terraform-provider-hcloud

[Bug]: If a firewall ICMP rule doesn't contain a `port`, it gets recreated on each `terraform apply`...

Open ThomasLandauer opened this issue 2 years ago • 1 comments

What happened?

... if there is something else that needs to be changed.

I have this:

resource "hcloud_firewall" "foo" {
    name = "foo"
    rule {
        direction  = "in"
        protocol   = "icmp"
        source_ips = ["::/0"]
    }
}

If I run terraform apply twice, everything is fine (i.e. nothing happens on the second run).

However, if I change something else in the firewall, this is added to Terraform's summary:

Terraform will perform the following actions:

  # hcloud_firewall.app will be updated in-place
  ~ resource "hcloud_firewall" "foo" {
        id     = "..."
        name   = "foo"
        # (1 unchanged attribute hidden)

      - rule {
          - destination_ips = [] -> null
          - direction       = "in" -> null
          - protocol        = "icmp" -> null
          - source_ips      = [
              - "::/0",
            ] -> null
        }
      + rule {
          + destination_ips = []
          + direction       = "in"
          + protocol        = "icmp"
          + source_ips      = [
              + "::/0",
            ]
        }
        # (9 unchanged blocks hidden)
    }

If I add port = "" to the rule, this is not happening.

What did you expect to happen?

See above.

Please provide a minimal working example

See above.

ThomasLandauer Jul 25 '21 16:07
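One way to check whether a remove-and-re-add of a firewall rule in a plan is cosmetic or a real change is to compare normalized rule sets from the JSON plan (`terraform show -json <planfile>`). This is an added example, not code from the issue or from the provider; it assumes that null, `""` and `[]` all mean "unset" for `port` and the IP lists, and the `hcloud_firewall.ssh` resource and its IP ranges are constructed sample data.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output.
# Not captured from a real run; addresses and IPs are made up for the example.
SAMPLE_PLAN = json.loads('''
{"resource_changes": [
 {"address": "hcloud_firewall.foo", "type": "hcloud_firewall", "change": {
   "before": {"rule": [{"direction": "in", "protocol": "icmp", "port": "",
                        "source_ips": ["::/0"], "destination_ips": []}]},
   "after":  {"rule": [{"direction": "in", "protocol": "icmp", "port": null,
                        "source_ips": ["::/0"], "destination_ips": null}]}}},
 {"address": "hcloud_firewall.ssh", "type": "hcloud_firewall", "change": {
   "before": {"rule": [{"direction": "in", "protocol": "tcp", "port": "22",
                        "source_ips": ["203.0.113.7/32"]}]},
   "after":  {"rule": [{"direction": "in", "protocol": "tcp", "port": "22",
                        "source_ips": ["0.0.0.0/0"]}]}}}
]}
''')

def normalize(rule):
    """Canonical form of one rule. Assumption: null, "" and [] all mean unset."""
    return (
        rule.get("direction") or "",
        rule.get("protocol") or "",
        rule.get("port") or "",
        tuple(sorted(rule.get("source_ips") or [])),
        tuple(sorted(rule.get("destination_ips") or [])),
    )

def rule_set(state):
    # `before` is null on create and `after` is null on destroy.
    return {normalize(r) for r in (state or {}).get("rule") or []}

def review_firewall_changes(plan):
    """Map each firewall address to the rules that really disappear or appear."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "hcloud_firewall":
            continue
        before = rule_set(rc["change"].get("before"))
        after = rule_set(rc["change"].get("after"))
        findings[rc["address"]] = {"removed": sorted(before - after),
                                   "added": sorted(after - before)}
    return findings

if __name__ == "__main__":
    for address, diff in review_firewall_changes(SAMPLE_PLAN).items():
        real = diff["removed"] or diff["added"]
        print(address, "REAL CHANGE" if real else "cosmetic only", diff)
```

An empty `removed`/`added` pair means the plan only re-creates identical rules, while any entry is a rule change that deserves review before applying.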

Hey @ThomasLandauer,

I was not able to reproduce your issue. Can you please provide a full step-by-step guide to reproduce the issue?

LKaemmerling Aug 26 '21 12:08

Hey @ThomasLandauer,

I too was unable to reproduce the issue. I am going to close it for the time being. Please feel free to reopen or create a new one, in case you still have issues.

apricote Nov 21 '22 14:11

I have to say that it happens for me too. Somehow the state in Hetzner is not 100% identical to the local one, and it rewrites the firewall, which is actually identical to the desired one, so things still work as expected.

It happens for me when I give source IPs as variables (one case is when we need to change the public IP addresses currently allowed to connect to SSH).

I see no critical issue with it, as we change those sources often, but I hope it will not hide some real bug causing real issues later.

madalinignisca Dec 15 '22 09:12

Hey @madalinignisca,

What version of Terraform and the provider are you using? Can you post a minimal configuration and steps to reproduce the issue?

apricote Dec 15 '22 09:12

Ah, sorry, I rechecked my variables very carefully and I had a bad testing entry. For me all is good.

https://github.com/madalinignisca/hetzner-iaac-lamp-and-more/blob/cbcd2ad4189db4cc590f3715ea4f013f51020bee/main.tf#L29

The firewall was actually applied as expected, and reapplied again and again.

Fixed the value, and no issues.

madalinignisca Dec 19 '22 14:12