mongodbatlas_project_ip_access_list Unexpected replacement of CIDR with IP address #1571

Closed
tatianaschaefer0815 opened this issue Oct 27, 2023 · 11 comments

@tatianaschaefer0815

tatianaschaefer0815 commented Oct 27, 2023

Terraform CLI and Terraform MongoDB Atlas Provider Version

terraform version v1.6.2
+ provider registry.terraform.io/mongodb/mongodbatlas v1.12.2

Terraform Configuration File

#main.tf
resource "mongodbatlas_project_ip_access_list" "ip_access" {
  for_each   = { for index, ip in var.ip-list : index => ip }
  project_id = data.mongodbatlas_project.project.id
  cidr_block = each.value.cidr
  comment    = each.value.description
}

#variables.tf
variable "ip-list" {
  type = list(object({
    cidr        = string
    description = string
  }))
}

#common.tvars
ip-list = [
  {
    cidr        = "xx.xx.xxx.xx/32"
    description = "xxx Campus"
  },
  {
    cidr        = "xx.xx.xxx.xx/28"
    description = "xxx Campus"
  }
]

Steps to Reproduce

- terraform init
- terraform plan

Expected Behavior

Plan result should be: No changes. Your infrastructure matches the configuration. (Tested with provider[registry.terraform.io/mongodb/mongodbatlas] 1.11.1)

Actual Behavior

Terraform will perform the following actions:

  mongodbatlas_project_ip_access_list.ip_access["0"] must be replaced

-/+ resource "mongodbatlas_project_ip_access_list" "ip_access" {
      + aws_security_group = (known after apply) # forces replacement
      ~ id                 = "xxxxxxxxxl" -> (known after apply)
      ~ ip_address         = "xx.xx.xxx.xx" # forces replacement -> (known after apply) # forces replacement
        # (3 unchanged attributes hidden)

      - timeouts {}
    }
@github-actions
Contributor

Thanks for opening this issue! Please make sure you've followed our guidelines when opening the issue. In short, to help us reproduce the issue we need:

  • Terraform configuration file used to reproduce the issue
  • Terraform log files from the run where the issue occurred
  • Terraform Atlas provider version used to reproduce the issue
  • Terraform version used to reproduce the issue
  • Confirmation if Terraform OSS, Terraform Cloud, or Terraform Enterprise deployment

The ticket INTMDB-1231 was created for internal tracking.

@emas80

emas80 commented Nov 1, 2023

I am having the same issue, any help would be appreciated

@andreaangiolillo andreaangiolillo added not_stale Not stale issue or PR bug labels Nov 6, 2023
@villers

villers commented Nov 8, 2023

I am having the same issue with Terraform, any help would be appreciated. I've noticed that this problem does not occur in version 1.11.1, but it does in 12.0.x. Here's the code snippet where the issue appears:

  # mongodbatlas_project_ip_access_list.mongodb-peering-gcp-whitelist-subnet_ip_primary_platform must be replaced
-/+ resource "mongodbatlas_project_ip_access_list" "mongodb-peering-gcp-whitelist-subnet_ip_primary_platform" {
      + aws_security_group = (known after apply) # forces replacement
      ~ id                 = "xxx" -> (known after apply)
      + ip_address         = (known after apply) # forces replacement
        # (3 unchanged attributes hidden)
      - timeouts {}
    }

Does anyone have insights on why this replacement is forced in the newer version?

@maastha
Collaborator

maastha commented Dec 1, 2023

Thanks @tatianaschaefer0815. I was not able to reproduce this issue. I tried creating the resource with 1.11.1 and then upgrading to 1.12.0.

I'd request you to please share the resource config from the state file before and after upgrading as that will help us understand what differs. We will investigate this further.

For now, I can recommend a workaround: remove the resource from the state using tf state rm [affected resource] and then re-import it.

@marcosuma
Collaborator

@villers @emas80 @tatianaschaefer0815 can anybody share more details about your own plan and full list of actions to reproduce the issue?

This is what I tried and I wasn't able to replicate:

# main.tf
resource "mongodbatlas_project_ip_access_list" "ip_access" {
  for_each   = { for index, ip in var.ip-list : index => ip }
  project_id = "64ec3d7ec2aa06026a76d683"
  cidr_block = each.value.cidr
  comment    = each.value.description
}

# variables.tf
variable "ip-list" {
  type = list(object({
    cidr        = string
    description = string
  }))
}

# versions.tf
terraform {
  required_providers {
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = "1.12.2"
    }
  }
  required_version = "= 1.6.2"
}

# common.tfvars
ip-list = [
  {
    cidr        = "192.168.0.1/32"
    description = "A"
  },
  {
    cidr        = "192.168.1.1/32"
    description = "B"
  }
]

  1. terraform apply -var-file common.tfvars
  2. Operation successful: Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
  3. Run again terraform apply -var-file common.tfvars
  4. No matches found:
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Marking this stale for now so it will auto-close in 7 days if we don't receive any other information.

@marcosuma marcosuma added stale and removed not_stale Not stale issue or PR labels Dec 5, 2023
@tatianaschaefer0815
Author

Hello @marcosuma, @maastha
here is the state created with version 1.11.1

{
  "mode": "managed",
  "type": "mongodbatlas_project_ip_access_list",
  "name": "ip_access",
  "provider": "provider[\"registry.terraform.io/mongodb/mongodbatlas\"]",
  "instances": [
    {
      "index_key": "0",
      "schema_version": 0,
      "attributes": {
        "aws_security_group": "",
        "cidr_block": "xx.xx.196.90/32",
        "comment": "Campus",
        "id": "ZW50cnk=:ODAuODUuMTk2LjkwLzMy-cHJvamVjdF9pZA==:NWFhNjkxODkwYmQ2NmI1ODQ1YWYyYTBl",
        "ip_address": "xx.xx.196.90",
        "project_id": "5aa691890bd66b5845af2a0e",
        "timeouts": {
          "delete": null,
          "read": null
        }
      },
      "sensitive_attributes": [],
      "private": "some private info",
      "dependencies": [
        "data.mongodbatlas_project.project"
      ]
    },
    {
      "index_key": "1",
      "schema_version": 0,
      "attributes": {
        "aws_security_group": "",
        "cidr_block": "xx.xx.196.16/28",
        "comment": "Campus",
        "id": "ZW50cnk=:ODAuODUuMTk2LjE2LzI4-cHJvamVjdF9pZA==:NWFhNjkxODkwYmQ2NmI1ODQ1YWYyYTBl",
        "ip_address": "",
        "project_id": "5aa691890bd66b5845af2a0e",
        "timeouts": {
          "delete": null,
          "read": null
        }
      },
      "sensitive_attributes": [],
      "private": "some private info",
      "dependencies": [
        "data.mongodbatlas_project.project"
      ]
    },
    {
      "index_key": "2",
      "schema_version": 0,
      "attributes": {
        "aws_security_group": "",
        "cidr_block": "xx.xx.196.32/29",
        "comment": "Campus",
        "id": "ZW50cnk=:ODAuODUuMTk2LjMyLzI5-cHJvamVjdF9pZA==:NWFhNjkxODkwYmQ2NmI1ODQ1YWYyYTBl",
        "ip_address": "",
        "project_id": "5aa691890bd66b5845af2a0e",
        "timeouts": {
          "delete": null,
          "read": null
        }
      },
      "sensitive_attributes": [],
      "private": "some private info",
      "dependencies": [
        "data.mongodbatlas_project.project"
      ]
    }
  ]
}

and what I get after

  • terraform init
  • terraform plan
Providers required by configuration:
.
└── provider[registry.terraform.io/mongodb/mongodbatlas] 1.12.2

Providers required by state:

    provider[registry.terraform.io/mongodb/mongodbatlas]

data.mongodbatlas_project.project: Reading...
data.mongodbatlas_project.project: Read complete after 2s [id=5aa691890bd66b5845af2a0e]
mongodbatlas_project_ip_access_list.ip_access["0"]: Refreshing state... [id=ZW50cnk=:ODAuODUuMTk2LjkwLzMy-cHJvamVjdF9pZA==:NWFhNjkxODkwYmQ2NmI1ODQ1YWYyYTBl]
mongodbatlas_project_ip_access_list.ip_access["2"]: Refreshing state... [id=ZW50cnk=:ODAuODUuMTk2LjMyLzI5-cHJvamVjdF9pZA==:NWFhNjkxODkwYmQ2NmI1ODQ1YWYyYTBl]
mongodbatlas_project_ip_access_list.ip_access["1"]: Refreshing state... [id=ZW50cnk=:ODAuODUuMTk2LjE2LzI4-cHJvamVjdF9pZA==:NWFhNjkxODkwYmQ2NmI1ODQ1YWYyYTBl]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # mongodbatlas_project_ip_access_list.ip_access["0"] must be replaced
-/+ resource "mongodbatlas_project_ip_access_list" "ip_access" {
      + aws_security_group = (known after apply) # forces replacement
      ~ id                 = "ZW50cnk=:ODAuODUuMTk2LjkwLzMy-cHJvamVjdF9pZA==:NWFhNjkxODkwYmQ2NmI1ODQ1YWYyYTBl" -> (known after apply)
      ~ ip_address         = "xx.xx.196.90" # forces replacement -> (known after apply) # forces replacement
        # (3 unchanged attributes hidden)

      - timeouts {}
    }

  # mongodbatlas_project_ip_access_list.ip_access["1"] must be replaced
-/+ resource "mongodbatlas_project_ip_access_list" "ip_access" {
      + aws_security_group = (known after apply) # forces replacement
      ~ id                 = "ZW50cnk=:ODAuODUuMTk2LjE2LzI4-cHJvamVjdF9pZA==:NWFhNjkxODkwYmQ2NmI1ODQ1YWYyYTBl" -> (known after apply)
      + ip_address         = (known after apply) # forces replacement
        # (3 unchanged attributes hidden)

      - timeouts {}
    }

  # mongodbatlas_project_ip_access_list.ip_access["2"] must be replaced
-/+ resource "mongodbatlas_project_ip_access_list" "ip_access" {
      + aws_security_group = (known after apply) # forces replacement
      ~ id                 = "ZW50cnk=:ODAuODUuMTk2LjMyLzI5-cHJvamVjdF9pZA==:NWFhNjkxODkwYmQ2NmI1ODQ1YWYyYTBl" -> (known after apply)
      + ip_address         = (known after apply) # forces replacement
        # (3 unchanged attributes hidden)

      - timeouts {}
    }

Plan: 3 to add, 0 to change, 3 to destroy.

In your example you use a single-host CIDR, "192.168.0.1/32". Can you please retry with something like this: 192.168.196.16/28?
Unfortunately I can't give you the state after because I don't necessarily want to recreate the resources.
My question is: What value should the ip_address property be set to for non-single-host CIDR?

@github-actions github-actions bot removed the stale label Dec 7, 2023
Contributor

This issue has gone 7 days without any activity and meets the project’s definition of "stale". This will be auto-closed if there is no new activity over the next 7 days. If the issue is still relevant and active, you can simply comment with a "bump" to keep it open, or add the label "not_stale". Thanks for keeping our repository healthy!

@github-actions github-actions bot added the stale label Dec 12, 2023
@tatianaschaefer0815
Author

tatianaschaefer0815 commented Dec 12, 2023

Ping, see my comment above

@github-actions github-actions bot removed the stale label Dec 13, 2023
Contributor

This issue has gone 7 days without any activity and meets the project’s definition of "stale". This will be auto-closed if there is no new activity over the next 7 days. If the issue is still relevant and active, you can simply comment with a "bump" to keep it open, or add the label "not_stale". Thanks for keeping our repository healthy!

@github-actions github-actions bot added the stale label Dec 18, 2023
@marcosuma marcosuma added not_stale Not stale issue or PR and removed stale labels Dec 18, 2023
@marcosuma
Collaborator

marcosuma commented Dec 18, 2023

@tatianaschaefer0815 I am afraid I still can't reproduce it.

terraform apply -var-file common.tfvars
mongodbatlas_project_ip_access_list.ip_access["1"]: Refreshing state... [id=ZW50cnk=:MTkyLjE2OC4xOTYuMTYvMjg=-cHJvamVjdF9pZA==:NjRlYzNkN2VjMmFhMDYwMjZhNzZkNjgz]
mongodbatlas_project_ip_access_list.ip_access["0"]: Refreshing state... [id=ZW50cnk=:MTkyLjE2OC4wLjEvMzI=-cHJvamVjdF9pZA==:NjRlYzNkN2VjMmFhMDYwMjZhNzZkNjgz]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

I've tried with the IP address you mentioned.
What really helps, as we mentioned when you created the issue, is to have the exact steps with the exact relevant script that you've used. Without that, I am afraid it takes way longer, with back and forth, to figure out how we can help.

> My question is: What value should the ip_address property be set to for non-single-host CIDR?

May I ask how this is related to the TF issue raised here?

Last question: have you tried to upgrade to the latest provider version 1.13.x? Are you still getting a non-empty plan?

@marcosuma marcosuma added stale and removed not_stale Not stale issue or PR labels Dec 18, 2023
@Evesy

Evesy commented Dec 20, 2023

@marcosuma I don't have exact reproduction steps; our TF has been around for years, so I'm not sure in which versions certain fields were added to being tracked by state, etc.

Here's a copy of the current state for one of our project whitelists:

{
    "resources": [
        {
            "module": "module.mongodb-atlas",
            "mode": "managed",
            "type": "mongodbatlas_project_ip_access_list",
            "name": "ip_whitelist",
            "provider": "provider[\"registry.terraform.io/hashicorp/mongodbatlas\"]",
            "instances": [
                {
                    "index_key": "omnienv-ngw-west4c",
                    "schema_version": 0,
                    "attributes": {
                        "aws_security_group": "",
                        "cidr_block": "35.204.68.43/32",
                        "comment": "GCP Omnienv Europe-West4-c NAT",
                        "id": "ZW50cnk=:MzUuMjA0LjY4LjQzLzMy-cHJvamVjdF9pZA==:NWI5YjgyYzkzYjM0Yjk3M2ZkZWFlNmVm",
                        "ip_address": "35.204.68.43",
                        "project_id": "<redacted>",
                        "timeouts": {
                            "delete": null,
                            "read": null
                        }
                    },
                    "sensitive_attributes": [],
                    "private": "<redacted>",
                    "dependencies": [
                        "module.mongodb-atlas.mongodbatlas_project.platform_project"
                    ]
                }
            ]
        }
    ]
}

I suspect the bug was introduced as part of #1411. Both aws_security_group and ip_address should be computed (and not relevant), as the resource in question is using cidr_block instead of those two alternatives.

Here's a before and after of one that I removed from the state and then reimported on 1.12:

        {
          "index_key": "testing-ngw-west4c",
          "schema_version": 0,
          "attributes": {
            "aws_security_group": "",
            "cidr_block": "35.204.74.199/32",
            "comment": "testing nat-gw-euwest4-c",
            "id": "ZW50cnk=:MzUuMjA0Ljc0LjE5OS8zMg==-cHJvamVjdF9pZA==:NWI5YjgxNWI0ZTY1ODE1ZTA2ODg0MDMx",
            "ip_address": "35.204.74.199",
            "project_id": "<redacted>",
            "timeouts": {
              "delete": null,
              "read": null
            }
          },
          "sensitive_attributes": [],
          "private": "<redacted>",
          "dependencies": [
            "module.mongodb-atlas.mongodbatlas_project.platform_project"
          ]
        }
        {
          "index_key": "testing-ngw-west4c",
          "schema_version": 0,
          "attributes": {
            "aws_security_group": "",
            "cidr_block": "35.204.74.199/32",
            "comment": "testing nat-gw-euwest4-c",
            "id": "ZW50cnk=:MzUuMjA0Ljc0LjE5OS8zMg==-cHJvamVjdF9pZA==:NWI5YjgxNWI0ZTY1ODE1ZTA2ODg0MDMx",
            "ip_address": "35.204.74.199",
            "project_id": "<redacted>",
            "timeouts": null
          },
          "sensitive_attributes": []
        }
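
A pre-apply guard for the situation discussed in this thread, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and reports `mongodbatlas_project_ip_access_list` entries that would be destroyed and recreated although `cidr_block` is unchanged. The sample plan, its addresses and the function name are constructed for illustration.

```python
import json
import sys

WATCHED_TYPE = "mongodbatlas_project_ip_access_list"

# Constructed sample shaped like `terraform show -json <planfile>` output,
# modelled on the plans in this thread; CIDRs are documentation ranges.
SAMPLE_PLAN = {"resource_changes": [
    {"address": 'mongodbatlas_project_ip_access_list.ip_access["0"]',
     "type": WATCHED_TYPE,
     "change": {"actions": ["delete", "create"],
                "before": {"cidr_block": "192.0.2.16/28", "ip_address": ""},
                "after": {"cidr_block": "192.0.2.16/28"},
                "replace_paths": [["aws_security_group"], ["ip_address"]]}},
    {"address": 'mongodbatlas_project_ip_access_list.ip_access["1"]',
     "type": WATCHED_TYPE,
     "change": {"actions": ["delete", "create"],
                "before": {"cidr_block": "198.51.100.7/32"},
                "after": {"cidr_block": "198.51.100.0/24"},
                "replace_paths": [["cidr_block"]]}},
    {"address": 'mongodbatlas_project_ip_access_list.ip_access["2"]',
     "type": WATCHED_TYPE,
     "change": {"actions": ["no-op"],
                "before": {"cidr_block": "203.0.113.0/29"},
                "after": {"cidr_block": "203.0.113.0/29"}}},
]}

def spurious_replacements(plan):
    """Access-list entries planned for replacement with an unchanged cidr_block."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("type") != WATCHED_TYPE:
            continue
        if "delete" not in actions or "create" not in actions:
            continue  # not a replacement
        before = change.get("before") or {}
        after = change.get("after") or {}
        if before.get("cidr_block") != after.get("cidr_block"):
            continue  # the allowed range really changes; an intended edit
        forced = [".".join(map(str, p)) for p in change.get("replace_paths", [])]
        findings.append({"address": rc["address"],
                         "cidr_block": before.get("cidr_block"),
                         "forced_by": forced})
    return findings

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = spurious_replacements(plan)
    for h in hits:
        print(f"{h['address']}: replace of {h['cidr_block']} forced by {h['forced_by']}")
    sys.exit(1 if hits else 0)
```

Run it in CI against the output of `terraform plan -out=<planfile>` followed by `terraform show -json <planfile>`; a non-zero exit stops the pipeline before the apply step.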
