When a policy association is manually deleted from the UI, terraform throws a 404 when running a plan #373

Open
jinglejengel opened this issue Dec 5, 2023 · 0 comments


jinglejengel commented Dec 5, 2023

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Imperva provider version

provider registry.terraform.io/imperva/incapsula v3.21.0

Affected resource(s)

incapsula_policy_asset_association though this also appears to affect the incapsula_policy resource as well when individually deleted from the UI.

Terraform configuration files

resource "incapsula_policy_asset_association" "policy_assoc" {
  policy_id  = var.policy_id
  asset_id   = incapsula_site.site.id
  asset_type = "WEBSITE"
}

Debug output

Redacted for security reasons but here is the relevant chunk from the debug logs slightly scrubbed (notably nothing else is showing the usual debug tracing of the endpoint call itself):

2023-12-06T16:33:59.511-0800 [INFO]  provider.terraform-provider-incapsula_v3.21.0: 2023/12/06 16:33:59 [DEBUG] Waiting for state to become: [success]: timestamp=2023-12-06T16:33:59.511-0800
2023-12-06T16:33:59.797-0800 [INFO]  provider.terraform-provider-incapsula_v3.21.0: 2023/12/06 16:33:59 [DEBUG] Incapsula Read Policy JSON response: {"value":"Failed to get Policy","isError":true}: timestamp=2023-12-06T16:33:59.797-0800
2023-12-06T16:33:59.797-0800 [INFO]  provider.terraform-provider-incapsula_v3.21.0: 2023/12/06 16:33:59 [ERROR] Could not get Incapsula policy: POLICY_ID_WAS_HERE - Error status code 404 from Incapsula service when reading Policy for ID POLICY_ID_WAS_HERE: {"value":"Failed to get Policy","isError":true}: timestamp=2023-12-06T16:33:59.797-0800
2023-12-06T16:33:59.797-0800 [ERROR] provider.terraform-provider-incapsula_v3.21.0: Response contains error diagnostic: @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:55 @module=sdk.proto diagnostic_summary="Error status code 404 from Incapsula service when reading Policy for ID POLICY_ID_WAS_HERE: {"value":"Failed to get Policy","isError":true}" tf_proto_version=5.3 tf_provider_addr=provider tf_resource_type=incapsula_policy diagnostic_detail= diagnostic_severity=ERROR tf_req_id=5583fba0-4bbb-6268-ee86-3fd508d456b3 tf_rpc=ReadResource timestamp=2023-12-06T16:33:59.797-0800
2023-12-06T16:33:59.798-0800 [ERROR] vertex "module.policies.incapsula_policy.foo_placeholder (orphan)" error: Error status code 404 from Incapsula service when reading Policy for ID POLICY_ID_WAS_HERE: {"value":"Failed to get Policy","isError":true}

Panic output

No response

Expected output

No plan error

Actual output

│ Error: Error status code 404 from Incapsula service when reading Policy for ID XXXXX: {"value":"Failed to get Policy","isError":true}

Steps to reproduce

  1. Have a website with a policy attachment controlled via terraform
  2. Manually remove the policy itself
  3. Attempt a re-plan and receive a 404

Additional factoids

We did this manual detachment while troubleshooting a completely different issue and ran into this interesting problem with the plan. I would expect the provider to reconcile with the API to recognize the attachment no longer exists and skip the 404 as a "this is already deleted" like most providers do with similar types of resources and attempt a fresh plan as if the resource does not exist in the graph.

The workaround for now is to remove the policy from terraform state and then re-plan, and it will work fine.

References

No response
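
The reconciliation behaviour requested in this issue, as an added example (not the Imperva provider's code and not part of the original report): a read path that treats a 404 as "deleted out of band" and clears the ID so the next plan proposes re-creation, while every other failure still surfaces as an error. The `/policies/` path, the `api.invalid` host, the policy ID `12345` and the names `cannedAPI`, `readPolicy` and `refresh` are assumptions; the 404 body is the one shown in the debug output.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// cannedAPI is a constructed offline transport: every request gets one fixed reply.
type cannedAPI struct {
	status int
	body   string
}

func (c cannedAPI) RoundTrip(r *http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: c.status, Header: http.Header{},
		Body: io.NopCloser(strings.NewReader(c.body)), Request: r}, nil
}

// readPolicy: 200 = exists, 404 = deleted out of band (not an error), else error.
func readPolicy(c *http.Client, baseURL, id string) (bool, error) {
	resp, err := c.Get(baseURL + "/policies/" + id) // hypothetical path
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusNotFound:
		return false, nil
	default:
		return false, fmt.Errorf("status %d reading policy %s: %s", resp.StatusCode, id, body)
	}
}

// refresh mimics a provider Read and returns the ID left in state afterwards.
func refresh(id string, status int, body string) (string, error) {
	exists, err := readPolicy(&http.Client{Transport: cannedAPI{status, body}}, "http://api.invalid", id)
	if err == nil && !exists {
		id = "" // empty ID: resource is gone, Terraform plans a fresh create
	}
	return id, err
}

func main() {
	fmt.Println(refresh("12345", 404, `{"value":"Failed to get Policy","isError":true}`))
}
```

Only the 404 clears the ID; a 5xx or an authentication failure keeps the resource in state and fails the refresh, so an API outage cannot be mistaken for a deleted policy.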
