browningluke / terraform-provider-opnsense

OPNsense Terraform Provider
https://registry.terraform.io/providers/browningluke/opnsense/latest
MIT License

opnsense_firewall_filter not accepting destination port range as alias #44

Closed enmanuelmoreira closed 9 months ago

enmanuelmoreira commented 10 months ago

When using the opnsense_firewall_filter resource, I got an error using an alias to group several ports:

Error: Invalid Attribute Value Match
│ 
│   with opnsense_firewall_filter.wifi_allow_whatsapp_tcp,
│   on wifi_firewall_rules.tf line 162, in resource "opnsense_firewall_filter" "wifi_allow_whatsapp_tcp":
│  162: resource "opnsense_firewall_filter" "wifi_allow_whatsapp_tcp" {
│ 
│ Attribute destination.port must be number (80), range (80-443) or well known name (http), got:
│ port_whatsapp_tcp

resource "opnsense_firewall_alias" "port_whatsapp_tcp" {
  enabled     = true
  name        = "port_whatsapp_tcp"
  description = "WhatsApp Videocalls TCP ports"

  type = "port"
  content = ["5222","5223","5228"]

  stats = true
}
resource "opnsense_firewall_filter" "allow_whatsapp_tcp" {
  enabled     = true
  description = "Allow access to WhatsApp Videocalls on the WIFI interface"
  action      = "pass"
  quick       = true
  log         = true
  interface   = ["int2"]

  direction   = "in"
  ip_protocol = "inet"
  protocol    = "TCP"

  source = {
    net    = "int2"
    invert = false
  }

  destination = {
    net  = "any"
    port = "port_whatsapp_tcp"
  }
}

browningluke commented 10 months ago

Hey @enmanuelmoreira, thanks for opening an issue. I'm currently traveling so I won't be able to look at this immediately, sorry. I hopefully should have some time in a few days.

browningluke commented 9 months ago

Sorry for the month delay, been super busy! This should be fixed in the latest version of the plugin.

One thing to note is that, if you have both the alias and filter resource in TF, make sure you set the correct dependency relation between them, otherwise the filter might be created before the alias, and it will result in an error. For example, you should do something like this:

resource "opnsense_firewall_alias" "port_whatsapp_tcp" {
  enabled     = true
  name        = "port_whatsapp_tcp"
  description = "WhatsApp Videocalls TCP ports"

  type = "port"
  content = ["5222","5223","5228"]

  stats = true
}

resource "opnsense_firewall_filter" "allow_whatsapp_tcp" {
  enabled     = true
  description = "Allow access to WhatsApp Videocalls on the WIFI interface"
  action      = "pass"
  quick       = true
  log         = true
  interface   = ["int2"]

  direction   = "in"
  ip_protocol = "inet"
  protocol    = "TCP"

  source = {
    net    = "int2"
    invert = false
  }

  destination = {
    net  = "any"
    port = opnsense_firewall_alias.port_whatsapp_tcp.name
  }
}

Let me know if you still run into the problem and I'll re-open the issue!
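The error quoted in the report lists the three forms destination.port accepted before the fix (number, range, well-known name), and the maintainer's reply says alias names now work as well. The following Go validator is an added example, not the provider's own code: it accepts all four forms and shows how a port range is told apart from an alias name, with the hyphen form always treated as a range attempt. The well-known service set and the alias naming rule (letters, digits, underscores, no leading digit, at most 32 characters) are assumptions, not taken from OPNsense or the provider.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// PortKind names the accepted form of a destination.port value.
type PortKind string
const (
	KindNumber    PortKind = "number"    // "80"
	KindRange     PortKind = "range"     // "80-443"
	KindWellKnown PortKind = "wellknown" // "http"
	KindAlias     PortKind = "alias"     // "port_whatsapp_tcp", the form this issue asked for
)

// Assumed here, not taken from the provider or OPNsense: a small well-known service
// set, and alias names limited to [A-Za-z_][A-Za-z0-9_]{0,31}.
var wellKnown = map[string]bool{"http": true, "https": true, "ssh": true, "dns": true}
var aliasRe = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]{0,31}$`)

func parsePort(s string) (int, bool) {
	n, err := strconv.Atoi(s)
	return n, err == nil && n >= 1 && n <= 65535
}

// ClassifyPort reports which form v takes, or rejects it with a message modelled on the
// provider's. Well-known names are tested before alias names, so a shadowing alias is reported as the service.
func ClassifyPort(v string) (PortKind, error) {
	if _, ok := parsePort(v); ok {
		return KindNumber, nil
	}
	if lo, hi, found := strings.Cut(v, "-"); found { // any '-' is a range attempt
		l, okL := parsePort(lo)
		h, okH := parsePort(hi)
		if okL && okH && l < h {
			return KindRange, nil
		}
		return "", fmt.Errorf("invalid range %q: ends must be 1-65535 with low < high", v)
	}
	if wellKnown[strings.ToLower(v)] {
		return KindWellKnown, nil
	}
	if aliasRe.MatchString(v) {
		return KindAlias, nil
	}
	return "", fmt.Errorf("destination.port must be number (80), range (80-443), well known name (http) or alias name, got: %s", v)
}
```

Note that the validator only checks the shape of the value; whether the alias actually exists on the firewall at apply time is still decided by the dependency ordering the reply above describes.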