Ignore changes on position in panos_security_policy_rules leads to a corrupted state #483

@smaurus-prodyna

Describe the bug

TLDR: Introducing the lifecycle to ignore the changes on the position attribute in a panos_security_policy_rules leads to a corrupted state (position is set to null). While the first apply works fine, a subsequent apply will fail with the error: Received null value, however the target type cannot handle null values.


Currently we use the following resource definition:

resource "panos_security_policy_rules" "main" {
  for_each = var.rules

  ...
  
  position = each.value.position

  # default value:
  # position = {
  #  where = "first"
  # }

  rules = [{
    name                          = "${local.rule-prefix}-${each.key}"

   ...
  
  }]

  lifecycle {
    ignore_changes = [position]
  }
}

To ignore changes in the rule position we introduced the lifecycle with the corresponding ignore_changes block. While the initial apply runs without any errors, a subsequent apply leads to the following error:

│ Error: Value Conversion Error

│ with module.panorama.panos_security_policy_rules.main["some_rule"],
│ An unexpected error was encountered trying to build a value. This is always
│ an error in the provider. Please report the following to the provider
│ developer:

│ Received null value, however the target type cannot handle null values. Use
│ the corresponding types package type, a pointer type or a custom type
│ that handles null values.

│ Path:
│ Target Type: provider.TerraformPositionObject
│ Suggested types Type: basetypes.ObjectValue
│ Suggested Pointer Type: *provider.TerraformPositionObject

Further investigation shows that the state file is corrupted, as the value for the position is set to null:

"normal":

        "position": {
          "directly": null,
          "pivot": null,
          "where": "first"
        },

observed:

        "position": null,

As this attribute is mandatory a plan/apply will lead to an error.

This was also tested by disabling the remote state, where the plan performed smoothly, excluding errors in the code.

Possible relations:
Initially we had some issues with the position attribute which were partly solved by using the provider 2.0.2. However, there is also another issue open: #470

Expected behavior

Changes in the position are ignored.

Current behavior

The position attribute in the state file is changed to null. As this is a mandatory attribute, a subsequent plan/apply will fail.

Possible solution

Currently the only "solution" is to remove the lifecycle and live with the reoccurring changes.

Steps to reproduce

  1. Insert lifecycle as shown in the example above
  2. Perform an apply
  3. Try to make a subsequent plan

Context

The bug makes it less clear what terraform wants to change and makes automation more difficult (e.g. nothing to change -> everything is in sync, no human interaction needed). The "useless" changes also grow with more rules implemented.

Your Environment

  • Version used: 2.0.2 and 2.0.4
  • Environment: OpenTofu 1.10.2
  • Operating System and version (desktop or mobile): Ubuntu
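
A check for the corrupted state described in this report, as an added example that is not part of the original issue or the provider's code: it scans a state file for panos_security_policy_rules instances whose position is stored as null. It assumes the version 4 JSON state layout; the sample state and the function names are constructed for illustration.

```python
import json
import sys

RESOURCE_TYPE = "panos_security_policy_rules"

# Constructed sample state (v4 layout assumed): one healthy and one corrupted instance.
SAMPLE_STATE = {
    "version": 4,
    "resources": [{
        "module": "module.panorama",
        "mode": "managed",
        "type": RESOURCE_TYPE,
        "name": "main",
        "instances": [
            {"index_key": "other_rule",
             "attributes": {"position": {"directly": None, "pivot": None, "where": "first"}}},
            {"index_key": "some_rule",
             "attributes": {"position": None}},
        ],
    }],
}


def instance_address(resource, instance):
    """Build the address the way plan/apply errors print it."""
    addr = f'{resource["type"]}.{resource["name"]}'
    key = instance.get("index_key")
    if key is not None:  # for_each keys are strings, count indexes are integers
        addr += f"[{json.dumps(key)}]"
    module = resource.get("module")
    return f"{module}.{addr}" if module else addr


def find_null_positions(state):
    """Return addresses of rule resources whose mandatory position is null or missing."""
    bad = []
    for resource in state.get("resources", []):
        if resource.get("mode") != "managed" or resource.get("type") != RESOURCE_TYPE:
            continue
        for instance in resource.get("instances", []):
            attrs = instance.get("attributes") or {}
            if attrs.get("position") is None:
                bad.append(instance_address(resource, instance))
    return bad


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    state = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STATE
    hits = find_null_positions(state)
    for address in hits:
        print("position is null in state:", address)
    sys.exit(1 if hits else 0)
```

With a remote backend, the state can be exported first with `tofu state pull > state.json` and the file path passed as the argument; a non-zero exit code makes the check usable as a gate before the next plan.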
