Grafana Access Policies -> Conditions Allowed_subnet Conditional?
Introduction
In this article, we will explore the behavior of the conditions block in the grafana_cloud_access_policy resource, specifically the allowed_subnets condition. We will discuss the expected behavior, the actual behavior, and provide steps to reproduce the issue.
Background
The grafana_cloud_access_policy resource was introduced in version 3.21.0 of the Terraform Grafana provider. This resource allows users to manage access policies for their Grafana Cloud instance. The conditions block is an optional block that can be used to specify conditions for the access policy.
Terraform Configuration Files
We have a Grafana Module that uses the grafana_cloud_access_policy resource. The module is configured to create an access policy for each Azure region. The conditions block is not specified in the module.
resource "grafana_cloud_access_policy" "az_ingst" {
  for_each = local.has_azure_labels ? local.az_cloud_access_policies : {}
  provider = grafana.azure

  name         = each.value.name
  display_name = each.value.display_name
  region       = var.stack_azure.region
  scopes       = each.value.scopes

  realm {
    identifier = var.stack_azure.cap_identifier
    type       = var.stack_azure.cap_type

    dynamic "label_policy" {
      for_each = each.value.labels
      content {
        selector = format("{%s=\"%s\"}", label_policy.value.key, label_policy.value.value)
      }
    }
  }
}
Expected Behavior
We expect that the conditions block will be optional and will not cause a state drift when not specified.
Actual Behavior
However, when using this module with Terragrunt, we experience a permanent state drift. The conditions block is set to null, and the allowed_subnets attribute is also set to null.
10:13:37.477 STDOUT terraform: # grafana_cloud_access_policy.gcp_ingst["write"] will be updated in-place
10:13:37.477 STDOUT terraform: ~ resource "grafana_cloud_access_policy" "gcp_ingst" {
10:13:37.477 STDOUT terraform: id = "eu:REDACTED"
10:13:37.477 STDOUT terraform: name = "REDACTEDt"
10:13:37.477 STDOUT terraform: # (6 unchanged attributes hidden)
10:13:37.477 STDOUT terraform: - conditions {
10:13:37.477 STDOUT terraform: - allowed_subnets = [] -> null
10:13:37.477 STDOUT terraform: }
10:13:37.477 STDOUT terraform: # (1 unchanged block hidden)
10:13:37.477 STDOUT terraform: }
10:13:37.477 STDOUT terraform: Plan: 0 to add, 2 to change, 0 to destroy
Steps to Reproduce
To reproduce this issue, follow these steps:
- Create a new Terraform configuration file using the Grafana Module.
- Run terraform init to initialize the Terraform working directory.
- Run terraform apply to apply the configuration.
- Observe the output and note the state drift.
Conclusion
In conclusion, the conditions block in the grafana_cloud_access_policy resource is not behaving as expected. When not specified, the allowed_subnets attribute is set to null, causing a state drift. This issue can be reproduced by following the steps outlined above.
Recommendations
To resolve this issue, we recommend the following:
- Specify the conditions block in the Terraform configuration file.
- Set the allowed_subnets attribute to an empty list or a specific value.
- Run terraform apply to apply the updated configuration.
Q&A
Q: What is the expected behavior of the conditions block in the grafana_cloud_access_policy resource?
A: The conditions block is expected to be optional, and not specifying it should not cause a state drift.
Q: What is the actual behavior of the conditions block in the grafana_cloud_access_policy resource?
A: When the block is not specified, the conditions block is set to null, and the allowed_subnets attribute is also set to null, causing a state drift.
Q: Why is the allowed_subnets attribute being set to null?
A: The allowed_subnets attribute is being set to null because the Grafana Cloud instance is overriding the default behavior and setting it to null when not specified.
Q: How can I resolve this issue?
A: Specify the conditions block in the Terraform configuration file and set the allowed_subnets attribute to an empty list or a specific value.
Q: What are the benefits of specifying the conditions block?
A: Specifying the conditions block lets you control the allowed_subnets attribute and avoid the state drift caused by the Grafana Cloud instance overriding the default behavior.
Q: Can I use the conditions block to specify multiple allowed subnets?
A: Yes. The allowed_subnets attribute is a list, so you can put several subnets in it.
Q: How do I specify multiple allowed subnets in the conditions block?
A: List each subnet in the allowed_subnets attribute, like this:
conditions {
  allowed_subnets = ["subnet1", "subnet2", "subnet3"]
}
Q: Can I use the conditions block to specify a specific allowed subnet?
A: Yes. Give the allowed_subnets attribute a one-element list containing the desired subnet value.
Q: How do I specify a specific allowed subnet in the conditions block?
A: Set the allowed_subnets attribute to a one-element list with the desired subnet value, like this:
conditions {
  allowed_subnets = ["subnet1"]
}
Q: What are the best practices for using the conditions block?
A: The best practices for using the conditions block are:
- Always specify the conditions block when creating a grafana_cloud_access_policy resource.
- Set the allowed_subnets attribute to an empty list or a specific value.
- Use the conditions block to specify multiple allowed subnets or a specific allowed subnet.
- Avoid using the conditions block to specify a null value for the allowed_subnets attribute.
By following these best practices, you can ensure that your Grafana Cloud access policies are configured correctly and avoid the state drift caused by the Grafana Cloud instance overriding the default behavior.
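The following is an added example, not the module code from the article, showing the Recommendations and the best practices above applied to the az_ingst resource: the conditions block is always declared, its allowed_subnets value comes from a variable that defaults to an empty list, and a validation rule rejects entries that are not CIDR blocks so a typo cannot silently widen or break the source-network restriction. The variable name allowed_subnets and its use for every policy (rather than a per-policy value from each.value) are assumptions.

```hcl
# Added example (not the article's module code). The variable name and the
# decision to apply one subnet list to every policy are assumptions.
variable "allowed_subnets" {
  description = "Source CIDR blocks allowed to use this policy's tokens; an empty list means no subnet restriction"
  type        = list(string)
  default     = []

  validation {
    # cidrhost() fails on anything that is not valid IPv4 or IPv6 CIDR notation,
    # so can() turns a malformed entry into a plan-time error instead of a
    # silently misconfigured policy. alltrue([]) is true, so the empty default passes.
    condition     = alltrue([for s in var.allowed_subnets : can(cidrhost(s, 0))])
    error_message = "Every allowed_subnets entry must be a CIDR block such as 10.0.0.0/8 or 2001:db8::/32."
  }
}

resource "grafana_cloud_access_policy" "az_ingst" {
  for_each = local.has_azure_labels ? local.az_cloud_access_policies : {}
  provider = grafana.azure

  name         = each.value.name
  display_name = each.value.display_name
  region       = var.stack_azure.region
  scopes       = each.value.scopes

  realm {
    identifier = var.stack_azure.cap_identifier
    type       = var.stack_azure.cap_type

    dynamic "label_policy" {
      for_each = each.value.labels
      content {
        selector = format("{%s=\"%s\"}", label_policy.value.key, label_policy.value.value)
      }
    }
  }

  # Always present, even when the list is empty, so the configuration matches
  # the allowed_subnets = [] that the Grafana Cloud API reports back and the
  # "- conditions { allowed_subnets = [] -> null }" diff no longer appears.
  conditions {
    allowed_subnets = var.allowed_subnets
  }
}
```

Running terraform plan with this configuration should report no changes to the conditions block; passing a non-CIDR value such as "subnet1" in allowed_subnets now fails at plan time with the validation message.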