Dynamic servers block in avi_pool causes an update on each plan/apply within NSXT Cloud #637

Open
@jakauppila

Describe the bug

When using avi_pool in an NSXT cloud and specifying the nsx_securitygroup argument on the resource to leverage NSX Security Groups as the basis of pool membership, it causes an update on each plan/apply, due to it resolving the servers behind the group and adding them, which then causes the API to return them when state is being refreshed.

Related: #571

Reproduction steps

  1. Create a pool that defines an nsx_securitygroup to populate pool members
  2. Run Terraform apply to create resource
  3. Run Terraform apply to see that it wants to perform an update

Reproduction Terraform:

terraform {
  required_providers {
    avi = {
      source  = "vmware/avi"
      version = "30.2.2"
    }
  }
}

provider "avi" {
  avi_username   = "USER"
  avi_password   = "PASSWORD"
  avi_controller = "avicontroller.contoso.com"
  avi_tenant     = "admin"
  avi_version    = "30.2.2"
}

data "avi_cloud" "cloud" {
  name = "nonprod"
}

resource "avi_pool" "pool" {
  cloud_ref = data.avi_cloud.cloud.id

  name                     = "pool"
  connection_ramp_duration = 10
  default_server_port      = 443
  inline_health_monitor    = true

  nsx_securitygroup = ["/infra/domains/default/groups/f24d373c-c11a-451e-b5da-2e2fc6b0ed83"]
}

Second Terraform Plan/Apply output:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # avi_pool.pool will be updated in-place
  ~ resource "avi_pool" "pool" {
        id                                    = "https://avi-controller.contoso.com/api/pool/pool-14cd3d5c-bcff-47bd-a755-ccab63900e4e"
        name                                  = "pool"
        # (38 unchanged attributes hidden)

      - servers {
          - autoscaling_group_name    = "/infra/domains/default/groups/f24d373c-c11a-451e-b5da-2e2fc6b0ed83" -> null
          - enabled                   = "true" -> null
          - external_uuid             = "10.10.232.13" -> null
          - hostname                  = "10.10.232.13" -> null
          - ratio                     = "1" -> null
          - resolve_server_by_dns     = "false" -> null
          - rewrite_host_header       = "false" -> null
          - static                    = "false" -> null
          - verify_network            = "false" -> null
            # (10 unchanged attributes hidden)

          - ip {
              - addr = "10.10.232.13" -> null
              - type = "V4" -> null
            }
        }

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected behavior

Terraform should recognize the resource as unchanged if no configuration alterations have been made. In this instance, perhaps it should recognize that I defined an nsx_securitygroup and choose to ignore the incoming servers object from the backend API calls.

Additional context

Environment:

  • Terraform v1.9.4
  • terraform-provider-avi v30.2.2
  • AVI 30.2.2
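
Added example (not part of the original issue and not the provider's code): a CI-side check over `terraform show -json` output that separates the diff reported above, removal of servers the controller resolved from an `nsx_securitygroup`, from any other pending change to an `avi_pool`, so the recurring update does not hide real drift. The function name and the two labels are assumptions, and the sample plan is constructed from the values in the issue.

```python
# Constructed sample shaped like `terraform show -json <planfile>`, trimmed to
# the fields used below; values are taken from the plan output in the issue.
GROUP = "/infra/domains/default/groups/f24d373c-c11a-451e-b5da-2e2fc6b0ed83"
SAMPLE_PLAN = {"resource_changes": [{
    "address": "avi_pool.pool",
    "type": "avi_pool",
    "change": {
        "actions": ["update"],
        "before": {"name": "pool", "default_server_port": "443",
                   "nsx_securitygroup": [GROUP],
                   "servers": [{"autoscaling_group_name": GROUP,
                                "hostname": "10.10.232.13"}]},
        "after": {"name": "pool", "default_server_port": "443",
                  "nsx_securitygroup": [GROUP],
                  "servers": []},
    },
}]}


def classify_pool_changes(plan):
    """Label each avi_pool update: 'group-servers-only' or 'real-change'."""
    labels = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != "avi_pool" or change.get("actions") != ["update"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        groups = set(after.get("nsx_securitygroup") or [])
        old_servers = before.get("servers") or []
        new_servers = after.get("servers") or []
        # Any differing attribute besides `servers` is a real change. Values
        # unknown until apply are absent from `after`, so they land here too.
        other = [k for k in set(before) | set(after)
                 if k != "servers" and before.get(k) != after.get(k)]
        removed = [s for s in old_servers if s not in new_servers]
        added = [s for s in new_servers if s not in old_servers]
        # Spurious only if every removed server came from a configured group.
        spurious = (bool(groups) and bool(removed) and not other and not added
                    and all(s.get("autoscaling_group_name") in groups
                            for s in removed))
        labels[rc["address"]] = "group-servers-only" if spurious else "real-change"
    return labels


if __name__ == "__main__":
    print(classify_pool_changes(SAMPLE_PLAN))
```
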
