Terraform crashing when planning a google compute firewall resource based on module output that do not exists yet #10494
Comments
Could you provide a complete minimum configuration so I can debug this scenario?
Am facing the same problem; the plan never proceeds, it asks for
Recently I am also seeing this issue; earlier the same set of terraform cmd for .tf file was executing. resource "google_compute_firewall" "testlogs-test" { allow { @ScottSuarez could you please help
Had the same problem today, solved by adding source_tags = ["mynetwork"] resource "google_compute_firewall" "mynetwork-allow-http-ssh-rdp-icmp" { Source: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall
@hudson-m Dude, adding source_tags = ["mynetwork"] solved the issue. Thank you so much!
@hudson-m Thank you for the suggested fix. Our terraform plan is now running successfully. Does adding the source_tags = ["xxx"] have any effect on the firewall rule? I see in the official terraform docs https://registry.terraform.io/providers/hashicorp/google/3.90.0/docs/resources/compute_firewall#source_tags "The connection does not need to match both properties for the firewall to apply".
@hudson-m having the same issue using source "gruntwork-io/network/google//modules/vpc-network" and I can't just add source_tag
I am facing the same issue, the code I'm using:
Using terraform-provider-google v4.1.0, the code was working properly with v3.90.0. The error is
and it can be seen that I have source_ranges. The workaround with adding source_tags is successful but I cannot put it in live systems. I hope to be fixed soon.
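A check for the concern raised in the comments above about the source_tags workaround (an added example, not code from this thread or from the provider): since a connection need not match both properties, an ingress rule carrying both source_ranges and a non-empty source_tags admits more sources than the range alone. It reads the JSON form of a plan as produced by `terraform show -json`; the sample plan, resource names and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output,
# reduced to the fields this check reads. Resource names are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
 {"address": "google_compute_firewall.fw", "type": "google_compute_firewall",
  "change": {"after": {"direction": "INGRESS", "source_tags": ["mynetwork"]},
             "after_unknown": {"source_ranges": true}}},
 {"address": "google_compute_firewall.empty_tags", "type": "google_compute_firewall",
  "change": {"after": {"direction": "INGRESS", "source_ranges": ["10.0.0.0/16"], "source_tags": []},
             "after_unknown": {"source_ranges": [false]}}},
 {"address": "google_compute_firewall.tags_only", "type": "google_compute_firewall",
  "change": {"after": {"direction": "INGRESS", "source_tags": ["web"]}, "after_unknown": {}}}
]}
""")


def any_unknown(value):
    """True if an after_unknown subtree marks any leaf as 'known after apply'."""
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, list):
        return any(any_unknown(v) for v in value)
    return value is True


def is_set(change, attr):
    """Attribute has a non-empty planned value or will be computed at apply."""
    after = change.get("after") or {}      # "after" is null for deletions
    unknown = change.get("after_unknown") or {}
    return bool(after.get(attr)) or any_unknown(unknown.get(attr))


def find_widened_ingress(plan):
    """Ingress firewall rules where source_ranges and source_tags are both set."""
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        after = change.get("after") or {}
        if rc.get("type") != "google_compute_firewall":
            continue
        if after.get("direction", "INGRESS") != "INGRESS":
            continue
        # An empty source_tags list (the other workaround variant) is not flagged.
        if is_set(change, "source_ranges") and is_set(change, "source_tags"):
            hits.append((rc["address"], after.get("source_tags")))
    return hits


if __name__ == "__main__":
    print(find_widened_ingress(SAMPLE_PLAN))
```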
I was also able to repro this, below is an MCVE. Works fine with
```hcl
locals {
  project_id = "YOUR_PROJECT_ID"
}

resource "google_compute_network" "vpc_network" {
  project                 = local.project_id
  name                    = "test-network"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  name          = "test-subnet"
  project       = local.project_id
  ip_cidr_range = "10.0.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.vpc_network.id
}

resource "google_compute_address" "address" {
  name         = "test-address"
  project      = local.project_id
  subnetwork   = google_compute_subnetwork.subnet.id
  address_type = "INTERNAL"
  region       = "us-central1"
}

resource "google_compute_firewall" "fw" {
  name      = "test-fw"
  project   = local.project_id
  network   = google_compute_network.vpc_network.id
  direction = "INGRESS"
  # The address is not known until apply, so source_ranges is unknown at plan time
  source_ranges = ["${google_compute_address.address.address}/32"]
  target_tags   = ["foo"]

  allow {
    protocol = "tcp"
  }
}
```
I was wondering if I could help out here, as this is blocking use of the provider in several other modules. I've just been trying to get the existing tests to run, as I was thinking adding something that shows the problem would be a good first start. However, I'm seeing this error:
Am I missing something, configuration-wise? Update: aha. I'm running the tests within WSL, so I need to have Terraform installed there. That gets me over this error.
* this should be removed once hashicorp/terraform-provider-google#10494 is addressed
Some progress: I have a test in place now on my own branch that demonstrates the problem. As suspected, the problematic logic is here: If we add the same I'm wading through Update: perhaps adding this suffices? If I do that and comment out the
@jackwhelpton @slevenick Does GoogleCloudPlatform/magic-modules#5526 fix this? Wasn't sure from the PR description on GoogleCloudPlatform/magic-modules#5526
@bharathkkb : this looks an upstream/magic modules version of the fix I proposed. As @slevenick notes on that PR, whilst it does appear to address the issue, it has its own problems: it won't throw an error if I'm not clear if there's a better approach, though... that's a little above my current grasp of the provider code. I was hoping somebody else would volunteer a possible solution to that problem.
* feat: update TPG version constraints to allow 4.0
* Removes basic auth, renames namespace_identity
* Regenerates modules and documentation
* Updates tests to use latest Google provider
* addresses warning about multiple provider blocks
* Updates network module for Google provider 4.0 compatibility
* Temporarily uses "main" for gcloud module (until next release is cut)
* Comments out version constraint (temporary change)
* fetches main branch by default?
* Uses master branch for gcloud module (until release is cut)
* Uses kubectl-wrapper where appropriate
* Uses released version of gcloud module
* Returns instance group URLs per node pool
* Extends use of cluster_output_node_pools_ variables
* Fixes documentation
* Updates more modules
* Updates READMEs to match variables
* Uses master branch of bastion
* temporary change until new version is released
* Updates node pools versions description
* Adds locals for node pool instance group URLs
* Uses master branch of terraform-google-project-factory
* temporary change until new version of that dependency is released
* Updates project version ready for release
* Updates pinned version of Google provider for example
* Updates pinned version of Google provider in example
* Addresses code review comments
* Temporarily applies an empty source_tags setting.
* this should be removed once hashicorp/terraform-provider-google#10494 is addressed
* Fixes indentation
* Uses newly-released version of project factory
* Uses released version of bastion host
* Removes use of SECURE mode (deprecated)
* test empty source tag workaround
* fix wi test
* refactor IAM test for loose match
* map old node meta value, add validations
* update docs
* Update autogen/main/variables.tf.tmpl
Co-authored-by: Morgante Pell <morgantep@google.com>
* remove local
Co-authored-by: cloud-foundation-bot <cloud-foundation-bot@google.com>
Co-authored-by: Jack Whelpton <jack.whelpton@rakuten.com>
Co-authored-by: Morgante Pell <morgantep@google.com>
I hope that we will have a fix soon.
Should be fixed via GoogleCloudPlatform/magic-modules#5526
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Community Note
modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
The resource should be planned correctly if the module has not been created yet, indicating a "known after apply" value for the source_range
Actual Behavior
Terraform is crashing because it can't know the output of the module not created, thus leading to all required arguments of the resource google_compute_firewall not being set.
Steps to Reproduce
source_ranges field of the google_compute_firewall resource
Important Factoids
Nope
References
N/A