hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

custom error policies (beta) failing on google_compute_url_map #19044

Closed dgillman closed 2 months ago

dgillman commented 2 months ago

Terraform Version & Provider Version(s)

Terraform v1.5.6 on darwin_amd64

Affected Resource(s)

google_compute_url_map

Terraform Configuration

Before

resource "google_compute_url_map" "https_url" {
  name            = "${local.prefix}-front-https"
  default_service = var.backends.default_backend_id

  host_rule {
    hosts        = var.domains
    path_matcher = "routes"
  }

  path_matcher {
    name            = "routes"
    default_service = var.backends.default_backend_id
    dynamic "path_rule" {
      for_each = toset(var.backends.path_rules)
      content {
        paths   = path_rule.value.paths
        service = path_rule.value.backend_id
      }
    }
  }
}

After

resource "google_compute_url_map" "https_url" {
  provider        = google-beta
  name            = "${local.prefix}-front-https"
  default_service = var.backends.default_backend_id

  host_rule {
    hosts        = var.domains
    path_matcher = "routes"
  }

  path_matcher {
    name            = "routes"
    default_service = var.backends.default_backend_id
    dynamic "path_rule" {
      for_each = toset(var.backends.path_rules)
      content {
        paths   = path_rule.value.paths
        service = path_rule.value.backend_id
        custom_error_response_policy {
          error_response_rule {
            match_response_codes   = ["404"]
            path                   = path_rule.value.error_path
            override_response_code = 200
          }
          error_service = path_rule.value.backend_id
        }
      }
    }
  }
  default_custom_error_response_policy {
    error_response_rule {
      match_response_codes   = ["404"]
      path                   = "/index.html"
      override_response_code = 200
    }
    error_service = var.backends.default_backend_id
  }
}

Debug Output

https://gist.github.com/dgillman/cc57044a2104fa18e10a6c4a3397c73d

Expected Behavior

Error response policies should be created on the existing URL map.

Actual Behavior

The provider reports a 400 response from the Google compute API with an uninterpretable error message:

Error waiting for Updating UrlMap: generic::invalid_argument: Message does not pass whitelist validation. The offending field is a submessage of UrlMap (UrlMap) at field number 10 (UnknownField::Type 3).

Steps to reproduce

  1. terraform apply

Important Factoids

I have attempted to directly configure these same resources using the gcloud command line tool based on instructions from Google documentation. That attempt fails with a different error message. Details of that issue are contained in a ticket lodged with the Google API team: https://issuetracker.google.com/issues/356907809

References

No response

ggtisc commented 2 months ago

Hi @dgillman!

I tried to replicate this issue, but everything was successful without errors. So I suggest you modify your code, just for test purposes, without using locals, variables and the for_each block, and check each one of these components to confirm their values are correct.

It is important to say that this is good practice, but it is just for test purposes since we don't have access to that information; or, if you don't have any sensitive data, you could share the full code so others can try.

dgillman commented 2 months ago

Thanks, @ggtisc. I got to the bottom of this through a bunch of trial and error. The issue was the google_compute_global_forwarding_rule which ultimately orchestrated the front end load balancer. It was declared with load_balancing_scheme = "EXTERNAL" (i.e. classic load balancer). Custom error policies are not supported in this configuration. The error is probably complicated by the URL Map and Forwarding Rule having already existed, as the API calls would have been incompatible updates on existing resources instead of a new configuration.

I guess, root causing this, it was a lack of clarity on the constraints around the underlying load balancing resources. But it took a lot of digging to get there. If there is any validation phase which might have caught this, I'd happily take a crack at a PR to pre-empt errors like this with a sanity check. But this is definitely edge-casey.

Anyway, thanks for giving this your time. Closing the issue
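The configuration below is an added example, not code from the issue author or from the provider repository. It shows the shape the root-cause comment above implies: the whole frontend chain (backend service, URL map, target HTTPS proxy, global forwarding rule) declared with load_balancing_scheme = "EXTERNAL_MANAGED", i.e. a global external Application Load Balancer rather than the classic "EXTERNAL" scheme, so the custom error response policies on the URL map are accepted. It also adds the plan-time sanity check the author wished for, as a lifecycle precondition on the URL map, so a mismatched scheme fails in terraform plan instead of surfacing as the opaque 400 from the Compute API. The resource names, the local.prefix value, the variables (var.domains, var.instance_group_id) and the health check are assumptions for illustration.

```hcl
# Added example (not from the issue): end-to-end EXTERNAL_MANAGED frontend so that
# custom error response policies are accepted. Names and variables are assumed.

locals {
  prefix    = "demo"             # assumed
  lb_scheme = "EXTERNAL_MANAGED" # classic "EXTERNAL" does not accept custom error policies
}

variable "domains" {
  type = list(string) # assumed: hostnames served by the load balancer
}

variable "instance_group_id" {
  type = string # assumed: an existing instance group used as the backend
}

resource "google_compute_health_check" "default" {
  name = "${local.prefix}-hc"
  http_health_check {
    port = 80
  }
}

# Backend service and forwarding rule must agree on the scheme.
resource "google_compute_backend_service" "default" {
  name                  = "${local.prefix}-default-backend"
  protocol              = "HTTP"
  load_balancing_scheme = local.lb_scheme
  health_checks         = [google_compute_health_check.default.id]

  backend {
    group = var.instance_group_id
  }
}

resource "google_compute_url_map" "https_url" {
  provider        = google-beta # error policies were beta-only at the time of the issue
  name            = "${local.prefix}-front-https"
  default_service = google_compute_backend_service.default.id

  host_rule {
    hosts        = var.domains
    path_matcher = "routes"
  }

  path_matcher {
    name            = "routes"
    default_service = google_compute_backend_service.default.id
  }

  # Serve /index.html with a 200 when the backend answers 404 (single-page app pattern).
  default_custom_error_response_policy {
    error_response_rule {
      match_response_codes   = ["404"]
      path                   = "/index.html"
      override_response_code = 200
    }
    error_service = google_compute_backend_service.default.id
  }

  lifecycle {
    # Plan-time guard: the policy above is only valid on an EXTERNAL_MANAGED frontend.
    precondition {
      condition     = local.lb_scheme == "EXTERNAL_MANAGED"
      error_message = "custom error response policies require load_balancing_scheme = \"EXTERNAL_MANAGED\" (global external Application Load Balancer); classic \"EXTERNAL\" rejects them."
    }
  }
}

resource "google_compute_managed_ssl_certificate" "front" {
  name = "${local.prefix}-front-cert"
  managed {
    domains = var.domains
  }
}

resource "google_compute_target_https_proxy" "front" {
  name             = "${local.prefix}-front-https-proxy"
  url_map          = google_compute_url_map.https_url.id
  ssl_certificates = [google_compute_managed_ssl_certificate.front.id]
}

resource "google_compute_global_forwarding_rule" "front" {
  name                  = "${local.prefix}-front-https-rule"
  target                = google_compute_target_https_proxy.front.id
  port_range            = "443"
  ip_protocol           = "TCP"
  load_balancing_scheme = local.lb_scheme # same scheme as the backend service
}
```

Because the URL map is created before the proxy and forwarding rule that reference it, the precondition checks a shared local rather than the forwarding rule's attributes (referencing the rule from the URL map would create a dependency cycle). When applying this to a frontend that already exists with the classic scheme, read the plan carefully before approving: changing load_balancing_scheme on the existing forwarding rule and backend service is likely to be shown as a replacement rather than an in-place update, which is the "incompatible updates on existing resources" situation described in the comment above; treat that as an assumption to verify in your own plan output.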

github-actions[bot] commented 1 month ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.