
tailscale/resource_acl: relax policy validation during plan steps

Open mcoulombe opened this issue 2 months ago • 3 comments

What this PR does / why we need it:

Some resources like SCIM groups can be created and added as a reference to the policy file in the same run. The eager validation causes otherwise valid runs to fail at the plan step because the references do not exist yet.

We are relaxing the plan validation logic to avoid such false positives. The full validation results are still available in debug logs in case this is useful. Note that the validation is done in full during an apply before the policy file is changed, so this does not bypass the full breadth of validations taking place before the policy is modified.

Which issue this PR fixes (use fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged):

Fixes #546

Example of a validation error for a failed test in the debug logs:

2025-10-03T14:07:54.620-0400 [DEBUG] provider.terraform-provider-tailscale: ACL validation unsuccessful due to advisory error: tf_resource_type=tailscale_acl tf_rpc=PlanResourceChange @module=provider tf_provider_addr=provider error="ACL validation failed: test(s) failed; [{[email protected] [[acl test error]: address \"1.2.3.4:80\" (protocol \"tcp\"): want: Drop, got: Accept]}]" tf_req_id=4a4b79ad-9fb5-fe55-1ab8-961f4e20b4af @caller=/Users/maxc/Documents/projects/terraform-provider-tailscale/tailscale/resource_acl.go:54 timestamp=2025-10-03T14:07:54.620-0400

Resulting apply if the user ignores or does not check the validation logs before an apply:

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

tailscale_acl.as_hujson: Modifying... [id=acl]
╷
│ Error: Failed to set ACL
│ 
│   with tailscale_acl.as_hujson,
│   on main.tf line 15, in resource "tailscale_acl" "as_hujson":
│   15: resource "tailscale_acl" "as_hujson" {
│ 
│ test(s) failed (400)
╵
╷
│ Error: user: [email protected]
│ error: [acl test error]: address "1.2.3.4:80" (protocol "tcp"): want: Drop, got: Accept
│ 
│   with tailscale_acl.as_hujson,
│   on main.tf line 15, in resource "tailscale_acl" "as_hujson":
│   15: resource "tailscale_acl" "as_hujson" {
│ 
╵

mcoulombe, Oct 03 '25 18:10
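To make the plan-versus-apply behaviour in the description concrete, here is an added Go sketch. It is not the provider's code (the real change lives in tailscale/resource_acl.go and is not shown on this page): the `Step` type, `validatePolicy`, `fakeValidate` and the substring match on "test(s) failed" are all assumptions made for this example, and the message match stands in for the error codes the thread later says the validate endpoint will eventually return. The constructed policy and group set are sample data.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"strings"
)

// Step is the Terraform lifecycle phase in which validation runs (assumed type).
type Step int

const (
	PlanStep Step = iota
	ApplyStep
)

// ValidationResult separates hard failures from advisory findings.
type ValidationResult struct {
	HardErr  error    // blocks the current step
	Advisory []string // surfaced in debug logs only
}

// validateFn stands in for the call to the ACL validate endpoint.
type validateFn func(policy string) error

// isTestFailure matches the error class treated as advisory at plan time:
// ACL test failures, which can be false positives when a referenced resource
// (e.g. a SCIM group) is created later in the same run. Matching on the
// message text is an interim approach assumed for this example.
func isTestFailure(err error) bool {
	return err != nil && strings.Contains(err.Error(), "test(s) failed")
}

// validatePolicy applies step-dependent strictness: at plan, test failures
// are demoted to advisories; at apply, every error is hard and blocks the write.
func validatePolicy(step Step, validate validateFn, policy string) ValidationResult {
	err := validate(policy)
	if err == nil {
		return ValidationResult{}
	}
	if step == PlanStep && isTestFailure(err) {
		return ValidationResult{Advisory: []string{err.Error()}}
	}
	return ValidationResult{HardErr: err}
}

// fakeValidate is a constructed stand-in for the control plane: malformed
// policies are a hard syntax error, and a policy that references a group the
// control plane does not know yet fails its ACL tests.
func fakeValidate(knownGroups map[string]bool) validateFn {
	return func(policy string) error {
		if !strings.HasPrefix(strings.TrimSpace(policy), "{") {
			return errors.New("ACL validation failed: syntax error")
		}
		for _, g := range []string{"group:engineering", "group:scim-new"} {
			if strings.Contains(policy, g) && !knownGroups[g] {
				return fmt.Errorf("ACL validation failed: test(s) failed; unknown %s", g)
			}
		}
		return nil
	}
}

func main() {
	// Constructed sample: the policy references a group created in the same run.
	policy := `{"acls":[{"action":"accept","src":["group:scim-new"],"dst":["*:*"]}]}`
	before := fakeValidate(map[string]bool{"group:engineering": true})
	after := fakeValidate(map[string]bool{"group:engineering": true, "group:scim-new": true})

	// Plan: the test failure is logged as advisory and the plan proceeds.
	res := validatePolicy(PlanStep, before, policy)
	for _, a := range res.Advisory {
		log.Printf("[DEBUG] ACL validation unsuccessful due to advisory error: %s", a)
	}
	fmt.Println("plan blocked:", res.HardErr != nil)

	// Apply: full validation runs again before the policy is written.
	fmt.Println("apply blocked, group still missing:", validatePolicy(ApplyStep, before, policy).HardErr != nil)
	fmt.Println("apply blocked, group now exists:", validatePolicy(ApplyStep, after, policy).HardErr != nil)
}
```

The point to keep in mind when reviewing plans under this behaviour is the last line of the description above: a demoted test failure never reaches the control plane as a policy change, because the apply step validates in full and fails exactly as the pasted `Failed to set ACL` output shows when the reference still does not resolve.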

@mcoulombe Should we just close this one?

oxtoacart, Oct 10 '25 20:10

@mcoulombe Should we just close this one?

Once I'm done with the WIF work, my plan is to add error codes on the validate endpoint and use that code here instead of the error message format. It seems reasonable to me to update this PR once the BE is ready instead of opening a new one.

mcoulombe, Oct 10 '25 20:10

Converting to draft since it requires downstream BE changes and has been a bit deprioritized to get some internal projects over the finish line. I'll come back to it as soon as possible.

mcoulombe, Oct 14 '25 18:10