OCP variation of RAG stack is not idempotent (ACL rules managed by two different DAs) #247

@ocofaigh

Description

  1. Deploy standard (OCP) variation of RAG stack
  2. Run a plan on the OCP landing zone DA
  • Expected: No-op
  • Actual:
     2025/03/31 15:15:44 Terraform plan |   # module.roks_landing_zone.module.landing_zone.module.vpc["workload"].ibm_is_network_acl.network_acl["workload-acl"] will be updated in-place
     2025/03/31 15:15:44 Terraform plan |   ~ resource "ibm_is_network_acl" "network_acl" {
     2025/03/31 15:15:44 Terraform plan |         id                      = "r006-ccce8f72-5dcd-4e4a-bffc-8d9734b77fbb"
     2025/03/31 15:15:44 Terraform plan |         name                    = "ragc-workload-acl"
     2025/03/31 15:15:44 Terraform plan |         tags                    = [
     2025/03/31 15:15:44 Terraform plan |             "schematics:us-south.workspace.projects-service.4199ce50",
     2025/03/31 15:15:44 Terraform plan |         ]
     2025/03/31 15:15:44 Terraform plan |         # (7 unchanged attributes hidden)
     2025/03/31 15:15:44 Terraform plan | 
     2025/03/31 15:15:44 Terraform plan |       ~ rules {
     2025/03/31 15:15:44 Terraform plan |           ~ action      = "allow" -> "deny"
     2025/03/31 15:15:44 Terraform plan |           ~ destination = "10.50.10.11/32" -> "0.0.0.0/0"
     2025/03/31 15:15:44 Terraform plan |             id          = "cc461a3e-0792-483e-908d-07a734ce26b2"
     2025/03/31 15:15:44 Terraform plan |           ~ name        = "ragc-public-ingress-lba-zone2-https-req" -> "ibmflow-deny-all-inbound"
     2025/03/31 15:15:44 Terraform plan |             # (4 unchanged attributes hidden)
     2025/03/31 15:15:44 Terraform plan | 
     2025/03/31 15:15:44 Terraform plan |           - tcp {
     2025/03/31 15:15:44 Terraform plan |               - port_max        = 443 -> null
     2025/03/31 15:15:44 Terraform plan |               - port_min        = 443 -> null
     2025/03/31 15:15:44 Terraform plan |               - source_port_max = 65535 -> null
     2025/03/31 15:15:44 Terraform plan |               - source_port_min = 1024 -> null
     2025/03/31 15:15:44 Terraform plan |             }
     2025/03/31 15:15:44 Terraform plan |         }
     2025/03/31 15:15:44 Terraform plan |       ~ rules {
     2025/03/31 15:15:44 Terraform plan |           ~ action      = "allow" -> "deny"
     2025/03/31 15:15:44 Terraform plan |             id          = "73cca000-1330-4b5e-b972-f4140f19cc39"
     2025/03/31 15:15:44 Terraform plan |           ~ name        = "ragc-public-ingress-lba-zone2-https-resp" -> "ibmflow-deny-all-outbound"
     2025/03/31 15:15:44 Terraform plan |           ~ source      = "10.50.10.11/32" -> "0.0.0.0/0"
     2025/03/31 15:15:44 Terraform plan |             # (4 unchanged attributes hidden)
     2025/03/31 15:15:44 Terraform plan | 
     2025/03/31 15:15:44 Terraform plan |           - tcp {
     2025/03/31 15:15:44 Terraform plan |               - port_max        = 65535 -> null
     2025/03/31 15:15:44 Terraform plan |               - port_min        = 1024 -> null
     2025/03/31 15:15:44 Terraform plan |               - source_port_max = 443 -> null
     2025/03/31 15:15:44 Terraform plan |               - source_port_min = 443 -> null
     2025/03/31 15:15:44 Terraform plan |             }
     2025/03/31 15:15:44 Terraform plan |         }
     2025/03/31 15:15:44 Terraform plan |       - rules {
     2025/03/31 15:15:44 Terraform plan |           - action      = "allow" -> null
     2025/03/31 15:15:44 Terraform plan |           - destination = "10.40.10.11/32" -> null
     2025/03/31 15:15:44 Terraform plan |           - direction   = "inbound" -> null
     2025/03/31 15:15:44 Terraform plan |           - id          = "8d848005-e6f7-4dfc-b56d-d85606a03210" -> null
     2025/03/31 15:15:44 Terraform plan |           - ip_version  = "ipv4" -> null
     2025/03/31 15:15:44 Terraform plan |           - name        = "ragc-public-ingress-lba-zone1-https-req" -> null
     2025/03/31 15:15:44 Terraform plan |           - source      = "0.0.0.0/0" -> null
     2025/03/31 15:15:44 Terraform plan |           - subnets     = 6 -> null
     2025/03/31 15:15:44 Terraform plan | 
     2025/03/31 15:15:44 Terraform plan |           - tcp {
     2025/03/31 15:15:44 Terraform plan |               - port_max        = 443 -> null
     2025/03/31 15:15:44 Terraform plan |               - port_min        = 443 -> null
     2025/03/31 15:15:44 Terraform plan |               - source_port_max = 65535 -> null
     2025/03/31 15:15:44 Terraform plan |               - source_port_min = 1024 -> null
     2025/03/31 15:15:44 Terraform plan |             }
     2025/03/31 15:15:44 Terraform plan |         }
     2025/03/31 15:15:44 Terraform plan |       - rules {
     2025/03/31 15:15:44 Terraform plan |           - action      = "allow" -> null
     2025/03/31 15:15:44 Terraform plan |           - destination = "0.0.0.0/0" -> null
     2025/03/31 15:15:44 Terraform plan |           - direction   = "outbound" -> null
     2025/03/31 15:15:44 Terraform plan |           - id          = "8e994c86-73de-4ea1-9b36-372633955f4d" -> null
     2025/03/31 15:15:44 Terraform plan |           - ip_version  = "ipv4" -> null
     2025/03/31 15:15:44 Terraform plan |           - name        = "ragc-public-ingress-lba-zone1-https-resp" -> null
     2025/03/31 15:15:44 Terraform plan |           - source      = "10.40.10.11/32" -> null
     2025/03/31 15:15:44 Terraform plan |           - subnets     = 6 -> null
     2025/03/31 15:15:44 Terraform plan | 
     2025/03/31 15:15:44 Terraform plan |           - tcp {
     2025/03/31 15:15:44 Terraform plan |               - port_max        = 65535 -> null
     2025/03/31 15:15:44 Terraform plan |               - port_min        = 1024 -> null
     2025/03/31 15:15:44 Terraform plan |               - source_port_max = 443 -> null
     2025/03/31 15:15:44 Terraform plan |               - source_port_min = 443 -> null
     2025/03/31 15:15:44 Terraform plan |             }
     2025/03/31 15:15:44 Terraform plan |         }
     2025/03/31 15:15:44 Terraform plan |       - rules {
     2025/03/31 15:15:44 Terraform plan |           - action      = "deny" -> null
     2025/03/31 15:15:44 Terraform plan |           - destination = "0.0.0.0/0" -> null
     2025/03/31 15:15:44 Terraform plan |           - direction   = "inbound" -> null
     2025/03/31 15:15:44 Terraform plan |           - id          = "0b08a555-43ea-44a8-b3a6-bdb90b8b0629" -> null
     2025/03/31 15:15:44 Terraform plan |           - ip_version  = "ipv4" -> null
     2025/03/31 15:15:44 Terraform plan |           - name        = "ibmflow-deny-all-inbound" -> null
     2025/03/31 15:15:44 Terraform plan |           - source      = "0.0.0.0/0" -> null
     2025/03/31 15:15:44 Terraform plan |           - subnets     = 6 -> null
     2025/03/31 15:15:44 Terraform plan |         }
     2025/03/31 15:15:44 Terraform plan |       - rules {
     2025/03/31 15:15:44 Terraform plan |           - action      = "deny" -> null
     2025/03/31 15:15:44 Terraform plan |           - destination = "0.0.0.0/0" -> null
     2025/03/31 15:15:44 Terraform plan |           - direction   = "outbound" -> null
     2025/03/31 15:15:44 Terraform plan |           - id          = "7facf80c-0847-4c42-aee8-ac032df89291" -> null
     2025/03/31 15:15:44 Terraform plan |           - ip_version  = "ipv4" -> null
     2025/03/31 15:15:44 Terraform plan |           - name        = "ibmflow-deny-all-outbound" -> null
     2025/03/31 15:15:44 Terraform plan |           - source      = "0.0.0.0/0" -> null
     2025/03/31 15:15:44 Terraform plan |           - subnets     = 6 -> null
     2025/03/31 15:15:44 Terraform plan |         }
     2025/03/31 15:15:44 Terraform plan | 
     2025/03/31 15:15:44 Terraform plan |         # (16 unchanged blocks hidden)
     2025/03/31 15:15:44 Terraform plan |     }

This is probably caused by both the landing zone DA and the RAG sample app DA updating the same ACL. Is there anything we can do here? It is tricky because the load balancer has to exist before we can create the rules for it.
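Added example, not code from the issue or from either DA: a plan check that reads `terraform show -json` output, finds `ibm_is_network_acl` resources updated in place, and reports inline rules owned by another stack that the plan would remove or rewrite. It compares rules by name rather than by position, because Terraform's plan diff pairs list entries positionally, which is why a foreign rule shows up above as `~ name = "ragc-..." -> "ibmflow-deny-all-inbound"`. The `ibmflow-` ownership prefix, the resource address and all ids and CIDRs in the sample are assumptions modelled on the plan in the issue.

```python
"""Flag ACL rules owned by another Terraform stack that this plan would clobber."""
import json
import sys

# Assumed: the landing zone DA names the rules it owns with this prefix.
OWN_PREFIX = "ibmflow-"
# Fields that define what a rule does. "id" is deliberately excluded: a
# positional rewrite hands an old id to a different rule, which is not drift.
SEMANTIC = ("action", "direction", "source", "destination", "tcp", "udp", "icmp")


def _by_name(rules):
    """Index a rule list by name, keeping only the semantic fields."""
    return {r["name"]: {k: r.get(k) for k in SEMANTIC} for r in (rules or [])}


def clobbered_rules(plan, own_prefix=OWN_PREFIX):
    """Return (address, rule name, 'removed'|'rewritten') for each foreign rule the plan changes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "ibm_is_network_acl" or "update" not in rc["change"]["actions"]:
            continue
        before = _by_name(rc["change"]["before"].get("rules"))
        after = _by_name(rc["change"]["after"].get("rules"))
        for name, rule in before.items():
            if name.startswith(own_prefix):
                continue  # our own rule; changing it is this stack's business
            if name not in after:
                findings.append((rc["address"], name, "removed"))
            elif after[name] != rule:
                findings.append((rc["address"], name, "rewritten"))
    return findings


# Constructed sample plan JSON (as a dict) modelled on the issue; ids are placeholders.
SAMPLE_PLAN = {"resource_changes": [{
    "address": 'module.landing_zone.ibm_is_network_acl.network_acl["workload-acl"]',
    "type": "ibm_is_network_acl",
    "change": {"actions": ["update"],
        "before": {"rules": [
            {"id": "r1", "name": "ragc-public-ingress-lba-zone2-https-req", "action": "allow",
             "direction": "inbound", "source": "0.0.0.0/0", "destination": "10.50.10.11/32",
             "tcp": [{"port_min": 443, "port_max": 443}], "udp": [], "icmp": []},
            {"id": "r2", "name": "ibmflow-deny-all-inbound", "action": "deny", "direction": "inbound",
             "source": "0.0.0.0/0", "destination": "0.0.0.0/0", "tcp": [], "udp": [], "icmp": []}]},
        "after": {"rules": [
            {"id": "r1", "name": "ibmflow-deny-all-inbound", "action": "deny", "direction": "inbound",
             "source": "0.0.0.0/0", "destination": "0.0.0.0/0", "tcp": [], "udp": [], "icmp": []}]}}}]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, name, change in clobbered_rules(plan):
        print(f"{address}: foreign rule {name!r} would be {change}")
    sys.exit(1 if clobbered_rules(plan) else 0)
```

Run as `terraform show -json tfplan > plan.json && python check_acl.py plan.json` in the landing zone pipeline; a non-zero exit means the apply would undo rules the other DA created.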
