneNameOrId/ocid1.dns-zone.oc1.iad.aaju7awt427cpmzn5h2ehwjbjddg6zza5rsl6uaaaaaah5udgi52jphv4dbq/domain/myhost.name/rtype/A" -> null
      - rtype           = "A" -> null
      - scope           = "PRIVATE" -> null
      - zone_name_or_id = "ocid1.dns-zone.oc1.iad.aaju7awt427cpmzn5h2ehwjbjddg6zza5rsl6uaaaaaah5udgi52jphv4dbq" -> null

      - items {
          - domain        = "myhost.name" -> null
          - is_protected  = false -> null
          - rdata         = "1.2.3.4" -> null
          - record_hash   = "3508864f387019bc4fc3b1e9a8dda072" -> null
          - rrset_version = "2" -> null
          - rtype         = "A" -> null
          - ttl           = 300 -> null
        }
    }

  # oci_dns_rrset.the_rrset will be created
  + resource "oci_dns_rrset" "the_rrset" {
      + compartment_id  = (known after apply)
      + domain          = "myhost.name"
      + id              = (known after apply)
      + rtype           = "A"
      + scope           = "PRIVATE"
      + zone_name_or_id = "ocid1.dns-zone.oc1.iad.aaju7awt427cpmzn5h2ehwjbjddg6zza5rsl6uaaaaaah5udgi52jphv4dbq"

      + items {
          + domain        = "myhost.name"
          + is_protected  = (known after apply)
          + rdata         = "1.2.3.4"
          + record_hash   = (known after apply)
          + rrset_version = (known after apply)
          + rtype         = "A"
          + ttl           = 300
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

I speculate the trigger to destroy comes from the auto-generated record_hash and maybe rrset_version.

I tried to add ignore_changes on the items.record_hash and items.rrset_version attributes but couldn't find the means to specify block attributes. For example, none of these attempts work:

lifecycle {
  ignore_changes = [
    items.record_hash
  ]
}

lifecycle {
  ignore_changes = [
    items["record_hash"]
  ]
}

lifecycle {
  ignore_changes = [
    items[0].record_hash
  ]
}

lifecycle {
  ignore_changes = [
    items.*.record_hash
  ]
}

lifecycle {
  ignore_changes = [
    items[0].["record_hash"]
  ]
}

Help!

Steps to Reproduce

  1. See above

jeliker commented 2 years ago

This is still happening on 4.96.0. Very difficult to accommodate with a large number of RRSET entries. Each of these apply operations is causing a lot of lost time reviewing the changes to ensure nothing is unintentionally changing (since, as described above, NOTHING is actually changing yet it is triggering an update because of RRSET resource attributes that are highly dynamic that cannot be ignored).

jeliker commented 2 years ago

Even ignore_changes=all doesn't help 😕

  lifecycle {
    ignore_changes = all
  }

ravinitp commented 1 year ago

Thank you for reporting the issue. We have raised an internal ticket to track this. Our service engineers will get back to you.

rjnay commented 1 year ago

@jeliker We are unable to reproduce this when specifying the zone, view, and rrset resources together. Were you doing that or were you looking up the zone or view ocid using a data source?

jeliker commented 1 year ago

I am specifying view and zone IDs as reference to other resources like this:

resource "oci_dns_zone" "the_zone" {
  #Required
  compartment_id = var.compartment_id
  name           = "example.com"
  zone_type      = "PRIMARY"

  scope          = "PRIVATE"
  view_id        = oci_dns_view.the_view.id
}

resource "oci_dns_view" "the_view" {
  #Required
  compartment_id = var.compartment_id
  scope          = "PRIVATE"
}

resource "oci_dns_rrset" "the_rrset" {
  #Required
  domain          = "my.example.com"
  rtype           = "SRV"
  zone_name_or_id = oci_dns_zone.the_zone.id

  #Optional
  compartment_id = var.compartment_id
  items {
     #Required
     domain = "my.example.com"
     rdata  = "0 100 389 example.com."
     rtype  = "SRV"
     ttl    = 300
  }
  scope   = "PRIVATE"
  view_id = oci_dns_view.the_view.id
}

terraform plan

# oci_dns_rrset.the_rrset will be updated in-place
  ~ resource "oci_dns_rrset" "the_rrset" {
        id              = "zoneNameOrId/ocid1.dns-zone.oc1.iad.aaaaxofwl6acaaaih6gdhdceosroceqlro4tjasxqp34pncymi7tuyxhsdaq/domain/my.example.com/rtype/SRV"
        # (6 unchanged attributes hidden)

      + items {
          + domain        = "my.example.com"
          + is_protected  = (known after apply)
          + rdata         = "0 100 389 example.com."
          + record_hash   = (known after apply)
          + rrset_version = (known after apply)
          + rtype         = "SRV"
          + ttl           = 300
        }
      - items {
          - domain        = "my.example.com" -> null
          - is_protected  = false -> null
          - rdata         = "0 100 389 example.com." -> null
          - record_hash   = "d1d083776d0caabf956c46cf81c12ea1" -> null
          - rrset_version = "13" -> null
          - rtype         = "SRV" -> null
          - ttl           = 300 -> null
        }
    }

jeliker commented 1 year ago

Above tested with 4.118.0

rjnay commented 1 year ago

@jeliker I'm unable to reproduce this using your exact configuration above. What is your Terraform version?

parera10 commented 2 months ago

Still happening on this version:

Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/oracle/oci v6.4.0

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # oci_dns_rrset.wildcard_sub1_domain_com will be updated in-place
  ~ resource "oci_dns_rrset" "wildcard_sub1_domain_com" {
        id              = "zoneNameOrId/ocid1.dns-zone.oc1..aaaaaaaaftfvx2cbvoh7fcfbgeubgtcgyez7gsyqm2odnknwdyynakq4jnaq/domain/%2A.sub1.domain.com./rtype/A"
        # (3 unchanged attributes hidden)

      - items {
          - domain        = "*.sub1.domain.com" -> null
          - is_protected  = false -> null
          - rdata         = "10.1.0.8" -> null
          - record_hash   = "3f324139f47851f1d269078d54de682d" -> null
          - rrset_version = "12" -> null
          - rtype         = "A" -> null
          - ttl           = 300 -> null
        }
      + items {
          + domain        = "*.sub1.domain.com."
          + is_protected  = (known after apply)
          + rdata         = "10.1.0.8"
          + record_hash   = (known after apply)
          + rrset_version = (known after apply)
          + rtype         = "A"
          + ttl           = 300
        }
    }

  # oci_dns_rrset.wildcard_sub2_domain_com will be updated in-place
  ~ resource "oci_dns_rrset" "wildcard_sub2_domain_com" {
        id              = "zoneNameOrId/ocid1.dns-zone.oc1..aaaaaaaaftfvx2cbvoh7fcfbgeubgtcgyez7gsyqm2odnknwdyynakq4jnaq/domain/%2A.sub2.domain.com./rtype/A"
        # (3 unchanged attributes hidden)

      - items {
          - domain        = "*.sub2.domain.com" -> null
          - is_protected  = false -> null
          - rdata         = "138.1.1.63" -> null
          - record_hash   = "bb18395a4568dbdd59ff39981312e872" -> null
          - rrset_version = "13" -> null
          - rtype         = "A" -> null
          - ttl           = 300 -> null
        }
      + items {
          + domain        = "*.sub2.domain.com."
          + is_protected  = (known after apply)
          + rdata         = "138.1.1.63"
          + record_hash   = (known after apply)
          + rrset_version = (known after apply)
          + rtype         = "A"
          + ttl           = 300
        }
    }

Plan: 0 to add, 2 to change, 0 to destroy.
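
An added example (not part of the thread or of the provider's code) for the plan-review burden described in this issue: it reads the JSON form of a plan (`terraform show -json <planfile>`) and lists only the `items` attributes whose planned value is known and differs from state, skipping computed fields that show as `(known after apply)`. The sample input is constructed from the last plan quoted above; the function name `known_item_diffs` and the note strings are assumptions of this example.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output; values
# mirror the wildcard_sub1 plan quoted in the last comment.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "oci_dns_rrset.wildcard_sub1_domain_com",
  "type": "oci_dns_rrset",
  "change": {
    "actions": ["update"],
    "before": {"items": [{"domain": "*.sub1.domain.com", "is_protected": false,
      "rdata": "10.1.0.8", "record_hash": "3f324139f47851f1d269078d54de682d",
      "rrset_version": "12", "rtype": "A", "ttl": 300}]},
    "after": {"items": [{"domain": "*.sub1.domain.com.", "rdata": "10.1.0.8",
      "rtype": "A", "ttl": 300}]},
    "after_unknown": {"items": [{"is_protected": true, "record_hash": true,
      "rrset_version": true}]}}}]}
""")

def _key(item):
    return (item.get("rtype"), item.get("rdata"))  # pair by type and data, not list position

def known_item_diffs(plan, resource_type="oci_dns_rrset"):
    """Return {address: [(attr, before, after, note)]} for known, differing values only."""
    report = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        ch = rc["change"]
        old_by_key = {_key(i): i for i in (ch.get("before") or {}).get("items") or []}
        new_items = (ch.get("after") or {}).get("items") or []
        unk = (ch.get("after_unknown") or {}).get("items")
        diffs = []
        for idx, new in enumerate(new_items):
            unknown = unk[idx] if isinstance(unk, list) and idx < len(unk) else {}
            old = old_by_key.pop(_key(new), None)
            if old is None:
                diffs.append(("items", None, new, "record added"))
                continue
            for attr in sorted(set(old) | set(new)):
                a, b = old.get(attr), new.get(attr)
                # Skip equal values and computed attributes that are unknown until apply.
                if a == b or (isinstance(unknown, dict) and unknown.get(attr) is True):
                    continue
                cosmetic = (attr == "domain" and isinstance(a, str) and isinstance(b, str)
                            and a.rstrip(".").lower() == b.rstrip(".").lower())
                diffs.append((attr, a, b, "trailing dot or case only" if cosmetic else "value changed"))
        diffs += [("items", old, None, "record removed") for old in old_by_key.values()]
        report[rc["address"]] = diffs
    return report
```

Records are paired on `(rtype, rdata)`, so an rrset whose `rdata` really changes is reported as one record added and one removed rather than being hidden among the computed-attribute noise.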