google_compute_firewall protocol ICMPv6 not supported #16600

Open
pdostal opened this issue Nov 23, 2023 · 2 comments

pdostal commented Nov 23, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

$ terraform -v
Terraform v1.6.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v5.7.0

Affected Resource(s)

  • google v5.7.0

Terraform Configuration Files

resource "google_compute_firewall" "tf-firewall-ipv6" {
  name    = "tf-firewall-ipv6"
  network = google_compute_network.tf-network.name

  allow {
    protocol = "ICMPv6"
  }

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["::/0"]
}

Debug Output

│ Error: Error creating Firewall: googleapi: Error 400: Invalid value for field 'resource.allowed[0].IPProtocol': 'ICMPv6'. Must be one of ["ah", "all", "esp", "icmp", "ipip", "sctp", "tcp", "udp"] or an IP protocol number between 0 and 255., invalid
│
│   with google_compute_firewall.tf-firewall-ipv6,
│   on main.tf line 37, in resource "google_compute_firewall" "tf-firewall-ipv6":
│   37: resource "google_compute_firewall" "tf-firewall-ipv6" {

Expected Behavior

When I follow the Debug output and change:

   allow {
-    protocol = "ICMPv6"
+    protocol = "icmp"
   }

I get:

│ Error: Error creating Firewall: googleapi: Error 400: Invalid value for field 'resource.allowed[0].IPProtocol': 'icmp'. IPv6 is not compatible with the ICMP protocol. Use the ICMPv6 protocol instead., invalid
│
│   with google_compute_firewall.tf-firewall-ipv6,
│   on main.tf line 37, in resource "google_compute_firewall" "tf-firewall-ipv6":
│   37: resource "google_compute_firewall" "tf-firewall-ipv6" {

Steps to Reproduce

  1. terraform apply

b/313059465

@pdostal pdostal added the bug label Nov 23, 2023
@edwardmedia edwardmedia self-assigned this Nov 24, 2023
@edwardmedia
Contributor

I can repro this issue. These two errors are from the API; I think there is not much we can do at the provider level. But I agree these errors are confusing: neither protocol works.

@volqcapital-eworthington

For those who have stumbled upon this article in search of a temporary solution, the workaround is to set the protocol to "58", and this sets the correct protocol to "ipv6-icmp".

resource "google_compute_firewall" "icmp-v6" {
  name = "icmp-v6"
  network = google_compute_network.this.self_link

  source_ranges = ["::/0"]

  direction = "INGRESS"

  allow {
    protocol = "58"
  }

}
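A pre-apply check for the two API errors reported in this issue, as an added example that is not part of any comment above and is not the provider's code. It assumes the `resource_changes[].change.after` layout of `terraform show -json` plan output; the function names and the sample plan are constructed for illustration.

```python
import ipaddress

# Protocol names quoted in the API error message on this page.
API_PROTOCOL_NAMES = {"ah", "all", "esp", "icmp", "ipip", "sctp", "tcp", "udp"}
ICMPV6_NUMBER = "58"  # workaround value reported in the thread


def has_ipv6_range(ranges):
    """True if any CIDR in the list is an IPv6 network."""
    return any(ipaddress.ip_network(r, strict=False).version == 6 for r in ranges or [])


def check_rule(name, rule):
    """Return findings for one planned google_compute_firewall resource."""
    findings = []
    ipv6 = has_ipv6_range(rule.get("source_ranges")) or has_ipv6_range(rule.get("destination_ranges"))
    for block in ("allow", "deny"):
        for entry in rule.get(block) or []:
            proto = str(entry.get("protocol", ""))
            if proto.isdigit():
                if int(proto) > 255:
                    findings.append(f"{name}: protocol number {proto} is outside 0-255")
            elif proto not in API_PROTOCOL_NAMES:
                hint = f'; use "{ICMPV6_NUMBER}"' if proto.lower() in ("icmpv6", "ipv6-icmp") else ""
                findings.append(f"{name}: protocol {proto!r} is not among the names the API error lists{hint}")
            elif proto == "icmp" and ipv6:
                findings.append(f'{name}: "icmp" is rejected with IPv6 ranges; use "{ICMPV6_NUMBER}"')
    return findings


def lint_plan(plan):
    """Check every google_compute_firewall in parsed `terraform show -json` output."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") == "google_compute_firewall" and after:
            findings += check_rule(rc["address"], after)
    return findings


# Constructed sample: the three protocol values from the thread as plan entries.
def _fw(name, proto):
    after = {"source_ranges": ["::/0"], "allow": [{"protocol": proto, "ports": []}]}
    return {"address": f"google_compute_firewall.{name}", "type": "google_compute_firewall",
            "change": {"after": after}}
SAMPLE_PLAN = {"resource_changes": [_fw("a", "ICMPv6"), _fw("b", "icmp"), _fw("c", "58")]}

if __name__ == "__main__":
    print("\n".join(lint_plan(SAMPLE_PLAN)))
```

To run it against a real plan, pass `lint_plan` the parsed JSON from `terraform show -json` on a saved plan file.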
