oci_core_security_list not adhering to plan #2258

Open
Dialgatrainer02 opened this issue Dec 23, 2024 · 1 comment
@Dialgatrainer02

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version and Provider Version

OpenTofu v1.8.7
on linux_amd64
+ provider registry.opentofu.org/bpg/proxmox v0.69.0
+ provider registry.opentofu.org/hashicorp/local v2.5.2
+ provider registry.opentofu.org/hashicorp/oci v6.21.0
+ provider registry.opentofu.org/hashicorp/random v3.6.3
+ provider registry.opentofu.org/hashicorp/tls v4.0.6

Affected Resource(s)

oci_core_security_list

Terraform Configuration Files

variable "ingress_rules" {
  description = "List of ingress security rules."
  type = list(object({
    protocol    = string
    source      = string
    tcp_options = optional(object({ min = optional(number), max = optional(number) }), {})
    udp_options = optional(object({ min = optional(number), max = optional(number) }), {})
  }))
  default = [
    {
      protocol = "6"
      source   = "0.0.0.0/0"
      tcp_options = {
        max = 22
        min = 22
      }
    }
  ]
}

variable "egress_rules" {
  description = "List of egress security rules."
  type = list(object({
    protocol    = string
    destination = string
    tcp_options = optional(object({ min = optional(number), max = optional(number) }), {})
    udp_options = optional(object({ min = optional(number), max = optional(number) }), {})
  }))
  default = [
    {
      protocol    = "all"
      destination = "0.0.0.0/0"
    },
    {
      protocol    = "all"
      destination = "::/0"
    }
  ]
}

resource "oci_core_security_list" "oci_security_list" { ## null values making headaches
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_virtual_network.oci_vcn.id
  display_name   = var.security_label

  dynamic "egress_security_rules" {
    for_each = var.egress_rules
    content {
      protocol    = egress_security_rules.value.protocol
      destination = egress_security_rules.value.destination

      udp_options {
        max = egress_security_rules.value.udp_options.max
        min = egress_security_rules.value.udp_options.min
      }
      tcp_options {
        max = egress_security_rules.value.tcp_options.max
        min = egress_security_rules.value.tcp_options.min
      }

    }
  }
}

Debug Output

│ Error: 400-InvalidParameter, ingressSecurityRules[0].protocol must not be null; egressSecurityRules[0].destination must not be null; egressSecurityRules[1].protocol must not be null; egressSecurityRules[1].destination must not be null; ingressSecurityRules[0].source must not be null; egressSecurityRules[0].protocol must not be null
│ Suggestion: Please update the parameter(s) in the Terraform config as per error message ingressSecurityRules[0].protocol must not be null; egressSecurityRules[0].destination must not be null; egressSecurityRules[1].protocol must not be null; egressSecurityRules[1].destination must not be null; ingressSecurityRules[0].source must not be null; egressSecurityRules[0].protocol must not be null
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list 
│ API Reference: https://docs.oracle.com/iaas/api/#/en/iaas/20160918/SecurityList/CreateSecurityList 
│ Request Target: POST https://iaas.uk-london-1.oraclecloud.com/20160918/securityLists 
│ Provider version: 6.21.0, released on 2024-12-22.  
│ Service: Core Security List 
│ Operation Name: CreateSecurityList 
│ OPC request ID: 4fb034862c36d09bd982d26cac448944/E16D71A4B6BC5F7271C8526B2D565EC9/5C0E60220B9A821C9E765245F1E6DBC4 
│ 
│ 
│   with module.oci_vps.oci_core_security_list.oci_security_list,
│   on modules/oci_vm/main.tf line 50, in resource "oci_core_security_list" "oci_security_list":
│   50: resource "oci_core_security_list" "oci_security_list" { ## null values making headaches
│ 

Panic Output

Expected Behavior

Security list created without error, as the plan specified.

Actual Behavior

The above error, saying known values are null.

Steps to Reproduce

  1. terraform apply

Important Factoids

tofu plan shows:

 resource "oci_core_security_list" "oci_security_list" {
      + compartment_id = (sensitive value)
      + defined_tags   = (known after apply)
      + display_name   = "wg_security"
      + freeform_tags  = (known after apply)
      + id             = (known after apply)
      + state          = (known after apply)
      + time_created   = (known after apply)
      + vcn_id         = "ocid1.vcn.oc1.uk-london-1.amaaaaaau6kjpeyash6nqgc5semjbg4stfiywqyrjolqssjjsqtpozl7bikq"

      + egress_security_rules {
          + description      = (known after apply)
          + destination      = "0.0.0.0/0"
          + destination_type = (known after apply)
          + protocol         = "all"
          + stateless        = (known after apply)

          + tcp_options {
            }

          + udp_options {
            }
        }
      + egress_security_rules {
          + description      = (known after apply)
          + destination      = "::/0"
          + destination_type = (known after apply)
          + protocol         = "all"
          + stateless        = (known after apply)

          + tcp_options {
            }

          + udp_options {
            }
        }

      + ingress_security_rules {
          + description = (known after apply)
          + protocol    = "6"
          + source      = "0.0.0.0/0"
          + source_type = (known after apply)
          + stateless   = false

          + tcp_options {
              + max = 22
              + min = 22
            }

          + udp_options {
            }
        }
    }

However, the apply says the known values (e.g. protocol) are null.

References

@Dialgatrainer02 (Author)


│ Error: 400-InvalidParameter, ingressSecurityRules[0].source must not be null; egressSecurityRules[0].destination must not be null; egressSecurityRules[0].protocol must not be null; ingressSecurityRules[0].protocol must not be null
│ Suggestion: Please update the parameter(s) in the Terraform config as per error message ingressSecurityRules[0].source must not be null; egressSecurityRules[0].destination must not be null; egressSecurityRules[0].protocol must not be null; ingressSecurityRules[0].protocol must not be null
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_security_list 
│ API Reference: https://docs.oracle.com/iaas/api/#/en/iaas/20160918/SecurityList/CreateSecurityList 
│ Request Target: POST https://iaas.uk-london-1.oraclecloud.com/20160918/securityLists 
│ Provider version: 6.21.0, released on 2024-12-22. This provider is 2 Update(s) behind to current. 
│ Service: Core Security List 
│ Operation Name: CreateSecurityList 
│ OPC request ID: 5a163778b708d2625530ab679ff48842/2C599CC23A978B8C6ECD90F4C6C3B303/3AAFB59EA1E6DA0F1358461F093EFE40 
│ 
│ 
│   with module.wireguard.oci_core_security_list.oci_security_list,
│   on modules/oracle/compute/main.tf line 50, in resource "oci_core_security_list" "oci_security_list":
│   50: resource "oci_core_security_list" "oci_security_list" { ## null values making headaches
│ 

I completely remade my Terraform setup and I'm still being hit by this issue.

variables.tf

variable "compute" {
  type = object({
    ad            = optional(number, 3)
    vcn_label     = optional(string, "oci_vcn")
    vcn_dns_label = optional(string, "OCIVCN")
    vcn_ip_range  = optional(string, "10.0.0.0/16")
    ipv6_enabled  = optional(bool, true)

    dhcp_dns   = optional(list(string), ["1.1.1.1", "1.0.0.1"])
    dhcp_label = optional(string, "oci_dhcp")

    subnet_label     = optional(string, "oci_subnet")
    subnet_dns_label = optional(string, "OCISubnet")
    subnet_ip_range  = optional(string, "10.10.10.0/24")

    gw_label       = optional(string, "oci_gateway")
    route_label    = optional(string, "oci_route_tabel")
    security_label = optional(string, "oci_security")

    egress_rules = list(object({
      protocol    = optional(string, "all")
      destination = optional(string, "0.0.0.0/0")
      udp_options = optional(object({
        min = optional(number)
        max = optional(number)
      }))
      tcp_options = object({
        min = optional(number)
        max = optional(number)
      })
    }))
    ingress_rules = list(object({
      protocol = optional(string, "6")
      # source must be in CIDR notation; the original default was a bare "0.0.0.0",
      # which is not a valid source for an OCI security list rule
      source = optional(string, "0.0.0.0/0")
      tcp_options = optional(object({
        min = optional(number, 22)
        max = optional(number, 22)
      }))
      udp_options = optional(object({
        min = optional(number)
        max = optional(number)
      }))
    }))
    instance_label                      = optional(string, "oci_instance")
    instance_shape                      = optional(string, "VM.Standard.E2.1.Micro")
    instance_ocpus                      = optional(number, 1)
    instance_shape_config_memory_in_gbs = optional(number, 1)
    nic_label                           = optional(string, "oci_instance_nic")
    hostname                            = optional(string, "oci_hostname")
    gen_keypair                         = optional(bool, true)
    public_key                          = optional(string)
    private_key                         = optional(string)
    host_vars                           = optional(any)
  })
}

locals {
  public_key  = var.compute.gen_keypair ? tls_private_key.staging_key[0].public_key_openssh : var.compute.public_key
  private_key = var.compute.gen_keypair ? tls_private_key.staging_key[0].private_key_openssh : var.compute.private_key
}

locals {
  ipv4_address = oci_core_instance.oci_instance.public_ip
  host_vars = merge(var.compute.host_vars, { ansible_host = local.ipv4_address })
  host = {
    "${var.compute.hostname}" = local.host_vars
  }
}

data "oci_identity_availability_domain" "ad" {
  compartment_id = var.oci_settings.compartment_ocid
  ad_number      = var.compute.ad
}

data "oci_core_images" "images" {
  compartment_id           = var.oci_settings.compartment_ocid
  operating_system         = "Oracle Linux"
  operating_system_version = 9
  shape                    = var.compute.instance_shape
}

variable "oci_settings" {
  type = object({
    region           = string
    tenancy_ocid     = string
    user_ocid        = string
    fingerprint      = string
    oci_private_key  = string
    compartment_ocid = string
  })
}

main.tf

resource "oci_core_virtual_network" "oci_vcn" {
  cidr_block     = var.compute.vcn_ip_range
  compartment_id = var.oci_settings.compartment_ocid
  display_name   = var.compute.vcn_label
  dns_label      = var.compute.vcn_dns_label
  is_ipv6enabled = var.compute.ipv6_enabled
}

resource "oci_core_dhcp_options" "oci_dhcp_options" {
  compartment_id = var.oci_settings.compartment_ocid
  options {
    type               = "DomainNameServer"
    server_type        = "CustomDnsServer"
    custom_dns_servers = var.compute.dhcp_dns
  }
  display_name = var.compute.dhcp_label
  vcn_id       = oci_core_virtual_network.oci_vcn.id
}

resource "oci_core_subnet" "oci_subnet" {
  cidr_block        = var.compute.subnet_ip_range
  display_name      = var.compute.subnet_label
  dns_label         = var.compute.subnet_dns_label
  security_list_ids = [oci_core_security_list.oci_security_list.id]
  compartment_id    = var.oci_settings.compartment_ocid
  vcn_id            = oci_core_virtual_network.oci_vcn.id
  route_table_id    = oci_core_route_table.oci_route_table.id
  dhcp_options_id   = oci_core_dhcp_options.oci_dhcp_options.id
  ipv6cidr_block    = var.compute.ipv6_enabled ? "${substr(oci_core_virtual_network.oci_vcn.ipv6cidr_blocks[0], 0, length(oci_core_virtual_network.oci_vcn.ipv6cidr_blocks[0]) - 2)}${64}" : null
}

resource "oci_core_internet_gateway" "oci_internet_gateway" {
  compartment_id = var.oci_settings.compartment_ocid
  display_name   = var.compute.gw_label
  vcn_id         = oci_core_virtual_network.oci_vcn.id
}

resource "oci_core_route_table" "oci_route_table" {
  compartment_id = var.oci_settings.compartment_ocid
  vcn_id         = oci_core_virtual_network.oci_vcn.id
  display_name   = var.compute.route_label

  route_rules {
    destination       = "0.0.0.0/0"
    destination_type  = "CIDR_BLOCK"
    network_entity_id = oci_core_internet_gateway.oci_internet_gateway.id
  }
}

resource "oci_core_security_list" "oci_security_list" { ## null values making headaches
  compartment_id = var.oci_settings.compartment_ocid
  vcn_id         = oci_core_virtual_network.oci_vcn.id
  display_name   = var.compute.security_label

  dynamic "egress_security_rules" {
    for_each = var.compute.egress_rules
    content {
      protocol    = egress_security_rules.value.protocol
      destination = egress_security_rules.value.destination

      udp_options {
        max = egress_security_rules.value.udp_options.max
        min = egress_security_rules.value.udp_options.min
      }
      tcp_options {
        max = egress_security_rules.value.tcp_options.max
        min = egress_security_rules.value.tcp_options.min
      }

    }
  }

  dynamic "ingress_security_rules" {
    for_each = var.compute.ingress_rules
    content {
      protocol = ingress_security_rules.value.protocol
      source   = ingress_security_rules.value.source

      udp_options {
        max = ingress_security_rules.value.udp_options.max
        min = ingress_security_rules.value.udp_options.min
      }
      tcp_options {
        max = ingress_security_rules.value.tcp_options.max
        min = ingress_security_rules.value.tcp_options.min
      }

    }
  }
}

resource "oci_core_instance" "oci_instance" {
  availability_domain = data.oci_identity_availability_domain.ad.name
  compartment_id      = var.oci_settings.compartment_ocid
  display_name        = var.compute.instance_label
  shape               = var.compute.instance_shape

  shape_config {
    ocpus         = var.compute.instance_ocpus
    memory_in_gbs = var.compute.instance_shape_config_memory_in_gbs
  }

  create_vnic_details {
    subnet_id        = oci_core_subnet.oci_subnet.id
    display_name     = var.compute.nic_label
    assign_public_ip = true
    hostname_label   = var.compute.hostname
    assign_ipv6ip    = var.compute.ipv6_enabled
  }

  source_details {
    source_type = "image"
    source_id   = lookup(data.oci_core_images.images.images[0], "id") ### again unsure how to make a variable
  }

  metadata = {
    ssh_authorized_keys = local.public_key
  }
}

resource "terraform_data" "provision" {
  input = oci_core_instance.oci_instance.public_ip
  connection {
    type        = "ssh"
    host        = oci_core_instance.oci_instance.public_ip
    user        = "opc"
    private_key = local.private_key ## don't like this
  }
  provisioner "remote-exec" {
    inline = [ # add swap, as 1 GB memory and 1 GB swap isn't enough for dnf to work
      "sudo swapoff -a",
      "sudo dd if=/dev/zero of=/.swapfile bs=512M count=8", #512M * 8 = 4GB
      "sudo mkswap /.swapfile",
      "sudo swapon /.swapfile"
    ]
  }
}

resource "tls_private_key" "staging_key" {
  count     = var.compute.gen_keypair ? 1 : 0
  algorithm = "ED25519"
}
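As an added example (not the issue author's code and not part of the OCI provider), here is the pattern usually reached for when a provider reports null fields that `plan` showed as known: the nested `tcp_options` / `udp_options` blocks are emitted only when a rule actually carries ports, so no empty `tcp_options {}` block is ever sent. Whether the empty nested blocks visible in the plan above are what triggers this particular 400 is an assumption the thread does not confirm. It also adds a `validation` block so that a source without a CIDR prefix (such as the `"0.0.0.0"` default in the posted variables.tf) fails at plan time instead of in the API call. It assumes `var.compartment_ocid` and `oci_core_virtual_network.oci_vcn` exist, as in the first configuration in the report.

```hcl
# Added example; not the issue author's or the OCI provider's code.
# Assumes var.compartment_ocid and oci_core_virtual_network.oci_vcn are declared elsewhere.

variable "ingress_rules" {
  description = "Ingress rules. tcp_options/udp_options stay null unless ports are given."
  type = list(object({
    protocol    = string
    source      = string
    tcp_options = optional(object({ min = number, max = number }))
    udp_options = optional(object({ min = number, max = number }))
  }))
  # Constructed sample default: SSH from anywhere, matching the report's rule.
  default = [
    { protocol = "6", source = "0.0.0.0/0", tcp_options = { min = 22, max = 22 } }
  ]

  # Reject a bare address such as "0.0.0.0": OCI expects CIDR notation.
  # cidrhost() fails on a prefix-less address, so can() returns false for it.
  validation {
    condition = alltrue([
      for r in var.ingress_rules : can(cidrhost(r.source, 0))
    ])
    error_message = "Every ingress source must be in CIDR notation, e.g. 0.0.0.0/0 or ::/0."
  }
}

resource "oci_core_security_list" "example" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_virtual_network.oci_vcn.id
  display_name   = "example_security_list"

  dynamic "ingress_security_rules" {
    for_each = var.ingress_rules
    content {
      protocol = ingress_security_rules.value.protocol
      source   = ingress_security_rules.value.source

      # Emit the nested block only when the rule carries port options, so an
      # empty tcp_options {} / udp_options {} never reaches the provider.
      dynamic "tcp_options" {
        for_each = ingress_security_rules.value.tcp_options == null ? [] : [ingress_security_rules.value.tcp_options]
        content {
          min = tcp_options.value.min
          max = tcp_options.value.max
        }
      }
      dynamic "udp_options" {
        for_each = ingress_security_rules.value.udp_options == null ? [] : [ingress_security_rules.value.udp_options]
        content {
          min = udp_options.value.min
          max = udp_options.value.max
        }
      }
    }
  }
}
```

The egress side is the same shape with `destination` in place of `source`. Compared with the configuration in the report, the difference is in the variable type: `optional(object(...))` without a default yields `null` for a missing block, whereas `optional(object(...), {})` yields an object whose `min` and `max` are both null, which is exactly what produces the empty `tcp_options {}` blocks in the plan output above.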
