Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

google_compute_security_policy - no error message when rule has same priority #5804

Closed
valtos opened this issue Mar 2, 2020 · 3 comments · Fixed by GoogleCloudPlatform/magic-modules#3202, #5834 or hashicorp/terraform-provider-google-beta#1828
Closed

google_compute_security_policy - no error message when rule has same priority #5804

valtos opened this issue Mar 2, 2020 · 3 comments · Fixed by GoogleCloudPlatform/magic-modules#3202, #5834 or hashicorp/terraform-provider-google-beta#1828
Assignees
@megan07
Labels
bug forward/review In review; remove label to forward service/compute-security-policy

Comments

@valtos
Copy link

valtos commented Mar 2, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.12.18

Affected Resource(s)

  • google_compute_security_policy

Terraform Configuration Files

  project = my_project_id

  name = "my-policy"

  rule {
    action   = "allow"
    priority = "1000"
    match {
      expr {
        expression = "inIpRange(origin.ip, 'my_first_ip/32') && request.path.startsWith('/admin')"
      }
    }
    description = "a"
  }

  rule {
    action   = "allow"
    priority = "1000"
    match {
      expr {
        expression = "inIpRange(origin.ip, 'my_second_ip/32') && request.path.startsWith('/')"
      }
    }
    description = "b"
  }

  rule {
    action   = "deny(404)"
    priority = "9999"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule : deny all"
  }

}

Debug Output

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Expected Behavior

Well it should have indicates that two rules with same priority isn't possible, and indicate the rule that didn't create

Actual Behavior

"Apply complete!" No error messages, looks like everything is ok with terraform apply ! => but in google console, only one rule was created

Steps to Reproduce

  1. Create a security policy with 2 rules with the same priority
  2. terraform apply

Important Factoids

This error happen with the security policy using the custom rules:
https://cloud.google.com/armor/docs/rules-language-reference
@ghost ghost added the bug label Mar 2, 2020
@edwardmedia edwardmedia self-assigned this Mar 2, 2020
@edwardmedia
Copy link
Contributor

edwardmedia commented Mar 2, 2020
edited
Loading

@megan07 after adding a rule in the resource, I got below plan. But there is only one POST call. You can see the rules in the console do not match the setting in the config. Also if you delete one rule from the config and then apply, I only see one POST call.

# google_compute_security_policy.name will be updated in-place
  ~ resource "google_compute_security_policy" "name" {
        fingerprint = "q8O-lq9XM_w="
        id          = "projects/myproject/global/securityPolicies/my-policy"
        name        = "my-policy"
        project     = "myproject"
        self_link   = "https://www.googleapis.com/compute/v1/projects/myproject/global/securityPolicies/my-policy"

      - rule {
          - action      = "allow" -> null
          - description = "default rule" -> null
          - preview     = false -> null
          - priority    = 2147483647 -> null

          - match {
              - versioned_expr = "SRC_IPS_V1" -> null

              - config {
                  - src_ip_ranges = [
                      - "*",
                    ] -> null
                }
            }
        }
      + rule {
          + action      = "allow"
          + description = "default rule"
          + priority    = 2147483647

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "*",
                    ]
                }
            }
        }
      + rule {
          + action      = "deny(403)"
          + description = "Deny access to IPs in 9.9.7.0/24"
          + priority    = 1000

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "9.9.7.0/24",
                    ]
                }
            }
        }
      - rule {
          - action      = "deny(404)" -> null
          - description = "Deny access to IPs in 9.9.8.0/24" -> null
          - preview     = false -> null
          - priority    = 1000 -> null

          - match {
              - versioned_expr = "SRC_IPS_V1" -> null

              - config {
                  - src_ip_ranges = [
                      - "9.9.8.0/24",
                    ] -> null
                }
            }
        }
      + rule {
          + action      = "deny(404)"
          + description = "Deny access to IPs in 9.9.8.0/24"
          + priority    = 1000

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "9.9.8.0/24",
                    ]
                }
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

---[ REQUEST ]---------------------------------------
POST /compute/beta/projects/myproject/global/securityPolicies/my-policy/patchRule?alt=json&prettyPrint=false&priority=1000 HTTP/1.1
{
 "action": "deny(403)",
 "description": "Deny access to IPs in 9.9.7.0/24",
 "match": {
  "config": {
   "srcIpRanges": [
    "9.9.7.0/24"
   ]
  },
  "versionedExpr": "SRC_IPS_V1"
 },
 "preview": false,
 "priority": 1000
}

@edwardmedia edwardmedia assigned megan07 and unassigned edwardmedia Mar 2, 2020
@valtos
Copy link
Author

valtos commented Mar 3, 2020

@edwardmedia , the error is specifically with security policy containing custom rules with Common Expression Language (CEL)
[https://cloud.google.com/armor/docs/rules-language-reference]

  rule {
    action   = "allow"
    priority = "1000"
    match {
      expr {
        expression = "inIpRange(origin.ip, 'my_first_ip/32') && request.path.startsWith('/admin')"
      }
    }
    description = "a"
  }

@megan07 megan07 mentioned this issue Mar 3, 2020
Merged
This was referenced Mar 5, 2020
Merged
Merged
@ghost
Copy link

ghost commented Apr 5, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 5, 2020
@github-actions github-actions bot added forward/review In review; remove label to forward service/compute-security-policy labels Jan 14, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@megan07 megan07

Labels
bug forward/review In review; remove label to forward service/compute-security-policy
Projects
None yet
Milestone
No milestone
3 participants
@valtos @megan07 @edwardmedia