Each TF plan causes drift because of the Server Group ID order returned by ZPA provider

Question

Each TF plan causes drift because of the Server Group ID order returned by ZPA provider

Closed this issue a year ago · 1 comments

AdamRabcan commented a year ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.3.7
on windows_amd64

provider registry.terraform.io/zscaler/zpa v2.7.9

Affected Resource(s)

zpa_server_group
zpa_application_segment

Terraform Configuration Files

data "zpa_server_group" "tf_server_groups" {
  for_each = local.server_groups
  name     = each.key
}

locals {
  server_groups = toset(lookup(local.server_groups_region, var.region, ["test-zpa-server-group", "test-zpa-server-group2"]))
  server_groups_region = {
    us-east-1      = ["Server Group", "test-zpa-server-group", "test-zpa-server-group2"]
    us-west-2      = ["test-zpa-server-group"]
    eu-central-1   = ["test-zpa-server-group", "test-zpa-server-group2"]
    eu-west-1      = ["test-zpa-server-group", "test-zpa-server-group2"]
    ap-northeast-1 = ["test-zpa-server-group", "test-zpa-server-group2"]
    ap-southeast-1 = ["test-zpa-server-group", "test-zpa-server-group2"]
  }
}

resource "zpa_application_segment" "application_segment" {
  name             = "TF_${upper(local.apms_id)}_${upper(local.env_id_short)}_AWS"
  description      = "${var.application_name} application segment created via TF BB in ${terraform.workspace} TFE workspace"
  enabled          = true
  health_reporting = "ON_ACCESS"
  bypass_type      = "NEVER"
  is_cname_enabled = true
  tcp_port_ranges  = var.tcp_port_ranges
  udp_port_ranges  = var.udp_port_ranges
  domain_names     = var.domain_names
  segment_group_id = data.zpa_segment_group.bu_segment_group.id
  server_groups {
    id = [for sg in local.server_groups : data.zpa_server_group.tf_server_groups[sg].id]
  }
}

Debug Output

run-kmi7AumQewzXT5Hp-plan-log.txt

Expected Behavior

No drift detected as there was no change in configuration.

Actual Behavior

Every run causes drift because the order of Server Group IDs of the application segment is different than configured in the code.
The plan always sort passed IDs of the SG obtained from data source of data.zpa_server_group in numerical order but current tfstate does not have it sorted that way.

ZPA assigns SGs always in this order in GUI - and this is also reflected in state:

Meanwhile the passed configuration is sorted by value of the num. ID.
IDs:
144131165354196994 - Server Group
144131165354197065 - test-zpa-server-group
144131165354197331 - test-zpa-server-group2

Steps to Reproduce

Every TF plan/apply

Answer 1 · 2023-06-26T19:34:31.000Z

Hi @AdamRabcan Thanks for reaching out.
We were able to reproduce the issue, and will develop a fix for it in the next release. v2.8.0.
In the meantime, please feel free to join our private slack channel here if you have further questions.
Thank you

William