The project.allowed_ips is getting cleared during apply

[garethivatt]

We upgraded to 0.6.3 and now when we run apply it is clearing out our allowed IPs.

Terraform Version

1.5.5

Provider Version

0.6.3

Affected Resource(s)

• neon_project

Terraform Configuration Files

hcl
/**
 * A database provided by Neon (neon.tech).
 */

# every module has to define providers from 3rd party registry
# i.e. out of the Terraform registry: registry.terraform.io/hashicorp
terraform {
  required_providers {
    neon = {
      source  = "kislerdm/neon"
      version = "0.6.3" # always pin the exact version
    }
  }
}

locals {
  seconds_in_a_day = 86400
}

# Neon Project is a top-level container for all objects (except for API keys).
resource "neon_project" "default" {
  allowed_ips                         = var.allowed_ips
  allowed_ips_protected_branches_only = "yes"
  enable_logical_replication          = var.enable_logical_replication ? "yes" : "no"
  history_retention_seconds           = var.is_production_like ? 30 * local.seconds_in_a_day : 1 * local.seconds_in_a_day
  name                                = var.name 
  org_id                              = var.org_id
  pg_version                          = 15
  region_id                           = "aws-us-west-2"

  # configures the compute endpoint of the default branch
  default_endpoint_settings {
    autoscaling_limit_max_cu = 10   # 10 compute unit (CU) = 10 vCPU + 40GB RAM
    autoscaling_limit_min_cu = 0.25 # 0.25 compute unit (CU) = 0.25 vCPU + 1GB RAM
    suspend_timeout_seconds  = 0    # auto suspended after X seconds, 0 means global default (300 seconds)
  }

  lifecycle {
    prevent_destroy = true
  }
}

# Neon database roles
resource "neon_role" "default" {
  branch_id  = neon_project.default.default_branch_id
  name       = "postgres"
  project_id = neon_project.default.id
}

# If logical replication is enabled, create a role for the replication user
resource "neon_role" "replication_user" {
  count      = var.enable_logical_replication ? 1 : 0
  branch_id  = neon_project.default.default_branch_id
  name       = "replication_user"
  project_id = neon_project.default.id
}

# database for the App Service
resource "neon_database" "app" {
  branch_id  = neon_project.default.default_branch_id
  name       = "app"
  owner_name = neon_role.default.name
  project_id = neon_project.default.id

  lifecycle {
    prevent_destroy = true
  }
}

Debug Output

https://gist.github.com/garethivatt/a58feec7cc2101d2530dd24bfb5e8f16

Key Debug Output

2024-12-10T00:13:54.225Z [WARN]  Provider "provider[\"registry.terraform.io/kislerdm/neon\"]" produced an unexpected new value for module.single_tenant_fullstack[0].module.neon_database.neon_project.default, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .allowed_ips: element 0 has vanished
      - .allowed_ips: element 1 has vanished
      - .allowed_ips: element 2 has vanished

Panic Output

N/A

Expected Behavior

When the plan shows a list of IP addresses to be added, the allowed IPs should reflect the list of IP addresses after applying the plan.

Actual Behavior

The allowed IPs is always empty after applying.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. Upgrade to 0.6.3
2. Update list of IP addresses to add an IP address
3. Run terraform plan, shows the new IP address to be added
4. Run terraform apply, all allowed_ips are cleared out

Important Factoids

We are using Terraform Cloud

References

None

[fabuzaid21]

Hi @kislerdm, you might remember me from #96. @garethivatt is one of the engineers on my team, and he ran into this bug, so I told him to file an issue with you. Thanks in advance for your help! 🙏🏼