Unable to set tags on network resources since 1.64

[lra]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Terraform v1.7.5
on darwin_arm64
+ provider registry.terraform.io/ibm-cloud/ibm v1.64.0

Affected Resource(s)

• ibm_is_floating_ip
• ibm_is_public_gateway
• ibm_is_subnet
• ibm_is_vpc

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

locals {
  tags = [
    "environment:${var.environment}",
    "team:cloud",
    "cost-center:cloud-engineering",
  ]
}

resource "ibm_is_vpc" "vpc" {
  name                        = "${local.stack_name}-vpc"
  resource_group              = var.resource_group_id
  address_prefix_management   = "manual"
  default_network_acl_name    = "${local.stack_name}-default-acl"
  default_routing_table_name  = "${local.stack_name}-default-routing-table"
  default_security_group_name = "${local.stack_name}-default-sg"
  tags                        = local.tags
}

resource "ibm_is_floating_ip" "fip" {
  for_each       = toset(var.zone_names)
  name           = "${local.stack_name}-gateway-ip-${each.key}"
  resource_group = var.resource_group_id
  zone           = each.key
  tags           = local.tags
}

resource "ibm_is_public_gateway" "gateway" {
  for_each       = toset(var.zone_names)
  name           = "${local.stack_name}-gateway-${each.key}"
  resource_group = var.resource_group_id
  vpc            = ibm_is_vpc.vpc.id
  zone           = each.key
  floating_ip = {
    id = ibm_is_floating_ip.fip[each.key].id
  }
  tags = local.tags
}

Debug Output

Panic Output

Expected Behavior

$ terraform plan
No changes. Your infrastructure matches the configuration.

Actual Behavior

$ terraform plan

  # module.stack.module.vpc.ibm_is_floating_ip.fip["us-south-1"] will be updated in-place
  ~ resource "ibm_is_floating_ip" "fip" {
      ~ tags                    = [
          + "cost-center:cloud-engineering",
          + "environment:dev",
          + "team:cloud",
        ]
        # (13 unchanged attributes hidden)
    }
...
  # module.stack.module.vpc.ibm_is_public_gateway.gateway["us-south-1"] will be updated in-place
  ~ resource "ibm_is_public_gateway" "gateway" {
        id                      = "..."
        name                    = "..."
      ~ tags                    = [
          + "cost-center:cloud-engineering",
          + "environment:dev",
          + "team:cloud",
        ]
        # (12 unchanged attributes hidden)
    }
...
  # module.stack.module.vpc.ibm_is_subnet.subnet["us-south-3"] will be updated in-place
  ~ resource "ibm_is_subnet" "subnet" {
        id                           = "..."
        name                         = "..."
      ~ tags                         = [
          + "cost-center:cloud-engineering",
          + "environment:dev",
          + "team:cloud",
        ]
        # (18 unchanged attributes hidden)
    }

  # module.stack.module.vpc.ibm_is_vpc.vpc will be updated in-place
  ~ resource "ibm_is_vpc" "vpc" {
        id                          = "..."
        name                        = "..."
      ~ tags                        = [
          + "cost-center:cloud-engineering",
          + "environment:dev",
          + "team:cloud",
        ]
        # (24 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }
...

Steps to Reproduce

1. terraform plan

Important Factoids

Running apply does nothing, the tags are drifting to be added on the next plan

Workaround is to remove out tags:

tags = []

It worked on 1.63 and below.

[hkantare]

@ujjwal-ibm Can you check on this

[ujjwal-ibm]

looking at it

[ujjwal-ibm]

@lra

I ran the below configuration

variable "environment" {
  default = "test"
}
variable "zone_names" {
  default = ["us-south-1"]
}
locals {
  tags = [
    "environment:${var.environment}",
    "team:cloud",
    "cost-center:cloud-engineering",
  ]
  stack_name = "test"
}

resource "ibm_is_vpc" "vpc" {
  name                        = "${local.stack_name}-vpc"
  address_prefix_management   = "manual"
  default_network_acl_name    = "${local.stack_name}-default-acl"
  default_routing_table_name  = "${local.stack_name}-default-routing-table"
  default_security_group_name = "${local.stack_name}-default-sg"
  tags                        = local.tags
}

resource "ibm_is_floating_ip" "fip" {
  for_each       = toset(var.zone_names)
  name           = "${local.stack_name}-gateway-ip-${each.key}"
  zone           = each.key
  tags           = local.tags
}

resource "ibm_is_public_gateway" "gateway" {
  for_each       = toset(var.zone_names)
  name           = "${local.stack_name}-gateway-${each.key}"
  vpc            = ibm_is_vpc.vpc.id
  zone           = each.key
  floating_ip = {
    id = ibm_is_floating_ip.fip[each.key].id
  }
  tags = local.tags
}

Its working as expected

[ujjwal-ibm]

[ujjwal-ibm]

@lra
can you turn on the trace logs using export TF_LOG=TRACE and share us the logs.

[lra]

It does not look like it's a terraform problem, with new resources I can tag and untag them with terraform.
Looks like a bunch of our existing resources lost their tags and cannot be tagged anymore.

I guess I'll open a ticket with support as it's a problem with the IBM tags service itself.

[lra]

If you are interested, I opened a case: CS3880346