Closed chris-rockwell closed 2 weeks ago
Hi @chris-rockwell
Thanks for bringing that to our attention and apologies for the inconvenience.
We are implementing a fix/validation for the `dest_addresses` attribute to ensure the provider triggers an error if a non-supported value is provided in the field which will be available in the next minor release v3.0.3.
In the meantime, you can use a separate `locals` that leverages the Terraform meta-argument `try` combined with `regex`. The regex provided in the below example specifically matches IPv4 addresses and CIDR notations; hence excluding IPv6 addresses.
```hcl
locals {
  # Keep only entries matching the IPv4 / IPv4-CIDR pattern.
  # try() falls back to false when regex() finds no match.
  github_ips = [
    for ip in jsondecode(data.http.github.response_body).git : ip
    if try(regex("^(\\d{1,3}\\.){3}\\d{1,3}(\\/\\d{1,2})?$", ip) != "", false)
  ]
}

data "http" "github" {
  url = "https://api.github.com/meta"
  request_headers = {
    Accept = "application/vnd.github.v3+json"
  }
}

resource "zia_firewall_filtering_rule" "this1" {
  name            = "Allow Github SSH"
  description     = "Allow Github SSH"
  action          = "ALLOW"
  state           = "ENABLED"
  order           = index(local.zia_firewall_filtering_rule_order, "Allow Github SSH") + 1
  dest_addresses  = local.github_ips
  nw_applications = ["SSH"]
}
```
Once the new version is released, we'll provide an update through this issue.

Zscaler DevRel
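As an added example (not part of the comment above or of the provider's code), a Python pre-flight check that a pipeline could run before `terraform apply`: it applies the same pattern to a `git` list and cross-checks the result against strict parsing with the standard `ipaddress` module, failing fast instead of letting the apply retry. The function names and the sample addresses (documentation ranges, not GitHub's real ones) are assumptions.

```python
import ipaddress
import json
import re

# The pattern from the workaround above, transcribed to Python syntax.
PAGE_PATTERN = re.compile(r"^(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?$")

# Constructed sample shaped like the "git" list of https://api.github.com/meta.
# The addresses are documentation ranges, not GitHub's real ranges.
SAMPLE_META = json.dumps({
    "git": [
        "192.0.2.0/24",
        "198.51.100.7/32",
        "203.0.113.9",
        "2001:db8::/32",
        "2001:db8:1::1/128",
    ]
})


def split_by_family(entries):
    """Return (ipv4, ipv6, invalid) using strict parsing of each entry."""
    ipv4, ipv6, invalid = [], [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            invalid.append(entry)
            continue
        (ipv4 if net.version == 4 else ipv6).append(entry)
    return ipv4, ipv6, invalid


def regex_filter(entries):
    """Apply the page's regex filter, as the Terraform local does."""
    return [e for e in entries if PAGE_PATTERN.match(e)]


def preflight(meta_json):
    """Return (ipv4, ipv6); raise if the regex and the strict parse disagree."""
    entries = json.loads(meta_json)["git"]
    ipv4, ipv6, invalid = split_by_family(entries)
    by_regex = regex_filter(entries)
    if invalid or by_regex != ipv4:
        raise ValueError(f"unexpected entries: invalid={invalid}, regex={by_regex}")
    return ipv4, ipv6
```

The cross-check matters because the pattern only tests the shape of an entry: a string such as `999.1.1.1/99` passes the regex but is rejected by `ipaddress`.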
Community Note
Terraform Version
Terraform v1.9.5 on darwin_arm64
Affected Resource(s)
Terraform Configuration Files
Plan
Expected Behavior
Update fails and an error is logged because the dest_addresses list contained an IPv6 address which is not supported.
Actual Behavior
Terraform attempted to update the firewall rule for over an hour and only stopped when the pipeline timed out. Each attempt to create it had an error logged in the ZIA audit log.