NAT gateway with nat_ip_allocate_option=AUTO, no ip address output #7469

Open
dddomin3 opened this issue Oct 8, 2020 · 8 comments
dddomin3 commented Oct 8, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

v0.12.23

Google provider 3.7.0

Affected Resource(s)

  • google_cloud_nat

Issue summary

When creating a NAT gateway with nat_ip_allocate_option=AUTO_ONLY, the NAT gateway Terraform module does not output the IP addresses that were assigned to the NAT gateway. Deriving the IP address that is assigned to the NAT gateway would involve a data resource, and doesn’t feel like best practice.
I would expect the IP address to be outputted in the nat_ips array. The documentation suggests that this field is ignored if AUTO_ONLY is set, but it’s ambiguous if this extends to the outputted data.

Expected Behavior

I’d either expect there to be a different output for IPs outright, or for the nat_ips array to be populated regardless of the nat_ip_allocate_option value.

Actual Behavior

Try to get IP address out of "nat_ips" = [] and see that it's blank.

Steps to Reproduce

Create a NAT gateway with terraform. Set "nat_ip_allocate_option" = "AUTO_ONLY". Try to get IP address out of "nat_ips" = [] and see that it's blank.

  1. terraform apply

Important Factoids

I have none, but factoids are actually uh...

"an invented fact believed to be true because it appears in print"

References

terraform-google-modules/terraform-google-cloud-nat#37

ghost added the bug label Oct 8, 2020
edwardmedia self-assigned this Oct 9, 2020
edwardmedia removed their assignment Oct 9, 2020

rileykarson (Collaborator) commented

I'm not aware if this information is available anywhere. For an AUTO_ONLY google_compute_router_nat resource, a GET call to the API returns the following:

    {
      "name": "tf-test-router-nat-f239otlnmn",
      "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
      "natIpAllocateOption": "AUTO_ONLY",
      "udpIdleTimeoutSec": 30,
      "icmpIdleTimeoutSec": 30,
      "tcpEstablishedIdleTimeoutSec": 1200,
      "tcpTransitoryIdleTimeoutSec": 30,
      "logConfig": {
        "enable": true,
        "filter": "ERRORS_ONLY"
      }
    }

Is this information available in the API somewhere that you're aware of?

jtyr commented Jan 18, 2021

I think that the solution is to check all external IPs with the purpose of NAT_AUTO and extract the address from the record that has the router in its list of users. This is how to get it by using gcloud and jq:

    gcloud compute addresses list --filter=purpose=NAT_AUTO --format json | jq -r '.[] | select(.users[] | endswith("/tf-test-router-1")) | .address'

rileykarson (Collaborator) commented

Hmm- the most viable way of getting access to that in Terraform is probably to add support for a google_compute_global_addresses datasource with filter as an input, similar to https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/projects.

jtyr commented Jan 20, 2021

That would probably be a good enough solution, @rileykarson. If the google_compute_global_address had the filter argument implemented, we could get the IP by using this (referencing resources from here):

    # Hypothetical: assumes a filter argument on the google_compute_global_address data source
    data "google_compute_global_address" "nat" {
      filter = "purpose=NAT_AUTO AND users:(/${google_compute_router.router.name})"
    }

    output "my_nat_ip" {
      value = data.google_compute_global_address.nat.address
    }

You can test the filter with gcloud like this:

    gcloud compute addresses list --filter="purpose=NAT_AUTO users:(/tf-test-router-1)"

jtyr commented Jan 20, 2021

Actually, we would need to use google_compute_address instead of google_compute_global_address. And instead of adding filter into google_compute_address, we need a completely new data source called google_compute_addresses. Then we can retrieve the NAT GW IP like this:

    # Hypothetical plural data source that accepts a filter
    data "google_compute_global_addresses" "nat" {
      filter = "purpose=NAT_AUTO AND users:(/${google_compute_router.router.name})"
    }

    data "google_compute_global_address" "nat" {
      name = data.google_compute_global_addresses.nat.addresses[0].name
    }

    output "my_nat_ip" {
      value = data.google_compute_global_address.nat.address
    }

Interestingly, the filter used above works just fine in gcloud, but fails in the API. Might be related to an API issue reported here.

rileykarson (Collaborator) commented

Whoops- address type mixup on my part, I'd figured that this would use external addresses and not internal ones.

gcloud is probably formatting the filter a little differently, it's implemented using the API. --log-http should get it to dump the http requests + responses to the console.

jtyr commented Jan 20, 2021

Thanks. I just checked the requests gcloud is sending to the API and it looks like it's using aggregatedList instead of list. But unfortunately the aggregatedList fails the same way as list (Invalid list filter expression) if I set the filter parameter in the Web API. It looks like gcloud is not passing any filter to the API and it's applying the filter locally after it receives the results.
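The local filtering described in the comment above, as an added example that is not part of the original thread: it applies the purpose and users conditions to an addresses aggregatedList response in Python. The function name, the project name `demo` and the sample response are constructed for illustration; the match is on the full project/region/router path, so a router with the same name in another region is not picked up.

```python
from urllib.parse import urlparse

BASE = "https://www.googleapis.com/compute/v1"

# Constructed sample in the shape of an addresses.aggregatedList response.
SAMPLE = {"items": {
    "regions/us-central1": {"addresses": [
        {"name": "nat-auto-ip-1", "address": "203.0.113.10", "purpose": "NAT_AUTO",
         "users": [BASE + "/projects/demo/regions/us-central1/routers/tf-test-router-1"]},
        # Reserved address with no purpose and no users field at all.
        {"name": "reserved-unused", "address": "203.0.113.20"},
    ]},
    "regions/europe-west1": {"addresses": [
        {"name": "nat-auto-ip-2", "address": "198.51.100.7", "purpose": "NAT_AUTO",
         "users": [BASE + "/projects/demo/regions/europe-west1/routers/tf-test-router-1"]},
    ]},
    # Scopes without addresses carry only a warning.
    "regions/asia-east1": {"warning": {"code": "NO_RESULTS_ON_PAGE"}},
}}


def auto_nat_addresses(aggregated, project, region, router):
    """Return NAT_AUTO addresses whose users list contains the given router."""
    want = f"/projects/{project}/regions/{region}/routers/{router}"
    found = []
    for scoped in aggregated.get("items", {}).values():
        for addr in scoped.get("addresses", []):
            if addr.get("purpose") != "NAT_AUTO":
                continue
            # users holds resource URLs; compare on the URL path only.
            if any(urlparse(u).path.endswith(want) for u in addr.get("users", [])):
                found.append(addr["address"])
    return sorted(found)


if __name__ == "__main__":
    print(auto_nat_addresses(SAMPLE, "demo", "us-central1", "tf-test-router-1"))
```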

benwh commented Jan 2, 2025

I've also run into the absence of this information. It looks like, these days at least, there's an API for pulling the equivalent information:

https://cloud.google.com/compute/docs/reference/rest/v1/routers/getNatIpInfo

Which is what's being called by gcloud compute routers get-nat-ip-info, so it feels like it should be possible to integrate this.

Alternatively we might end up with a new data source, e.g. google_compute_router_nat_addresses, rather than the attribute of google_cloud_nat being populated, to keep things cleaner.
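Until such a data source exists, one way to use the gcloud command named in the comment above is a small program for Terraform's `external` data source; this is an added example, not code from the thread or the provider. It assumes gcloud's JSON output mirrors the REST response (`result[].natIpInfoMappings[]` with `mode`, `natIp` and `usage`); the query keys `router`, `region` and `nat`, the function names and the sample response are constructed.

```python
#!/usr/bin/env python3
import json
import subprocess
import sys

# Constructed sample in the assumed shape of a getNatIpInfo response.
SAMPLE = {"result": [
    {"natName": "nat-a", "natIpInfoMappings": [
        {"mode": "AUTO", "natIp": "203.0.113.11", "usage": "IN_USE"},
        {"mode": "AUTO", "natIp": "203.0.113.10", "usage": "IN_USE"},
        {"mode": "AUTO", "natIp": "203.0.113.12", "usage": "UNUSED"},
        {"mode": "MANUAL", "natIp": "198.51.100.5", "usage": "IN_USE"},
    ]},
    {"natName": "nat-b", "natIpInfoMappings": []},
]}


def nat_ips(info, nat_name, in_use_only=True):
    """Return the sorted auto-allocated IPs of one NAT config on the router."""
    ips = set()
    for nat in info.get("result", []):
        if nat.get("natName") != nat_name:
            continue
        for mapping in nat.get("natIpInfoMappings", []):
            if mapping.get("mode") != "AUTO":
                continue  # manually assigned IPs are already known to Terraform
            if in_use_only and mapping.get("usage") != "IN_USE":
                continue
            ips.add(mapping["natIp"])
    return sorted(ips)


def external_result(ips):
    """The external data source accepts only a flat JSON object of strings."""
    return {"ips": ",".join(ips), "count": str(len(ips))}


def main():
    query = json.load(sys.stdin)  # Terraform passes the query as JSON on stdin
    out = subprocess.run(
        ["gcloud", "compute", "routers", "get-nat-ip-info", query["router"],
         "--region", query["region"], "--format", "json"],
        check=True, capture_output=True, text=True).stdout
    json.dump(external_result(nat_ips(json.loads(out), query["nat"])), sys.stdout)


if __name__ == "__main__":
    main()
```

On the Terraform side the comma-joined `ips` value can be turned back into a list with `split(",", ...)`.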
