The 04:15 JST sync pipeline’s doing jack all again after the AWS VPC endpoint policy refresh. Terraform 1.9.22 paired with nice-cxone 1.28.0 throws a 422 Unprocessable Entity on the nice_cxone_edge_byoc_nat_gateway subnet_association block. Console shows the NAT gateway already attached to the target subnets, but the state file insists on a recreation.
Ran a terraform state pull to compare against the backup snapshot from Tuesday. The subnet_ids array in the live state has a trailing comma in the API response payload. Provider parser chokes on it. Tried wiping the local cache, running terraform refresh with -target, and even bypassed the provider to hit the Edge API directly via curl. The API returns a 200 but the JSON structure lacks the routing_table_id field the Terraform schema expects.
Checked the provider debug logs. The PATCH request body includes force_recreate: true on the third retry. Platform API rejects it because the NAT gateway is actively processing traffic for the Tokyo-West routing edge. State drift backup got corrupted during the failed apply. Had to roll back to the .tfstate.backup from the 02:00 JST run.
Does the provider actually validate the subnet_association schema against the raw API response before triggering the recreation flag? The drift detection seems to ignore the status: active attribute and just compares the raw array length. The provider doesn’t handle the null injection correctly. It’s throwing the 422 because the Edge API expects a clean array.
resource "nice_cxone_edge_byoc_nat_gateway" "tokyo_nat" {
  name             = "prod-tky-nat-01"
  subnet_ids       = ["subnet-0a1b2c3d4e5f", "subnet-9g8h7i6j5k4l"]
  routing_table_id = "rtb-0xyz123abc"
}
Logs show the provider sending {"subnet_ids": ["subnet-0a1b2c3d4e5f", "subnet-9g8h7i6j5k4l", null], "force_recreate": true} which the Edge API flags as malformed.
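Added example, not part of the original post and not the provider's own code: a pre-apply check in Go that decodes a body like the one quoted from the debug log, drops null entries from subnet_ids, and compares subnet membership instead of raw array length. The function names cleanSubnets and hasDrift are hypothetical, and the input is constructed from the values in the post.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// cleanSubnets decodes a body, drops null, empty and duplicate subnet_ids
// entries, and returns the remaining IDs plus the number dropped.
func cleanSubnets(body []byte) ([]string, int, error) {
	var p struct { // only the field quoted in the post, not the provider's schema
		SubnetIDs []*string `json:"subnet_ids"` // pointers keep JSON null visible
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, 0, err // a literal trailing comma is invalid JSON and lands here
	}
	seen, ids, dropped := map[string]bool{}, []string{}, 0
	for _, s := range p.SubnetIDs {
		if s == nil || *s == "" || seen[*s] {
			dropped++
			continue
		}
		seen[*s] = true
		ids = append(ids, *s)
	}
	return ids, dropped, nil
}

// hasDrift compares set membership rather than raw array length or order.
// actual must be duplicate-free, as returned by cleanSubnets.
func hasDrift(desired, actual []string) bool {
	want := map[string]bool{}
	for _, s := range desired {
		want[s] = true
	}
	matched := 0
	for _, s := range actual {
		if want[s] {
			matched++
		}
	}
	return matched != len(want) || matched != len(actual)
}

func main() {
	// Constructed input: the request body quoted from the debug log in the post.
	body := []byte(`{"subnet_ids": ["subnet-0a1b2c3d4e5f", "subnet-9g8h7i6j5k4l", null], "force_recreate": true}`)
	ids, dropped, err := cleanSubnets(body)
	fmt.Println(ids, dropped, err, hasDrift([]string{"subnet-9g8h7i6j5k4l", "subnet-0a1b2c3d4e5f"}, ids))
}
```

With the null entry removed, the two configured subnets match the payload and no drift is reported, so a length-only comparison is the only thing that would flag this body for recreation.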