Resource iosxe_access_list_extended - not implementing changes to sequence order and inaccurate state #156
Comments
Complex Test Case
I wanted to provide better context of the exact code I am trying to implement to assist in determining if this is a bug or simply bad code I am writing! I am using a YAML file that defines the ACL. The YAML file is converted to a Terraform object using the
An example YAML file looks like this:
Within the
The statements within the YAML config are then looped through within the
Note: Not shown for brevity, but there is a
Once this Terraform code is applied, the router will have an initial ACL of:
If an ACL entry is added to the YAML configuration, this will work as expected. Here is the new YAML structure to show the rule change:
Note: A new entry was added as the third entry in the list. This is accurately reflected on the router once the Terraform code is applied:
The bug starts once that entry is removed (or any other entry). If the new entry is removed from the YAML configuration and the Terraform code is applied, the router will now show the ACL as having only two entries:
The current fix for this is to completely destroy the ACL before recreating it, but the provider does not currently recreate the resource if a change to the
I am trying to better understand if this issue is related to the provider, the underlying YANG module, or other Terraform behavior that may indicate this is expected behavior. Thank you for any assistance you can provide with this!
I believe I see why this behavior is occurring, but am unsure how to prevent this. Based on the complex test case described in the previous comment, when the 3rd ACL statement is removed, the list of entries is "shifted" and the old 4th entry is now the 3rd entry. This is visible by viewing the expected actions Terraform will perform when that entry is removed:
The The debug of the
It appears that this should possibly be a PUT instead of a PATCH to ensure any changes to the ACL configuration are reflected even when a statement's sequence number is changed and nothing else? From what this shows, it appears the desired sequence is removed, and then Terraform is also removing the new 3rd sequence because it was previously the 4th item in the list of entries which now no longer exists (and Terraform wants to destroy). Sorry if this adds confusion or is not explained properly. I hope this helps provide better insight on the behavior being seen.
It looks like this is a bug in the RESTCONF implementation of XE as the last DELETE should not delete anything if an entry with a sequence number of "4" does not exist.
Hey @danischm, I have not tested this on the exact platform and IOS versions listed in the provider documentation. Are you aware if this bug is also present on those versions? If this is a persistent bug across multiple IOS versions, what would be the way to handle requesting getting this fixed?
I haven't tested this specific use case, but it might be worth checking with the latest XE version to make sure this isn't something that has already been addressed in the meantime.
I was able to test this on 17.9.4 (Cisco IOS XE Software, Version 17.09.04a) and the same symptoms occur. It is not the most current latest release, but fairly close. It is the highest I can go in my current environment, but it is at least up to the same version the provider was tested on.
Overview
The iosxe_access_list_extended resource does not configure an ACL correctly once modifications to the ACL sequence numbers are made. When the sequence of statements is reordered, Terraform reflects these changes in the Terraform plan. However, once the changes are applied, the ACL will be missing statements. Subsequent runs of terraform plan will not detect this drift and will report that no changes need to be made. Terraform believes the live configurations are accurately matching the declarative state which is not accurate.
A terraform plan -refresh-only also does not detect the mismatch between the live configurations and the state.
Test Case
This bug can be replicated by following the steps listed below.
Once applied, the bug-test-acl ACL should now exist on the router:
Note: The sequence numbers for the second and third statements have been swapped.
When the terraform plan is run, the only change detected is the sequence number. However, these statements have different configurations so the entire statement should be recognized as a change.
Here is an example output of the terraform plan:
Once this is applied, the live configuration of the ACL on the router looks like this:
The debug of the terraform apply shows the payload of the PATCH has the appropriate configurations that reflect the desired configurations in the resource:
Note: The resource can be removed and recreated without any issues even though the internal configurations do not match the configurations in the state.
Other Scenarios
I have tested adding and removing statements to an ACL and that appears to work successfully. The bug appears to occur only when sequences are changed for existing statements.
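Because neither terraform plan nor terraform plan -refresh-only reports the missing statements described in this issue, the ACL has to be checked against the device itself. The following is an added example, not part of the original issue or of the provider's code: it parses show ip access-lists text and compares it by sequence number with the intended entries. The rule texts, the other-acl name and the function names are constructed for illustration.

```python
import re

# Constructed sample: intended entries keyed by sequence number. Rule text must be
# written the way the device renders it, since the comparison is textual.
DESIRED = {
    10: "permit ip 192.0.2.0 0.0.0.255 any",
    20: "deny tcp any host 198.51.100.10 eq 22",
    30: "permit icmp any any echo",
    40: "deny ip any any log",
}

# Constructed sample of `show ip access-lists` text in which sequence 30 is absent,
# the kind of silent loss the issue reports after an apply.
SHOW_OUTPUT = """\
Extended IP access list bug-test-acl
    10 permit ip 192.0.2.0 0.0.0.255 any (12 matches)
    20 deny tcp any host 198.51.100.10 eq 22
    40 deny ip any any log
Extended IP access list other-acl
    10 permit ip any any
"""

HEADER = re.compile(r"^Extended IP access list (\S+)\s*$")
# Sequence number, rule text, optional trailing hit counter such as "(12 matches)".
ENTRY = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\(\d+ match(?:es)?\))?\s*$")


def normalize(rule):
    """Collapse whitespace so spacing differences are not reported as drift."""
    return " ".join(rule.split())


def parse_acl(show_output, name):
    """Return {sequence: rule} for the named extended ACL only."""
    entries, current = {}, None
    for line in show_output.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        entry = ENTRY.match(line)
        if entry and current == name:
            entries[int(entry.group(1))] = normalize(entry.group(2))
    return entries


def diff_acl(desired, live):
    """Compare by sequence number: entries lost, entries extra, entries with other content."""
    both = set(desired) & set(live)
    return {
        "missing": sorted(set(desired) - set(live)),
        "unexpected": sorted(set(live) - set(desired)),
        "changed": sorted(s for s in both if normalize(desired[s]) != live[s]),
    }
```

Calling diff_acl(DESIRED, parse_acl(SHOW_OUTPUT, "bug-test-acl")) reports sequence 30 as missing; any non-empty list in the result means the router and the Terraform state disagree.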