
google_compute_security_policy layer_7_ddos_defense_config forcing rule_visibility even though it's optional

Open paololazzari opened this issue 9 months ago • 7 comments

Terraform Version

Terraform v1.7.2 on darwin_arm64

  • provider registry.terraform.io/hashicorp/google v5.25.0

Affected Resource(s)

google_compute_security_policy

Terraform Configuration

resource "google_compute_security_policy" "policy" {
  name        = var.policy_name
  description = var.policy_description
  type        = "CLOUD_ARMOR"
  project     = var.project

  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = true
    }
  }
}

Expected Behavior

terraform plan should not update the resource as there are no changes

Actual Behavior

I have imported an existing security policy. When I run terraform plan, I can see that terraform wants to add a rule_visibility field even though it's optional according to the documentation:

$ terraform plan
...
      ~ adaptive_protection_config {
          ~ layer_7_ddos_defense_config {
              + rule_visibility = "STANDARD"
                # (1 unchanged attribute hidden)
            }
        }
...
Plan: 0 to add, 1 to change, 0 to destroy.

paololazzari avatar Apr 26 '24 10:04 paololazzari

Hi @paololazzari!

This ticket was replicated successfully with the provided configuration, versions and specifications, but after importing the resource and executing the terraform plan the terminal message was:

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

If you are importing a resource in your terraform files I suggest you follow these steps:

  1. In your terraform configuration 'main.tf' write only this: resource "google_compute_security_policy" "policy" {}

  2. If the value of var.policy_name is my-policy, in your terminal run terraform import google_compute_security_policy.policy my-policy

  3. Finally check your terraform.tfstate file and copy the imported values to your resource resource "google_compute_security_policy" "policy" {}. If you have everything as you shared then you will not find differences. But if you change something then the terraform plan will detect it.

If you continue having problems after this, share your terraform.tfstate file and the value of your var.policy_name.

ggtisc avatar May 02 '24 18:05 ggtisc

@ggtisc can you confirm that when you attempted to reproduce this the resource did not have the rule_visibility field defined?

paololazzari avatar May 07 '24 07:05 paololazzari

As was mentioned in the above steps, the unique initial code (step 1) was resource "google_compute_security_policy" "policy" {}

ggtisc avatar May 07 '24 15:05 ggtisc

Finally check your terraform.tfstate file and copy the imported values to your resource resource "google_compute_security_policy" "policy" {}. If you have everything as you shared then you will not find differences.

You misunderstood what this ticket is about. Of course if I copy the imported values to the resource no differences will be found. The problem here is that having imported an identical object, terraform still wants to apply a change when it shouldn't.

paololazzari avatar May 07 '24 15:05 paololazzari

Yes, and as it was explained in the 1st message with a correct import of the resource the message in terminal was:

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

ggtisc avatar May 07 '24 16:05 ggtisc

Hello @ggtisc ,

We are also facing a similar issue. We have an existing Security Policy which has "Adaptive Protection" disabled on the GCP Console.

Our Terraform Configuration:

  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = false
    }
  }

During terraform plan we are seeing the drift below:

  adaptive_protection_config {
       ~ layer_7_ddos_defense_config {
           + rule_visibility = "STANDARD"
              # (1 unchanged attribute hidden)

On the state file we have the configuration below (this is the same even after we tried your suggestion to import with an empty resource block):

"adaptive_protection_config": [
  {
    "layer_7_ddos_defense_config": [
      {
        "enable": false,
        "rule_visibility": ""
      }
    ]
  }
],

This seems to be an issue with "rule_visibility" argument.

RGMishan avatar May 07 '24 19:05 RGMishan
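A quick way to check a state file for the condition RGMishan describes above (the nested block stored with rule_visibility = ""), as an added example that is not from the issue or from the provider; the sample state is constructed, and the script assumes the raw terraform.tfstate v4 layout quoted in the thread.

```python
import json

# Constructed sample of a raw terraform.tfstate (not taken from the issue);
# it mirrors the nested-list shape quoted in the thread, with one policy that
# has the empty rule_visibility and one that already stores "STANDARD".
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "google_compute_security_policy", "name": "policy",
         "instances": [{"attributes": {"name": "my-policy", "adaptive_protection_config": [
             {"layer_7_ddos_defense_config": [{"enable": False, "rule_visibility": ""}]}]}}]},
        {"mode": "managed", "type": "google_compute_security_policy", "name": "ok",
         "instances": [{"attributes": {"name": "ok-policy", "adaptive_protection_config": [
             {"layer_7_ddos_defense_config": [{"enable": True, "rule_visibility": "STANDARD"}]}]}}]},
        {"mode": "managed", "type": "google_compute_firewall", "name": "fw",
         "instances": [{"attributes": {"name": "fw"}}]},
    ],
})


def find_empty_rule_visibility(state_json: str) -> list[str]:
    """Return the addresses of google_compute_security_policy instances whose
    layer_7_ddos_defense_config stores rule_visibility as "" in state.

    That is the condition the thread shows: state holds "", and the provider
    then plans '+ rule_visibility = "STANDARD"' on every run.
    """
    state = json.loads(state_json)
    flagged = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "google_compute_security_policy":
            continue
        prefix = res["module"] + "." if "module" in res else ""  # e.g. module.armor.
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            key = inst.get("index_key")  # present only for count/for_each instances
            addr = f"{prefix}{res['type']}.{res['name']}" + (f"[{json.dumps(key)}]" if key is not None else "")
            # Nested blocks are serialised as lists of objects in state.
            for apc in attrs.get("adaptive_protection_config") or []:
                for l7 in apc.get("layer_7_ddos_defense_config") or []:
                    if l7.get("rule_visibility") == "":
                        flagged.append(addr)
    return flagged


if __name__ == "__main__":
    for addr in find_empty_rule_visibility(SAMPLE_STATE):
        print(f'{addr}: rule_visibility is "" in state; expect a perpetual plan diff')
```

Point it at your own file with find_empty_rule_visibility(open("terraform.tfstate").read()); note that terraform show -json uses a different (values.root_module) layout and is not what this parses.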

@RGMishan could you please raise a new ticket with the following information, or share it here?

  1. terraform configuration
  2. terraform version
  3. provider version

Also please mention if you are importing an existing google_compute_security_policy or creating a new one.

ggtisc avatar May 07 '24 20:05 ggtisc

Related: https://github.com/hashicorp/terraform-provider-google/issues/12743

There's definitely something wrong here for layer_7_ddos_defense_config

paololazzari avatar May 16 '24 12:05 paololazzari

After many new attempts following the correct steps to import resources as I shared in a previous message it is not possible to obtain the same result as you. The message is still the same:

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Are you forgetting something important to reproduce this scenario, like changing the provider or terraform version from version X to Y? And are you following the shared steps to import existing resources correctly?

ggtisc avatar May 16 '24 20:05 ggtisc