[Bug]: Firewall attachment gets detached on second run of "terraform apply"

[Iyashi]

What happened?

I create some maintainance hcloud_firewalls which are required during hcloud_server resource creation. (dns/out, https/out, ssh/in)

So I create the hcloud_server and pass the maintainance firewall ids into hcloud_server.firewall_ids.

Then I create another hcloud_firewall for a specific service which should run on the created server.
I attach that firewall to the hcloud_server using hcloud_firewall_attachment.

The first time I run terraform apply it works just fine.

But on the second run of terraform apply, the service firewall gets detached again, even though the hcloud_firewall_attachment is being kept and not destroyed.

All subsequent runs of terraform apply now show no changes and the service firewall is still detached.

This effectively ignores hcloud_firewall_attachment.

What did you expect to happen?

I expect the maintainance firewalls as well as the service firewall to be attached to the server, even after subsequently executing terraform apply.

Please provide a minimal working example

I have created a public repo which demonstates the problem:

https://github.com/Iyashi/terraform-hcloud-firewall-attachment-problem

Terraform Output for second run of terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # hcloud_server.some_service will be updated in-place
  ~ resource "hcloud_server" "some_service" {
      ~ firewall_ids               = [
          - 1190567,
            # (3 unchanged elements hidden)
        ]
        id                         = "41476860"
        name                       = "some-service"
        # (17 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

[Iyashi]

I found a workaround:

That is, to move the server setup (meaning remote-exec to install ansible) out of resource hcloud_server scope into a null_resource and ensure that all firewalls are added before it executes using depends_on.

Here's the diff: Iyashi/terraform-hcloud-firewall-attachment-problem@152ded8

Full code:
https://github.com/Iyashi/terraform-hcloud-firewall-attachment-problem/tree/workaround

I still think that this behavior is a bug that should be addressed as such.

[apricote]

This is how Terraform expects the resources to behave. If you specify something, terraform will make sure that the real state exactly matches the plan. In this case you specify a specific list of firewalls on the server, and on the second apply terraform sees another one so it will be removed. We have no way to know inside the provider that there is a server with configured firewalls as well as a firewall_attachement

Your workaround looks fine, you could also use lifecycle.ignore_changes = [ firewall_ids ] on the hcloud_server to ignore the attribute after the first apply.

[github-actions]

This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.