zscaler / terraform-provider-zia

:cloud: Terraform Provider for Zscaler Internet Access :cloud:
MIT License

Firewall rule update error causes infinite retry #367

Closed chris-rockwell closed 2 weeks ago

chris-rockwell commented 2 weeks ago

Terraform Version

Terraform v1.9.5 on darwin_arm64

Affected Resource(s)

Terraform Configuration Files

resource "zia_firewall_filtering_rule" "allow_github_ssh" {
  name            = "Allow Github SSH"
  description     = ""
  order           = index(local.zia_firewall_filtering_rule_order, "Allow Github SSH") + 1
  action          = "ALLOW"
  state           = "ENABLED"
  dest_addresses  = jsondecode(data.http.github.response_body).git
  nw_applications = ["SSH"]
}

Plan

  # zia_firewall_filtering_rule.allow_github_ssh will be updated in-place
  ~ resource "zia_firewall_filtering_rule" "allow_github_ssh" {
      ~ dest_addresses      = [
          - "github.com",
          + "140.82.112.0/20",
          + "143.55.64.0/20",
          + "185.199.108.0/22",
          + "192.30.252.0/22",
          + "20.175.192.146/32",
          + "20.175.192.147/32",
          + "20.199.39.227/32",
          + "20.199.39.232/32",
          + "20.200.245.247/32",
          + "20.200.245.248/32",
          + "20.201.28.151/32",
          + "20.201.28.152/32",
          + "20.205.243.160/32",
          + "20.205.243.166/32",
          + "20.207.73.82/32",
          + "20.207.73.83/32",
          + "20.233.83.145/32",
          + "20.233.83.149/32",
          + "20.26.156.214/32",
          + "20.26.156.215/32",
          + "20.27.177.113/32",
          + "20.27.177.118/32",
          + "20.29.134.19/32",
          + "20.29.134.23/32",
          + "20.87.245.0/32",
          + "20.87.245.4/32",
          + "2606:50c0::/32",
          + "2a0a:a440::/29",
          + "4.208.26.197/32",
          + "4.208.26.198/32",
          + "4.237.22.38/32",
          + "4.237.22.40/32",
        ]

        # (15 unchanged blocks hidden)
    }

Expected Behavior

Update fails and an error is logged because the dest_addresses list contained an IPv6 address which is not supported.

Actual Behavior

Terraform attempted to update the firewall rule for over an hour and only stopped when the pipeline timed out. Each attempt to create it had an error logged in the ZIA audit log.

willguibr commented 2 weeks ago

Hi @chris-rockwell Thanks for bringing that to our attention and apologies for the inconvenience. We are implementing a fix/validation for the dest_addresses attribute to ensure the provider triggers an error if a non-supported value is provided in the field, which will be available in the next minor release v3.0.3. In the meantime, you can use a separate local that leverages the Terraform meta-argument try combined with regex. The regex provided in the below example specifically matches IPv4 addresses and CIDR notations; hence excluding IPv6 addresses.

locals {
  # Keep only entries that look like an IPv4 address or IPv4 CIDR.
  # regex() raises an error when the pattern does not match, and try()
  # turns that error into false, so non-matching entries are dropped.
  github_ips = [
    for ip in jsondecode(data.http.github.response_body).git : ip
    if try(regex("^(\\d{1,3}\\.){3}\\d{1,3}(\\/\\d{1,2})?$", ip) != "", false)
  ]
}

data "http" "github" {
  url = "https://api.github.com/meta"

  request_headers = {
    Accept = "application/vnd.github.v3+json"
  }
}

resource "zia_firewall_filtering_rule" "this1" {
  name           = "Allow Github SSH"
  description    = "Allow Github SSH"
  action         = "ALLOW"
  state          = "ENABLED"
  order          = index(local.zia_firewall_filtering_rule_order, "Allow Github SSH") + 1
  dest_addresses  = local.github_ips
  nw_applications = ["SSH"]
}

Once the new version is released, we'll provide an update through this issue.

Zscaler DevRel
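The two halves of this thread, the retry loop caused by an unvalidated IPv6 entry and the regex workaround, can be shown side by side in a small Go program. This is an added example and not code from the terraform-provider-zia project: `FilterWithRegex` applies the same expression as the HCL workaround above, and `ValidateDestAddresses` is a hypothetical provider-side check of the kind the maintainers describe, which fails fast on unsupported values instead of letting the update be retried. The `sampleGitEntries` list is a constructed stand-in for the `git` array of `https://api.github.com/meta`. It goes one step beyond the thread by including an out-of-range octet (`999.1.1.1/24`), which the digit-counting regex accepts but strict parsing with `net/netip` rejects.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
	"strings"
)

// Constructed sample of the "git" list returned by the GitHub meta API.
// It deliberately mixes IPv4 CIDRs, IPv6 CIDRs, a hostname and an entry
// with an out-of-range octet so every branch below is exercised.
var sampleGitEntries = []string{
	"140.82.112.0/20",
	"185.199.108.0/22",
	"20.175.192.146/32",
	"2606:50c0::/32",
	"2a0a:a440::/29",
	"github.com",
	"999.1.1.1/24",
}

// ipv4Pattern is the expression from the HCL workaround, in Go syntax.
var ipv4Pattern = regexp.MustCompile(`^(\d{1,3}\.){3}\d{1,3}(/\d{1,2})?$`)

// FilterWithRegex mirrors the locals block: keep entries that match the
// IPv4/CIDR regex and silently drop everything else.
func FilterWithRegex(entries []string) []string {
	var kept []string
	for _, e := range entries {
		if ipv4Pattern.MatchString(e) {
			kept = append(kept, e)
		}
	}
	return kept
}

// ValidateDestAddresses is a hypothetical provider-side validation (not the
// provider's real code). It parses every entry strictly and returns one error
// naming all unsupported entries, so a bad configuration fails at plan/apply
// time before any API call is made, rather than being retried indefinitely.
func ValidateDestAddresses(entries []string) ([]string, error) {
	var valid, rejected []string
	for _, e := range entries {
		if isIPv4OrCIDR(e) {
			valid = append(valid, e)
			continue
		}
		rejected = append(rejected, e)
	}
	if len(rejected) > 0 {
		return nil, fmt.Errorf(
			"dest_addresses contains unsupported values (only IPv4 addresses or IPv4 CIDRs are accepted): %s",
			strings.Join(rejected, ", "))
	}
	return valid, nil
}

// isIPv4OrCIDR uses net/netip, which rejects octets above 255 and prefix
// lengths above 32, both of which a digit-counting regex lets through.
func isIPv4OrCIDR(s string) bool {
	if strings.Contains(s, "/") {
		p, err := netip.ParsePrefix(s)
		return err == nil && p.Addr().Is4()
	}
	a, err := netip.ParseAddr(s)
	return err == nil && a.Is4()
}

func main() {
	fmt.Println("regex filter keeps:", FilterWithRegex(sampleGitEntries))
	if _, err := ValidateDestAddresses(sampleGitEntries); err != nil {
		fmt.Println("strict validation of raw list:", err)
	}
	// The regex workaround still passes 999.1.1.1/24, so strict validation
	// of the filtered list also fails; only genuinely valid IPv4 entries pass.
	if _, err := ValidateDestAddresses(FilterWithRegex(sampleGitEntries)); err != nil {
		fmt.Println("strict validation of regex-filtered list:", err)
	}
}
```

Running it shows the regex keeping four entries (including the bogus one) while the strict check rejects the IPv6 prefixes, the hostname and the out-of-range octet by name. The design point for a provider is the one the maintainers make in the thread: the validation must run client-side and return a terminal error, because the API rejecting the request on every attempt is exactly what produced an hour of retries and a trail of failed entries in the ZIA audit log.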