hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_app_engine_firewall_rule unable to create default rule #3074

Open marcin-kolda opened 5 years ago

marcin-kolda commented 5 years ago

Community Note

Terraform Version

Terraform v0.11.11

Affected Resource(s)

Terraform Configuration Files

resource "google_app_engine_firewall_rule" "gae_firewall_rule_deny_all" {
  provider = "google-beta"
  project = "my-project"
  priority = 2147483647
  action = "DENY"
  source_range = "*"
  description = "Deny all access by default"
}

provider "google-beta" {}

Debug Output

Error creating FirewallRule: googleapi: Error 400: Cannot add rule at priority 2147483647. Max rule priority is 7.

Panic Output

Expected Behavior

Every new GAE application has a default firewall rule already created with priority 2147483647. When the default rule is created via TF for the first time it should use the apps.firewall.ingressRules.patch method instead of apps.firewall.ingressRules.create. Otherwise the user always has to import the GAE default firewall rule first.

Actual Behavior

GAE Firewall rule was not created.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

b/343221315

goobysnack commented 4 years ago

Is this the simple fix here? To just use one value lower on the priority? So, everything should be denied by rule 2147483646 before ever reaching rule priority 2147483647 right?

PRIORITY    ACTION  SOURCE_RANGE        DESCRIPTION
1000        ALLOW   <omitted>/30
2000        ALLOW   <omitted>/32
2147483646  DENY    *
2147483647  ALLOW   *                   The default action.
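
The workaround described in the comment above, written out as a complete configuration. This is an added example, not code from the issue or from the provider; it assumes the project ID my-project and the google-beta provider alias used in the original report, and the CIDR ranges are constructed placeholders.

```hcl
# Added example (not from the issue): explicit allow rules, then a deny-all
# at the highest priority a user-created rule may have. Rules are evaluated
# lowest priority first, so the built-in default rule at 2147483647 is never
# reached once 2147483646 has matched all remaining traffic.
# Project ID and source ranges are placeholders.

provider "google-beta" {
  project = "my-project"
}

resource "google_app_engine_firewall_rule" "allow_office" {
  provider     = google-beta
  project      = "my-project"
  priority     = 1000
  action       = "ALLOW"
  source_range = "203.0.113.0/30" # constructed documentation range
  description  = "Allow the office egress range"
}

resource "google_app_engine_firewall_rule" "allow_ci" {
  provider     = google-beta
  project      = "my-project"
  priority     = 2000
  action       = "ALLOW"
  source_range = "198.51.100.7/32" # constructed documentation address
  description  = "Allow the CI runner"
}

# 2147483646 is Int32.MaxValue - 1, the top of the [1, Int32.MaxValue-1]
# range the API accepts for user-created rules.
resource "google_app_engine_firewall_rule" "deny_all" {
  provider     = google-beta
  project      = "my-project"
  priority     = 2147483646
  action       = "DENY"
  source_range = "*"
  description  = "Deny everything not explicitly allowed above"
}
```

Because the default rule stays ALLOW, a compliance scan that inspects only priority 2147483647 will still flag the application; this configuration closes the traffic path but does not change what the default rule reports.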

marcin-kolda commented 4 years ago

Hi @goobysnack, this is exactly what we did as a workaround, but still it would be great to be able to change the default rule without importing.

venkykuberan commented 4 years ago

@marcin-kolda not sure you are still looking for a response for this issue. Sorry for the delay. GCP doesn't allow creating a default app_engine_firewall_rule, only the 'Edit' operation is permitted. The new firewall rules should use a priority value between 1 & (2147483647-1).

API doc - https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.firewall.ingressRules

Priority - A positive integer between [1, Int32.MaxValue-1] that defines the order of rule evaluation. Rules with the lowest priority are evaluated first.

A default rule at priority Int32.MaxValue matches all IPv4 and IPv6 traffic when no previous rule matches. Only the action of this rule can be modified by the user.

Please let me know if I can close this one if you have already gotten past the issue.

venkykuberan commented 4 years ago

@marcin-kolda shall I close the issue, as the needed info was provided a few weeks ago?

marcin-kolda commented 4 years ago

Hi @venkykuberan,

I'm aware of the workaround, where you can create a rule with priority 2147483646. Still, there are cases, e.g. automatic scans or policy requirements, where you need to have the default rule set to deny. In such cases it would be great if TF could create such a resource by editing the existing rule.

Still, this is a nice-to-have feature, as you can always import the default rule first.
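Importing the default rule first, as the comment above suggests, written out as an added example that is not part of the issue or the provider's own code. It assumes Terraform 1.5 or later for the import block (the terraform import CLI command shown in the comment is the equivalent for older versions), the project ID my-project, and the import ID format apps/{project}/firewall/ingressRules/{priority} that the resource documents.

```hcl
# Added example (not from the issue): adopt the existing default rule into
# state, then change only its action. The API permits changing nothing but
# the action on priority 2147483647, so the other attributes are set to the
# values the API already reports, keeping the plan down to a single change.
# Project ID is a placeholder.

# Equivalent CLI form for Terraform < 1.5:
#   terraform import google_app_engine_firewall_rule.default_deny \
#     apps/my-project/firewall/ingressRules/2147483647
import {
  to = google_app_engine_firewall_rule.default_deny
  id = "apps/my-project/firewall/ingressRules/2147483647"
}

resource "google_app_engine_firewall_rule" "default_deny" {
  project      = "my-project"
  priority     = 2147483647 # Int32.MaxValue: the built-in default rule
  action       = "DENY"     # the only attribute the API lets you modify
  source_range = "*"        # fixed for the default rule
  description  = "The default action." # match what the API returns
}
```

After applying, run terraform plan and confirm the only diff shown for default_deny is action changing from ALLOW to DENY; any other attribute in the diff must be adjusted to the server-side value, because a patch touching it will be rejected with an error like the 400 in the original report.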

venkykuberan commented 4 years ago

I will move this to enhancement bucket. We may be able to achieve it through a separate resource.

marchchad commented 1 year ago

I know this is digging up an old issue, but another solution would be to allow exporting the app engine firewall rule(s). This will allow terraform-ers to get the definition and state of the default rule. Then they can modify it to be "DENY" for example. This will allow the default rule to be modified rather than creating a new rule with a priority value one lower.

rileykarson commented 1 month ago

Note from triage: Adding the acquire behaviour for the specific default priority seems reasonable.