Cyclical issue with RBAC policies and network for access_as_external and external = false.

[Banshee1221]

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see https://www.terraform.io/community.html.

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

Terraform v1.3.5
on windows_amd64
+ provider registry.terraform.io/terraform-provider-openstack/openstack v1.49.0

Affected Resource(s)

• openstack_networking_network_v2

Terraform Configuration Files

resource "openstack_networking_network_v2" "provider_vlanxxx" {
    name           = "Management"
    description    = "Management VLANxxx provider network"
    external       = false
    mtu            = 9000

    segments {
        physical_network = "xxx"
        segmentation_id  = "xxx"
        network_type     = "vlan"
    }
    admin_state_up = "true"
}

resource "openstack_networking_rbac_policy_v2" "management" {
  action        = "access_as_external"
  object_id     = openstack_networking_network_v2.provider_vlanxxx.id
  object_type   = "network"
  target_tenant = openstack_identity_project_v3.infra.id
}

Output

$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # openstack_networking_network_v2.provider_vlanxxx will be updated in-place
  ~ resource "openstack_networking_network_v2" "provider_vlanxxx" {
      ~ external                = true -> false
        id                      = "c9ec776f-73ed-4056-b23e-9caa4b90cf00"
        name                    = "Management"
        tags                    = []
        # (10 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # openstack_networking_rbac_policy_v2.management will be created
  + resource "openstack_networking_rbac_policy_v2" "management" {
      + action        = "access_as_external"
      + id            = (known after apply)
      + object_id     = "c9ec776f-73ed-4056-b23e-9caa4b90cf00"
      + object_type   = "network"
      + project_id    = (known after apply)
      + region        = (known after apply)
      + target_tenant = "3ab5e9ff06484c939b75a0d81ae1d69e"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # openstack_networking_network_v2.provider_vlanxxx will be updated in-place
  ~ resource "openstack_networking_network_v2" "provider_vlanxxx" {
      ~ external                = true -> false
        id                      = "c9ec776f-73ed-4056-b23e-9caa4b90cf00"
        name                    = "Management"
        tags                    = []
        # (10 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Expected Behavior

• Network is created with external = false
• RBAC policy is created which turns external = true on network
• Network is seen as external = true in terraform provider for subsequent runs

Actual Behavior

• Network is created with external = false
• RBAC policy is created which turns external = true on network
• Network is seen as external = falsein terraform provider for subsequent runs, causing rbac policy to be deleted.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

Important Factoids

OpenStack Yoga deployed by Kolla-ansible.

[nikParasyr]

hello @Banshee1221

Thanks for reporting this. I have faced the same issue but have overcame it using ignore_changes for the external attribute. I might have a look on the provider to see if there is something we can do to make ignore_changes not required