Summary
The iosxe_prefix_list resource does not refresh the state accurately when there have been out-of-band changes to the prefix-list which create new sequence numbers.
Current State
Consider code such as this:
resource "iosxe_prefix_list" "example" {
  prefixes = [
    {
      name   = "example.pl"
      seq    = 10
      action = "permit"
      ip     = "10.0.0.0/8"
      le     = 32
    },
    {
      name   = "example.pl"
      seq    = 20
      action = "permit"
      ip     = "172.16.0.0/12"
      le     = 32
    }
  ]
}
If the deployed prefix-list is extended on CLI, this will not be reflected in the state accordingly.
c8kv_1#show run | i example.pl
ip prefix-list example.pl seq 10 permit 10.0.0.0/8 le 32
ip prefix-list example.pl seq 20 permit 172.16.0.0/12 le 32
c8kv_1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
c8kv_1(config)#ip prefix-list example.pl seq 30 permit 192.168.0.0/16 le 32
c8kv_1(config)#end
c8kv_1#show run | i example.pl
ip prefix-list example.pl seq 10 permit 10.0.0.0/8 le 32
ip prefix-list example.pl seq 20 permit 172.16.0.0/12 le 32
ip prefix-list example.pl seq 30 permit 192.168.0.0/16 le 32
c8kv_1#
The NETCONF RPC does return the prefix list in its entirety of course, but this isn't reflected in the state. I would have expected sequence number 30 to be removed upon a subsequent apply after the out-of-band change:
$ TF_LOG=debug ../terraform apply
...
iosxe_prefix_list.example: Refreshing state... [id=Cisco-IOS-XE-native:native/ip/prefix-lists]
2026-04-24T06:46:31.065Z [DEBUG] provider.terraform-provider-iosxe_v0.16.0: Cisco-IOS-XE-native:native/ip/prefix-lists: Beginning Read: tf_provider_addr=registry.terraform.io/CiscoDevNet/iosxe tf_rpc=ReadResource @caller=github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider/resource_iosxe_prefix_list.go:272 @module=iosxe tf_req_id=370b6f13-d589-a999-2c73-656a1fa7cd69 tf_resource_type=iosxe_prefix_list timestamp=2026-04-24T06:46:31.065Z
2026-04-24T06:46:31.479Z [DEBUG] provider.terraform-provider-iosxe_v0.16.0: NETCONF RPC request: @caller=github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider/helpers/tflog_adapter.go:108 operation=get-config sessionID=29 @module=iosxe.netconf device=10.84.133.247 target=running timestamp=2026-04-24T06:46:31.479Z
2026-04-24T06:46:31.479Z [DEBUG] provider.terraform-provider-iosxe_v0.16.0: NETCONF RPC request XML: @module=iosxe.netconf device=10.84.133.247 operation=get-config
xml=
|
| /native/ip/prefix-lists
@caller=github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider/helpers/tflog_adapter.go:108 timestamp=2026-04-24T06:46:31.479Z
2026-04-24T06:46:31.492Z [DEBUG] provider.terraform-provider-iosxe_v0.16.0: NETCONF RPC response XML: @caller=github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider/helpers/tflog_adapter.go:108 @module=iosxe.netconf device=10.84.133.247 operation=get-config
xml=
|
| <data>
|   <native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
|     <ip>
|       <prefix-lists>
|         <prefixes>
|           <name>example.pl</name>
|           <no>10</no>
|           <action>permit</action>
|           <ip>10.0.0.0/8</ip>
|           <le>32</le>
|         </prefixes>
|         <prefixes>
|           <name>example.pl</name>
|           <no>20</no>
|           <action>permit</action>
|           <ip>172.16.0.0/12</ip>
|           <le>32</le>
|         </prefixes>
|         <prefixes>
|           <name>example.pl</name>
|           <no>30</no>
|           <action>permit</action>
|           <ip>192.168.0.0/16</ip>
|           <le>32</le>
|         </prefixes>
|       </prefix-lists>
|     </ip>
|   </native>
| </data>
timestamp=2026-04-24T06:46:31.492Z
2026-04-24T06:46:31.492Z [DEBUG] provider.terraform-provider-iosxe_v0.16.0: NETCONF RPC response: device=10.84.133.247 messageID="" ok=false @module=iosxe.netconf errorCount=0 operation=get-config @caller=github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider/helpers/tflog_adapter.go:108 timestamp=2026-04-24T06:46:31.492Z
...
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
I assume that this is due to the fact that the provider identifies the resource (prefix-lists, potentially others as well) specifically based on name and sequence number, hence it does not consider sequence numbers that have not been part of the state.
Desired State
Ideally, the resource would refresh the state for all prefix-list entries for a particular name so that in such a scenario as described, it would be able to match the state with the device's configuration.
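
An added sketch, not part of the original issue and not the provider's own code, contrasting the two refresh strategies discussed above in Go. The function names, the `byName` switch and the compacted reply are constructed for illustration, and the key-based branch models the behaviour the issue assumes rather than confirmed provider logic.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Entry mirrors one <prefixes> element of the get-config reply (le omitted).
type Entry struct {
	Name   string `xml:"name"`
	Seq    int    `xml:"no"`
	Action string `xml:"action"`
	IP     string `xml:"ip"`
}

// Constructed sample: the reply from the debug log above, compacted.
const sampleReply = `<data><native xmlns="http://cisco.com/ns/yang/Cisco-IOS-XE-native"><ip><prefix-lists>
<prefixes><name>example.pl</name><no>10</no><action>permit</action><ip>10.0.0.0/8</ip><le>32</le></prefixes>
<prefixes><name>example.pl</name><no>20</no><action>permit</action><ip>172.16.0.0/12</ip><le>32</le></prefixes>
<prefixes><name>example.pl</name><no>30</no><action>permit</action><ip>192.168.0.0/16</ip><le>32</le></prefixes></prefix-lists></ip></native></data>`

// parseReply extracts every prefix-list entry from a get-config reply.
func parseReply(doc string) ([]Entry, error) {
	var r struct {
		Entries []Entry `xml:"native>ip>prefix-lists>prefixes"`
	}
	err := xml.Unmarshal([]byte(doc), &r)
	return r.Entries, err
}

// refresh keeps device entries whose (name, seq) is in state; with byName, all entries of managed names.
func refresh(device, state []Entry, byName bool) []Entry {
	id := func(e Entry) string { return fmt.Sprintf("%s#%d", e.Name, e.Seq) }
	keys, names := map[string]bool{}, map[string]bool{}
	for _, e := range state {
		keys[id(e)], names[e.Name] = true, true
	}
	var out []Entry
	for _, e := range device {
		if keys[id(e)] || (byName && names[e.Name]) {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	device, _ := parseReply(sampleReply)
	fmt.Println(refresh(device, device[:2], false), refresh(device, device[:2], true))
}
```

With the key-based filter the refreshed state equals the declared two entries, so the plan is empty; with the name-based filter seq 30 enters state and a plan against the two-entry configuration would show it for removal.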