vcd_nsxv_dnat and DHCP

[haf-tech]

Hi there,

I figured out an issue with a DHCP routed network and trying to set dnat rule. IP is during plan known, but in apply not. The network is created manually in vCD due other bugs in the plugin with routed network and distributed interface type (#559 ).

vcd_network_routed net

• routed
• distributed
• static IP pool
• DHCP Pool
• ..DHCP binding MAC to IP, hostname

Terraform Version

Terraform v0.13.3
+ provider registry.terraform.io/hashicorp/random v2.3.0
+ provider registry.terraform.io/terraform-providers/ignition v1.2.1
+ provider registry.terraform.io/terraform-providers/vcd v2.9.0

Affected Resource(s)

• vcd_nsxv_dnat

Terraform Configuration Files

resource "vcd_nsxv_dnat" "rule_internet_ssh" {
    count = var.vcd_allow_ssh == true ? 1 :0

    edge_gateway        = var.vcd_edge_gateway_name
    network_type        = "ext"
    network_name        = data.vcd_edgegateway.edge.default_gateway_network

    original_address    = data.vcd_edgegateway.edge.default_external_network_ip
    original_port       = 22

    translated_address  = vcd_vapp_vm.okd_bastion_vm00.network[0].ip
    translated_port     = 22
    protocol            = "tcp"
}

Debug Output

https://gist.github.com/haf-tech/d1e213e26a37b3fc72534aeaa7739bd2

Panic Output

n/a

Expected Behavior

• VM with DHCP
• ...and Firewall rules

Actual Behavior

Error: Provider produced inconsistent final plan

When expanding the plan for
module.module_vcd.vcd_nsxv_dnat.rule_internet_ssh[0] to include new values
learned so far during apply, provider
"registry.terraform.io/terraform-providers/vcd" produced an invalid new value
for .translated_address: was cty.StringVal("192.168.100.11"), but now
cty.StringVal("").

This is a bug in the provider, which should be reported in the provider's own
issue tracker.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

Important Factoids

• vCD on IBM Cloud

References

n/a

[Didainius]

Thanks @haf-tech, I will try to reproduce it and come back.

[Didainius]

Potentially partly related to #551 as well

[Didainius]

@haf-tech , First thing. Could you also share definition of vcd_vapp_vm.okd_bastion_vm00 resource?

[haf-tech]

@Didainius yes, see enclosed the resource definition.

# Create a VM, bastion 0
resource "vcd_vapp_vm" "okd_bastion_vm00" {
  name            = "okd_bastion_vm00"
  vapp_name     = vcd_vapp.okd-bastion-vapp.name
  template_name = "CentOS-8-Template-Official"
  power_on      = "true"
  catalog_name  = "Public Catalog"

  memory        = 4096
  cpus          = 1  

  # helpful for DHCP to wait for the IP assignment, relevant for other steps like firewall rule
  network_dhcp_wait_seconds = 30

  network {
      name                = vcd_vapp_org_network.bastion-direct-network.org_network_name
      type                = "org"
      #ip_allocation_mode  = "POOL"
      #ip                  = "192.168.100.6"
      #ip_allocation_mode  = "MANUAL"
      ip_allocation_mode  = "DHCP"
      is_primary          = true
  }

  # define the Ignition config
  guest_properties = {
    "guest.hostname"                          = "okd-bastion-vm00"
  }

  customization {
    force                               = true
    enabled                             = true
    allow_local_admin_password          = true
    must_change_password_on_first_login = false
    auto_generate_password              = false
    admin_password                      = random_password.password.result   
  }

  lifecycle {
   ignore_changes = [customization[0].admin_password]
  }
}

[Didainius]

@haf-tech, That one is a tricky thing with DHCP because we rely on VM reporting IP (showing in UI). Did it happen on initial deployment or later on while doing apply? Does UI still report IP for that VM? Could a longer network_dhcp_wait_seconds = 30 help? Is your DHCP pool configured in Edge gateway or some external infrastructure using DHCP relay?

Would you be able to also capture (TF_LOG=TRACE) from Terraform itself? It should have a few custom logs lines from this provider about how succesfull DHCP IP lookup was.