FW Policy unordered lists for address groups #18134
Comments
Hi @lahughes35 We need the
As you can see in this link Finally when you talk about the
Hello @ggtisc All of the elements you listed are created before this stack runs, it only adds rules to existing
Yes, I am referring to

```hcl
resource "google_compute_network_firewall_policy_rule" "default" {
  for_each = local.all_rules

  project         = var.project_id
  firewall_policy = "https://www.googleapis.com/compute/v1/projects/${var.project_id}/global/firewallPolicies/${each.value.fwpol_name}"
  action          = each.value.action
  priority        = each.value.priority
  description     = each.value.description
  direction       = each.value.direction
  enable_logging  = each.value.enable_logging

  target_service_accounts = each.value.target_service_accounts

  match {
    src_address_groups        = each.value.match.src_address_groups
    dest_address_groups       = each.value.match.dest_address_groups
    src_threat_intelligences  = each.value.match.src_threat_intelligences
    dest_threat_intelligences = each.value.match.dest_threat_intelligences
    src_ip_ranges             = each.value.match.src_ip_ranges
    dest_ip_ranges            = each.value.match.dest_ip_ranges

    dynamic "src_secure_tags" {
      for_each = toset(coalesce(each.value.match.src_secure_tags, []))
      content {
        name = src_secure_tags.value
      }
    }

    dynamic "layer4_configs" {
      for_each = each.value.match.layer4_configs
      content {
        ip_protocol = layer4_configs.value.protocol
        ports       = layer4_configs.value.ports
      }
    }
  }

  dynamic "target_secure_tags" {
    for_each = toset(
      each.value.target_secure_tags == null ? [] : each.value.target_secure_tags
    )
    content {
      name = target_secure_tags.value
    }
  }
}
```
There are 2 locals in your code that aren't declared that are necessary to replicate this issue.
But as you are saying that the important issue is to replicate the issue are the ones that map to the keys in the example yaml file, maybe you can simplify this file to provide only the necessary to replicate this issue instead of sharing the complete configuration.
Community Note
Terraform Version & Provider Version(s)
Terraform >=v1.4.6
on Linux x86
Affected Resource(s)
google_compute_network_firewall_policy_rule
Terraform Configuration
Debug Output
No response
Expected Behavior
After adding a FW policy rule with source (or destination) address groups, the rule would not need to update when it hasn't been changed.
Actual Behavior
I'm sending a list of source and destination address groups (in different rules) and their order is switching after an apply so TF tries to "update" the rules every run.
Steps to reproduce
Important Factoids
We don't see this behavior with lists of IPs in src_ip_ranges or dest_ip_ranges, just with the address groups.
References
No response
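The symptom reported here is a plan that updates a rule even though nothing changed except the order of list elements. The following added example (not code from the issue or from the provider) reads `terraform show -json` plan output and flags updates whose `before` and `after` differ only in list order, so such provider-side ordering noise can be separated from real rule changes in a pipeline. The plan JSON below is constructed for illustration; the comparison treats every list as order-insensitive, which is what you want for this check even for attributes where order is normally significant.

```python
import json
from typing import Any

# Constructed, abridged sample of `terraform show -json tfplan` output (not taken
# from the issue): "allow-web" only has its source address groups reordered,
# while "deny-db" really gains a destination address group.
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": 'google_compute_network_firewall_policy_rule.default["allow-web"]',
         "type": "google_compute_network_firewall_policy_rule",
         "change": {"actions": ["update"],
                    "before": {"priority": 1000, "match": [{"src_address_groups": ["ag-a", "ag-b"]}]},
                    "after":  {"priority": 1000, "match": [{"src_address_groups": ["ag-b", "ag-a"]}]}}},
        {"address": 'google_compute_network_firewall_policy_rule.default["deny-db"]',
         "type": "google_compute_network_firewall_policy_rule",
         "change": {"actions": ["update"],
                    "before": {"priority": 2000, "match": [{"dest_address_groups": ["ag-x"]}]},
                    "after":  {"priority": 2000, "match": [{"dest_address_groups": ["ag-x", "ag-y"]}]}}},
    ],
})

def normalize(value: Any) -> Any:
    """Recursively make list order irrelevant by sorting lists on a canonical JSON key."""
    if isinstance(value, dict):
        return {k: normalize(v) for k, v in value.items()}
    if isinstance(value, list):
        return sorted((normalize(v) for v in value), key=lambda v: json.dumps(v, sort_keys=True))
    return value

def reorder_only_updates(plan_json: str) -> list[str]:
    """Return addresses of planned updates whose before/after differ only in list ordering."""
    hits = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if change["actions"] != ["update"]:
            continue  # creates, deletes and no-ops cannot be ordering noise
        before, after = change["before"], change["after"]
        if before != after and normalize(before) == normalize(after):
            hits.append(rc["address"])
    return hits

if __name__ == "__main__":
    for addr in reorder_only_updates(PLAN_JSON):
        print(f"reorder-only update (likely provider ordering noise): {addr}")
```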