oracle / terraform-provider-oci

Terraform Oracle Cloud Infrastructure provider
https://www.terraform.io/docs/providers/oci/
Mozilla Public License 2.0

whitelisted_ips doesn't work with mixed vnet ocid and ip address #1799

Open luckeyca opened 1 year ago

luckeyca commented 1 year ago

Community Note

Terraform Version and Provider Version

N/A

Affected Resource(s)

oci_database_autonomous_database

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. 
# Please remove any sensitive information from configuration files before sharing them. 

N/A

Debug Output

whitelisted_ips list value does NOT accept a semicolon as delimiter, as described below:

whitelisted_ips - The client IP access control list (ACL). This feature is available for autonomous databases on shared Exadata infrastructure and on Exadata Cloud@Customer. Only clients connecting from an IP address included in the ACL may access the Autonomous Database instance.

For shared Exadata infrastructure, this is an array of CIDR (Classless Inter-Domain Routing) notations for a subnet or VCN OCID. Use a semicolon (;) as a delimiter between the VCN-specific subnets or IPs. Example: ["1.1.1.1","1.1.1.0/24","ocid1.vcn.oc1.sea.","ocid1.vcn.oc1.sea.;1.1.1.1","ocid1.vcn.oc1.sea.;1.1.0.0/16"] For Exadata Cloud@Customer, this is an array of IP addresses or CIDR (Classless Inter-Domain Routing) notations. Example: ["1.1.1.1","1.1.1.0/24","1.1.2.25"]

Expected Behavior

use semicolon between OCID and IP

Actual Behavior

terraform plan error saying semicolon is wrong in list value.

Steps to Reproduce

1. Create an ADB with the oci_database_autonomous_database resource with the whitelist below:

whitelisted_ips = ["ocid1.vcn.oc1.ca-toronto-1.xxxxxxxx";"a_public_ip"]

2. terraform plan fails with error "Error: Invalid character", The ";" character is not valid. Use newlines to separate arguments and blocks, and commas to separate items in collection values."
3. Change the semicolon to a comma, then terraform apply fails with the following error

    Error: Work Request error │ Provider version: 4.110.0, released on 2023-03-01. This provider is 1 Update(s) behind to current. │ Service: Database Autonomous │ Error Message: work request did not succeed, workId: ocid1.coreservicesworkrequest.oc1.ca-montreal-1.ab4xkljrb6k2f4dzszttx5oa4t4ov64dsoabwg5hga5msdbrl2upfjzr674a, entity: database, action: UPDATED. Message: The Autonomous Database operation failed due to an unknown error. Refer to JobId e2a53561-3969-42b8-8cab-5ffbebe56a84 and WorkRequestId eb8aa347-a286-408d-8f8b-f380e740931a when opening a Service Request at My Oracle Support. │ Resource OCID: ocid1.autonomousdatabase.oc1.ca-montreal-1.an4xkljr5xeuumqaeyy234ewtpyy5jd7pa2ho7zklgtghgsevlb55ydoi4za │ Suggestion: Please retry or contact support for help with service: Database Autonomous

Important Factoids

References

NagendraNigade commented 1 year ago

Use a semicolon (;) as a delimiter between the VCN-specific subnets or IPs if you want to pass a subnet and IP as a single entity. If you want to pass them as a single parameter, use: whitelisted_ips = ["ocid1.vcn.oc1.ca-toronto-1.xxxxxxxx;a_public_ip"]

If you want to pass them as separate parameters, use: whitelisted_ips = ["ocid1.vcn.oc1.ca-toronto-1.xxxxxxxx","a_public_ip"]

Verified & checked the example. It's working fine as mentioned in the example.

luckeyca commented 1 year ago

Hi @NagendraNigade, after more testing, I found what the problem is, and it's not really related to comma vs semicolon but to VCN regions. See details below.

  1. The ADB created, without specifying subnet_id (equivalent to the console option "Secure access from allowed IPs and VCNs only"), is in region1. In the whitelisted_ips that was not working, I have VCN OCIDs from both region1 and region2. Once I removed the region2 VCN OCID from the whitelisted_ips, it's working. Is this designed behavior? Not only is it not mentioned in the resource documentation, it is also a huge limitation.
  2. The error messages are inconsistent for the failed whitelisted_ips containing VCN OCIDs from different regions. At creation time, the error was "entity: database, action: CREATED. Message: Invalid VCN/Private IP/Private CIDR format". After creating an ADB and updating it with the bad whitelisted_ips, the error was "entity: database, action: UPDATED. Message: The Autonomous Database operation failed due to an unknown error."

example:

ADB created in Toronto without specifying a subnet.

whitelisted_ips = ["public_ip", "toronto_vcn", "montreal_vcn"] fails with the two errors mentioned above.
whitelisted_ips = ["public_ip", "toronto_vcn"] works.

NagendraNigade commented 1 year ago

@luckeyca Hey, thanks for writing. Would you like to re-open the issue?

luckeyca commented 1 year ago

Hi @NagendraNigade, yes please re-open the issue. Terraform should behave the same as the console, and provide the same error when creating and updating the ADB, given the cause is the same. Also, this issue falls under another big issue: NO dependency check at terraform plan for many of the ADB resources, as reported on another ticket https://github.com/oracle/terraform-provider-oci/issues/1791. Please do discuss this with your development team. In this particular case, with whitelisted_ips = ["public_ip", "toronto_vcn", "montreal_vcn"], terraform plan still worked, but apply failed with the error reported above. This happens a lot on the ADB resource, which makes "terraform plan" non-existent. It's a big issue. Thanks.
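As an added example (not code from the provider, the OCI service, or anyone in this thread): a small Go pre-flight check that applies the rules this thread establishes before terraform apply is ever run. It encodes the documented grammar from NagendraNigade's reply (list elements are separate entries; within one element, ";" joins a leading VCN OCID to the private IPs/CIDRs scoped to it, as in the documented examples) and, as an assumption derived from luckeyca's finding, treats a VCN OCID outside the ADB's region as an error. The region is read from the fourth dot-separated field of the OCID (ocid1.<type>.<realm>.<region>.<unique-id>). The OCIDs and addresses in main are constructed placeholders.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Problem is one check failure; Entry is the index into whitelisted_ips so the
// message maps straight back to the HCL list.
type Problem struct {
	Entry int
	Msg   string
}

func (p Problem) String() string {
	return fmt.Sprintf("whitelisted_ips[%d]: %s", p.Entry, p.Msg)
}

// vcnRegion reports whether tok is a VCN OCID and, if so, its region field.
// OCID layout: ocid1.<resource-type>.<realm>.<region>.<unique-id>.
func vcnRegion(tok string) (region string, ok bool) {
	parts := strings.Split(tok, ".")
	if len(parts) < 5 || parts[0] != "ocid1" || parts[1] != "vcn" {
		return "", false
	}
	return parts[3], true
}

// isIPOrCIDR accepts a bare IPv4/IPv6 address or a CIDR block.
func isIPOrCIDR(tok string) bool {
	if net.ParseIP(tok) != nil {
		return true
	}
	_, _, err := net.ParseCIDR(tok)
	return err == nil
}

// ValidateWhitelistedIPs checks a whitelisted_ips list for an ADB in adbRegion.
// Rules applied:
//   - a ';' inside one element is only meaningful after a leading VCN OCID;
//   - every non-OCID token must parse as an IP address or CIDR block;
//   - every VCN OCID must be in adbRegion (assumption: this encodes the
//     cross-region failure reported in the thread, which the service only
//     reports at apply time).
// One Problem is returned per violation so the caller can report them all.
func ValidateWhitelistedIPs(adbRegion string, entries []string) []Problem {
	var problems []Problem
	add := func(i int, format string, a ...interface{}) {
		problems = append(problems, Problem{i, fmt.Sprintf(format, a...)})
	}
	for i, entry := range entries {
		tokens := strings.Split(entry, ";")
		for j := range tokens {
			tokens[j] = strings.TrimSpace(tokens[j])
		}
		if _, leads := vcnRegion(tokens[0]); len(tokens) > 1 && !leads {
			add(i, "%q uses ';' but does not start with a VCN OCID", entry)
		}
		for j, tok := range tokens {
			if region, ok := vcnRegion(tok); ok {
				if j != 0 {
					add(i, "VCN OCID %q must be the first ';'-separated token", tok)
				}
				if region != adbRegion {
					add(i, "VCN %q is in region %s but the ADB is in %s", tok, region, adbRegion)
				}
				continue
			}
			if !isIPOrCIDR(tok) {
				add(i, "%q is neither an IP address, a CIDR block nor a VCN OCID", tok)
			}
		}
	}
	return problems
}

func main() {
	// Constructed placeholders; not real OCIDs or addresses.
	toronto := "ocid1.vcn.oc1.ca-toronto-1.aaaaexample"
	montreal := "ocid1.vcn.oc1.ca-montreal-1.bbbbexample"
	for _, list := range [][]string{
		{"203.0.113.10", toronto},           // the working list from the thread
		{"203.0.113.10", toronto, montreal}, // cross-region VCN: fails only at apply
		{toronto + ";10.0.0.0/24;10.0.1.5"}, // VCN-scoped private addresses
		{"10.0.0.5;" + toronto},             // OCID not leading
		{"a_public_ip"},                     // unreplaced placeholder
	} {
		fmt.Printf("%v -> %v\n", list, ValidateWhitelistedIPs("ca-toronto-1", list))
	}
}
```

Running this as a pre-plan step (or expressing the format rules as a `validation` block on the variable that feeds whitelisted_ips) moves the failure from apply back to plan. The region comparison is a local rule derived from the behaviour reported above, not something the provider or the service documentation states.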