resource(oxide_instance): fix inconsistent result after apply (#460)

sudomateo · web-flow · commit 7af9fa6dca7d · 2025-07-09T11:16:55.000-04:00
Updated the `oxide_instance` resource to fix the issue documented in #459 where the provider would produce an inconsistent result after apply. The changes here do the following. 1. Use the ephemeral external IP pool ID from the plan since the upstream Oxide API does not provide that. 1. Use the `.IpPoolId` field for floating external IPs rather than the incorrect `.Id` field. Creating an acceptance test for this proved to be difficult since it required either using an existing IP pool for the external IP or creating and linking an IP pool on the fly. I opted to assume an IP pool named `default` exists in the silo and allowing the user to override that IP pool name via the `OXIDE_TEST_IP_POOL_NAME` environment variable. ``` > TEST_ACC_NAME=TestAccCloudResourceInstance_extIPs OXIDE_TEST_IP_POOL_NAME=private make testacc -> Running terraform acceptance tests === RUN TestAccCloudResourceInstance_extIPs === PAUSE TestAccCloudResourceInstance_extIPs === CONT TestAccCloudResourceInstance_extIPs --- PASS: TestAccCloudResourceInstance_extIPs (59.90s) PASS ok github.com/oxidecomputer/terraform-provider-oxide/internal/provider 59.912s ```
diff --git a/.changelog/0.12.0.toml b/.changelog/0.12.0.toml
@@ -11,5 +11,5 @@ title = ""
 description = ""
 
 [[bugs]]
-title = ""
-description = ""
+title = "`oxide_instance`"
+description = "Fixed the `inconsistent result after apply` error when applying a subsequent plan where the `external_ips` attribute contained an ephemeral IP with a non-empty ID. [#460](https://github.com/oxidecomputer/terraform-provider-oxide/pull/460)"
diff --git a/.github/workflows/acceptance.yml b/.github/workflows/acceptance.yml
@@ -18,4 +18,5 @@ jobs:
         env:
           OXIDE_TOKEN: ${{ secrets.COLO_OXIDE_TOKEN }}
           OXIDE_HOST: ${{ secrets.COLO_OXIDE_HOST }}
-          TEST_ACC_NAME: TestAccCloud
+          OXIDE_TEST_IP_POOL_NAME: private
+          TEST_ACC_NAME: TestAccCloud
diff --git a/internal/provider/resource_instance.go b/internal/provider/resource_instance.go
@@ -527,7 +527,7 @@ func (r *instanceResource) Read(ctx context.Context, req resource.ReadRequest, r
 	state.TimeCreated = types.StringValue(instance.TimeCreated.String())
 	state.TimeModified = types.StringValue(instance.TimeModified.String())
 
-	externalIPs, diags := newAttachedExternalIPModel(ctx, r.client, state.ID.ValueString())
+	externalIPs, diags := newAttachedExternalIPModel(ctx, r.client, state)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
@@ -774,7 +774,9 @@ func (r *instanceResource) Update(ctx context.Context, req resource.UpdateReques
 	plan.TimeCreated = types.StringValue(instance.TimeCreated.String())
 	plan.TimeModified = types.StringValue(instance.TimeModified.String())
 
-	externalIPs, diags := newAttachedExternalIPModel(ctx, r.client, state.ID.ValueString())
+	// We use the plan here instead of the state to capture the desired IP pool ID
+	// value for the ephemeral external IP rather than the previous value.
+	externalIPs, diags := newAttachedExternalIPModel(ctx, r.client, plan)
 	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
@@ -1075,13 +1077,32 @@ func newAttachedNetworkInterfacesModel(ctx context.Context, client *oxide.Client
 	return nicSet, nil
 }
 
-func newAttachedExternalIPModel(ctx context.Context, client *oxide.Client, instanceID string) (
+// newAttachedExternalIPModel fetches the external IP addresses for the instance
+// specified by model, keeping the IP pool ID from the ephemeral external IP
+// from the model if one is present.
+func newAttachedExternalIPModel(ctx context.Context, client *oxide.Client, model instanceResourceModel) (
 	[]instanceResourceExternalIPModel, diag.Diagnostics) {
 	var diags diag.Diagnostics
 	externalIPs := make([]instanceResourceExternalIPModel, 0)
 
+	// The [oxide.Client.InstanceExternalIpList] method does not return the IP pool
+	// ID for ephemeral external IPs. See https://github.com/oxidecomputer/omicron/issues/6825.
+	//
+	// Pull the IP pool ID out of the model to populate the external IP model that
+	// we're building to prevent erroneous Terraform diffs (e.g., state contains
+	// IP pool ID and refresh doesn't). It's safe to stop at the first ephemeral
+	// external IP encountered since the configuration enforces at most one
+	// ephemeral external IP.
+	ephemeralIPPoolID := ""
+	for _, externalIP := range model.ExternalIPs {
+		if externalIP.Type.ValueString() == string(oxide.ExternalIpCreateTypeEphemeral) {
+			ephemeralIPPoolID = externalIP.ID.ValueString()
+			break
+		}
+	}
+
 	externalIPResponse, err := client.InstanceExternalIpList(ctx, oxide.InstanceExternalIpListParams{
-		Instance: oxide.NameOrId(instanceID),
+		Instance: oxide.NameOrId(model.ID.ValueString()),
 	})
 	if err != nil {
 		diags.AddError(
@@ -1092,10 +1113,23 @@ func newAttachedExternalIPModel(ctx context.Context, client *oxide.Client, insta
 	}
 
 	for _, externalIP := range externalIPResponse.Items {
-		externalIPs = append(externalIPs, instanceResourceExternalIPModel{
-			ID:   types.StringValue(externalIP.Id),
-			Type: types.StringValue(string(externalIP.Kind)),
-		})
+		switch externalIP.Kind {
+		case oxide.ExternalIpKindEphemeral:
+			externalIPs = append(externalIPs, instanceResourceExternalIPModel{
+				ID:   types.StringValue(ephemeralIPPoolID),
+				Type: types.StringValue(string(externalIP.Kind)),
+			})
+		case oxide.ExternalIpKindFloating:
+			externalIPs = append(externalIPs, instanceResourceExternalIPModel{
+				ID:   types.StringValue(externalIP.IpPoolId),
+				Type: types.StringValue(string(externalIP.Kind)),
+			})
+		default:
+			diags.AddError(
+				"Invalid external IP kind:",
+				fmt.Sprintf("Encountered unexpected external IP kind: %s", externalIP.Kind),
+			)
+		}
 	}
 
 	return externalIPs, nil
diff --git a/internal/provider/resource_instance_test.go b/internal/provider/resource_instance_test.go
@@ -7,6 +7,7 @@ package provider
 import (
 	"context"
 	"fmt"
+	"os"
 	"reflect"
 	"testing"
 	"time"
@@ -196,18 +197,32 @@ resource "oxide_instance" "{{.BlockName}}" {
 	})
 }
 
+// TestAccCloudResourceInstance_extIPs tests whether Terraform can create
+// `oxide_instance` resources with the `external_ips` attribute populated. It
+// assumes an IP pool named `default` already exists in the silo the test is
+// running against. The `OXIDE_TEST_IP_POOL_NAME` environment variable can be
+// used to override the IP pool if necessary.
+//
+// This test is also meant to catch regressions of the following issue.
+// https://github.com/oxidecomputer/terraform-provider-oxide/issues/459.
 func TestAccCloudResourceInstance_extIPs(t *testing.T) {
 	type resourceInstanceConfig struct {
 		BlockName        string
 		InstanceName     string
 		SupportBlockName string
+		IPPoolBlockName  string
+		IPPoolName       string
 	}
 
 	resourceInstanceExternalIPConfigTpl := `
 data "oxide_project" "{{.SupportBlockName}}" {
 	name = "tf-acc-test"
 }
 
+data "oxide_ip_pool" "{{.IPPoolBlockName}}" {
+	name = "{{.IPPoolName}}"
+}
+
 resource "oxide_instance" "{{.BlockName}}" {
   project_id      = data.oxide_project.{{.SupportBlockName}}.id
   description     = "a test instance"
@@ -219,12 +234,13 @@ resource "oxide_instance" "{{.BlockName}}" {
   external_ips = [
 	{
 	  type = "ephemeral"
+	  id   = data.oxide_ip_pool.{{.IPPoolBlockName}}.id
 	}
   ]
 }
 `
 
-	resourceInstanceExternalIPConfigUpdateTpl := `
+	resourceInstanceExternalIPConfigUpdate1Tpl := `
 data "oxide_project" "{{.SupportBlockName}}" {
 	name = "tf-acc-test"
 }
@@ -237,56 +253,105 @@ resource "oxide_instance" "{{.BlockName}}" {
   memory          = 1073741824
   ncpus           = 1
   start_on_create = false
+  external_ips = [
+	{
+	  type = "ephemeral"
+	}
+  ]
 }
 `
 
+	resourceInstanceExternalIPConfigUpdate2Tpl := `
+data "oxide_project" "{{.SupportBlockName}}" {
+	name = "tf-acc-test"
+}
+
+resource "oxide_instance" "{{.BlockName}}" {
+  project_id      = data.oxide_project.{{.SupportBlockName}}.id
+  description     = "a test instance"
+  name            = "{{.InstanceName}}"
+  host_name       = "terraform-acc-myhost"
+  memory          = 1073741824
+  ncpus           = 1
+  start_on_create = false
+}
+`
+
+	// Some test environments may not have an IP pool named `default`. This allows a
+	// user to override the IP pool name used for this test.
+	ipPoolName, ok := os.LookupEnv("OXIDE_TEST_IP_POOL_NAME")
+	if !ok || ipPoolName == "" {
+		ipPoolName = "default"
+	}
+
 	instanceName := newResourceName()
 	blockName := newBlockName("instance")
 	supportBlockName := newBlockName("support")
+	ipPoolBlockName := newBlockName("ip-pool")
 	resourceName := fmt.Sprintf("oxide_instance.%s", blockName)
 	initialConfig, err := parsedAccConfig(
 		resourceInstanceConfig{
 			BlockName:        blockName,
 			InstanceName:     instanceName,
 			SupportBlockName: supportBlockName,
+			IPPoolBlockName:  ipPoolBlockName,
+			IPPoolName:       ipPoolName,
 		},
 		resourceInstanceExternalIPConfigTpl,
 	)
 	if err != nil {
 		t.Errorf("error parsing initial config template data: %e", err)
 	}
 
-	updateConfig, err := parsedAccConfig(
+	updateConfig1, err := parsedAccConfig(
+		resourceInstanceConfig{
+			BlockName:        blockName,
+			InstanceName:     instanceName,
+			SupportBlockName: supportBlockName,
+		},
+		resourceInstanceExternalIPConfigUpdate1Tpl,
+	)
+	if err != nil {
+		t.Errorf("error parsing first update config template data: %e", err)
+	}
+
+	updateConfig2, err := parsedAccConfig(
 		resourceInstanceConfig{
 			BlockName:        blockName,
 			InstanceName:     instanceName,
 			SupportBlockName: supportBlockName,
 		},
-		resourceInstanceExternalIPConfigUpdateTpl,
+		resourceInstanceExternalIPConfigUpdate2Tpl,
 	)
 	if err != nil {
-		t.Errorf("error parsing update config template data: %e", err)
+		t.Errorf("error parsing second update config template data: %e", err)
 	}
 
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck:                 func() { testAccPreCheck(t) },
 		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories(),
 		CheckDestroy:             testAccInstanceDestroy,
 		Steps: []resource.TestStep{
+			// Ephemeral external IP with specified IP pool ID.
 			{
 				Config: initialConfig,
 				Check:  checkResourceInstanceIP(resourceName, instanceName),
 			},
-			// Detach the external IP.
+			// Ephemeral external IP with default silo IP pool ID.
 			{
-				Config: updateConfig,
-				Check:  checkResourceInstanceIPUpdate(resourceName, instanceName),
+				Config: updateConfig1,
+				Check:  checkResourceInstanceIPUpdate1(resourceName, instanceName),
 			},
-			// Attach an external IP.
+			// Ephemeral external IP with specified IP pool ID.
 			{
 				Config: initialConfig,
 				Check:  checkResourceInstanceIP(resourceName, instanceName),
 			},
+			// Detach all external IPs.
+			{
+				Config: updateConfig2,
+				Check:  checkResourceInstanceIPUpdate2(resourceName, instanceName),
+			},
 			{
 				ResourceName:      resourceName,
 				ImportState:       true,
@@ -1007,14 +1072,32 @@ func checkResourceInstanceIP(resourceName, instanceName string) resource.TestChe
 		resource.TestCheckResourceAttr(resourceName, "memory", "1073741824"),
 		resource.TestCheckResourceAttr(resourceName, "ncpus", "1"),
 		resource.TestCheckResourceAttr(resourceName, "external_ips.0.type", "ephemeral"),
+		resource.TestCheckResourceAttrSet(resourceName, "external_ips.0.id"),
 		resource.TestCheckResourceAttr(resourceName, "start_on_create", "false"),
 		resource.TestCheckResourceAttrSet(resourceName, "project_id"),
 		resource.TestCheckResourceAttrSet(resourceName, "time_created"),
 		resource.TestCheckResourceAttrSet(resourceName, "time_modified"),
 	}...)
 }
 
-func checkResourceInstanceIPUpdate(resourceName, instanceName string) resource.TestCheckFunc {
+func checkResourceInstanceIPUpdate1(resourceName, instanceName string) resource.TestCheckFunc {
+	return resource.ComposeAggregateTestCheckFunc([]resource.TestCheckFunc{
+		resource.TestCheckResourceAttrSet(resourceName, "id"),
+		resource.TestCheckResourceAttr(resourceName, "description", "a test instance"),
+		resource.TestCheckResourceAttr(resourceName, "name", instanceName),
+		resource.TestCheckResourceAttr(resourceName, "host_name", "terraform-acc-myhost"),
+		resource.TestCheckResourceAttr(resourceName, "memory", "1073741824"),
+		resource.TestCheckResourceAttr(resourceName, "ncpus", "1"),
+		resource.TestCheckResourceAttr(resourceName, "start_on_create", "false"),
+		resource.TestCheckResourceAttrSet(resourceName, "project_id"),
+		resource.TestCheckResourceAttrSet(resourceName, "time_created"),
+		resource.TestCheckResourceAttrSet(resourceName, "time_modified"),
+		resource.TestCheckResourceAttr(resourceName, "external_ips.0.type", "ephemeral"),
+		resource.TestCheckResourceAttr(resourceName, "external_ips.0.id", ""),
+	}...)
+}
+
+func checkResourceInstanceIPUpdate2(resourceName, instanceName string) resource.TestCheckFunc {
 	return resource.ComposeAggregateTestCheckFunc([]resource.TestCheckFunc{
 		resource.TestCheckResourceAttrSet(resourceName, "id"),
 		resource.TestCheckResourceAttr(resourceName, "description", "a test instance"),
