"Noisy" terraform plan with new 2.16.0 resources (DCNE-427) #1355

Open
edudppaz opened this issue May 22, 2025 · 2 comments
Labels
documentation jira-sync Sync this issue to Jira

Comments

@edudppaz

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.9.12

APIC version and APIC Platform

  • V v6.1 on-prem

Affected Resource(s)

  • aci_application_epg (example)

Terraform Configuration Files

resource "aci_application_epg" "EPG" {
  for_each  = { for epg in var.model.epg_data : "${epg.tn_name}-${epg.ap_name}-${epg.epg_name}" => epg if epg.type == "local" }
  parent_dn = "uni/tn-${each.value.tn_name}/ap-${each.value.ap_name}"
  name      = each.value.epg_name
  relation_to_bridge_domain = {
    bridge_domain_name = each.value.epg_bd
  }
  relation_to_domains = [
    for dom in each.value.epg_phydom_list != [] ? each.value.epg_phydom_list : [each.value.epg_phydom_old] : {
      target_dn = "uni/phys-${dom}"
    }
  ]
}

Debug Output

Panic Output

Expected Behavior

When modifying a single variable on the resource (for example, relation_to_domains), only the change to that variable should be reported in the terraform plan.

Actual Behavior

The terraform plan on the new resources is very "noisy", confusing the network operators and making it difficult to know what's actually being changed. Maybe this is a problem on my side? Should I specifically set all the objects to "null" to avoid this noisy behaviour? If so, this should be documented.

Example of ONLY changing relation_to_domains:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.tf-aci-tenantpol[0].aci_application_epg.EPG["B-NY-APP-NY-EPG"] will be updated in-place
  ~ resource "aci_application_epg" "EPG" {
      ~ application_profile_dn                 = "uni/tn-B/ap-NY-APP" -> (known after apply)
      ~ exception_tag                          = null -> (known after apply)
      ~ flood_on_encap                         = "disabled" -> (known after apply)
      ~ fwd_ctrl                               = "none" -> (known after apply)
      ~ has_mcast_source                       = "no" -> (known after apply)
        id                                     = "uni/tn-B/ap-NY-APP/epg-NY-EPG"
      ~ is_attr_based_epg                      = "no" -> (known after apply)
      ~ match_t                                = "AtleastOne" -> (known after apply)
        name                                   = "NY-EPG"
      ~ pc_enf_pref                            = "unenforced" -> (known after apply)
      ~ pc_tag                                 = "16388" -> (known after apply)
      ~ pref_gr_memb                           = "exclude" -> (known after apply)
      ~ prio                                   = "unspecified" -> (known after apply)
      + relation_fv_rs_aepg_mon_pol            = (known after apply)
      ~ relation_fv_rs_bd                      = "uni/tn-B/BD-0011-BD" -> (known after apply)
      ~ relation_fv_rs_cons                    = [] -> (known after apply)
      ~ relation_fv_rs_cons_if                 = [] -> (known after apply)
      ~ relation_fv_rs_cust_qos_pol            = "uni/tn-common/qoscustom-default" -> (known after apply)
      + relation_fv_rs_dpp_pol                 = (known after apply)
      ~ relation_fv_rs_fc_path_att             = [] -> (known after apply)
      ~ relation_fv_rs_intra_epg               = [] -> (known after apply)
      ~ relation_fv_rs_prot_by                 = [] -> (known after apply)
      ~ relation_fv_rs_prov                    = [] -> (known after apply)
      ~ relation_fv_rs_sec_inherited           = [] -> (known after apply)
      + relation_fv_rs_trust_ctrl              = (known after apply)
      ~ relation_to_domains                    = [
          - {
              - annotation                    = "orchestrator:terraform" -> null
              - annotations                   = [] -> null
              - binding_type                  = "none" -> null
              - class_preference              = "encap" -> null
              - deployment_immediacy          = "lazy" -> null
              - enable_netflow                = "disabled" -> null
              - encapsulation                 = "unknown" -> null
              - encapsulation_mode            = "auto" -> null
              - epg_cos                       = "Cos0" -> null
              - epg_cos_pref                  = "disabled" -> null
              - ipam_dhcp_override            = "0.0.0.0" -> null
              - ipam_enabled                  = "no" -> null
              - ipam_gateway                  = "0.0.0.0" -> null
              - netflow_direction             = "both" -> null
              - number_of_ports               = "0" -> null
              - port_allocation               = "none" -> null
              - primary_encapsulation         = "unknown" -> null
              - primary_encapsulation_inner   = "unknown" -> null
              - resolution_immediacy          = "lazy" -> null
              - secondary_encapsulation_inner = "unknown" -> null
              - switching_mode                = "native" -> null
              - tags                          = [] -> null
              - target_dn                     = "uni/phys-testphydomTEST" -> null
              - untagged                      = "no" -> null
                # (3 unchanged attributes hidden)
            },
            # (1 unchanged element hidden)
        ]
      ~ scope                                  = "2228225" -> (known after apply)
      ~ shutdown                               = "no" -> (known after apply)
        tags                                   = []
        # (32 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to Reproduce

Create an aci_application_epg, do not set all variables
Apply
Do a change on relation_to_domains
Next terraform plan shows too many "known after apply" and + variables, when none of this was changed.

Important Factoids

References

  • #0000
@akinross
Collaborator

Hi @edudppaz,

This is unfortunately a downside of the migration which we are currently going through, see the guides documentation here: https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/guides/migration

In order to provide backward compatibility for the legacy attributes in the migrated resource, we made the decision to deprecate but still expose the legacy attributes in the schema. This allows users to have a transition period to migrate their terraform configuration files into the redefined attributes.

For the redefined attributes we made the decision to suppress the (known after apply) attributes by using the value used in state. For the legacy attributes this is a bigger challenge because we cannot guarantee that we know the value that would be applied. If we suppressed this in a similar fashion, it could result in provider crashes where the planned value does not match the applied value in state.

Besides this, we also started exposing more read-only attributes (in the case of the EPG, the attributes scope and pc_tag), which will also show as known after apply on any change.

Do you think it is valuable to have some additional mention of this behaviour in the migration guide?

@edudppaz
Author

edudppaz commented May 22, 2025

Thank you very much for the quick answer @akinross. Yes, I think it should be mentioned in the migration guide, as this might (and will) scare some with all the "changes" being reported. (I did a pre-post diff to verify that nothing was changed and verified).
I think one of the main reasons for using terraform is to see the proposed changes before actually pushing, and if the tfplan is too chatty, then we don't actually know what's being changed or not. Maybe a comment on the guide that says:
"Due to changes on the provider code, legacy attributes might report "known after apply" when the resource is changed, this behaviour will go back to normal on later versions" or something along those lines.

I have noted this on my resources documentation for internal use :) Feel free to close the case. Thanks!

@akinross akinross added documentation jira-sync Sync this issue to Jira labels May 23, 2025
@github-actions github-actions bot changed the title "Noisy" terraform plan with new 2.16.0 resources "Noisy" terraform plan with new 2.16.0 resources (DCNE-427) May 23, 2025
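
One way to cut through the noise discussed in this thread, as an added example (not part of the issue and not the provider's code): the script reads the JSON form of a plan, separates attributes whose planned value is known and differs from state from those that are only "(known after apply)", and then checks the latter once the applied values are available, like the pre-post diff mentioned above. The sample plan is constructed from the output in the issue; `uni/phys-exampleDom`, `split_changes` and `unexpected_after_apply` are hypothetical names.

```python
# Added example: separate known changes from "(known after apply)" entries.
# Usage on real data: terraform show -json plan.out > plan.json
import json

ADDR = 'module.tf-aci-tenantpol[0].aci_application_epg.EPG["B-NY-APP-NY-EPG"]'
# Constructed sample shaped like `terraform show -json` output, cut down from
# the plan in this issue. "uni/phys-exampleDom" is a made-up domain name.
SAMPLE_PLAN = {"resource_changes": [{
    "address": ADDR,
    "change": {
        "actions": ["update"],
        "before": {"name": "NY-EPG", "flood_on_encap": "disabled", "pc_tag": "16388",
                   "relation_to_domains": [{"target_dn": "uni/phys-testphydomTEST"},
                                           {"target_dn": "uni/phys-exampleDom"}]},
        "after": {"name": "NY-EPG",
                  "relation_to_domains": [{"target_dn": "uni/phys-exampleDom"}]},
        "after_unknown": {"flood_on_encap": True, "pc_tag": True,
                          "relation_to_domains": [{}]},
    }}]}


def split_changes(plan):
    """Map each updated resource to its known changes and unknown attributes."""
    report = {}
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change["actions"] != ["update"]:
            continue  # creates, deletes and replaces get a full review anyway
        before = change.get("before") or {}
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        # Wholly unknown attributes are `true` in after_unknown and missing
        # from `after`; the CLI renders them as "(known after apply)".
        computed = sorted(k for k, v in unknown.items() if v is True)
        changed = {k: (before.get(k), after.get(k))
                   for k in sorted(before.keys() | after.keys())
                   if k not in computed and before.get(k) != after.get(k)}
        report[rc["address"]] = {"changed": changed, "known_after_apply": computed}
    return report


def unexpected_after_apply(entry, before, applied):
    """Known-after-apply attributes whose applied value differs from before."""
    return {k: (before.get(k), applied.get(k))
            for k in entry["known_after_apply"] if before.get(k) != applied.get(k)}


if __name__ == "__main__":
    print(json.dumps(split_changes(SAMPLE_PLAN), indent=2))
```

An empty result from `unexpected_after_apply` means the attributes shown as "(known after apply)" kept their previous values; anything it returns is a change the plan could not show in advance.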