Unexpected behaviour for aci_contract_subject (DCNE-425) #1353

Open
dirkf98 opened this issue May 15, 2025 · 3 comments
Labels
bug jira-sync Sync this issue to Jira

Comments

@dirkf98

dirkf98 commented May 15, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.10.5
on linux_amd64

  • provider registry.terraform.io/ciscodevnet/aci v2.16.0
  • provider registry.terraform.io/hashicorp/assert v0.16.0

APIC version and APIC Platform

  • V 6.0(8f) on-prem

Affected Resource(s)

  • aci_contract_subject

Terraform Configuration Files

############################################ Contract l3out_contr
resource "aci_contract" "l3out_contr" {
  tenant_dn   = aci_tenant.r_tenant.id
  description = ""
  name        = "l3out_contr"
  annotation  = ""
  name_alias  = ""
  prio        = "unspecified"
  scope       = "context"
  target_dscp = "unspecified"
}


resource "aci_contract_subject" "l3out_contr_l3out_contr_subj1" {
  contract_dn   = aci_contract.l3out_contr.id
  description   = ""
  name          = "l3out_contr_subj1"
  annotation    = ""
  cons_match_t  = "AtleastOne"
  name_alias    = ""
  prio          = "unspecified"
  prov_match_t  = "AtleastOne"
  rev_flt_ports = "yes"
  target_dscp   = "unspecified"
}


resource "aci_contract_subject_filter" "l3out_contr_l3out_contr_subj1_flt-any_ip_fltr" {
  contract_subject_dn = aci_contract_subject.l3out_contr_l3out_contr_subj1.id
  filter_dn           = "uni/tn-z_admin_ten/flt-any_ip_fltr"
  action              = "permit"
  directives          = []
  priority_override   = "default"
}

Debug Output

Panic Output

Expected Behavior

After the initial apply the configuration should not change.

Actual Behavior

The initial apply works fine and resources are being created. The next apply reports an update for the subject resource.

  # aci_contract_subject.l3out_contr_l3out_contr_subj1 will be updated in-place
  ~ resource "aci_contract_subject" "l3out_contr_l3out_contr_subj1" {
        id                            = "uni/tn-z_admin_ten/brc-l3out_contr/subj-l3out_contr_subj1"
        name                          = "l3out_contr_subj1"
      ~ relation_vz_rs_subj_filt_att  = [
          - "uni/tn-z_admin_ten/flt-any_ip_fltr",
        ]
        # (12 unchanged attributes hidden)
    }

Basically, this removes the filter from the subject.
At the next apply the relation is created again because of the configuration in resource aci_contract_subject_filter.
It seems that these are 2 competing ways for the same configuration in ACI.
I'm not sure if this is a bug or if I'm not using the resources correctly.
Please advise.

Steps to Reproduce

  1. terraform apply
  2. terraform apply with no changes in Terraform config files. Relation to filter is deleted
  3. terraform apply with no changes in Terraform config files. Relation to filter is created again

Important Factoids

References

  • #0000
@akinross akinross added bug jira-sync Sync this issue to Jira labels May 15, 2025
@github-actions github-actions bot changed the title Unexpected behaviour for aci_contract_subject Unexpected behaviour for aci_contract_subject (DCNE-425) May 15, 2025
@akinross
Collaborator

Hi @dirkf98, thank you for making us aware. There is already another bug opened on this issue so linking this one to this so it might be able to get fixed in one go: #1342

@dirkf98
Author

dirkf98 commented May 15, 2025

Thanks for the quick reply.
As a workaround I've added the relation in the subject resource and Terraform does not attempt to remove the filter then.
It is the last line in this configuration:

resource "aci_contract_subject" "l3out_contr_l3out_contr_subj1" {
  contract_dn   = aci_contract.l3out_contr.id
  description   = ""
  name          = "l3out_contr_subj1"
  annotation    = ""
  cons_match_t  = "AtleastOne"
  name_alias    = ""
  prio          = "unspecified"
  prov_match_t  = "AtleastOne"
  rev_flt_ports = "yes"
  target_dscp   = "unspecified"
  relation_vz_rs_subj_filt_att = ["uni/tn-z_admin_ten/flt-any_ip_fltr"]
}

@akinross
Collaborator

akinross commented May 15, 2025

Hi @dirkf98,

Apologies for the short response before. This indeed is a workaround, and for now the only way to do it.

It is a current limitation (bug) of the resources where children, when not defined in the parent but separately in the same configuration, are cyclically created/deleted. When we migrate the resource to the plugin framework the problem should be resolved, since we do not detect it as a change when not defined in the configuration. More is explained about the migration in https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/guides/migration. Of course the issue would then still persist in migrated resources when you define different configuration in the parent and the separate child resource.
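
A pre-apply check for the flapping described in this thread, added here as an example (not code from the issue or from the provider): it reads `terraform show -json` plan output and flags a subject update that removes a filter relation which a separate `aci_contract_subject_filter` resource also declares. The sample plan is constructed from the values in the report, and `find_filter_flaps` is a hypothetical name.

```python
import json

REL = "relation_vz_rs_subj_filt_att"
SUBJ_DN = "uni/tn-z_admin_ten/brc-l3out_contr/subj-l3out_contr_subj1"
FLT_DN = "uni/tn-z_admin_ten/flt-any_ip_fltr"

# Constructed sample shaped like `terraform show -json <planfile>` for the
# second apply in this issue; only the fields the check reads are included.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aci_contract_subject.l3out_contr_l3out_contr_subj1",
     "type": "aci_contract_subject",
     "change": {"actions": ["update"],
                "before": {"id": SUBJ_DN, REL: [FLT_DN]},
                "after": {"id": SUBJ_DN, REL: []}}},
    {"address": "aci_contract_subject_filter.l3out_contr_l3out_contr_subj1_flt-any_ip_fltr",
     "type": "aci_contract_subject_filter",
     "change": {"actions": ["no-op"],
                "before": {"contract_subject_dn": SUBJ_DN, "filter_dn": FLT_DN},
                "after": {"contract_subject_dn": SUBJ_DN, "filter_dn": FLT_DN}}},
]})


def find_filter_flaps(plan_json):
    """Return subject updates that drop a filter a child resource still declares."""
    changes = json.loads(plan_json).get("resource_changes", [])
    # (subject DN, filter DN) -> address of the standalone child declaring it.
    declared = {}
    for rc in changes:
        after = rc["change"].get("after")
        if rc["type"] == "aci_contract_subject_filter" and after:
            key = (after.get("contract_subject_dn"), after.get("filter_dn"))
            declared[key] = rc["address"]
    flaps = []
    for rc in changes:
        ch = rc["change"]
        if rc["type"] != "aci_contract_subject" or "update" not in ch["actions"]:
            continue
        before, after = ch.get("before") or {}, ch.get("after") or {}
        # Filters present in state but absent from the planned parent object.
        removed = set(before.get(REL) or []) - set(after.get(REL) or [])
        for flt in sorted(removed):
            child = declared.get((before.get("id"), flt))
            if child:  # parent would delete what the child resource manages
                flaps.append({"subject": rc["address"], "filter_dn": flt, "child": child})
    return flaps


if __name__ == "__main__":
    for flap in find_filter_flaps(SAMPLE_PLAN):
        print("FLAP:", flap["subject"], "drops", flap["filter_dn"], "declared by", flap["child"])
```

In CI, feed it the JSON rendering of a saved plan and fail the pipeline when the returned list is non-empty, so a permit filter is never silently dropped from a contract subject between applies.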
