
Terraform Provider doesn't Compare Strings to validate there is a change

Open · blkistsg opened this issue 5 years ago · 1 comment

If I change a static string to a resource path that passes the static string, it doesn't evaluate and see it's the same, and instead wants to make a change.

Old Code:

aws_vpn_wan2 = {
  tunnel_name   = "aws-vpn-wan2"
  interface     = "wan2"
  psksecret     = "XXXXXXXXX"
  nat_traversal = "forced"
  external_ip   = { hub = "X.X.X.X", spoke = "Y.Y.Y.Y" }
  tunnel_ip     = { hub = "169.254.255.3 255.255.255.255", spoke = "169.254.255.4 255.255.255.255" }
}

New Code:

aws_vpn_wan2 = {
  tunnel_name   = "aws-vpn-wan2"
  interface     = "wan2"
  psksecret     = data.aws_secretsmanager_secret_version.aws_hq_key.secret_string
  nat_traversal = "forced"
  external_ip   = { hub = "X.X.X.X", spoke = "Y.Y.Y.Y" }
  tunnel_ip     = { hub = "169.254.255.3 255.255.255.255", spoke = "169.254.255.4 255.255.255.255" }
}

blkistsg, Oct 19 '20 20:10

@blkistsg Thanks for raising this issue. I was not able to reproduce it; I don't know whether the following steps match the problem you encountered:

Old Code:

# cat maintst.tf
provider "fortios" {
  hostname = "192.168.52.177"
  token    = "GNH7r40H65GNb46kd4rG8rtrmn0fr1"
  insecure = "true"
}

resource "null_resource" "dependency" {
  triggers = {
    secret_string = "XXXXXXfdasfdsaX"
  }
}

resource "fortios_vpnipsec_phase1interface" "vpn_hq_wan1" {
  name = "vpn-hq-wan1"
  interface = "port1"
  ike_version = "2"
  peertype = "any"
  proposal = "aes256-sha256"
  dhgrp = "21"
  local_gw = "1.1.1.1"
  net_device = "disable"
  remote_gw = "2.2.2.2"
  psksecret = "XXXXXXfdasfdsaX"
  nattraversal = "enable"
}

Then execute Terraform apply:

# terraform apply
2020/10/21 00:53:51 [WARN] Log levels other than TRACE are currently unreliable, and are supported only for backward compatibility.
  Use TF_LOG=TRACE to see Terraform's internal logs.
  ----

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # fortios_vpnipsec_phase1interface.vpn_hq_wan1 will be created
  + resource "fortios_vpnipsec_phase1interface" "vpn_hq_wan1" {
      + acct_verify               = (known after apply)
      + add_gw_route              = (known after apply)
      ......................
      + tunnel_search             = (known after apply)
      + type                      = (known after apply)
      + unity_support             = (known after apply)
      + usrgrp                    = (known after apply)
      + vni                       = (known after apply)
      + wizard_type               = (known after apply)
      + xauthtype                 = (known after apply)
    }

  # null_resource.dependency will be created
  + resource "null_resource" "dependency" {
      + id       = (known after apply)
      + triggers = {
          + "secret_string" = "XXXXXXfdasfdsaX"
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

null_resource.dependency: Creating...
null_resource.dependency: Creation complete after 0s [id=2778060842245989055]
fortios_vpnipsec_phase1interface.vpn_hq_wan1: Creating...
fortios_vpnipsec_phase1interface.vpn_hq_wan1: Creation complete after 0s [id=vpn-hq-wan1]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

New Code:

resource "null_resource" "dependency" {
  triggers = {
    secret_string = "XXXXXXfdasfdsaX"
  }
}

resource "fortios_vpnipsec_phase1interface" "vpn_hq_wan1" {
  name = "vpn-hq-wan1"
  interface = "port1"
  ike_version = "2"
  peertype = "any"
  proposal = "aes256-sha256"
  dhgrp = "21"
  local_gw = "1.1.1.1"
  net_device = "disable"
  remote_gw = "2.2.2.2"
  psksecret = null_resource.dependency.triggers.secret_string
  nattraversal = "enable"
}

Then execute Terraform plan:

# terraform plan
2020/10/21 00:59:47 [WARN] Log levels other than TRACE are currently unreliable, and are supported only for backward compatibility.
  Use TF_LOG=TRACE to see Terraform's internal logs.
  ----
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

null_resource.dependency: Refreshing state... [id=7448170198171046464]
fortios_vpnipsec_phase1interface.vpn_hq_wan1: Refreshing state... [id=vpn-hq-wan1]

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

We can see that Terraform has detected that the psksecret in the new code is the same as the psksecret in the old code. Can you please re-check whether the static value of psksecret is the same as data.aws_secretsmanager_secret_version.aws_hq_key.secret_string? Since psksecret is sensitive, we can also use `cat terraform.tfstate` to view its real value (after terraform apply). Let me know if you need anything else. Thank you!

frankshen01, Oct 20 '20 17:10
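A way to answer the maintainer's "re-check whether the values are the same" question without echoing the secret, as an added example that is not part of this issue or of the fortios provider: it parses the JSON that `terraform show -json <planfile>` produces, lists the attributes that actually differ for each planned update, and for attributes Terraform marks sensitive reports only length and whitespace hints. The embedded plan is a constructed sample in which the secret store returned the key with a trailing newline, a hypothetical cause of a literal and a data-source value that look identical but are not.

```python
import json

# Constructed sample of `terraform show -json <planfile>` output (not real plan
# output): psksecret was a literal before; now it comes from a secret store that
# returned it with a trailing newline, so Terraform plans an update.
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "fortios_vpnipsec_phase1interface.vpn_hq_wan1",
    "change": {
        "actions": ["update"],
        "before": {"name": "vpn-hq-wan1", "interface": "port1", "psksecret": "XXXXXXXXX"},
        "after": {"name": "vpn-hq-wan1", "interface": "port1", "psksecret": "XXXXXXXXX\n"},
        "before_sensitive": {"psksecret": True},
        "after_sensitive": {"psksecret": True},
    },
}]})

def describe(value):
    """Describe a value without revealing it: length plus whitespace hints."""
    if not isinstance(value, str):
        return repr(value)
    hints = []
    if value != value.strip():
        hints.append("has leading/trailing whitespace")
    if value.endswith("\n"):
        hints.append("ends with newline")
    return f"<{len(value)} chars{'; ' + ', '.join(hints) if hints else ''}>"

def changed_attributes(plan_json):
    """Map resource address -> {attr: (before, after)} for planned updates.
    Attributes Terraform marks sensitive are described, not echoed."""
    result = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if "update" not in change["actions"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        sensitive = set(change.get("before_sensitive") or {}) | set(change.get("after_sensitive") or {})
        diffs = {}
        for key in sorted(set(before) | set(after)):
            b, a = before.get(key), after.get(key)
            if b != a:
                diffs[key] = (describe(b), describe(a)) if key in sensitive else (b, a)
        if diffs:
            result[rc["address"]] = diffs
    return result

if __name__ == "__main__":
    for address, diffs in changed_attributes(SAMPLE_PLAN).items():
        for attr, (b, a) in diffs.items():
            print(f"{address}: {attr}: {b} -> {a}")
```

Against a real plan, run `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `changed_attributes`; an entry showing only psksecret with differing lengths points at the secret's stored value rather than at provider diffing.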

I will go ahead and close this case; if you still have questions, feel free to reopen it or open another case.

MaxxLiu22, Jul 07 '23 20:07