civo/terraform-provider-civo

Firewall resource is not idempotent when region is null

aw1cks opened this issue · 3 comments

Hi there!
I noticed an idempotency issue with the civo_firewall resource.

I deployed a firewall with the following code:

terraform {
  required_version = "~> 1.3.0"
  required_providers {
    civo = {
      source  = "civo/civo"
      version = "~> 1.0.24"
    }
  }
}

variable "civo_token" {
  description = "Token used for Civo API"
  type        = string
  sensitive   = true
}

provider "civo" {
  token  = var.civo_token
  region = "LON1"
}

resource "civo_firewall" "fw" {
  name  = "test-firewall"
}

Here is the state after deploying it:

~» terraform show
# civo_firewall.fw:
resource "civo_firewall" "fw" {
    create_default_rules = true
    id                   = "7b45a626-3e6d-4534-8a03-ebad5a47a8fc"
    name                 = "test-firewall"
    network_id           = "6d8820ad-8e93-4d99-82e0-740eb54f316d"
    region               = "LON1"

    egress_rule {
        action     = "allow"
        cidr       = [
            "0.0.0.0/0",
        ]
        id         = "507dc331-395b-4fd2-9728-b025442a3408"
        label      = "All TCP ports open"
        port_range = "1-65535"
        protocol   = "tcp"
    }
    egress_rule {
        action     = "allow"
        cidr       = [
            "0.0.0.0/0",
        ]
        id         = "df559ec9-65e2-49b8-8974-9908b15fc4ac"
        label      = "All UDP ports open"
        port_range = "1-65535"
        protocol   = "udp"
    }
    egress_rule {
        action   = "allow"
        cidr     = [
            "0.0.0.0/0",
        ]
        id       = "fbf23493-6d69-49d9-bf28-eb2e741f19f6"
        label    = "Ping/traceroute"
        protocol = "icmp"
    }

    ingress_rule {
        action   = "allow"
        cidr     = [
            "0.0.0.0/0",
        ]
        id       = "37f676ef-1810-45d3-842e-d96a7a9de7b6"
        label    = "Ping/traceroute"
        protocol = "icmp"
    }
    ingress_rule {
        action     = "allow"
        cidr       = [
            "0.0.0.0/0",
        ]
        id         = "3c8336e1-533e-4c45-80bd-45fb1b512443"
        label      = "All TCP ports open"
        port_range = "1-65535"
        protocol   = "tcp"
    }
    ingress_rule {
        action     = "allow"
        cidr       = [
            "0.0.0.0/0",
        ]
        id         = "dfe6c93c-3745-4938-ac8f-a128f44f30a4"
        label      = "All UDP ports open"
        port_range = "1-65535"
        protocol   = "udp"
    }
}
~»

However, if I now plan again:

~» terraform plan
civo_firewall.fw: Refreshing state... [id=7b45a626-3e6d-4534-8a03-ebad5a47a8fc]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # civo_firewall.fw will be updated in-place
  ~ resource "civo_firewall" "fw" {
        id                   = "7b45a626-3e6d-4534-8a03-ebad5a47a8fc"
        name                 = "test-firewall"
      - region               = "LON1" -> null
        # (2 unchanged attributes hidden)

        # (6 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
~»

This issue doesn't appear if explicitly specifying the region. However, as per the docs, this string should be nullable, in which case it'll pick up the provider default region.

In my use case, I have a generic module to create a firewall, and I'd like to be able to have the option to override the region if desired, but default to nulling the value so that it picks up the provider config.

Let me know if you'd like any more information or details.
Thanks!
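An added example, not part of the original issue or the provider's code: a check that reads the JSON produced by `terraform show -json <planfile>` and flags in-place updates whose only differences are attributes going from a set value to null, the pattern in the plan above. The sample plan is constructed from the issue's output, and `civo_firewall.other` is a hypothetical resource added for contrast.

```python
import json

def _rc(address, before, after):
    """Build one constructed resource_changes entry (in-place update)."""
    return {"address": address, "type": "civo_firewall",
            "change": {"actions": ["update"], "before": before,
                       "after": after, "after_unknown": {}}}

# Constructed sample in the shape of `terraform show -json <planfile>`.
# civo_firewall.fw mirrors the plan in the issue; civo_firewall.other is a
# hypothetical resource with a genuine change, for contrast.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    _rc("civo_firewall.fw",
        {"name": "test-firewall", "region": "LON1"},
        {"name": "test-firewall", "region": None}),
    _rc("civo_firewall.other",
        {"name": "old-name", "region": "LON1"},
        {"name": "new-name", "region": "LON1"}),
]})

def changed_attributes(change):
    """Return {attr: (before, after)} for top-level attributes that differ."""
    before = change.get("before") or {}
    after = change.get("after") or {}
    unknown = change.get("after_unknown") or {}
    diff = {}
    for key in sorted(set(before) | set(after)):
        if unknown.get(key):  # known only after apply, not a value -> null case
            continue
        if before.get(key) != after.get(key):
            diff[key] = (before.get(key), after.get(key))
    return diff

def null_only_updates(plan_json):
    """Map address -> attrs for updates whose only diffs are value -> null."""
    suspects = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") != ["update"]:
            continue
        diff = changed_attributes(change)
        if diff and all(b is not None and a is None for b, a in diff.values()):
            suspects[rc["address"]] = sorted(diff)
    return suspects

if __name__ == "__main__":
    for addr, attrs in null_only_updates(SAMPLE_PLAN).items():
        print(f"{addr}: only value -> null changes on {attrs}")
```

Run against a plan taken immediately after a clean apply, a hit means the resource is not idempotent for the listed attributes.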

I will check, thanks for the report @aw1cks

This will be out in the next release

Thanks for the quick fix!