[Bug]: Can't import hcloud_firewall_attachment

[hadmut]

What happened?

Hi,

I do have a running setup in the Hetzner Cloud (hcloud) with servers, networks, firewall, bells, and whistles, running properly.

Now I am trying to write a terraform ruleset which would recreate exactly this setup, i.e. having

terraform plan

output nothing to do after importing the current setup with

terraform import ... , because the terraform configuration exactly matches the setup.

One problem remains:

I have written hcloud_firewall resources with rulesets, that exactly match my firewall setup, but

resource "hcloud_firewall_attachment" "webtest1wall" { firewall_id = hcloud_firewall.webwall.id server_ids = [hcloud_server.webtest1.id] }

always resulting in plan

hcloud_firewall_attachment.webtest1wall will be created

• resource "hcloud_firewall_attachment" "webtest1wall" {
  • firewall_id = SOMEID
  • id = (known after apply)
  • server_ids = [
    • SOMEOTHERID, ] }

although it alreaday exists, simply because I cannot import it and tell terraform, that this already exists.

whatever I try to do for importing, I always get

│ Error: resource hcloud_firewall_attachment doesn't support import

The description at https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall_attachment

doesn't mention importing either.

So how do I import the attachment?

What did you expect to happen?

Having a way to import a firewall attachment in order to tell terraform, that it already exists and does not need to be recreated.

Please provide a minimal working example

see above

Do create a

• server
• firewall
• attachment of the server to the firewall

• in the Hetzner Web GUI and try to write terraform configuration to describe the server, the firewall, the attachment.

Importing the server and the firewall into terraform is easy, but how to import the attachment in order to keep terraform recreating it?

regards

[hadmut]

Since there can be only a single list of attachments per firewall and thus the list does not need to be identified by name or id, shouldn't the attachment be imported by importing the firewall?

Or in other words: Does that resource make sense at all? Shouldn't the list of attached servers be just a property of the firewall resource?

[jooola]

Hi, You are correct, looking at the code, the firewall attachment terraform ID is set to the firewall ID, which does not feel right. We should be able to have multiple attachment per firewall. I don't know what prevented this to happen in the first place. Maybe this is because we cannot make a diff between the API and multiple firewall attachments.

Adding the import logic to handle the firewall ID is really easy, but I'd prefer waiting that we changed the ID of the firewall attachment to support multiple ones and then find a way to import them (not sure how, seems tricky).

I'll try to think of a solution, but this one sure is not an easy one (maybe the answer is that we have to wait to migrate to the Terraform plugin-framework)

For the time being, could you maybe delete the firewall in the console and create it using terraform?

[hadmut]

Not at the moment, this is a productive system.

I will soon perform more tests.

As far as I can see, there is not precisely "multiple attachments" for firewalls, but, following

https://docs.hetzner.cloud/#firewall-actions-apply-to-resources

an array each for each possible resource type. Actually there is e.g. only one attachment for resource type server, and this attachment is an array of attached server ids.

Although this is some bad design by Hetzner, this is the way it is.

An ID for a firewall attachment could be "[firewallID]-server", containing an array.

This is somewhat annoying, since the firewall config needs to know all servers, and rather the server should have a property identifying the firewall to use, but as long as Hetzner has designed it this way, the terraform config should follow Hetzner – for better or for worse.