
google_compute_firewall does not remove source ranges when a source_tag is set #2713

Closed
filipVisko opened this issue Dec 19, 2018 · 3 comments
@filipVisko
filipVisko commented Dec 19, 2018

Terraform Version

Terraform v0.11.11
+ provider.google v1.20.0

Affected Resource(s)

  • google_compute_firewall

Terraform Configuration Files

This config does not wipe away the source_range:

```hcl
resource "google_compute_firewall" "testing-intinf-prometheus-wmi-exporter-allow-from-internal" {
  name      = "testing-intinf-prometheus-wmi-exporter-allow-from-internal"
  network   = "${google_compute_network.testing-intinf.self_link}"
  direction = "INGRESS"
  allow {
    protocol = "tcp"
    ports    = ["9100"]
  }
  source_tags = ["testing-intinf"]
  target_tags = ["testing-intinf"]
  priority    = 1000
  depends_on  = ["google_compute_network.testing-intinf"]
}
```

This config is a workaround that does wipe away the source_range:

```hcl
resource "google_compute_firewall" "testing-intinf-prometheus-wmi-exporter-allow-from-internal" {
  name      = "testing-intinf-prometheus-wmi-exporter-allow-from-internal"
  network   = "${google_compute_network.testing-intinf.self_link}"
  direction = "INGRESS"
  allow {
    protocol = "tcp"
    ports    = ["9100"]
  }
  source_tags   = ["testing-intinf"]
  target_tags   = ["testing-intinf"]
  source_ranges = []
  priority      = 1000
  depends_on    = ["google_compute_network.testing-intinf"]
}
```

Starting state of resource

The firewall rule has no source or target tags, and has a source range of 0.0.0.0/0. See below for TF config.

Expected Behavior

According to the documentation for google_compute_firewall#source_ranges I would expect the first config file to remove the source_range from the firewall rule.

Actual Behavior

  • The source and target tags are added as expected.
  • The source range is not removed; unexpected.

Steps to Reproduce

```hcl
resource "google_compute_network" "testing-intinf" {
  name                    = "testing-intinf"
  auto_create_subnetworks = "false"
}

resource "google_compute_subnetwork" "testing-intinf" {
  name          = "testing-intinf"
  ip_cidr_range = "10.52.0.0/20"
  network       = "${google_compute_network.testing-intinf.self_link}"

  region        = "europe-west1"

  secondary_ip_range {
    range_name    = "k8s-pods"
    ip_cidr_range = "10.52.16.0/20"
  }
  secondary_ip_range {
    range_name    = "k8s-services"
    ip_cidr_range = "10.52.32.0/20"
  }
}

resource "google_compute_firewall" "testing-intinf-prometheus-wmi-exporter-allow-from-internal" {
  name      = "testing-intinf-prometheus-wmi-exporter-allow-from-internal"
  network   = "${google_compute_network.testing-intinf.self_link}"
  direction = "INGRESS"
  allow {
    protocol = "tcp"
    ports    = ["9100"]
  }
  priority   = 1000
  depends_on = ["google_compute_network.testing-intinf"]
}
```

  1. Save the above to a file
  2. terraform init
  3. terraform apply

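The following is an added example, not code from the issue or from the Terraform provider. It models the state the report describes (tags added, the pre-existing 0.0.0.0/0 source range kept) as a constructed rule in the shape the Compute API returns, and shows why that state matters: GCP applies sourceRanges and sourceTags as an OR, so a rule that still carries 0.0.0.0/0 admits any source regardless of the tags. The audit helper flags exactly that drift across a list of rules. The rule dicts and addresses are constructed sample data; the functions are assumed names for this example only.

```python
import ipaddress

# Constructed sample rules in the shape returned by the Compute API
# (for instance `gcloud compute firewall-rules describe --format=json`).
# STALE_RULE models the state the issue describes after applying the first
# config: tags were added, but the pre-existing 0.0.0.0/0 source range stayed.
STALE_RULE = {
    "name": "testing-intinf-prometheus-wmi-exporter-allow-from-internal",
    "direction": "INGRESS",
    "priority": 1000,
    "sourceRanges": ["0.0.0.0/0"],
    "sourceTags": ["testing-intinf"],
    "targetTags": ["testing-intinf"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["9100"]}],
}

# The same rule after the `source_ranges = []` workaround from the issue.
FIXED_RULE = {**STALE_RULE, "sourceRanges": []}


def _port_allowed(entry, protocol, port):
    """One 'allowed' entry matches if the protocol matches and the port falls in
    one of its port specs ("9100" or "8000-9000"); no 'ports' key means all ports."""
    if entry["IPProtocol"] not in (protocol, "all"):
        return False
    specs = entry.get("ports")
    if not specs:
        return True
    for spec in specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_allows(rule, src_ip, src_tags, protocol, port):
    """Would this ingress rule admit a packet from src_ip (sent by a VM carrying
    src_tags) to protocol/port? GCP ORs sourceRanges and sourceTags: the source
    filter matches if the IP is inside any range OR the sender has any listed tag."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    ip = ipaddress.ip_address(src_ip)
    in_range = any(ip in ipaddress.ip_network(r, strict=False)
                   for r in rule.get("sourceRanges", []))
    from_tagged_vm = bool(set(rule.get("sourceTags", [])) & set(src_tags))
    if not (in_range or from_tagged_vm):
        return False
    return any(_port_allowed(e, protocol, port) for e in rule.get("allowed", []))


def find_stale_open_ranges(rules):
    """Audit helper: names of ingress rules that carry sourceTags (so tag scoping
    was evidently intended) but still admit any source via a /0 range.
    This is the drift the issue reports."""
    flagged = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not rule.get("sourceTags"):
            continue
        if any(ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in rule.get("sourceRanges", [])):
            flagged.append(rule["name"])
    return flagged


if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for "the internet".
    for label, rule in (("stale", STALE_RULE), ("fixed", FIXED_RULE)):
        print(label, "internet -> tcp/9100 allowed:",
              rule_allows(rule, "203.0.113.7", (), "tcp", 9100))
    print("rules with lingering /0 beside source tags:",
          find_stale_open_ranges([STALE_RULE, FIXED_RULE]))
```

Running it shows the stale rule admitting the untagged internet source to port 9100 while the fixed rule only admits tagged senders; feeding `find_stale_open_ranges` the output of a real rule listing is a quick way to catch firewall rules that ended up in this state after a Terraform apply.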
@ghost ghost added the bug label Dec 19, 2018
@andor44
andor44 commented Jan 23, 2019

As an extension of this issue: when changing an ingress rule to an egress rule, source_range is also not removed, plus your workaround cannot be used because terraform will complain about conflicting source_range and destination_ranges.

Perhaps it is as simple as removing source_range when it is not provided but maybe ingress -> egress change should force new resource.

@nat-henderson
Contributor

I agree - ingress to egress should be ForceNew. I'll make that change.

The rest of that is somewhat complicated. Since those fields are Computed (we made that choice in order to allow the use of defaults), the current value in GCP is used if they are not explicitly set. Removing a field with a Computed value is a challenge (it requires you to explicitly set the value to the empty value), and it's not something we can really fix in this provider. I hear you that it's possible to wind up in a broken state with this resource, though, and I'll make the change suggested.

I'll also remove that source_range/destination_range ConflictsWith, so the workaround will be valid for that case.

@ghost
ghost commented Feb 23, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Feb 23, 2019