Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cannot update firewall rule from AddressGroup to Address #409

Open
StoneMonarch opened this issue Sep 11, 2023 · 0 comments
Open

Cannot update firewall rule from AddressGroup to Address #409

StoneMonarch opened this issue Sep 11, 2023 · 0 comments

Comments

@StoneMonarch
Copy link

Trying to modify a firewall rule from an address group to an address results in Unifi returning an error api.err.FirewallRuleCannotMixAddressWithAddressGroup. Filling out all the possible src attributes still results in the same error.

Comparing the .tfstate of two firewall rules created in Unifi, then imported, one with an ip address, and one with groups, shows that only src_address, src_firewall_group_ids, dst_address, dst_firewall_group_ids are meaningful different so I dont think I am missing an attribute that needs to be set. Setting the *group_ids to null also has no effect.

Also strictly creating the resource in Terraform and then modifying it produces the same error.

There seems to be a missing attribute in the Unifi provider that allows for switching the type from group to address to network, as there is this option in the Unifi Controller. The current workaround to destroy the firewall rule, then recreate it with the type, or just update it in Unifi.

r_firewall_rules.tf

resource "unifi_firewall_rule" "lan_in_allow_h_u" {
  name       = "Allow H to U"
  action     = "accept"
  rule_index = 2004
  ruleset    = "LAN_IN"
  protocol   = "all"
  enabled    = true

  # Source
  src_firewall_group_ids = ["63882be747c2b02d711119bf"]
  #   src_address = "10.10.100.2"

  # Destination
  dst_firewall_group_ids = ["61bc647a47c2b0311608c2e1"]
  #   dst_address = "192.164.1.14"

  # Matching
  state_established = true
  state_related     = true
  state_new         = true
}

.tfstate

"attributes": {
  "action": "accept",
  "dst_address": "",
  "dst_address_ipv6": "",
  "dst_firewall_group_ids": [
    "61bc647a47c2b0311608c2e1"
  ],
  "dst_network_id": "",
  "dst_network_type": "NETv4",
  "dst_port": "",
  "enabled": true,
  "icmp_typename": "",
  "icmp_v6_typename": "",
  "id": "61bda84847c2b004be0d2d9c",
  "ip_sec": "",
  "logging": false,
  "name": "Allow H to U",
  "protocol": "all",
  "protocol_v6": "",
  "rule_index": 2004,
  "ruleset": "LAN_IN",
  "site": "default",
  "src_address": "",
  "src_address_ipv6": "",
  "src_firewall_group_ids": [
    "63882be747c2b02d711119bf"
  ],
  "src_mac": "",
  "src_network_id": "",
  "src_network_type": "NETv4",
  "src_port": "",
  "state_established": true,
  "state_invalid": false,
  "state_new": true,
  "state_related": true
},
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@StoneMonarch