Properly manage default VLAN 1

[joekohlsdorf]

When a network is created, it always has a default VLAN 1 which the Terraform provider is not able to properly manage.
The import workaround given in #86 is not applicable if I require VLAN 1 to be absent. It is not possible to import and then destroy in one apply which is a blocker for me because I need to create a full network with a single apply

Ideally the API should be changed so that it becomes possible to enable VLANs on a network without creating any VLANs.

Possible workarounds I came up with:

• Have the meraki_appliance_vlans bulk resource eliminate all VLAN configuration which is not defined in the resource
  • To ensure backwards compatibility this could be a flag in the resource
  • Other bulk resources could also benefit from this "all or nothing" behavior
• Create a new resource which deletes VLAN 1
  • I currently do this with terracurl which is super clunky
  • This still doesn't help if you want to keep but modify VLAN 1, then you need the import approach but you can't use the bulk resource

On destroy of these resources, VLAN 1 has to be recreated because at least one VLAN has to exist.
Furthermore the API requires that the network of the VLAN does not conflict with networks defined on any VPN Hub. This is equally problematic because on network creation this check does not exist.

[danischm]

You can selectively import VLANs using the syntax described here: https://registry.terraform.io/providers/CiscoDevNet/meraki/latest/docs/guides/bulk_resources#importing-items-of-bulk-resources

Wouldn't something like this work to remove VLAN1 and add VLAN2 in one TF operation?

resource "meraki_appliance_vlans" "example" {
  network_id      = "L_123456"
  organization_id = "123456"
  items = [{
    vlan_id                   = "2"
    name                      = "Vlan2"
    subnet                    = "192.168.2.0/24"
  }]
}

import {
  to = meraki_appliance_vlans.example
  id = "123456,L_123456,[1]"
}

[joekohlsdorf]

I tested your proposal and encountered the following issues:

1. If you are trying to create a full network in one TF operation then the network ID is not known at plan time so you can't have something like id = "123456,${meraki_network.this_network.id},[1]" in the import resource. Terraform will give the following error: The import block "id" argument depends on resource attributes that cannot be determined until apply, so Terraform cannot plan to import this resource.

2. Even if you create the network first and then try your code it will still fail the validation, maybe the batch request is trying to delete VLAN 1 first: Failed to configure objects (Action Batch), got error: Batch request failed: ["Validation failed: At least one VLAN must be configured."]

3. Even if issue 2 could be fixed, you will then be unable to terraform destroy the network because destroying the meraki_appliance_vlans resource would leave the network with 0 VLANs which is not allowed. You have to recreate VLAN 1 (outside of the TF state so that it doesn't get destroyed) first.

I don't think these problems can be addressed properly without making changes to the API.