Open marcin-kolda opened 5 years ago
Is this the simple fix here? To just use one value lower on the priority? So, everything should be denied by rule 2147483646 before ever reaching rule priority 2147483647 right?
PRIORITY    ACTION  SOURCE_RANGE   DESCRIPTION
1000        ALLOW   <omitted>/30
2000        ALLOW   <omitted>/32
2147483646  DENY    *
2147483647  ALLOW   *              The default action.
Hi @goobysnack, this is exactly what we did as a workaround, but still it would be great to be able to change the default rule without importing.
@marcin-kolda not sure you are still looking for a response on this issue. Sorry for the delay. GCP doesn't allow creating a default app_engine_firewall_rule; only the 'Edit' operation is permitted. New firewall rules should use a priority value between 1 & (2147483647-1).
API doc - https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.firewall.ingressRules
Priority - A positive integer between [1, Int32.MaxValue-1] that defines the order of rule evaluation. Rules with the lowest priority are evaluated first.
A default rule at priority Int32.MaxValue matches all IPv4 and IPv6 traffic when no previous rule matches. Only the action of this rule can be modified by the user.
Please let me know if I can close this one, if you have already got past the issue.
@marcin-kolda shall I close the issue, as the needed info was provided a few weeks ago?
Hi @venkykuberan,
I'm aware of the workaround, where you can create a rule with priority 2147483646. Still, there are cases, e.g. automatic scans or policy requirements, where you need to have the default rule set to deny. In such cases it would be great if TF could create such a resource by editing the existing rule.
Still, this is a nice-to-have feature, as you can always import the default rule first.
I will move this to enhancement bucket. We may be able to achieve it through a separate resource.
I know this is digging up an old issue, but another solution would be to allow exporting the app engine firewall rule(s). This will allow terraform-ers to get the definition and state of the default rule. Then they can modify it to be "DENY" for example. This will allow the default rule to be modified rather than creating a new rule with a priority value one lower.
Note from triage: Adding the acquire behaviour for the specific default priority seems reasonable
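A Terraform configuration for the workaround goobysnack describes (a catch-all DENY one priority below the default rule) together with the import route marcin-kolda mentions, as an added example that is not from the issue or the provider's own code; the project id and address ranges are placeholders, and the import ID form is assumed from the provider documentation for this resource:

```hcl
# Added example (not from the issue or the provider). Project id and CIDRs are placeholders.

# Explicit allows are evaluated first: the lowest priority value wins.
resource "google_app_engine_firewall_rule" "allow_office" {
  project      = "my-project-id"   # placeholder
  priority     = 1000
  action       = "ALLOW"
  source_range = "203.0.113.0/30"  # placeholder (TEST-NET-3)
  description  = "Office range"
}

resource "google_app_engine_firewall_rule" "allow_monitor" {
  project      = "my-project-id"   # placeholder
  priority     = 2000
  action       = "ALLOW"
  source_range = "198.51.100.7/32" # placeholder (TEST-NET-2)
  description  = "Monitoring host"
}

# Workaround: a catch-all DENY at Int32.MaxValue-1, so the built-in
# "ALLOW *" at priority 2147483647 is never reached.
resource "google_app_engine_firewall_rule" "deny_all" {
  project      = "my-project-id"   # placeholder
  priority     = 2147483646
  action       = "DENY"
  source_range = "*"
  description  = "Deny everything not explicitly allowed"
}

# Alternative: edit the default rule instead of shadowing it. It cannot be
# created, only edited, so it has to be imported into state before the first
# apply (otherwise the 400 "Cannot add rule at priority 2147483647" is returned).
# Import ID form assumed from the provider docs:
#
#   terraform import google_app_engine_firewall_rule.default \
#     apps/my-project-id/firewall/ingressRules/2147483647
#
# resource "google_app_engine_firewall_rule" "default" {
#   project      = "my-project-id"   # placeholder
#   priority     = 2147483647
#   action       = "DENY"            # only the action of this rule can change
#   source_range = "*"
#   description  = "The default action."
# }
```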
Terraform Version
Terraform v0.11.11
Affected Resource(s)
Terraform Configuration Files
Debug Output
Error creating FirewallRule: googleapi: Error 400: Cannot add rule at priority 2147483647. Max rule priority is 7.
Panic Output
Expected Behavior
Every new GAE application already has a default firewall rule created with priority 2147483647. When the default rule is created via TF for the first time, it should use the apps.firewall.ingressRules.patch method instead of apps.firewall.ingressRules.create. Otherwise the user always has to import the GAE default firewall rule first.
Actual Behavior
GAE Firewall rule was not created.
Steps to Reproduce
terraform apply
Important Factoids
References
b/343221315