Skip to content
This repository has been archived by the owner on Mar 25, 2022. It is now read-only.

Terraform is removing qualified name prefix from selected attributes in tfstate #166

Closed
mtjakobczyk opened this issue Apr 16, 2019 · 2 comments
Closed

Terraform is removing qualified name prefix from selected attributes in tfstate #166

mtjakobczyk opened this issue Apr 16, 2019 · 2 comments
Assignees
@mbfrahry

Comments

@mtjakobczyk
Copy link

mtjakobczyk commented Apr 16, 2019
edited
Loading

Hi there,

the issue can be summarized in one sentence: provider plugin implementation seems to remove qualified name prefix (such as /Compute-123456789/first.user@example.com/) from selected attributes in tfstate.

This causes unnecessary and, in this way, actually invalid rebuild (destroy & create) behavior, even though there is no change in .tf files in the meantime. This is particularly visible when using private images and/or IP networks created by different users.

In my opinion the reason is rather obvious and should be pretty straightforward to fix. The provider plugin implementation does not store fully qualified names in the tfstate file for the following attributes:

  • opc_compute_storage_volume.image_list
  • opc_compute_instance.networking_info.*.ip_network
  • opc_compute_instance.networking_info.*.vnic_sets

As a result it is risky to reference an existing IP network, VNIC Set or a private image created by other users, because it may result in unplanned and destructive reprovisioning.

Terraform Version

Terraform v0.11.13
+ provider.opc v1.3.3

Affected Resource(s)

  • opc_compute_storage_volume
  • opc_compute_instance

Terraform Configuration Files

Steps to Reproduce

To experience the issue exactly as I did, you will need 3 users.

  • User 1: Prepare a custom image.
    • Let's assume it is created as: /Compute-123456789/first.user@example.com/OL76_UEKR5
  • User 2: Provision IP network https://github.com/mtjakobczyk/opc-sandbox/tree/master/ip-network/infrastructure (master branch)
    • Let's assume these are the resources created: /Compute-123456789/second.user@example.com/sandbox-ip-network and /Compute-123456789/second.user@example.com/sandbox-ip-network-vnics
  • Clone https://github.com/mtjakobczyk/opc-sandbox/tree/issue-1/simple-vm (issue-1 branch)
  • Adapt simple-vm/infrastructure/compute.tf file:
    • Change opc_compute_instance.simplevm.networking_info.vnic_sets to /Compute-123456789/second.user@example.com/sandbox-ip-network-vnics
    • Change opc_compute_instance.simplevm.networking_info.ip_network to /Compute-123456789/second.user@example.com/sandbox-ip-network
    • Change opc_compute_storage_volume.simplevm_bootvolume.image_list to /Compute-123456789/first.user@example.com/OL76_UEKR5
  • User 3 : Provision compute-related resources as the third user (!) using simple-vm project (issue-1 branch)
  • User 3 : Run again terraform apply to see the invalid destructive plan

Expected Behavior

Plan: 0 to add, 0 to change, 0 to destroy.

Actual Behavior

-/+ opc_compute_storage_volume.simplevm_bootvolume (new resource required)
      image_list:       "OL76_UEKR5" => "/Compute-123456789/first.user@example.com/OL76_UEKR5" (forces new resource)

Plan: 1 to add, 0 to change, 1 to destroy.

Important Factoids

The source of the problem can be found in the state file:

      "opc_compute_instance.simplevm": {
        "networking_info.2638415351.ip_network": "sandbox-ip-network",
        "networking_info.2638415351.vnic_sets.0": "sandbox-ip-network-vnics",

      "opc_compute_storage_volume.simplevm_bootvolume": {
        "image_list": "OL76_UEKR5",

The qualified name prefix (such as /Compute-123456789/first.user@example.com/) is removed (most probably on terraform refresh).

References
@mtjakobczyk mtjakobczyk changed the title Terraform removes qualified name prefix from selected attributes in tfstate Terraform is removing qualified name prefix from selected attributes in tfstate Apr 16, 2019
@mtjakobczyk mtjakobczyk mentioned this issue Apr 16, 2019
Open
@mbfrahry mbfrahry mentioned this issue Apr 19, 2019
Merged
@mbfrahry
Copy link
Contributor

Hey @mtjakobczyk, thanks for opening this issue. The sdk takes a simplified approach to dealing with ids for OCI-Classic resources by taking a single name and generating the full id for the resource. Unfortunately, because that functionality has been baked into the provider for so long, we can't just turn it off for certain attributes because that would end up breaking users that were depending on that functionality. We try to avoid breaking changes as best we can.

I believe I've found a decent solution however which is to check the full name being passed in and if the username or identity domain is different than we just return that full name so you won't see that diff anymore. That is in #167 and should be released shortly.

@mbfrahry
Copy link
Contributor

This should be fixed with the latest release!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@mbfrahry mbfrahry

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mtjakobczyk @mbfrahry