[Bug]: Applying server_network adds server to network, but in next apply removes it

[MohammedNoureldin]

What happened?

Considering the example shown below, where I want to add a server created by a module to network created by me. For this I am using server_network resource.

When I call terraform apply -state .tfstate it works and my VPS gets added to the network. However, when I call apply again, it wants to "destroy" meaning remove the server from the network, so after every apply it toggles the state of the resource between adding and removing the server from the network.

Here is the log:

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

OpenTofu will perform the following actions:

  # module.cluster_provision.hcloud_server.nodes["control-plane-01"] will be updated in-place
  ~ resource "hcloud_server" "nodes" {
        id                         = "7654321"
        name                       = "control-plane-01.DOMAIN"
        # (19 unchanged attributes hidden)

      - network {
          - alias_ips   = [] -> null
          - ip          = "10.254.0.2" -> null
          - mac_address = "11:22:33:44:55:66" -> null
          - network_id  = 1234567 -> null
        }

        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Here you can see, it wants to destroy / remove the server from the network, although I did nothing except calling apply again.

What did you expect to happen?

Calling apply must not remove the server from the network.

Please provide a minimal working example

resource "hcloud_network" "clusters_control_planes" {
    name = "clusters-control-planes"
    ip_range = "10.254.0.0/16"
}

resource "hcloud_network_subnet" "clusters_control_planes" {
    network_id   = hcloud_network.clusters_control_planes.id
    type         = "cloud"
    network_zone = "eu-central"
    ip_range = "10.254.0.0/16"
}

resource "hcloud_server_network" "clusters_control_planes" {
    for_each = module.cluster_provision.control_planes
    server_id  = each.value.id
    network_id = hcloud_network.clusters_control_planes.id
}

Notice that server id comes from a module.

[MohammedNoureldin]

Btw, I tried this workaround, but this does NOT work. #650 (comment)

[apricote]

Hey @MohammedNoureldin,

could you add the code for the hcloud_server resource? As this resource removes the network attachment, I would like to take a closer look at it.

[MohammedNoureldin]

Hi @apricote,

Thank you for your reply. Here is the code:

resource "hcloud_server" "nodes" {
  for_each = local.nodes
  name = each.value.fqdn
  image = "ubuntu-22.04"
  server_type = "cax21" # cax21 is Arm64, cpx21 is x86.
  location = var.hcloud_location
  placement_group_id = hcloud_placement_group.node_placement_group.id
  ssh_keys = [ var.hcloud_ssh_public_key_name ]
  labels = {
    "domain" : var.cluster_element_label
    "role": each.value.role
  }

  public_net {
    ipv4_enabled = true
    ipv4 = hcloud_primary_ip.node_ipv4_addresses[each.key].id
    ipv6_enabled = true
    ipv6 = hcloud_primary_ip.node_ipv6_addresses[each.key].id
  }

  network {
    network_id = hcloud_network.nodes.id
    ip = each.value.private_ip_address
  }
}

[apricote]

Okay, so the issue is that you define a network block on the hcloud_server resource. If you do that, the hcloud_server resource will take over responsibility of all private network attachments to the server.

If you move that to a new hcloud_server_network resource, your other network should not be removed anymore.

[MohammedNoureldin]

So in the end should I have two separate hcloud_server_network?

• a new hcloud_server_network, for example in the same module where I defined the hcloud_server and move the network block to it,
• in addition to the hcloud_server_network.clusters_control_planes

Is that correct?

[apricote]

Yes, if you want to attach the server to two networks.

[MohammedNoureldin]

I have just tested it. This seems to be working. I just saw shortly that not all network changes were applied from the first apply, but I cannot reproduce it quickly. Anyway, the original issue seems to be clarified and resolved. Thank you!