
google_compute_security_policy layer_7_ddos_defense_config forcing rule_visibility even though it's optional #17966

Open
paololazzari opened this issue Apr 26, 2024 · 7 comments

Comments

@paololazzari

paololazzari commented Apr 26, 2024

Terraform Version

Terraform v1.7.2
on darwin_arm64

  • provider registry.terraform.io/hashicorp/google v5.25.0

Affected Resource(s)

google_compute_security_policy

Terraform Configuration

resource "google_compute_security_policy" "policy" {
  name        = var.policy_name
  description = var.policy_description
  type        = "CLOUD_ARMOR"
  project     = var.project

  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = true
    }
  }
}

Expected Behavior

terraform plan should not update the resource as there are no changes

Actual Behavior

I have imported an existing security policy. When I run terraform plan, I can see that terraform wants to add a rule_visibility field even though it's optional according to the documentation:

$ terraform plan
...
      ~ adaptive_protection_config {
          ~ layer_7_ddos_defense_config {
              + rule_visibility = "STANDARD"
                # (1 unchanged attribute hidden)
            }
        }
...
Plan: 0 to add, 1 to change, 0 to destroy.
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-security-policy labels Apr 26, 2024
@ggtisc ggtisc self-assigned this May 2, 2024
@ggtisc
Collaborator

ggtisc commented May 2, 2024

Hi @paololazzari!

This ticket was replicated successfully with the provided configuration, versions and specifications, but after importing the resource and executing terraform plan, the terminal message was:

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

If you are importing a resource into your terraform files, I suggest you follow these steps:

  1. In your terraform configuration 'main.tf' write only this:
    resource "google_compute_security_policy" "policy" {}

  2. If the value of var.policy_name is my-policy, in your terminal run terraform import google_compute_security_policy.policy my-policy

  3. Finally, check your terraform.tfstate file and copy the imported values to your resource resource "google_compute_security_policy" "policy" {}. If you have everything as you shared, then you will not find differences. But if you change something, then the terraform plan will detect it.

If you continue having problems after this, share your terraform.tfstate file and the value of your var.policy_name.

@paololazzari
Author

@ggtisc can you confirm that when you attempted to reproduce this the resource did not have the rule_visibility field defined?

@ggtisc
Collaborator

ggtisc commented May 7, 2024

As was mentioned in the steps above, the only initial code (step 1) was resource "google_compute_security_policy" "policy" {}

@paololazzari
Author

Finally check your terraform.tfstate file and copy the imported values to your resource resource "google_compute_security_policy" "policy" {}. If you have everything as you shared then you will not find differences.

You misunderstood what this ticket is about. Of course if I copy the imported values to the resource no differences will be found. The problem here is that having imported an identical object, terraform still wants to apply a change when it shouldn't.

@ggtisc
Collaborator

ggtisc commented May 7, 2024

Yes, and as was explained in the 1st message, with a correct import of the resource the message in the terminal was:

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

@RGMishan

RGMishan commented May 7, 2024

Hello @ggtisc ,

We are also facing a similar issue. We have an existing Security Policy which has "Adaptive Protection" disabled in the GCP Console.

Our Terraform Configuration:

  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = false
    }
  }

During terraform plan we are seeing the drift below:

  adaptive_protection_config {
      ~ layer_7_ddos_defense_config {
          + rule_visibility = "STANDARD"
            # (1 unchanged attribute hidden)
        }
    }

In the state file we have the configuration below (this is the same even after we tried your suggestion to import with an empty resource block):

"adaptive_protection_config": [
  {
    "layer_7_ddos_defense_config": [
      {
        "enable": false,
        "rule_visibility": ""
      }
    ]
  }
],

This seems to be an issue with "rule_visibility" argument.
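Both reports in this thread show the same signature: after import, the state carries rule_visibility = "" (the API returned nothing for it), while the provider plans "STANDARD" for the attribute, so every plan proposes a change to a policy that is unchanged in GCP. A Cloud Armor policy is a security control, and a permanent fake diff on it hides real drift. The configuration below is an added example, not code from this issue or from the google provider's documentation. It assumes the provider default for rule_visibility is "STANDARD" (the value both plans above tried to add), reuses the variable names from the original report, and shows two ways to get a clean plan on an imported policy; the "-disabled" policy name suffix is a constructed name used only so both options fit in one file.

```hcl
# Added example, not code from this issue or from the google provider docs.
# Assumption: the provider's schema default for rule_visibility is "STANDARD",
# which is the value both plans in this thread tried to add. Variable names
# come from the original report.

variable "project"            { type = string }
variable "policy_name"        { type = string }
variable "policy_description" { type = string }

# Option A: pin the attribute to the provider default. After import the state
# holds rule_visibility = "" (nothing came back from the API), so the plan
# shows "+ rule_visibility = "STANDARD"" on every run. Writing the same value
# in the configuration makes the configured value equal the planned one; one
# apply rewrites the import-time "" in state without altering the policy.
resource "google_compute_security_policy" "policy" {
  name        = var.policy_name
  description = var.policy_description
  type        = "CLOUD_ARMOR"
  project     = var.project

  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable          = true
      rule_visibility = "STANDARD"
    }
  }
}

# Option B: keep the configuration as reported (attribute omitted) and tell
# Terraform not to treat that one attribute as drift. Fits the second report,
# where Layer 7 DDoS defense is disabled and a visibility value carries no
# meaning. Shown as a second resource only so both options fit in one file;
# in practice pick one approach per policy. "-disabled" is a constructed name.
resource "google_compute_security_policy" "policy_disabled" {
  name        = "${var.policy_name}-disabled"
  description = var.policy_description
  type        = "CLOUD_ARMOR"
  project     = var.project

  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = false
    }
  }

  lifecycle {
    # Attributes inside nested blocks are addressed by index in ignore_changes.
    ignore_changes = [
      adaptive_protection_config[0].layer_7_ddos_defense_config[0].rule_visibility,
    ]
  }
}
```

Import the existing policy as in the steps above (terraform import google_compute_security_policy.policy my-policy), then run terraform plan. Option A should yield one apply followed by clean plans, provided the API echoes the value back on refresh; if the "+ rule_visibility" diff returns after that apply, the provider is discarding the value on read, and Option B's ignore_changes is the dependable fallback. Scope ignore_changes to that single attribute rather than the whole adaptive_protection_config block, so a real change to enable (switching adaptive protection off) still surfaces in the plan.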

@ggtisc
Collaborator

ggtisc commented May 7, 2024

@RGMishan could you please raise a new ticket with the following information, or share it here?

  1. terraform configuration
  2. terraform version
  3. provider version

Also please mention if you are importing an existing google_compute_security_policy or creating a new one.
