Rule set removal fails when attached to a listener, even the plan looks good.

[stanicek]

Terraform Version

v0.11.11

OCI Provider Version

3.17.0

Description:

Repro steps:

1. Create a load balancer

   resource "oci_load_balancer_load_balancer" "load_balancer" {
   compartment_id = "${var.compartment_ocid}"
   display_name   = "${var.load_balancer_name}"
   is_private     = "false"
   shape          = "${var.lbaas_shape_100mbps}"
   subnet_ids     = ["${oci_core_subnet.lbaas-ad1.id}", "${oci_core_subnet.lbaas-ad2.id}"]
   }

2. Create a rule set with count = 1

   resource "oci_load_balancer_rule_set" "default_rule_set" {
   count = 1
   name = "default"
   load_balancer_id = "${oci_load_balancer_load_balancer.load_balancer.id}"
   items = [
   {
   action = "ADD_HTTP_REQUEST_HEADER"
   header = "X-LBaaS-Test"
   value = "Test"
   },
   ]
   }

3. Create a listener with the rule set attached

   resource "oci_load_balancer_listener" "default_http_listener" {
   load_balancer_id         = "${oci_load_balancer_load_balancer.load_balancer.id}"
   name                     = "default_http"
   default_backend_set_name = "${oci_load_balancer_backend_set.default_backend_set.name}"
   rule_set_names = ["${oci_load_balancer_rule_set.default_rule_set.*.name}"]
   port                     = "80"
   protocol                 = "HTTP"
   }

4. terraform apply -> everything goes as expected
5. Try to set the rule set resource count to 0

   resource "oci_load_balancer_rule_set" "default_rule_set" {
   count = 0
   name = "default"
   load_balancer_id = "${oci_load_balancer_load_balancer.load_balancer.id}"
   items = [
   {
   action = "ADD_HTTP_REQUEST_HEADER"
   header = "X-LBaaS-Test"
   value = "Test"
   },
   ]
   }

6. terraform apply -> fails as described below

Expected:

• Rule set is detached from listener
• Rule set is removed from load balacner

Actual:

• Plan looks good

  
  Terraform will perform the following actions:
  
  ~ oci_load_balancer_listener.default_http_listener
    rule_set_names.#: "1" => "0"
    rule_set_names.0: "default" => ""
  
  - oci_load_balancer_rule_set.default_rule_set

Plan: 0 to add, 1 to change, 1 to destroy.

- Error pops up

oci_load_balancer_rule_set.default_rule_set: Destroying... (ID: loadBalancers/ocid1.loadbalancer.oc1.ia...iry4f64e4szgfrs53emfa/ruleSets/default)

Error: Error applying plan:

1 error(s) occurred:

• oci_load_balancer_rule_set.default_rule_set (destroy): 1 error(s) occurred:

• oci_load_balancer_rule_set.default_rule_set: can not marshal to path in request for field WorkRequestId. Due to can not marshal a nil pointer

• Nothing happens

• At the first sight it seems that terraform tries to remove the rule before modifying the listener.

[kilokahn]

Thanks for reporting this @stanicek ! I am taking a look at it.

[kilokahn]

This seems like a genuine bug, and we will have an update on a plan in this week.

[kilokahn]

Hey @stanicek - we are working on the fix, but we don't have an ETA as of now. Do you have a workaround that unblocks you? If not, we can suggest something.

[codycushing]

Hello, this scenario exposed a missing error check in the provider for load balancer resources which led you to see a nil pointer message (coming from the underlying sdk). This will be fixed in the next release.

What's also going on here is setting the count of the rule set resource to zero effectively both destroys the resource in the same step as it removes the dependency from the listener. When this happens Terraform no longer infers a dependency relationship between the two and will issue the delete command for the ruleset at the same time it issues the update command for the listener. Because the service is returning a general 400 error instead of a 409, the error is presented as a terminal condition. We'll ask the service team to change the error code they return to a 409 so that retry logic will trigger and mask this behavior, eventually resulting in a successful delete.

However, know that what is occurring here is an underlying limitation in how Terraform comprehends dependencies such that you may have to employ a modified two step approach in these circumstances--remove the dependency first from the resource, then delete the other resource. Alternately, it's possible you could see the listener update occur first, but still see the rule set fail to delete. In this scenario a subsequent apply would successfully delete the rule set.

[alexng-canuck]

The Terraform limitations that lead to this issue are tracked here: https://github.com/hashicorp/terraform/issues/20823

[ravinitp]

We are very sorry that we couldn't respond to each and every issue reported on GitHub. Although we have refined the process to prioritize customer issues on GitHub, since this issue was reported a while ago, there is a good chance it may have been fixed in the latest version of Terraform Provider OCI. If you are still experiencing this issue, please create a new issue and label it as Bug.