Policy rules order mixup #136

Open
Tensho opened this issue Oct 24, 2024 · 3 comments
Labels
question Further information is requested

Comments


Tensho commented Oct 24, 2024

The google_compute_security_policy resource mixes up rules because of the Set data structure behind it, which doesn't define element order. Here is an example of the drift:

  # google_compute_security_policy.policy will be updated in-place
  ~ resource "google_compute_security_policy" "policy" {
        id          = "projects/com-livelinklabs-2-1/global/securityPolicies/baddies"
        name        = "baddies"
        # (5 unchanged attributes hidden)

      ~ adaptive_protection_config {
          + auto_deploy_config {}

            # (1 unchanged block hidden)
        }

      - rule {
          - action      = "allow" -> null
          - description = "Default rule, higher priority overrides it" -> null
          - preview     = false -> null
          - priority    = 2147483647 -> null

          - match {
              - versioned_expr = "SRC_IPS_V1" -> null

              - config {
                  - src_ip_ranges = [
                      - "*",
                    ] -> null
                }
            }

          - preconfigured_waf_config {
            }
        }
...
      + rule {
          + action      = "allow"
          + description = "Default rule, higher priority overrides it"
          + preview     = (known after apply)
          + priority    = 2147483647

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "*",
                    ]
                }
            }
        }

There is a google_compute_security_policy_rule resource, which manages rules independently. Does switching from policy inline rule blocks to separate resources fix ordering issues?
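An added example, not part of the issue or of the module's code: in the plan above, the removed and re-added default rule differ only in `preview` (`false` vs. `(known after apply)`) and an empty `preconfigured_waf_config` block, so a reviewer wants to know whether any rule's effective content changes. The sketch below checks that over the JSON produced by `terraform show -json`; the function names are hypothetical and the sample plan is constructed.

```python
EMPTY = (None, [], {}, "")

def normalize(value, masked=frozenset()):
    """Drop empty values and masked keys so provider-filled defaults compare equal."""
    if isinstance(value, dict):
        out = {k: normalize(v) for k, v in value.items() if k not in masked}
        return {k: v for k, v in out.items() if v not in EMPTY}
    if isinstance(value, list):
        return [v for v in (normalize(i) for i in value) if v not in EMPTY]
    return value

def effective_rule_changes(change):
    """Map priority -> 'added' | 'removed' | 'modified', ignoring order and unknowns."""
    old_rules = (change.get("before") or {}).get("rule") or []
    new_rules = (change.get("after") or {}).get("rule") or []
    unknown = (change.get("after_unknown") or {}).get("rule")
    unknown = unknown if isinstance(unknown, list) else []
    masked = {}  # priority -> attributes shown as "(known after apply)"
    for i, rule in enumerate(new_rules):
        flags = unknown[i] if i < len(unknown) else {}  # assumed: one dict per rule
        masked[rule["priority"]] = frozenset(k for k in flags if flags[k] is True)
    old = {r["priority"]: r for r in old_rules}
    new = {r["priority"]: r for r in new_rules}
    result = {}
    for prio in sorted(old.keys() | new.keys()):
        if prio not in old or prio not in new:
            result[prio] = "added" if prio in new else "removed"
        elif normalize(old[prio], masked[prio]) != normalize(new[prio], masked[prio]):
            result[prio] = "modified"
    return result

def scan_plan(plan):
    """Run the check on every google_compute_security_policy in a plan document."""
    return {rc["address"]: effective_rule_changes(rc["change"])
            for rc in plan.get("resource_changes", [])
            if rc.get("type") == "google_compute_security_policy"}

def _rule(priority, action, **extra):  # builder for the constructed sample below
    match = [{"versioned_expr": "SRC_IPS_V1", "config": [{"src_ip_ranges": ["*"]}]}]
    return {"priority": priority, "action": action, "match": match, **extra}

# Constructed sample: the default rule only moves position, rule 1000 really changes.
SAMPLE_PLAN = {"resource_changes": [{
    "address": "google_compute_security_policy.policy",
    "type": "google_compute_security_policy",
    "change": {
        "before": {"rule": [_rule(2147483647, "allow", preview=False, preconfigured_waf_config=[{}]),
                            _rule(1000, "deny(403)", preview=False)]},
        "after": {"rule": [_rule(1000, "allow", preview=False), _rule(2147483647, "allow")]},
        "after_unknown": {"rule": [{}, {"preview": True}]}}}]}
```

For a real plan, pass the parsed output of `terraform show -json` to `scan_plan`; an empty result for a policy means the rule churn in the plan is reordering and default-filling only.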

@imrannayer
Member

@Tensho can you please post this question on the provider site?

@Tensho
Author

Tensho commented Oct 25, 2024

@imrannayer Sure, meanwhile, I'm pondering workarounds on the module side.

@imrannayer
Member

@Tensho were you able to recreate this issue without using the module?

@imrannayer imrannayer added the question Further information is requested label Nov 8, 2024