[Bug] : hcloud_server firewall_ids removed only when set to empty array

[nomorepanic]

What happened?

When an hcloud_server resource has firewall_ids set, and firewall_ids is later removed no changes are made.

Oddly, when firewall_ids is set to an empty array, firewalls are detached.

Ran with hcloud v1.48.1 on tofu 1.8.1

What did you expect to happen?

Removing the firewall_ids field should detach firewalls from the server.

Please provide a minimal working example

Example:

hcloud_server "myserver" {
   ....
   firewall_ids = [myfirewall.id]
}

Plan & apply, then remove firewall_ids:

hcloud_server "myserver" {
   ....
}

applywill find no differences.

[jooola]

I believe this behavior is somewhat expected, we only want to manage the firewalls attached to the server if they are defined.

This is because we also manage firewall attachment using the hcloud_firewall_attachement resource, and it does not work well if the server removes the firewalls when firewall_ids is not defined.

We could check the previous state to detect that the attribute has been removed, but this might only be supported in the plugin framework. So we will probably tackle this once we migrated the firewall resources to the plugin framework (see #752).

I recommend only using the firewall_attachement resource (https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall_attachment)

[mkarg]

Please support the use case described in the original descirption, as it is counter-intuitive that this will attach a firewall but not detach it in turn. Thanks.

[github-actions[bot]]

This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.