Open lahughes35 opened 4 months ago
Hi @lahughes35
We need the google_compute_network_firewall_policy_rule code to replicate this issue and all other resources involved like:
google_network_security_address_group
google_compute_network_firewall_policy
google_compute_network
google_tags_tag_key
google_tags_tag_value
As you can see in this link
Finally, when you talk about the source, destination or address groups, are you referring to the google_network_security_address_group?
Hello @ggtisc
All of the elements you listed are created before this stack runs, it only adds rules to existing google_compute_network_firewall_policy resources. I will include the resource for google_compute_network_firewall_policy_rule below, it just iterates over the all_rules var created from reading in one or more yaml files like the example above. I did include the code to add things like threat intelligences and secure tags because those are used for other rules in my configs, but the only parts necessary to replicate the issue are the ones that map to the keys in the example yaml file.

> Finally, when you talk about the source, destination or address groups, are you referring to the google_network_security_address_group?

Yes, I am referring to google_network_security_address_group when talking about source or destination address groups above.
```hcl
resource "google_compute_network_firewall_policy_rule" "default" {
  for_each = local.all_rules

  project                 = var.project_id
  firewall_policy         = "https://www.googleapis.com/compute/v1/projects/${var.project_id}/global/firewallPolicies/${each.value.fwpol_name}"
  action                  = each.value.action
  priority                = each.value.priority
  description             = each.value.description
  direction               = each.value.direction
  enable_logging          = each.value.enable_logging
  target_service_accounts = each.value.target_service_accounts

  match {
    src_address_groups        = each.value.match.src_address_groups
    dest_address_groups       = each.value.match.dest_address_groups
    src_threat_intelligences  = each.value.match.src_threat_intelligences
    dest_threat_intelligences = each.value.match.dest_threat_intelligences
    src_ip_ranges             = each.value.match.src_ip_ranges
    dest_ip_ranges            = each.value.match.dest_ip_ranges

    # Secure tags are optional in the yaml, so a null value becomes an empty set.
    dynamic "src_secure_tags" {
      for_each = toset(coalesce(each.value.match.src_secure_tags, []))
      content {
        name = src_secure_tags.value
      }
    }

    dynamic "layer4_configs" {
      for_each = each.value.match.layer4_configs
      content {
        ip_protocol = layer4_configs.value.protocol
        ports       = layer4_configs.value.ports
      }
    }
  }

  dynamic "target_secure_tags" {
    for_each = toset(
      each.value.target_secure_tags == null ? [] : each.value.target_secure_tags
    )
    content {
      name = target_secure_tags.value
    }
  }
}
```
There are 2 locals in your code that aren't declared that are necessary to replicate this issue.
But as you are saying that the important parts to replicate the issue are the ones that map to the keys in the example yaml file, maybe you can simplify this file to provide only what is necessary to replicate this issue instead of sharing the complete configuration.
I created a much simplified example tf file that will reproduce the issue, it just needs to be pointed at an existing project by updating local.project_id. After the first apply, all subsequent plans will show an update even with no changes made.
```hcl
locals {
  project_id      = "my-project"
  firewall_policy = "my-fw-policy"
}

resource "google_compute_network_firewall_policy" "policy" {
  name        = local.firewall_policy
  project     = local.project_id
  description = "Terraform test"
}

resource "google_network_security_address_group" "add-group1" {
  name     = "address-group-1"
  parent   = "projects/${local.project_id}"
  location = "global"
  type     = "IPV4"
  capacity = "10"
  items    = ["10.0.1.1/32"]
}

resource "google_network_security_address_group" "add-group2" {
  name     = "address-group-2"
  parent   = "projects/${local.project_id}"
  location = "global"
  type     = "IPV4"
  capacity = "10"
  items    = ["10.0.2.2/32"]
}

resource "google_network_security_address_group" "add-group3" {
  name     = "address-group-3"
  parent   = "projects/${local.project_id}"
  location = "global"
  type     = "IPV4"
  capacity = "10"
  items    = ["10.0.3.3/32"]
}

# Ingress rule: source address groups are listed as group-3 then group-1.
resource "google_compute_network_firewall_policy_rule" "basic_test" {
  depends_on = [
    google_network_security_address_group.add-group1,
    google_network_security_address_group.add-group2,
    google_network_security_address_group.add-group3,
    google_compute_network_firewall_policy.policy,
  ]

  project         = local.project_id
  firewall_policy = "https://www.googleapis.com/compute/v1/projects/${local.project_id}/global/firewallPolicies/${local.firewall_policy}"
  action          = "allow"
  priority        = 1000
  description     = "Testing address group order issue"
  direction       = "INGRESS"
  enable_logging  = true

  match {
    src_address_groups = [
      "projects/${local.project_id}/locations/global/addressGroups/address-group-3",
      "projects/${local.project_id}/locations/global/addressGroups/address-group-1",
    ]
    dest_ip_ranges = ["192.168.2.0/24", "10.0.3.4/32"]
    layer4_configs {
      ip_protocol = "all"
    }
  }
}

# Egress rule: destination address groups are listed as group-3 then group-2.
resource "google_compute_network_firewall_policy_rule" "basic_test_2" {
  depends_on = [
    google_network_security_address_group.add-group1,
    google_network_security_address_group.add-group2,
    google_network_security_address_group.add-group3,
    google_compute_network_firewall_policy.policy,
  ]

  project         = local.project_id
  firewall_policy = "https://www.googleapis.com/compute/v1/projects/${local.project_id}/global/firewallPolicies/${local.firewall_policy}"
  action          = "allow"
  priority        = 1100
  description     = "Testing address group order issue"
  direction       = "EGRESS"
  enable_logging  = true

  match {
    dest_address_groups = [
      "projects/${local.project_id}/locations/global/addressGroups/address-group-3",
      "projects/${local.project_id}/locations/global/addressGroups/address-group-2",
    ]
    src_ip_ranges = ["192.168.2.0/24", "10.0.3.4/32"]
    layer4_configs {
      ip_protocol = "all"
    }
  }
}
```
Confirmed issue!
After creating the resources, each time a terraform apply is executed, terraform tries to update the google_compute_network_firewall_policy_rule.match.src_address_groups and google_compute_network_firewall_policy_rule.match.dest_address_groups even if there aren't changes to apply.
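A perpetual reorder-only diff on firewall rules is noise that can mask a genuine change to the same rules in the same plan. The script below is an added example, not code from the issue or the provider: it walks `terraform show -json` plan output and classifies each changed match list in an updated rule as a pure reorder (this bug) or a real change. It assumes the plan JSON layout where a `match` block is serialised as a one-element list, and uses constructed sample data in that shape.

```python
RULE_TYPE = "google_compute_network_firewall_policy_rule"
LIST_KEYS = ("src_address_groups", "dest_address_groups", "src_ip_ranges", "dest_ip_ranges")


def _ag(name):
    # Full resource path of a global address group in the constructed project.
    return f"projects/my-project/locations/global/addressGroups/{name}"


# Constructed sample shaped like `terraform show -json tfplan` output (assumed
# layout: the `match` block is serialised as a one-element list). basic_test is
# the reorder reported in this issue; basic_test_2 carries a genuine change.
SAMPLE_PLAN = {"resource_changes": [
    {"address": f"{RULE_TYPE}.basic_test", "type": RULE_TYPE, "change": {
        "actions": ["update"],
        "before": {"match": [{"src_address_groups": [_ag("address-group-1"), _ag("address-group-3")],
                              "dest_ip_ranges": ["192.168.2.0/24", "10.0.3.4/32"]}]},
        "after": {"match": [{"src_address_groups": [_ag("address-group-3"), _ag("address-group-1")],
                             "dest_ip_ranges": ["192.168.2.0/24", "10.0.3.4/32"]}]}}},
    {"address": f"{RULE_TYPE}.basic_test_2", "type": RULE_TYPE, "change": {
        "actions": ["update"],
        "before": {"match": [{"dest_address_groups": [_ag("address-group-2"), _ag("address-group-3")],
                              "src_ip_ranges": ["192.168.2.0/24", "10.0.3.4/32"]}]},
        "after": {"match": [{"dest_address_groups": [_ag("address-group-2"), _ag("address-group-3")],
                             "src_ip_ranges": ["192.168.2.0/24", "0.0.0.0/0"]}]}}},
]}


def classify_list_change(before, after):
    """'unchanged', 'reorder_only' (same members, new order) or 'real_change'."""
    if before == after:
        return "unchanged"
    if sorted(before) == sorted(after):
        return "reorder_only"
    return "real_change"


def audit_rule_changes(plan):
    """List (address, attribute, kind) for every changed match list in updated rules."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RULE_TYPE or "update" not in rc["change"]["actions"]:
            continue
        before = (rc["change"]["before"].get("match") or [{}])[0]
        after = (rc["change"]["after"].get("match") or [{}])[0]
        for key in LIST_KEYS:
            kind = classify_list_change(before.get(key) or [], after.get(key) or [])
            if kind != "unchanged":
                findings.append((rc["address"], key, kind))
    return findings
```

Against a real plan, load the file with `json.load` and pass it to `audit_rule_changes`; any `real_change` finding deserves review even when the plan is otherwise dominated by `reorder_only` noise.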
Terraform Version & Provider Version(s)
Terraform >=v1.4.6 on Linux x86
Affected Resource(s)
google_compute_network_firewall_policy_rule
Terraform Configuration
Debug Output
No response
Expected Behavior
After adding a FW policy rule with source (or destination) address groups, the rule would not need to update when it hasn't been changed.
Actual Behavior
I'm sending a list of source and destination address groups (in different rules) and their order is switching after an apply so TF tries to "update" the rules every run.
Steps to reproduce
Important Factoids
We don't see this behavior with lists of IPs in src_ip_ranges or dest_ip_ranges, just with the address groups.
References
No response
b/346940317