Incorrect handling of directives in resource aci_contract_subject_filter (DCNE-416)

[dirkf98]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

$ terraform -v
Terraform v1.9.0
on linux_386
+ provider registry.terraform.io/ciscodevnet/aci v2.15.0
+ provider registry.terraform.io/hashicorp/assert v0.15.0

Your version of Terraform is out of date! The latest version
is 1.10.5. You can update by downloading from https://www.terraform.io/downloads.html

I know it is an older terraform version but it seems to me like a problem with the terraform resource.

APIC version and APIC Platform

• V 5.2(7f) and on-prem (APIC simulator)

Affected Resource(s)

• aci_contract_subject_filter

Terraform Configuration Files

resource "aci_contract_subject_filter" "ipv6-tsm-prov_cont_ipv6-tsm-prov_subj_flt-icmp_fltr" {
  contract_subject_dn = aci_contract_subject.ipv6-tsm-prov_cont_ipv6-tsm-prov_subj.id
  filter_dn           = "uni/tn-common/flt-icmp_fltr"
  action              = "permit"
  directives          = ["none"]
  priority_override   = "default"
}

Debug Output

Panic Output

Expected Behavior

Initial terraform apply works good. In a second attempt with the same terraform config I expect that no changes are needed.

Actual Behavior

Terraform attempts to modify the resource, specifically updating the attribute directives:

Terraform will perform the following actions:

  # aci_contract_subject_filter.ipv6-tsm-prov_cont_ipv6-tsm-prov_subj_flt-icmp_fltr will be updated in-place
  ~ resource "aci_contract_subject_filter" "ipv6-tsm-prov_cont_ipv6-tsm-prov_subj_flt-icmp_fltr" {
      ~ directives          = [
          ~ null -> "none",
        ]
        id                  = "uni/tn-z_sich_ten/brc-ipv6-tsm-prov_cont/subj-ipv6-tsm-prov_subj/rssubjFiltAtt-icmp_fltr"
        # (5 unchanged attributes hidden)
    }

Steps to Reproduce

1. terraform apply for initial deployment
2. terraform apply without config change

Important Factoids

I'm using APIC simulator for this test.

This is the output from the state file:

$ terraform state show aci_contract_subject_filter.ipv6-tsm-prov_cont_ipv6-tsm-prov_subj_flt-icmp_fltr
# aci_contract_subject_filter.ipv6-tsm-prov_cont_ipv6-tsm-prov_subj_flt-icmp_fltr:
resource "aci_contract_subject_filter" "ipv6-tsm-prov_cont_ipv6-tsm-prov_subj_flt-icmp_fltr" {
    action              = "permit"
    annotation          = null
    contract_subject_dn = "uni/tn-z_sich_ten/brc-ipv6-tsm-prov_cont/subj-ipv6-tsm-prov_subj"
    directives          = [
        null,
    ]
    filter_dn           = "uni/tn-common/flt-icmp_fltr"
    id                  = "uni/tn-z_sich_ten/brc-ipv6-tsm-prov_cont/subj-ipv6-tsm-prov_subj/rssubjFiltAtt-icmp_fltr"
    priority_override   = "default"
}

References

[samiib]

Greetings @dirkf98, thank you for raising this bug.

I can confirm that we can reproduce a similar issue on 6.0 and 5.2.

# aci_contract_subject_filter.local will be updated in-place
  ~ resource "aci_contract_subject_filter" "local" {
      ~ directives          = [
          - "",
          + "none",
        ]
        id                  = "uni/tn-samita_tenant/brc-any666/subj-sbj-any666/rssubjFiltAtt-any999"
        # (4 unchanged attributes hidden)
    }

I see it changing from an empty string to "none" instead of null. However, this is still the same issue.

I'll look into the problem with the directives attribute further.