Merge pull request #15 from ms-henglu/acceptance-test-absorb-indexed-block-drift

feat: support block drift on indexed resources in absorb

Author: ms-henglu

docs/design/absorb-support-scope.md

@@ -129,18 +129,14 @@ Resources using `for_each` (e.g., `azurerm_resource_group.main["web"]`,
 
 ---
 
-## TODO
-
 ### 7. Block Drift for Indexed Resources (Category 2/3)
 
 Category 2 (single nested block) and Category 3 (multiple sibling blocks)
-drift within `count`/`for_each` resources is not yet supported with
-per-instance differentiation.
-
-**Proposed approach — `dynamic` blocks with `lookup()`:**
+drift within `count`/`for_each` resources uses `dynamic` blocks with
+`lookup()` for per-instance differentiation.
 
-For block-type attributes that differ across indexed instances, replace static
-blocks with `dynamic` blocks that select content per-instance:
+For block-type attributes that differ across indexed instances, static
+blocks are replaced with `dynamic` blocks that select content per-instance:
 
 ```hcl
 dynamic "security_rule" {
@@ -155,11 +151,22 @@ dynamic "security_rule" {
 }
 ```
 
-**Open problem:** The `graft.source` fallback cannot be used with `dynamic`
-block `for_each` because the original source has static blocks (not a list
-expression). A different fallback mechanism is needed.
-
-**Current behavior:** When block drift occurs on indexed resources, blocks from
-the first instance are emitted (lossy). This is a known limitation.
+- A `_graft { remove = ["block_type"] }` directive is added to remove the
+  original static blocks before the dynamic block generates replacements.
+- The fallback value is `[]` (empty list). Instances without block drift
+  for a given block type will produce no dynamic iterations.
+- For single nested blocks (Category 2), the value is wrapped in a
+  single-element array: `[{ ... }]`.
+- For nested blocks within the content, nested `dynamic` blocks with
+  `try(parent.value.nested, [])` are generated recursively.
+- Full (pre-deep-diff) block values are used in the lookup map since
+  dynamic blocks replace the entire block, not just changed attributes.
+
+**Known limitation:** The `graft.source` fallback cannot be used with
+`dynamic` block `for_each` because the original source has static blocks
+(not a list expression). Instances without block drift in the lookup map
+will have their original static blocks removed by `_graft remove`.
+
+✅ Supported. See [Example 15](../../examples/15-absorb-indexed-block-drift).
 
 ---

examples/15-absorb-indexed-block-drift/absorb.graft.hcl

@@ -0,0 +1,115 @@
+# Generated by graft absorb
+# This manifest contains overrides to match the current remote state
+
+override {
+  # Absorb drift for: azurerm_linux_virtual_machine.vm["web"], azurerm_linux_virtual_machine.vm["api"]
+  resource "azurerm_linux_virtual_machine" "vm" {
+    dynamic "os_disk" {
+      for_each = lookup({
+        "api" = [{
+          caching              = "ReadOnly"
+          disk_size_gb         = 64
+          storage_account_type = "StandardSSD_LRS"
+        }]
+        "web" = [{
+          caching              = "ReadWrite"
+          disk_size_gb         = 50
+          storage_account_type = "Premium_LRS"
+        }]
+      }, each.key, [])
+      content {
+        caching              = os_disk.value.caching
+        disk_size_gb         = os_disk.value.disk_size_gb
+        storage_account_type = os_disk.value.storage_account_type
+      }
+    }
+    _graft {
+      remove = ["os_disk"]
+    }
+  }
+
+  # Absorb drift for: azurerm_network_security_group.nsg[0], azurerm_network_security_group.nsg[1]
+  resource "azurerm_network_security_group" "nsg" {
+    tags = lookup({
+      0 = {
+        environment = "production"
+        project     = "graft"
+      }
+      1 = {
+        environment = "staging"
+        project     = "graft"
+      }
+    }, count.index, graft.source)
+    dynamic "security_rule" {
+      for_each = lookup({
+        0 = [{
+          access                     = "Allow"
+          destination_address_prefix = "*"
+          destination_port_range     = "22"
+          direction                  = "Inbound"
+          name                       = "allow-ssh"
+          priority                   = 100
+          protocol                   = "Tcp"
+          source_address_prefix      = "10.0.0.0/8"
+          source_port_range          = "*"
+          }, {
+          access                     = "Allow"
+          destination_address_prefix = "*"
+          destination_port_range     = "443"
+          direction                  = "Inbound"
+          name                       = "allow-https"
+          priority                   = 200
+          protocol                   = "Tcp"
+          source_address_prefix      = "10.0.0.0/8"
+          source_port_range          = "*"
+        }]
+        1 = [{
+          access                     = "Allow"
+          destination_address_prefix = "*"
+          destination_port_range     = "80"
+          direction                  = "Inbound"
+          name                       = "allow-http"
+          priority                   = 100
+          protocol                   = "Tcp"
+          source_address_prefix      = "10.0.0.0/8"
+          source_port_range          = "*"
+          }, {
+          access                     = "Allow"
+          destination_address_prefix = "*"
+          destination_port_range     = "443"
+          direction                  = "Inbound"
+          name                       = "allow-https"
+          priority                   = 200
+          protocol                   = "Tcp"
+          source_address_prefix      = "10.0.0.0/8"
+          source_port_range          = "*"
+          }, {
+          access                     = "Deny"
+          destination_address_prefix = "*"
+          destination_port_range     = "*"
+          direction                  = "Inbound"
+          name                       = "deny-all"
+          priority                   = 4096
+          protocol                   = "*"
+          source_address_prefix      = "*"
+          source_port_range          = "*"
+        }]
+      }, count.index, [])
+      content {
+        access                     = security_rule.value.access
+        destination_address_prefix = security_rule.value.destination_address_prefix
+        destination_port_range     = security_rule.value.destination_port_range
+        direction                  = security_rule.value.direction
+        name                       = security_rule.value.name
+        priority                   = security_rule.value.priority
+        protocol                   = security_rule.value.protocol
+        source_address_prefix      = security_rule.value.source_address_prefix
+        source_port_range          = security_rule.value.source_port_range
+      }
+    }
+    _graft {
+      remove = ["security_rule"]
+    }
+  }
+
+}

examples/15-absorb-indexed-block-drift/main.tf

@@ -0,0 +1,64 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.0"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+}
+
+# count-indexed NSG with security rules (Category 3 — multiple sibling blocks)
+resource "azurerm_network_security_group" "nsg" {
+  count               = 2
+  name                = "graft-absorb-${count.index}-nsg"
+  location            = "eastus"
+  resource_group_name = "graft-test-rg"
+
+  security_rule {
+    name                       = "allow-ssh"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "22"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+
+  tags = {
+    environment = "test"
+    project     = "graft"
+  }
+}
+
+# for_each-indexed VM with os_disk (Category 2 — single nested block)
+resource "azurerm_linux_virtual_machine" "vm" {
+  for_each            = toset(["web", "api"])
+  name                = "graft-${each.key}-vm"
+  location            = "eastus"
+  resource_group_name = "graft-test-rg"
+  size                = "Standard_DS1_v2"
+
+  admin_username = "adminuser"
+  admin_password = "P@ssw0rd1234!"
+
+  network_interface_ids = []
+
+  os_disk {
+    caching              = "ReadOnly"
+    storage_account_type = "Standard_LRS"
+    disk_size_gb         = 30
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "UbuntuServer"
+    sku       = "18.04-LTS"
+    version   = "latest"
+  }
+}