TLS_JA3_FINGERPRINT is not supported in google_compute_security_policy resource

[mqmr]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

[NOT A CONTRIBUTION]

It seems both of version of the provider - "stable" and "beta", don't support setting TLS_JA3_FINGERPRINT in google_compute_security_policy resource, while the documentation [1] and examples [2] show it's possible.

│ Error: expected rule.60.rate_limit_options.0.enforce_on_key to be one of ["ALL" "IP" "HTTP_HEADER" "XFF_IP" "HTTP_COOKIE" "HTTP_PATH" "SNI" "REGION_CODE" ""], got TLS_JA3_FINGERPRINT

│ Error: expected rule.60.rate_limit_options.0.enforce_on_key_configs.0.enforce_on_key_type to be one of ["ALL" "IP" "HTTP_HEADER" "XFF_IP" "HTTP_COOKIE" "HTTP_PATH" "SNI" "REGION_CODE"], got TLS_JA3_FINGERPRINT

• https://github.com/hashicorp/terraform-provider-google-beta/blob/f3462a7e0dd9c004586d6fb3e231356ec4d1b2f3/google-beta/services/compute/resource_compute_security_policy.go#L288

• terraform-provider-google/google/services/compute/resource_compute_security_policy.go

  Line 221 in ef4977a

  ValidateFunc: validation.StringInSlice([]string{"ALL", "IP", "HTTP_HEADER", "XFF_IP", "HTTP_COOKIE", "HTTP_PATH", "SNI", "REGION_CODE", ""}, false),

New or Affected Resource(s)

• google_compute_security_policy

Potential Terraform Configuration

References

Docs:
[1] https://cloud.google.com/armor/docs/rate-limiting-overview#identifying_clients_for_rate_limiting
[2] https://cloud.google.com/armor/docs/configure-rate-limiting#ja3

b/328077803

[melinath]

Note from triage: If this field changes frequently, it may be worth removing the enum validation so that the provider doesn't need to be updated when new values are added.

[rojomisin]

a workaround is to add a custom header to the backend and rate limit off the that

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.