Inconsistent result when creating cloudstack_firewall #115

mwaag · 2024-04-26T09:54:33Z

Hi,
this is my first try to open an issue here, please bear with me, if this is not the correct way. I will thankfully accept any hints to optimize it in the future. I will try to orientate to the issue-template from the cloudstack-project.
I may repeat this with different tf-versions / os'es. Let me know, if you need more information.

PROVIDER INFORMATION

Versoin: 0.5.0

TERRAFORM INFORMATION

Versoin: 1.8.2

HYPERVISOR INFORMATION

Hypervisor: VMWare ESXi
Version: 7.0.3

CLOUDSTACK VERSION

4.17.2.0

CONFIGURATION

main.tf:
terraform {
  required_providers {
    cloudstack = {
        source = "cloudstack/cloudstack"
        version = "0.5.0"
    }
  }
}

provider "cloudstack" {
  # Configuration Options
  api_url    = "${var.cloudstack_api_url}"
  api_key    = "${var.cloudstack_api_key}"
  secret_key = "${var.cloudstack_secret_key}"
}

resource "cloudstack_template" "ubuntu2204" {
  name = "Ubuntu 22.04"
  format = "OVA"
  hypervisor = "VMware"
  os_type = "Other Linux (64-bit)"
  url = "${var.cloudstack_template_url}"
  zone = "Enterprise"
  project = "mwatest01"
  is_dynamically_scalable = true
  is_extractable = false
  is_featured = false
  is_public = true
  password_enabled = false
  is_ready_timeout = 600
  
}

resource "cloudstack_network" "snw-demo" {
    name                = "demo-network"
    display_text        = "demo-network"
    cidr                = "172.16.0.0/24"
    network_offering    = "DefaultIsolatedNetworkOfferingWithSourceNatService"
    zone                = "Enterprise"
    project             = "mwatest01"
    source_nat_ip = true
  
}

# resource "cloudstack_ipaddress" "default-ip0" {
#   network_id = cloudstack_network.snw-demo.id
#   zone = "Enterprise"
#   project = "mwatest01"
#   
# }

resource "cloudstack_instance" "instance-demo" {
    name = "vm-demo"
    display_name = "vm-demo"
    service_offering = "XS Instanz"
    template = cloudstack_template.ubuntu2204.id
    project = "mwatest01"
    zone = "Enterprise"
    start_vm = true
    expunge = true
    network_id = cloudstack_network.snw-demo.id
  
}

resource "cloudstack_firewall" "default" {
  ip_address_id = cloudstack_network.snw-demo.source_nat_ip_id

  rule {
    cidr_list = ["172.26.251.57/32"]
    protocol = "tcp"
    ports = ["22"]
  }
}

OS / ENVIRONMENT

OS: Ubuntu 22.04.3 LTS on Windows Subsystem for Linux (WSL 2) on Windows 11 (64-bit)

SUMMARY

Error: Provider produced inconsistent result after apply

when trying to deploy a firewall-rule to a simple isolated guest-network via cloudstack-provider.

DETAILS

We utilize projects for client-isolation
Service-offering for vm is a custom one
Result is reproducable with newly assigned non-snat-ip-adress (see resource cloudstack_ipadress)

STEPS TO REPRODUCE

create main.tf with contents mentioned above
run terraform apply

EXPECTED RESULTS

Rule will be created successfully
Rule will be included in terraform state

ACTUAL RESULTS

Rule is created successfully
Rule is not included in terraform state (Rerun will try to create a new rule)
Full Output:

terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # cloudstack_firewall.default will be created
  + resource "cloudstack_firewall" "default" {
      + id            = (known after apply)
      + ip_address_id = (known after apply)
      + managed       = false
      + parallelism   = 2

      + rule {
          + cidr_list = [
              + "172.26.251.57/32",
            ]
          + icmp_code = (known after apply)
          + icmp_type = (known after apply)
          + ports     = [
              + "22",
            ]
          + protocol  = "tcp"
          + uuids     = (known after apply)
        }
    }

  # cloudstack_instance.instance-demo will be created
  + resource "cloudstack_instance" "instance-demo" {
      + display_name     = "vm-demo"
      + expunge          = true
      + group            = (known after apply)
      + id               = (known after apply)
      + ip_address       = (known after apply)
      + name             = "vm-demo"
      + network_id       = (known after apply)
      + project          = "mwatest01"
      + root_disk_size   = (known after apply)
      + service_offering = "XS Instanz"
      + start_vm         = true
      + tags             = (known after apply)
      + template         = (known after apply)
      + uefi             = false
      + zone             = "Enterprise"
    }

  # cloudstack_network.snw-demo will be created
  + resource "cloudstack_network" "snw-demo" {
      + acl_id                = "none"
      + cidr                  = "172.16.0.0/24"
      + display_text          = "demo-network"
      + endip                 = (known after apply)
      + gateway               = (known after apply)
      + id                    = (known after apply)
      + name                  = "demo-network"
      + network_domain        = (known after apply)
      + network_offering      = "DefaultIsolatedNetworkOfferingWithSourceNatService"
      + project               = "mwatest01"
      + source_nat_ip         = true
      + source_nat_ip_address = (known after apply)
      + source_nat_ip_id      = (known after apply)
      + startip               = (known after apply)
      + tags                  = (known after apply)
      + zone                  = "Enterprise"
    }

  # cloudstack_template.ubuntu2204 will be created
  + resource "cloudstack_template" "ubuntu2204" {
      + display_text            = (known after apply)
      + format                  = "OVA"
      + hypervisor              = "VMware"
      + id                      = (known after apply)
      + is_dynamically_scalable = true
      + is_extractable          = false
      + is_featured             = false
      + is_public               = true
      + is_ready                = (known after apply)
      + is_ready_timeout        = 600
      + name                    = "Ubuntu 22.04"
      + os_type                 = "Other Linux (64-bit)"
      + password_enabled        = false
      + project                 = "mwatest01"
      + tags                    = (known after apply)
      + url                     = "http://20.82.104.206/Ubuntu_22.04_jammy_user.ova"
      + zone                    = "Enterprise"
    }

Plan: 4 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

cloudstack_network.snw-demo: Creating...
cloudstack_template.ubuntu2204: Creating...
cloudstack_network.snw-demo: Creation complete after 2s [id=68247c09-802a-44b6-bc59-e31a9230c7d1]
cloudstack_firewall.default: Creating...
cloudstack_template.ubuntu2204: Still creating... [10s elapsed]
cloudstack_template.ubuntu2204: Still creating... [20s elapsed]
cloudstack_template.ubuntu2204: Still creating... [30s elapsed]
cloudstack_template.ubuntu2204: Still creating... [40s elapsed]
cloudstack_template.ubuntu2204: Still creating... [50s elapsed]
cloudstack_template.ubuntu2204: Still creating... [1m0s elapsed]
cloudstack_template.ubuntu2204: Still creating... [1m10s elapsed]
cloudstack_template.ubuntu2204: Still creating... [1m20s elapsed]
cloudstack_template.ubuntu2204: Still creating... [1m30s elapsed]
cloudstack_template.ubuntu2204: Still creating... [1m40s elapsed]
cloudstack_template.ubuntu2204: Still creating... [1m50s elapsed]
cloudstack_template.ubuntu2204: Still creating... [2m0s elapsed]
cloudstack_template.ubuntu2204: Still creating... [2m10s elapsed]
cloudstack_template.ubuntu2204: Creation complete after 2m14s [id=5bd0e49f-942c-4893-853e-ab74d725d1fe]
cloudstack_instance.instance-demo: Creating...
cloudstack_instance.instance-demo: Still creating... [10s elapsed]
cloudstack_instance.instance-demo: Still creating... [20s elapsed]
cloudstack_instance.instance-demo: Still creating... [30s elapsed]
cloudstack_instance.instance-demo: Still creating... [40s elapsed]
cloudstack_instance.instance-demo: Still creating... [50s elapsed]
cloudstack_instance.instance-demo: Still creating... [1m0s elapsed]
cloudstack_instance.instance-demo: Still creating... [1m10s elapsed]
cloudstack_instance.instance-demo: Still creating... [1m20s elapsed]
cloudstack_instance.instance-demo: Still creating... [1m30s elapsed]
cloudstack_instance.instance-demo: Still creating... [1m40s elapsed]
cloudstack_instance.instance-demo: Still creating... [1m50s elapsed]
cloudstack_instance.instance-demo: Still creating... [2m0s elapsed]
cloudstack_instance.instance-demo: Still creating... [2m10s elapsed]
cloudstack_instance.instance-demo: Still creating... [2m21s elapsed]
cloudstack_instance.instance-demo: Still creating... [2m31s elapsed]
cloudstack_instance.instance-demo: Still creating... [2m41s elapsed]
cloudstack_instance.instance-demo: Creation complete after 2m48s [id=5f1e1fbc-a259-4a3a-bd27-0c2b2ecc2c56]
╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to cloudstack_firewall.default, provider "provider[\"registry.terraform.io/cloudstack/cloudstack\"]" produced an unexpected new value: Root
│ object was present, but now absent.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

The text was updated successfully, but these errors were encountered:

mwaag · 2024-04-26T12:00:00Z

My colleague just found this: https://www.reddit.com/r/Terraform/comments/m5nv14/comment/gr29zct/?utm_source=share&utm_medium=web2x&context=3

Using the argument 'managed = true' workaround my problem, but it seems it would be cleaner when the problem is catched from the provider. What do you think?

kiranchavala · 2024-04-29T06:34:21Z

@mwaag

Thanks for reporting the issue

The issue is occurring only if project are used.

Marking it as a bug and improvement request

baltazorbest · 2025-01-17T13:04:47Z

Hello,
Any updates regarding the bug fix?

baltazorbest · 2025-02-09T15:20:17Z

Hello.

After searching for the source of the issue, I found it here, the issue is related to the condition:

cloudstack-terraform-provider/cloudstack/resource_cloudstack_firewall.go

Line 378 in ae7858c

} else if !managed {

After changing it to:

else if managed { d.SetId("") }

the firewall was created successfully with the parameters:

managed = false  
project = my_project_id

However, I'm not sure if this is the correct approach to solving the issue.

DaanHoogland · 2025-03-18T08:44:05Z

Hey @baltazorbest , nice to meet you. As said please submit your change in a Pull Request and we can test. As you said you have already tested in your production environment, we are more than helf way merging it already ;) . Meybe a unit test to make sure it is covored would be nice.

rohityadavcloud assigned kiranchavala and vishesh92 Apr 26, 2024

kiranchavala added bug enhancement labels Apr 29, 2024

kiranchavala added this to the v0.6.0 milestone Apr 29, 2024

baltazorbest linked a pull request Mar 18, 2025 that will close this issue

Fixing issue - 115 #164

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Inconsistent result when creating cloudstack_firewall #115

Inconsistent result when creating cloudstack_firewall #115

mwaag commented Apr 26, 2024

mwaag commented Apr 26, 2024

kiranchavala commented Apr 29, 2024

baltazorbest commented Jan 17, 2025

baltazorbest commented Feb 9, 2025

DaanHoogland commented Mar 18, 2025

Inconsistent result when creating cloudstack_firewall #115

Inconsistent result when creating cloudstack_firewall #115

Comments

mwaag commented Apr 26, 2024

PROVIDER INFORMATION

TERRAFORM INFORMATION

HYPERVISOR INFORMATION

CLOUDSTACK VERSION

CONFIGURATION

OS / ENVIRONMENT

SUMMARY

DETAILS

STEPS TO REPRODUCE

EXPECTED RESULTS

ACTUAL RESULTS

mwaag commented Apr 26, 2024

kiranchavala commented Apr 29, 2024

baltazorbest commented Jan 17, 2025

baltazorbest commented Feb 9, 2025

DaanHoogland commented Mar 18, 2025