volterra_http_loadbalancer - DeleteResource: service_policy cannot be deleted as it is in the active service policy list for http_loadbalancer #248

Open
eissko opened this issue May 4, 2024 · 8 comments

eissko commented May 4, 2024

Terraform apply fails when there is a destroy of a service policy. The volterra provider is not able to handle the dependency. The provider doesn't know that it first needs to remove the "service policy" from the "active service policy" and then delete the "service policy".
This happens even though "active_service_policies" contains a reference to "volterra_service_policy" in its definition, as shown below:

active_service_policies {
  policies {
    name      = volterra_service_policy.service_policy_custom_rule[0].name
    namespace = var.volt_namespace_name
  }
}

@michaelbuemi

Still a problem on 0.11.33. The expected behavior is to be able to remove the policy from the active list and destroy it in the same run.

resource "volterra_active_service_policies" "_" {
  namespace = volterra_namespace._.name

  # policies {
  #   namespace = volterra_namespace._.name
  #   name      = volterra_service_policy.do_stuff.name
  # }
}

# resource "volterra_service_policy" "do_stuff" {
#    name      = "do-stuff"
#    namespace = volterra_namespace._.name
# }

@SanjeetKr7
Collaborator

@michaelbuemi Can you add depends_on = [volterra_active_service_policies_] inside the resource "volterra_service_policy" resource block? This will ensure that the volterra_active_service_policies resource is destroyed before the volterra_service_policy resource.

@michaelbuemi

@SanjeetKr7 I was hoping that would work too but it led to a circular dependency and Terraform failed to run.

@SanjeetKr7
Collaborator

@michaelbuemi could you please share terraform code (with masked credential)?

@michaelbuemi

Sure, but I'd like to clarify that we don't want the volterra_active_service_policies resource to be destroyed. It just needs to be modified before the referenced volterra_service_policy resources are deleted.

terraform {
  cloud {
    hostname     = "tfe.example.com"
    organization = "example-org"
    workspaces {
      name = "example-ws"
    }
  }
  required_providers {
    volterra = {
      source  = "volterraedge/volterra"
      version = "0.11.34"
    }
  }
}

provider "volterra" {
  url = "https://example.console.ves.volterra.io/api"
}

resource "volterra_namespace" "_" {
  name = "example"
}

resource "volterra_active_service_policies" "_" {
  namespace = volterra_namespace._.name

  policies {
    namespace = volterra_namespace._.name
    name      = volterra_service_policy.block_sources.name
  }
  policies {
    namespace = volterra_namespace._.name
    name      = volterra_service_policy.restrict_sources.name
  }
  policies {
    namespace = "shared"
    name      = "restrict-sources"
  }
}

resource "volterra_service_policy" "block_sources" {
  depends_on = [ volterra_active_service_policies._ ]
  name      = "block-sources"
  namespace = volterra_namespace._.name
  labels = {
    "foo" = "bar"
    "x"   = "y"
  }
  description = "Do stuff"
  disable     = false

  algo       = "FIRST_MATCH"
  any_server = true

  rule_list {
    ... various rules omitted ... 
  }
}

I added the depends_on as depicted above and ran a "terraform apply". This resulted in the following:

Terraform v1.7.1
on linux_amd64
Initializing plugins and modules...
2024-07-08T12:08:08.741Z [ERROR] Graph validation failed. Graph:

provider["registry.terraform.io/volterraedge/volterra"]
provider["registry.terraform.io/volterraedge/volterra"] (close)
  provider["registry.terraform.io/volterraedge/volterra"]
  volterra_active_service_policies._
  volterra_api_definition.main
  volterra_app_firewall.main
  volterra_healthcheck.primary
  volterra_http_loadbalancer.primary
  volterra_namespace._
  volterra_origin_pool.primary
  volterra_service_policy.block_sources
  volterra_service_policy.restrict_sources
root
  provider["registry.terraform.io/volterraedge/volterra"] (close)
volterra_active_service_policies._
  provider["registry.terraform.io/volterraedge/volterra"]
  volterra_namespace._
  volterra_service_policy.block_sources
  volterra_service_policy.restrict_sources
volterra_api_definition.main
  provider["registry.terraform.io/volterraedge/volterra"]
  volterra_namespace._
volterra_app_firewall.main
  provider["registry.terraform.io/volterraedge/volterra"]
  volterra_namespace._
volterra_healthcheck.primary
  provider["registry.terraform.io/volterraedge/volterra"]
  volterra_namespace._
volterra_http_loadbalancer.primary
  provider["registry.terraform.io/volterraedge/volterra"]
  volterra_app_firewall.main
  volterra_namespace._
  volterra_origin_pool.primary
volterra_namespace._
  provider["registry.terraform.io/volterraedge/volterra"]
volterra_origin_pool.primary
  provider["registry.terraform.io/volterraedge/volterra"]
  volterra_healthcheck.primary
  volterra_namespace._
volterra_service_policy.block_sources
  provider["registry.terraform.io/volterraedge/volterra"]
  volterra_active_service_policies._
  volterra_namespace._
volterra_service_policy.restrict_sources
  provider["registry.terraform.io/volterraedge/volterra"]
  volterra_namespace._
╷
│ Error: Cycle: volterra_active_service_policies._, volterra_service_policy.block_sources
│
│
╵
Operation failed: failed running terraform plan (exit 1)
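
Added example, not part of the original thread and not the provider's code: a Python parser for the graph dump format in the output above, with a depth-first search that recovers the cycle Terraform reports. `SAMPLE_DUMP` is a constructed, trimmed copy of that dump, and `parse_graph` and `find_cycle` are hypothetical helper names.

```python
# Constructed, trimmed copy of the dump above: an unindented line is a node,
# the indented lines under it are the nodes it depends on.
SAMPLE_DUMP = """\
volterra_active_service_policies._
  volterra_namespace._
  volterra_service_policy.block_sources
  volterra_service_policy.restrict_sources
volterra_namespace._
  provider["registry.terraform.io/volterraedge/volterra"]
volterra_service_policy.block_sources
  volterra_active_service_policies._
  volterra_namespace._
volterra_service_policy.restrict_sources
  volterra_namespace._
"""

def parse_graph(dump):
    """Parse the indented dump into {node: [dependencies]}."""
    graph, current = {}, None
    for line in dump.splitlines():
        name = line.strip()
        if not name:
            continue
        if line[0].isspace():            # indented: dependency of current node
            if current is None:
                raise ValueError(f"dependency before any node: {name}")
            graph[current].append(name)
        else:                            # unindented: start of a new node
            current = name
            graph.setdefault(name, [])
    return graph

def find_cycle(graph):
    """Return the first dependency cycle as a list of nodes, or None."""
    done, path = set(), []
    def visit(node):
        if node in path:                 # back edge: node is already on the stack
            return path[path.index(node):] + [node]
        if node in done:
            return None
        path.append(node)
        for dep in graph.get(node, []):
            cycle = visit(dep)
            if cycle:
                return cycle
        path.pop()
        done.add(node)
        return None
    return next((c for c in map(visit, sorted(graph)) if c), None)
```

On the sample, `find_cycle(parse_graph(SAMPLE_DUMP))` returns the loop between `volterra_active_service_policies._` and `volterra_service_policy.block_sources`: the forward edge comes from the `policies { name = ... }` reference and the reverse edge from the added `depends_on`.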

@eissko
Author

eissko commented Aug 9, 2024

Guys, depends_on is not a solution. There is an implicit dependency. The provider must handle this properly.

@pranavdharwadkar

> Guys, depends_on is not a solution. There is an implicit dependency. The provider must handle this properly.

And what is the best practice to handle this properly?

@michaelbuemi

@pranavdharwadkar The Terraform provider needs to understand the dependency between the two resource types. It should first remove the policy being deleted from any active namespace policies or load balancer policies, then delete the resource.
