Plan for harbor_robot_account always shows changes after upgrade

[BlueIce]

Describe the bug
When planing, a change is always shown for harbor_robot_account resource.

To Reproduce

1. Create harbor_robot_account with provider version 3.10.18 (or lower)
2. Upgrade to provider version 3.10.19
3. Do a planing
4. Observe changes in the plan

Applying the changes and doing a planing again will show the same changes again.

I tested with this configuration:

resource "harbor_robot_account" "project_robot" {
  name        = "test-robot"
  description = "project level robot account for testing"
  level       = "project"
  permissions {
    kind      = "project"
    namespace = "test-project"

    access {
      action   = "read"
      resource = "project"
    }
    access {
      action   = "update"
      resource = "project"
    }
    access {
      action   = "read"
      resource = "repository"
    }
    access {
      action   = "list"
      resource = "repository"
    }
  }
}

The plan looks like this:

14:25:36.312 STDOUT tofu: OpenTofu used the selected providers to generate the following execution
14:25:36.312 STDOUT tofu: plan. Resource actions are indicated with the following symbols:
14:25:36.312 STDOUT tofu:   ~ update in-place
14:25:36.312 STDOUT tofu: OpenTofu will perform the following actions:
14:25:36.312 STDOUT tofu:   # harbor_robot_account.project_robot will be updated in-place
14:25:36.312 STDOUT tofu:   ~ resource "harbor_robot_account" "project_robot" {
14:25:36.312 STDOUT tofu:         id          = "/robots/xxxxx"
14:25:36.312 STDOUT tofu:         name        = "test-robot"
14:25:36.312 STDOUT tofu:         # (7 unchanged attributes hidden)
14:25:36.312 STDOUT tofu:       - permissions {
14:25:36.312 STDOUT tofu:           - kind      = "project" -> null
14:25:36.312 STDOUT tofu:           - namespace = "test-project" -> null
14:25:36.313 STDOUT tofu:           - access {
14:25:36.313 STDOUT tofu:               - action   = "list" -> null
14:25:36.313 STDOUT tofu:               - effect   = "allow" -> null
14:25:36.313 STDOUT tofu:               - resource = "repository" -> null
14:25:36.313 STDOUT tofu:             }
14:25:36.313 STDOUT tofu:           - access {
14:25:36.313 STDOUT tofu:               - action   = "read" -> null
14:25:36.313 STDOUT tofu:               - effect   = "allow" -> null
14:25:36.313 STDOUT tofu:               - resource = "project" -> null
14:25:36.313 STDOUT tofu:             }
14:25:36.313 STDOUT tofu:           - access {
14:25:36.313 STDOUT tofu:               - action   = "read" -> null
14:25:36.313 STDOUT tofu:               - effect   = "allow" -> null
14:25:36.313 STDOUT tofu:               - resource = "repository" -> null
14:25:36.313 STDOUT tofu:             }
14:25:36.313 STDOUT tofu:           - access {
14:25:36.313 STDOUT tofu:               - action   = "update" -> null
14:25:36.313 STDOUT tofu:               - effect   = "allow" -> null
14:25:36.313 STDOUT tofu:               - resource = "project" -> null
14:25:36.313 STDOUT tofu:             }
14:25:36.313 STDOUT tofu:         }
14:25:36.313 STDOUT tofu:       + permissions {
14:25:36.313 STDOUT tofu:           + kind      = "project"
14:25:36.313 STDOUT tofu:           + namespace = "test-project"
14:25:36.313 STDOUT tofu:           + access {
14:25:36.313 STDOUT tofu:               + action   = "list"
14:25:36.313 STDOUT tofu:               + resource = "repository"
14:25:36.313 STDOUT tofu:             }
14:25:36.313 STDOUT tofu:           + access {
14:25:36.313 STDOUT tofu:               + action   = "read"
14:25:36.313 STDOUT tofu:               + resource = "project"
14:25:36.313 STDOUT tofu:             }
14:25:36.313 STDOUT tofu:           + access {
14:25:36.313 STDOUT tofu:               + action   = "read"
14:25:36.313 STDOUT tofu:               + resource = "repository"
14:25:36.313 STDOUT tofu:             }
14:25:36.313 STDOUT tofu:           + access {
14:25:36.313 STDOUT tofu:               + action   = "update"
14:25:36.313 STDOUT tofu:               + resource = "project"
14:25:36.313 STDOUT tofu:             }
14:25:36.313 STDOUT tofu:         }
14:25:36.313 STDOUT tofu:     }
14:25:36.313 STDOUT tofu: Plan: 0 to add, 1 to change, 0 to destroy.

Expected behavior
No changes are shown when planing

Additional context
When creating the same robot account directly with version 3.10.19, no change is shown when doing a plan and everything seems to be fine.
This could be related to the handling of effect which was changed in #494.

Another way to get rid of the changes in the plan seems to be to explicitly set effect = "allow".

• Provider Version 3.10.19
• OpenTofu Version 1.9.0
• Harbor Version 2.11.2

[yeswexav]

Same problem with

• Provider Version 3.10.19
• Terraform Version 1.10.5
• Harbor Version 2.11.2

[flbla]

Okay
Thank you for the bug report.
I had to do this to handle the creation of robots accounts from a robot account.
Does an apply fix it ?

[BlueIce]

No, unfortunately not. After apply, the next plan shows the same changes again.

I found two workarounds:

1. Either explicitly set effect = "allow"
2. Or delete the robot account and recreate it (with version 3.10.19)

[becker-s]

We also encounter the same issue since provider version 3.10.19.

I am not comfortable with deleting and re-creating the existing robot accounts with provider version 3.10.19 as I am not sure whether the behavior is the same after the default value "effect" = "allow" has been removed in #494.

Setting the previous default value for all permission rules is a bit tedious but acceptable to me when it is the only way to preserve the previous behavior with the new functionality.

Either way, this seems like a breaking change to me as manual changes are required to address this issue for existing robot accounts created with a previous provider version.
Semantic Versioning recommends that the breaking change is reverted in a patch release and then released in a new major release.

[flbla]

hi,
it fixes it, but it's a bit ugly, but I didn't find a better way to handle it: #498

let me know if you can give it a try, before I merge and build a new release