Cannot assign ACL in terraform despite tag existing via online console #380

Closed
bpatwa-sanimax opened this issue Jun 14, 2024 · 5 comments
Labels
bug Something isn't working

bpatwa-sanimax commented Jun 14, 2024

Describe the bug

I cannot assign a new ACL in terraform despite the tag existing via online console. Why does this happen? Why is it not able to access the tag information?

  • Access Control file on console:

```
"tagOwners": {
    "tag:tag1":        ["autogroup:admin"],
    "tag:tag2":        ["autogroup:admin"],
    "tag:tag3":        ["autogroup:admin"],
},
```

  • Tailscale terraform ACL (authenticated via API key):

```hcl
resource "tailscale_acl" "as_json" {
  acl = jsonencode({
    acls : [
      {
        // Allow all users access to all ports.
        action = "accept",
        users  = ["tag:tag1", "tag:tag2"],
        ports  = ["tag:tag3:*", ],
      },
    ],
  })
}
```

  • The Error:

```
Error: ACL validation failed: src=tag not found: "tag:tag1"; []
│ 
│   with module.aws.tailscale_acl.as_json,
│   on modules/aws/ec2_tailscale.tf line 43, in resource "tailscale_acl" "as_hujson":
│   43: resource "tailscale_acl" "as_json" {
```

Desktop:

  • OS: [Linux]
  • Terraform Version [v1.3.1]
  • Provider Version [0.16.1]
bpatwa-sanimax added the bug label Jun 14, 2024
@bpatwa-sanimax
Author

Fixed. You need to send your full set of ACL and not just the part you want to update (as shown in docs, which are immensely lacking in detail). Tested it on Client API in Python and was reliably able to recreate the error and discover ways to fix it.
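The `tailscale_acl` resource submits its document as the whole tailnet policy file, so a tag used in a rule must be declared in `tagOwners` of that same document. The following pre-apply check is an added example, not code from this thread or from the provider; it only approximates the server-side validation for the `acls` section, and the function names and sample policies are constructed for illustration.

```python
import json

# Constructed sample: the policy body sent by the Terraform resource in the
# issue (no tagOwners), and the same rule with the console's tagOwners merged in.
PARTIAL = {"acls": [{"action": "accept",
                     "users": ["tag:tag1", "tag:tag2"],
                     "ports": ["tag:tag3:*"]}]}
FULL = {"tagOwners": {t: ["autogroup:admin"]
                      for t in ("tag:tag1", "tag:tag2", "tag:tag3")},
        **PARTIAL}


def _tag_of(entry, is_dst):
    """Return the tag named by a src/dst entry, or None if it is not a tag."""
    if is_dst:
        # Destination entries have the form "<host>:<ports>"; drop the ports.
        entry = entry.rsplit(":", 1)[0]
    return entry if entry.startswith("tag:") else None


def undefined_tags(policy):
    """Tags used in acls[] src/dst (or legacy users/ports) but not in tagOwners."""
    defined = set(policy.get("tagOwners", {}))
    missing = set()
    for rule in policy.get("acls", []):
        for key, is_dst in (("src", False), ("users", False),
                            ("dst", True), ("ports", True)):
            for entry in rule.get(key, []):
                tag = _tag_of(entry, is_dst)
                if tag and tag not in defined:
                    missing.add(tag)
    return sorted(missing)


if __name__ == "__main__":
    # Hypothetical pre-apply gate: report undeclared tags for each sample.
    for name, policy in (("partial", PARTIAL), ("full", FULL)):
        print(name, json.dumps(undefined_tags(policy)))
```

Because the submitted document replaces the existing policy, sections left out of it (other rules, `tagOwners`, SSH rules) are not preserved from what the console showed before the apply.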

@bpatwa-sanimax
Author

The issue persists. Even simply fetching existing acl from the tailnet and applying it back to the resource gives an error during terraform apply.

@mpminardi
Member

Hello @bpatwa-sanimax! Is the error you are seeing now still the same validation error that you originally reported, or are you seeing a different error now when you fetch the existing ACL and attempt to apply that?

@bpatwa-sanimax
Author

Hello @mpminardi, thanks for your response. I was able to debug the error from the error messages. I didn't know the error messages existed in the diagnostics tab.

@mpminardi
Member

No worries, glad to hear you were able to resolve your issue!
