digitalocean_database_firewall: provider produced an invalid new value for .rule #809

Closed
0x62 opened this issue Apr 6, 2022 · 2 comments


0x62 commented Apr 6, 2022

Bug Report

Describe the bug

Terraform throws an error when trying to create a database firewall with multiple rules:

resource "digitalocean_database_firewall" "fw" {
  depends_on = [digitalocean_vpc.app_vpc]
  cluster_id = digitalocean_database_cluster.app.id

  rule {
    type  = "ip_addr"
    value = digitalocean_vpc.app_vpc.ip_range
  }

  dynamic "rule" {
    for_each = toset(var.db_allowed_ips)

    content {
      type  = "ip_addr"
      value = each.value
    }
  }
}

Terraform error:

│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.public_api.digitalocean_database_firewall.fw to include new values
│ learned so far during apply, provider
│ "registry.terraform.io/digitalocean/digitalocean" produced an invalid new
│ value for .rule: planned set element
│ cty.ObjectVal(map[string]cty.Value{"created_at":cty.UnknownVal(cty.String),
│ "type":cty.StringVal("ip_addr"), "uuid":cty.UnknownVal(cty.String),
│ "value":cty.StringVal("10.10.10.0/20")}) does not correlate with any
│ element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

I've also tried creating multiple firewall resources for the same cluster, but this results in only the last rule being applied.

Affected Resource(s)

  • digitalocean_database_firewall

Expected Behavior

Firewall is created

Actual Behavior

Error: Provider produced inconsistent final plan

Steps to Reproduce

  1. terraform apply

Terraform Configuration Files

resource "digitalocean_vpc" "app_vpc" {
  name     = "${var.env}-vpc"
  region   = var.srv_region
  ip_range = lookup(var.vpc_ip_range, var.env)
}

# Postgres database
resource "digitalocean_database_cluster" "app" {
  name                 = "${var.env}-${var.app_slug}-postgres"
  engine               = "pg"
  version              = "12"
  size                 = "db-s-1vcpu-1gb"
  region               = var.srv_region
  private_network_uuid = digitalocean_vpc.app_vpc.id
  node_count           = 1
}

# Postgres firewall (only allow connection inside VPC)
resource "digitalocean_database_firewall" "fw" {
  cluster_id = digitalocean_database_cluster.app.id

  rule {
    type  = "ip_addr"
    value = digitalocean_vpc.app_vpc.ip_range
  }

  dynamic "rule" {
    for_each = toset(var.db_allowed_ips)

    content {
      type  = "ip_addr"
      value = each.value
    }
  }
}

0x62 added the bug label Apr 6, 2022

@andrewsomething
Member

Hi @0x62,

I haven't been able to reproduce this problem and can successfully create dynamic rules.

One thing that jumped out to me in your config is each being used as the temporary variable. By default, it should match the label for the dynamic block, in this case rule. You can also set something custom using iterator. Though this doesn't seem like it would lead to your error.

What type is the db_allowed_ips variable? Is there any other relevant info you could share?

This config works for me as expected:

variable "allowed_ips" {
  type    = list(string)
  default = ["111.111.111.111", "222.222.222.222"] // real IPs redacted
}

resource "digitalocean_vpc" "app_vpc" {
  name     = "test-vpc"
  region   = "nyc3"
}

resource "digitalocean_database_cluster" "app" {
  name                 = "test-postgres"
  engine               = "pg"
  version              = "12"
  size                 = "db-s-1vcpu-1gb"
  region               = "nyc3"
  private_network_uuid = digitalocean_vpc.app_vpc.id
  node_count           = 1
}

resource "digitalocean_database_firewall" "fw" {
  cluster_id = digitalocean_database_cluster.app.id

  rule {
    type  = "ip_addr"
    value = digitalocean_vpc.app_vpc.ip_range
  }

  dynamic "rule" {
    for_each = toset(var.allowed_ips)

    content {
      type  = "ip_addr"
      value = rule.value
    }
  }
}
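
The custom iterator mentioned in the comment above, written out as an added example that is not part of the original thread or the provider's own code. The iterator name ip and the validation block on db_allowed_ips are assumptions; the VPC and cluster are the ones from the configurations above.

```hcl
# Added example, not from the thread. "ip" is an arbitrary iterator name and
# the validation block is an assumption about what the list should contain.
variable "db_allowed_ips" {
  type    = list(string)
  default = []

  validation {
    # Append /32 to bare addresses so cidrhost() can parse every entry;
    # can() turns a parse failure into false instead of an error.
    condition = alltrue([
      for ip in var.db_allowed_ips :
      can(cidrhost(length(regexall("/", ip)) > 0 ? ip : "${ip}/32", 0))
    ])
    error_message = "Each db_allowed_ips entry must be an IP address or CIDR range."
  }
}

# The VPC and cluster are the ones defined in the configurations above.
resource "digitalocean_database_firewall" "fw" {
  cluster_id = digitalocean_database_cluster.app.id

  rule {
    type  = "ip_addr"
    value = digitalocean_vpc.app_vpc.ip_range
  }

  dynamic "rule" {
    for_each = toset(var.db_allowed_ips)
    iterator = ip # without this line the temporary variable is "rule"

    content {
      type  = "ip_addr"
      value = ip.value # each.* belongs to resource/module for_each, not dynamic blocks
    }
  }
}
```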

@andrewsomething
Member

I am going to go ahead and close this issue as there has not been any response. Feel free to reopen if you are still experiencing a problem and can provide the requested information.
