tencentcloudstack / terraform-provider-tencentcloud

Terraform Tencent Cloud Provider
https://www.terraform.io/docs/providers/tencentcloud/
Mozilla Public License 2.0

tencentcloud_vpc_acl missing rule status #1074

Open djluo opened 2 years ago

djluo commented 2 years ago

Terraform Version

Terraform v1.2.2 on darwin_amd64 provider registry.terraform.io/tencentcloudstack/tencentcloud v1.72.7

Affected Resource(s)

Terraform Configuration Files

resource "tencentcloud_vpc_acl" "oc" {
  vpc_id  = tencentcloud_vpc.vpc.id
  name    = "only_accept_oc"
  ingress = [
    "ACCEPT#10.255.0.0/16#ALL#ALL",
  ]
  egress  = [
    "ACCEPT#10.255.0.0/16#ALL#ALL",
  ]
}

resource "tencentcloud_vpc_acl_attachment" "attachment" {
  acl_id    = tencentcloud_vpc_acl.oc.id
  subnet_id = tencentcloud_subnet.subnet.id
}

Plan always outputs


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.nucleus-tencent2.tencentcloud_vpc_acl.oc will be updated in-place
  ~ resource "tencentcloud_vpc_acl" "oc" {
      ~ egress      = [
          + "ACCEPT#10.255.0.0/16#ALL#ALL",
        ]
        id          = "acl-i0fikcbm"
      ~ ingress     = [
          + "ACCEPT#10.255.0.0/16#ALL#ALL",
        ]
        name        = "only_accept_oc"
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

  1. terraform apply
  2. terraform plan
  3. terraform apply
  4. terraform plan

Guess

The egress and ingress rules are not being saved to terraform.tfstate, so plan and apply keep repeating the same operation on them.

smorimoto commented 1 year ago

Can anyone on the Terraform team check this? I believe this bug still exists.

lyu571 commented 1 year ago

@djluo thanks for your feedback. The provider always stores the egress and ingress configs after the "apply" operation unless the config has no port.

So the root cause is that your egress/ingress protocol is specified as ALL with no port. The provider will not store the egress/ingress rules in that case.

Workaround: use a specific protocol and port, e.g.:

  ingress = [
    "ACCEPT#192.168.1.0/24#80#TCP",
    "ACCEPT#192.168.1.0/24#80-90#TCP",
  ]
  egress = [
    "ACCEPT#192.168.1.0/24#80#TCP",
    "ACCEPT#192.168.1.0/24#80-90#TCP",
  ]

We will evaluate removing this port constraint in this scenario.

smorimoto commented 1 year ago

@lyu571 That would be great if the constraint could be removed. The extra output always makes a lot of noise in many senses.

lyu571 commented 1 year ago

After a quick glance, we found that the VPC query interface returns two default configs every time, which causes the diff in the tf plan/apply operation. So the port constraint is used to filter out these configs and avoid this unexpected diff.

In other words, this constraint will be retained until there is an effective method to filter these default configs, or an optimization on the VPC interface (Tencent Cloud SDK) side.
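To make the mechanism lyu571 describes concrete, the following Go program is an added simulation, not code from the provider: it parses rules in the provider's "ACTION#CIDR#PORT#PROTOCOL" string form, models a refresh in which the API returns the applied rules plus two default entries, applies the "must have a port" filter before writing state, and reports what the next plan would show. The contents of the two default entries are not shown in the thread, so the values in defaultRules are constructed for the simulation; the helper names (ParseACLRule, RefreshState, PlanDiff, ApplyThenPlan) are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ACLRule is one entry of a tencentcloud_vpc_acl ingress/egress list,
// written in the provider's "ACTION#CIDR#PORT#PROTOCOL" string form.
type ACLRule struct {
	Action, CIDR, Port, Protocol string // Port is "ALL", "80" or "80-90"
}

// String re-encodes the rule exactly as terraform prints it in a plan.
func (r ACLRule) String() string {
	return strings.Join([]string{r.Action, r.CIDR, r.Port, r.Protocol}, "#")
}

// ParseACLRule validates a rule string before it is sent to the API.
func ParseACLRule(s string) (ACLRule, error) {
	p := strings.Split(s, "#")
	if len(p) != 4 {
		return ACLRule{}, fmt.Errorf("rule %q: want ACTION#CIDR#PORT#PROTOCOL", s)
	}
	r := ACLRule{strings.ToUpper(p[0]), p[1], strings.ToUpper(p[2]), strings.ToUpper(p[3])}
	if r.Action != "ACCEPT" && r.Action != "DROP" {
		return ACLRule{}, fmt.Errorf("rule %q: action must be ACCEPT or DROP", s)
	}
	if _, _, err := net.ParseCIDR(r.CIDR); err != nil {
		return ACLRule{}, fmt.Errorf("rule %q: bad CIDR: %w", s, err)
	}
	switch r.Protocol {
	case "ALL", "TCP", "UDP", "ICMP":
	default:
		return ACLRule{}, fmt.Errorf("rule %q: unsupported protocol %q", s, r.Protocol)
	}
	if r.Port != "ALL" {
		lo, hi, isRange := strings.Cut(r.Port, "-")
		if !isRange {
			hi = lo
		}
		l, err1 := strconv.Atoi(lo)
		h, err2 := strconv.Atoi(hi)
		if err1 != nil || err2 != nil || l < 1 || h > 65535 || l > h {
			return ACLRule{}, fmt.Errorf("rule %q: bad port %q", s, r.Port)
		}
	}
	return r, nil
}

// defaultRules stands in for the two default entries the VPC query API is
// said to return on every read. Their real contents are not in the thread;
// these values are constructed for the simulation only.
var defaultRules = []ACLRule{
	{"ACCEPT", "0.0.0.0/0", "ALL", "ALL"},
	{"DROP", "0.0.0.0/0", "ALL", "ALL"},
}

// hasPort is the filter described in the thread: a rule without an explicit
// port is treated as a default entry and is not written to state.
func hasPort(r ACLRule) bool { return r.Port != "ALL" }

// RefreshState simulates a provider read: the API returns the applied rules
// plus the defaults, and only rules passing hasPort reach terraform.tfstate.
func RefreshState(applied []ACLRule) []string {
	var state []string
	for _, r := range append(append([]ACLRule{}, applied...), defaultRules...) {
		if hasPort(r) {
			state = append(state, r.String())
		}
	}
	return state
}

// PlanDiff returns configured rules absent from state: the "+" lines that
// terraform plan prints and that apply re-sends on every run.
func PlanDiff(config, state []string) []string {
	inState := map[string]bool{}
	for _, s := range state {
		inState[s] = true
	}
	var missing []string
	for _, c := range config {
		if !inState[c] {
			missing = append(missing, c)
		}
	}
	return missing
}

// ApplyThenPlan runs one apply/plan cycle and returns the diff the next plan
// would show; a non-empty result means the config never converges.
func ApplyThenPlan(config []string) ([]string, error) {
	var applied []ACLRule
	for _, s := range config {
		r, err := ParseACLRule(s)
		if err != nil {
			return nil, err
		}
		applied = append(applied, r)
	}
	return PlanDiff(config, RefreshState(applied)), nil
}

func main() {
	issue := []string{"ACCEPT#10.255.0.0/16#ALL#ALL"}
	fix := []string{"ACCEPT#192.168.1.0/24#80#TCP", "ACCEPT#192.168.1.0/24#80-90#TCP"}
	for _, cfg := range [][]string{issue, fix} {
		diff, err := ApplyThenPlan(cfg)
		fmt.Printf("config=%v err=%v perpetual diff=%v\n", cfg, err, diff)
	}
}
```

The point the simulation makes is that the filter cannot tell the user's "ALL#ALL" rule apart from the default entries, because the only attribute it looks at is the port; any rule carrying a port survives the refresh and the plan converges, which is exactly the workaround above. The perpetual diff is worth fixing rather than ignoring: a plan that always shows an update trains operators to approve noisy plans, which is where an unrelated, unwanted ACL change can slip through.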