When parameters_json are updated with ibm_pag_instance this should force a new instance to be created #5719

Open
ocofaigh opened this issue Oct 10, 2024 · 0 comments


ocofaigh commented Oct 10, 2024

Use case:

  • Same terraform code is creating subnets and PAG
  • After initial deploy, updates are made to change the subnets (delete / recreate)
  • PAG instance has not been identified for destroy / recreate, meaning the sdnlb that the old subnets are attached to still remains up, and this prevents the old subnets from getting deleted.
  • The fix here would be to ensure that PAG gets deleted and recreated, instead of update in place. That way the sdnlb will be deleted too, and subnet deletion should pass.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

tf 1.9.2
ibm provider 1.70.0

Affected Resource(s)

  • ibm_pag_instance

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

locals {
  # locals
  standard_parameters_json = jsonencode({
    "vpc_id" : var.pag_vpc_id,
    "cosinstance" : var.cos_instance_crn,
    "cosbucket" : var.cos_bucket_name,
    "cosendpoint" : var.cos_endpoint,
    "proxies" : var.pag_proxies,
    "settings" : {
      "inactivity_timeout" : var.pag_inactivity_timeout,
      "system_use_notification" : var.system_use_notification
    }
  })
  sec044_parameters_json = jsonencode({
    "vpc_id" : var.pag_vpc_id,
    "cosinstance" : var.cos_instance_crn,
    "cosbucket" : var.cos_bucket_name,
    "cosendpoint" : var.cos_endpoint,
    "proxies" : var.pag_proxies,
    "secret_manager_crn" : var.secret_manager_crn,
    "sdnlb_api_key_secret_id" : var.sdnlb_api_key_secret_id,
    "settings" : {
      "inactivity_timeout" : var.pag_inactivity_timeout,
      "system_use_notification" : var.system_use_notification,
      "production_flag_enabled" : var.production_flag_enabled,
      "sdnlb_endpoint" : var.sdnlb_endpoint_prefix
    }
  })
  # NOTE: Tried to reduce the duplication between above parameters using terraform merge(),
  # but hit this issue where values were getting converted to strings: https://github.com/hashicorp/terraform/issues/34727
}

resource "ibm_pag_instance" "pag" {
  name              = var.pag_instance_name
  resource_group_id = var.resource_group_id
  service           = "privileged-access-gateway"
  plan              = var.pag_service_plan
  location          = var.region
  tags              = var.pag_tags
  parameters_json   = var.pag_service_plan == "standard" ? local.standard_parameters_json : local.sec044_parameters_json
  timeouts {
    create = "1h" # Extending provisioning time to 1h. Typically takes around 15 min
  }
  depends_on = [ibm_iam_authorization_policy.pag_sm_iam_policy_allow]
}

Debug Output

Panic Output

Expected Behavior

When parameters_json are updated with ibm_pag_instance this should force a new instance to be created

Actual Behavior

The resource instance has only been identified for update in place:

 2024/10/09 20:26:48 Terraform plan |   ~ resource "ibm_pag_instance" "pag" {
 2024/10/09 20:26:48 Terraform plan |         id                      = "crn:v1:bluemix:public:privileged-access-gateway:us-east:a...::"
 2024/10/09 20:26:48 Terraform plan |         name                    = "pagbackup-pag"
 2024/10/09 20:26:48 Terraform plan |       ~ parameters_json         = jsonencode(
 2024/10/09 20:26:48 Terraform plan |             {
 2024/10/09 20:26:48 Terraform plan |               - cosbucket               = "pagbackup-pag-1rj3"
 2024/10/09 20:26:48 Terraform plan |               - cosendpoint             = "s3.direct.us-east.cloud-object-storage.appdomain.cloud"
 2024/10/09 20:26:48 Terraform plan |               - cosinstance             = "crn:v1:bluemix:public:cloud-object-storage:global:a/...::"
 2024/10/09 20:26:48 Terraform plan |               - proxies                 = [
 2024/10/09 20:26:48 Terraform plan |                   - {
 2024/10/09 20:26:48 Terraform plan |                       - name           = "proxy1"
 2024/10/09 20:26:48 Terraform plan |                       - securitygroups = [
 2024/10/09 20:26:48 Terraform plan |                           - "r014-c5bae388-0917-42bb-8039-604977f4271a",
 2024/10/09 20:26:48 Terraform plan |                         ]
 2024/10/09 20:26:48 Terraform plan |                       - subnet         = {
 2024/10/09 20:26:48 Terraform plan |                           - cidr = "172.240.0.0/26"
 2024/10/09 20:26:48 Terraform plan |                           - crn  = "crn:v1:bluemix:public:is:us-east-1:a/..."
 2024/10/09 20:26:48 Terraform plan |                         }
 2024/10/09 20:26:48 Terraform plan |                     },
 2024/10/09 20:26:48 Terraform plan |                   - {
 2024/10/09 20:26:48 Terraform plan |                       - name           = "proxy2"
 2024/10/09 20:26:48 Terraform plan |                       - securitygroups = [
 2024/10/09 20:26:48 Terraform plan |                           - "r014-c5bae388-0917-42bb-8039-604977f4271a",
 2024/10/09 20:26:48 Terraform plan |                         ]
 2024/10/09 20:26:48 Terraform plan |                       - subnet         = {
 2024/10/09 20:26:48 Terraform plan |                           - cidr = "172.240.64.64/26"
 2024/10/09 20:26:48 Terraform plan |                           - crn  = "crn:v1:bluemix:public:is:us-east-2:a/..."
 2024/10/09 20:26:48 Terraform plan |                         }
 2024/10/09 20:26:48 Terraform plan |                     },
 2024/10/09 20:26:48 Terraform plan |                 ]
 2024/10/09 20:26:48 Terraform plan |               - sdnlb_api_key_secret_id = "xxxxxx"
 2024/10/09 20:26:48 Terraform plan |               - secret_manager_crn      = "crn::"
 2024/10/09 20:26:48 Terraform plan |               - settings                = {
 2024/10/09 20:26:48 Terraform plan |                   - inactivity_timeout      = 15
 2024/10/09 20:26:48 Terraform plan |                   - production_flag_enabled = false
 2024/10/09 20:26:48 Terraform plan |                   - sdnlb_endpoint          = "xyz"
 2024/10/09 20:26:48 Terraform plan |                   - system_use_notification = <<-EOT
 2024/10/09 20:26:48 Terraform plan |                         By accessing this information system, users acknowledge and accept the following terms and conditions:
 2024/10/09 20:26:48 Terraform plan |                          - Users are accessing a U.S. Government or financial services information system;
 2024/10/09 20:26:48 Terraform plan |                         - Due to IBM security policies, information system usage will be monitored, recorded, and subject to audit in accordance with the applicable laws; and 
 2024/10/09 20:26:48 Terraform plan |                         - Unauthorized use of the information system is prohibited and subject to criminal and civil penalties
 2024/10/09 20:26:48 Terraform plan |                     EOT
 2024/10/09 20:26:48 Terraform plan |                 }
 2024/10/09 20:26:48 Terraform plan |               - vpc_id                  = "123"
 2024/10/09 20:26:48 Terraform plan |             }
 2024/10/09 20:26:48 Terraform plan |         ) -> (known after apply)

Steps to Reproduce

  1. terraform apply

Important Factoids

References

  • #0000
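
A possible interim workaround for the behaviour reported above, as an added example that is not part of the original issue or the provider's own code: Terraform's `replace_triggered_by` lifecycle argument can force replacement from the configuration side. The `terraform_data.pag_parameters` resource name is hypothetical; all other names come from the configuration in the issue. It assumes Terraform 1.4 or later, which provides the built-in `terraform_data` resource.

```hcl
# Added example: workaround sketch, not code from the issue or the IBM provider.
# "pag_parameters" is a hypothetical name chosen for this example.
resource "terraform_data" "pag_parameters" {
  # Tracks the same encoded value that is passed to parameters_json below.
  input = var.pag_service_plan == "standard" ? local.standard_parameters_json : local.sec044_parameters_json
}

resource "ibm_pag_instance" "pag" {
  name              = var.pag_instance_name
  resource_group_id = var.resource_group_id
  service           = "privileged-access-gateway"
  plan              = var.pag_service_plan
  location          = var.region
  tags              = var.pag_tags
  parameters_json   = var.pag_service_plan == "standard" ? local.standard_parameters_json : local.sec044_parameters_json
  timeouts {
    create = "1h" # Extending provisioning time to 1h. Typically takes around 15 min
  }
  depends_on = [ibm_iam_authorization_policy.pag_sm_iam_policy_allow]

  lifecycle {
    # A planned update or replacement of terraform_data.pag_parameters
    # plans this instance for destroy and recreate instead of update in place.
    replace_triggered_by = [terraform_data.pag_parameters]
  }
}
```

After adding the block, check the next `terraform plan` to confirm that `ibm_pag_instance.pag` is marked for replacement rather than shown with the `~` update-in-place marker.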