Setting 127.0.0.1/24 as a CIDR is allowed in terraform plan

[MaT1g3R]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Terraform Version

0.12.3

Affected Resource(s)

• google_compute_firewall

Terraform Configuration Files

resource "google_compute_firewall" "name" {
  name          = "name"
  direction     = "INGRESS"
  target_tags   = ["tag"]
  source_ranges = ["127.0.0.1/24"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  priority = 1000
  network  = "default"

Debug Output

Panic Output

Expected Behavior

An error from terraform plan to disallow invalid CIDR

Actual Behavior

Error: Error updating Firewall "name": googleapi: Error 400: Invalid value for field 'resource.sourceRanges[0]': '127.0.0.1/24'. Must be a valid IPV4 CIDR address range., invalid

Steps to Reproduce

1. terraform plan
2. terraform apply

[slevenick]

This is a constraint applied by the firewall API itself, not the terraform provider, so we will not be able to allow this via changes to terraform

Is there a particular reason you want to be able to use 127.0.0.1 in a firewall rule? It doesn't make much sense to me to create rules for a local address that would presumably not use the network anyways

[MaT1g3R]

We want to allow external computers through this firewall rule, but we don't know what these computers are right now so we use localhost as a placeholder instead of 0.0.0.0/0 so we don't get attacked.

I think doing CIDR validation in client code without going to Google API isn't unreasonable

[slevenick]

Terraform could do CIDR validation locally, but will have to send something to the API. Sending no values will result in the default 0.0.0.0/0 being added, so there isn't a way we can cause this behavior in the terraform provider alone.

Could you specify source_tags for a firewall rule? Specifying source_tags allows a firewall to have an empty source_ranges block

[MaT1g3R]

How does specifying source_tags behave with an unempty source_ranges block? Will it just allow the addresses in the source_ranges block to go through if nothing is using the tags in source_rags?

We are ultimately trying to control the source ranges with a list variable, it could be empty sometimes. if adding a source_tags block works with this model then it seems like a good solution.

Thank you for your help.

[slevenick]

According to this doc https://cloud.google.com/vpc/docs/firewalls you can specify both source_ranges and source_tags together. source_tags applies only to traffic from within your VPC.

As long as you have something in the source_tags block the API will not set a default source_ranges, so you should be able to use a list for source_ranges that could be empty and they should work together.

[MaT1g3R]

That works for our purposes then. Thank you very much for your help

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!