diff --git a/.changelog/5526.txt b/.changelog/5526.txt
new file mode 100644
index 0000000000..9718dc97a6
--- /dev/null
+++ b/.changelog/5526.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+compute: fixed a bug where `google_compute_firewall` would incorrectly find `source_ranges` to be empty during validation
+```
diff --git a/google-beta/resource_compute_firewall.go b/google-beta/resource_compute_firewall.go
index 09e06a24f1..697deff7d7 100644
--- a/google-beta/resource_compute_firewall.go
+++ b/google-beta/resource_compute_firewall.go
@@ -87,10 +87,10 @@ func resourceComputeFirewallSourceFieldsCustomizeDiff(_ context.Context, diff *s
 _, sasOk := diff.GetOk("source_service_accounts")
 _, tagsExist := diff.GetOkExists("source_tags")
- // ranges is computed, but this is what we're trying to avoid, so we're not going to check this
+ _, rangesExist := diff.GetOkExists("source_ranges")
 _, sasExist := diff.GetOkExists("source_service_accounts")
- if !tagsOk && !rangesOk && !sasOk && !tagsExist && !sasExist {
+ if !tagsOk && !rangesOk && !sasOk && !tagsExist && !rangesExist && !sasExist {
 return fmt.Errorf("one of source_tags, source_ranges, or source_service_accounts must be defined")
 }
 }
diff --git a/google-beta/resource_compute_firewall_test.go b/google-beta/resource_compute_firewall_test.go
index 52324c5f80..a32c212e99 100644
--- a/google-beta/resource_compute_firewall_test.go
+++ b/google-beta/resource_compute_firewall_test.go
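Review bot: The comment removed beside `tagsExist` explained why `source_ranges` was deliberately kept out of the exists-check, and the new `rangesExist` line reverses that decision with nothing in its place. Judging by the error string, this condition is what rejects a rule that names no source at all, so the reasoning should stay next to it, for example `// source_ranges may be unknown at plan time (e.g. built from another resource's attribute), so GetOk alone can report it unset; check GetOkExists as well.` That wording is inferred from the changelog entry and the new test config, so adjust it to the actual cause. The function starts and ends outside this hunk, so any gating on `direction` is not visible here.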
@@ -239,6 +239,29 @@ func TestAccComputeFirewall_enableLogging(t *testing.T) {
 })
 }
+func TestAccComputeFirewall_moduleOutput(t *testing.T) {
+ t.Parallel()
+
+ networkName := fmt.Sprintf("tf-test-firewall-%s", randString(t, 10))
+ firewallName := fmt.Sprintf("tf-test-firewall-%s", randString(t, 10))
+
+ vcrTest(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckComputeFirewallDestroyProducer(t),
+ Steps: []resource.TestStep{
+ {
+ Config: testAccComputeFirewall_moduleOutput(networkName, firewallName),
+ },
+ {
+ ResourceName: "google_compute_firewall.foobar",
+ ImportState: true,
+ ImportStateVerify: true,
+ },
+ },
+ })
+}
+
 func testAccComputeFirewall_basic(network, firewall string) string {
 return fmt.Sprintf(`
 resource "google_compute_network" "foobar" {
@@ -444,3 +467,40 @@ resource "google_compute_firewall" "foobar" {
 }
 `, network, firewall, enableLoggingCfg)
 }
+
+func testAccComputeFirewall_moduleOutput(network, firewall string) string {
+ return fmt.Sprintf(`
+resource "google_compute_network" "foobar" {
+ name = "%s"
+ auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "foobar" {
+ name = "%s-subnet"
+ ip_cidr_range = "10.0.0.0/16"
+ region = "us-central1"
+ network = google_compute_network.foobar.name
+}
+
+resource "google_compute_address" "foobar" {
+ name = "%s-address"
+ subnetwork = google_compute_subnetwork.foobar.id
+ address_type = "INTERNAL"
+ region = "us-central1"
+ }
+
+resource "google_compute_firewall" "foobar" {
+ name = "%s"
+ description = "Resource created for Terraform acceptance testing"
+ network = google_compute_network.foobar.name
+ direction = "INGRESS"
+
+ source_ranges = ["${google_compute_address.foobar.address}/32"]
+ target_tags = ["foo"]
+
+ allow {
+ protocol = "tcp"
+ }
+}
+`, network, network, network, firewall)
+}
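Review bot: `TestAccComputeFirewall_moduleOutput` exercises only the accepting path: its two steps apply the config and import it. Nothing in this diff shows that the validation still rejects an ingress rule with none of the three source fields now that `rangesExist` is part of the condition. If no such case exists elsewhere in the file (not visible here), add a step with a config that omits all three fields and `ExpectError: regexp.MustCompile("one of source_tags, source_ranges, or source_service_accounts must be defined")`. That keeps a later change to the condition from silently letting source-less rules through.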
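Review bot: The helper `testAccComputeFirewall_moduleOutput` is named for a module output, but its config contains no module; the value that is not known until apply is `google_compute_address.foobar.address` inside `source_ranges`. A comment above the function such as `// source_ranges is interpolated from an address that is only known after apply` would tie the config to the bug named in the changelog. The closing brace of the `google_compute_address` block also appears indented, unlike the other resource blocks in the same string.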