oci_core_security_list rule ordering

Open steve-gray opened this issue 2 years ago • 10 comments

When creating an oci_core_security_list, the resource appears sensitive to the ordering of the rules. Each time I run the plan in terraform, I get a change operation that removes and re-adds the various rules pointlessly.

Whilst it's possible to re-arrange the plan to align to the order it prefers, it seems pretty moot and fragile to do it - and temporarily removing access/re-adding it seems inherently disruptive.

steve-gray avatar Mar 13 '23 00:03 steve-gray

Hi @steve-gray, thanks for reporting this issue. If possible, can you share the config file to debug it further? I used https://github.com/oracle/terraform-provider-oci/blob/master/examples/always_free/main.tf to re-create this issue but I do not see a diff in the terraform plan output.

sagarp337 avatar Mar 13 '23 18:03 sagarp337

Thank you for reporting the issue. We have raised an internal ticket to track this. Our service engineers will get back to you.

ravinitp avatar Mar 16 '23 14:03 ravinitp

Hey @sagarp337 - Unfortunately I can't share our specific configuration, but what I can advise is:

  • Modify the demo list so that there are at least 8 rules in the list for both ingress and egress. You can just make up random addresses/ports on the rules.

I believe the issue is probably related to Go's randomisation behaviour, and so because that demo list only has one rule for egress and only a few for the ingress, it's probably not enough records for it to kick in and start randomising. It might be because something internally is using a map.

steve-gray avatar Mar 17 '23 00:03 steve-gray

@ravinitp - Found the issue. The "all" is case sensitive in the protocol type, so if you set protocols "ALL", it gets replaced with "all" each time, and the OCI APIs permit both but consistently report back "all". This means terraform does a pointless state cycle each time. I think you can avoid this by lowercasing the input to prevent the mutation (you can't enforce one case or the other now, as I imagine lots of people have this in their configs).

steve-gray avatar Mar 18 '23 00:03 steve-gray
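The no-op diff discussed in this thread, as an added Go sketch that is not the provider's code: a byte-for-byte, position-by-position comparison flags drift when only the protocol casing or the rule order differs, while a canonical comparison stays quiet yet still catches a real change such as a widened source CIDR. The `Rule` type, the function names and the sample rules are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// Rule is a simplified, hypothetical stand-in for one security list rule.
type Rule struct {
	Protocol string // "all", "6" (TCP), "17" (UDP)
	Source   string // CIDR
	Port     int    // 0 means any port
}

// Constructed sample data: the config says "ALL"; the API reports "all" and
// returns the rules in a different order.
var (
	Config = []Rule{{"ALL", "10.0.0.0/16", 0}, {"6", "192.0.2.0/24", 22}}
	Remote = []Rule{{"6", "192.0.2.0/24", 22}, {"all", "10.0.0.0/16", 0}}
)

// canonical folds protocol case and sorts, so neither the casing nor the
// position of a rule affects the comparison. Duplicate rules are preserved.
func canonical(rules []Rule) string {
	keys := make([]string, 0, len(rules))
	for _, r := range rules {
		keys = append(keys, fmt.Sprintf("%s|%s|%d", strings.ToLower(r.Protocol), r.Source, r.Port))
	}
	sort.Strings(keys)
	return strings.Join(keys, "\n")
}

// NaiveDrift compares position by position and byte for byte: the behaviour
// that produces a remove/re-add on every plan.
func NaiveDrift(cfg, remote []Rule) bool { return !reflect.DeepEqual(cfg, remote) }

// RealDrift reports a change only when the rule sets differ in meaning.
func RealDrift(cfg, remote []Rule) bool { return canonical(cfg) != canonical(remote) }

func main() {
	fmt.Println("naive drift:", NaiveDrift(Config, Remote))
	fmt.Println("real drift: ", RealDrift(Config, Remote))
	// Constructed "after" state in which the SSH rule was opened to the internet.
	widened := []Rule{{"6", "0.0.0.0/0", 22}, {"all", "10.0.0.0/16", 0}}
	fmt.Println("widened CIDR:", RealDrift(Config, widened))
}
```

A plan that churns on every run trains reviewers to skim security list diffs, which is how a genuinely widened rule gets approved unnoticed.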

Thank you for reporting the issue. We have raised an internal ticket to track this. Our service engineers will get back to you.

ravinitp avatar Mar 29 '23 12:03 ravinitp