hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Regional Forwarding rule network behavior when "network" parameter is null #13889

Closed jeheyer closed 1 year ago

jeheyer commented 1 year ago

Terraform Version

1.3.6

Affected Resource(s)

Terraform Configuration Files

resource "google_compute_forwarding_rule" "default" {
  project               = "myproject"
  name                  = "smtp-ilb"
  ports                 = [25, 465, 587]
  all_ports             = false
  load_balancing_scheme = "INTERNAL"
  region                = "us-central1"
  network               = null
  subnetwork            = "mysubnet"
}

Debug Output

TF plan output:

# google_compute_forwarding_rule.default will be created
  + resource "google_compute_forwarding_rule" "default" {
      + all_ports             = false
      + allow_global_access   = false
      + backend_service       = (known after apply)
      + creation_timestamp    = (known after apply)
      + id                    = (known after apply)
      + ip_address            = (known after apply)
      + ip_protocol           = (known after apply)
      + label_fingerprint     = (known after apply)
      + load_balancing_scheme = "INTERNAL"
      + name                  = "smtp-ilb"
      + network               = (known after apply)
      + network_tier          = (known after apply)
      + ports                 = [
          + "25",
          + "465",
          + "587",
        ]
      + project               = "myproject"
      + psc_connection_id     = (known after apply)
      + psc_connection_status = (known after apply)
      + region                = "us-central1"
      + self_link             = (known after apply)
      + service_name          = (known after apply)
      + subnetwork            = "projects/myproject/regions/us-central1/subnetworks/mysubnet"

Panic Output

n/a

Expected Behavior

Per both Terraform and Google documentation, network should be "default" since it was not specified.

Actual Behavior

For HTTP(S) load balancers, network = null does indeed default to the "default" network.
For internal TCP/UDP load balancers, network is the same network used by the backend instance group.

Steps to Reproduce

  1. Run terraform apply
  2. Observe that even with the network parameter set to null, the forwarding rule uses the same network and subnet as the backend instance groups
  3. Use the same config with an HTTP(S) load balancer; the plan does in fact show the "default" network being used:
# google_compute_forwarding_rule.https will be created
  + resource "google_compute_forwarding_rule" "https" {
      + load_balancing_scheme = "INTERNAL_MANAGED"
      + network               = "projects/myproject/global/networks/default"

Important Factoids

The documented Terraform behavior is consistent with the documented Google API behavior. Unfortunately, both are slightly off.

This field is actually not required for internal TCP/UDP load balancers since the forwarding rule must always be on the same network / subnet as the backend instances.

This field would be required for envoy-based HTTP(S) LBs (both internal and external) so the proxy-only or regional-managed subnet can be determined. If set to null, it would make sense to try the "default" network.

References
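An added plan check, not part of the issue or the provider, that turns the observation above into something a pipeline can enforce: it reads `terraform show -json` output and warns about Envoy-based (managed-scheme) forwarding rules whose network is unset or resolves to the project's "default" VPC, while leaving INTERNAL rules alone because their network follows the subnetwork. The `MANAGED_SCHEMES` set and the embedded sample plan are my own construction, modelled on the two plans quoted in the issue.

```python
import json
import sys

# Envoy-based schemes: an unset "network" is filled with the project's
# "default" VPC instead of being derived from the subnetwork.
MANAGED_SCHEMES = {"INTERNAL_MANAGED", "EXTERNAL_MANAGED"}


def check_forwarding_rules(plan: dict) -> list[str]:
    """One warning per planned forwarding rule that would silently land on the
    "default" network. INTERNAL rules are skipped: the API always places them
    on the VPC that the subnetwork (and the backends) belong to."""
    warnings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "google_compute_forwarding_rule":
            continue
        if not {"create", "update"} & set(change.get("actions", [])):
            continue
        after = change.get("after") or {}
        scheme = after.get("load_balancing_scheme")
        network = after.get("network")
        if scheme not in MANAGED_SCHEMES:
            continue
        if network is None and not (change.get("after_unknown") or {}).get("network"):
            warnings.append(f"{rc['address']}: {scheme} rule sets no network; "
                            "the API will place it on the 'default' VPC")
        elif isinstance(network, str) and network.endswith("/networks/default"):
            warnings.append(f"{rc['address']}: {scheme} rule lands on {network}")
    return warnings


# Constructed sample mirroring the two plans quoted in the issue (not real output).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "google_compute_forwarding_rule.default",
     "type": "google_compute_forwarding_rule",
     "change": {"actions": ["create"], "after_unknown": {"network": True},
                "after": {"load_balancing_scheme": "INTERNAL",
                          "subnetwork": "projects/myproject/regions/us-central1/subnetworks/mysubnet"}}},
    {"address": "google_compute_forwarding_rule.https",
     "type": "google_compute_forwarding_rule",
     "change": {"actions": ["create"], "after_unknown": {},
                "after": {"load_balancing_scheme": "INTERNAL_MANAGED",
                          "network": "projects/myproject/global/networks/default"}}},
]}

if __name__ == "__main__":
    # Pipe in `terraform show -json plan.out`; without stdin the sample is used.
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    for w in check_forwarding_rules(plan):
        print("WARNING:", w)
```

Run as `terraform show -json plan.out | python check_fr.py` after `terraform plan -out plan.out`; a non-empty warning list is the signal to set `network` explicitly on the managed-scheme rule.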

c2thorn commented 1 year ago

Labelling as upstream since the provider is defaulting to whatever the API returns, as well as using the same documentation.

c2thorn commented 1 year ago

Created b/272789525 internally to track.

jeheyer commented 1 year ago

Thanks, I'm working with Google right now to get a documentation bug on their end. I ended up having to do some trial & error testing to get this parameter working as expected and just trying to save other folks the headache.

c2thorn commented 1 year ago

API documentation was updated, and the provider documentation should be updated when https://github.com/GoogleCloudPlatform/magic-modules/pull/7625 is released.

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.