In-place update is not working while using enforce_on_key_configs #54

Closed
pranav-joshi-harness opened this issue Jul 22, 2023 · 15 comments
Labels
upstream Work required on Terraform core or provider

Comments

@pranav-joshi-harness

While adding a new rule or changing the rule below, my entire policy is getting recreated instead of being updated in place. This is only happening while using enforce_on_key_configs.

throttle_501 = {
  action      = "throttle"
  priority    = 502
  description = "test-description"
  expression  = <<-EOT
    (request.path.startsWith('/test/')) && (has(request.headers['x-api-key']) && request.headers['x-api-key'] != "") && !(request.path.contains('/test/123/'))
  EOT
  rate_limit_options = {
    exceed_action                        = "deny(429)"
    rate_limit_http_request_count        = 1000
    rate_limit_http_request_interval_sec = 60
    enforce_on_key                       = ""
    enforce_on_key_configs = [
      {
        enforce_on_key_type = "HTTP_HEADER"
        enforce_on_key_name = "x-api-key"
      }
    ]
  }
}

@imrannayer
Member

@pranav-joshi-harness It seems like a provider or API issue. I tested it without the module and here is what I found:
Rules with rule.action: rate_based_ban, redirect and throttle are always recreated on any change in the policy. The policy is not recreated, just the rules.
You might want to create an issue on the provider GitHub.

@imrannayer imrannayer added the upstream Work required on Terraform core or provider label Jul 24, 2023
@pranav-joshi-harness
Author

@imrannayer It's only getting recreated while using the block below:

enforce_on_key = ""
enforce_on_key_configs = [
  {
    enforce_on_key_type = "HTTP_HEADER"
    enforce_on_key_name = "x-api-key"
  }
]

@imrannayer
Member

imrannayer commented Jul 24, 2023

@pranav-joshi-harness Yes, because your rule.action is throttle. Throttle, rate_based_ban and redirect rules are recreated on every change in the rule or any other rule in the policy.

@pranav-joshi-harness
Author

@imrannayer I don't think so. Below are my observations:

  1. TF was able to perform an in-place update for rules.
  2. TF was able to create a new Cloud Armor rule without recreating all rules when enforce_on_key_configs was excluded.
  3. TF is recreating resources when a Cloud Armor rule is added with

enforce_on_key_configs = [
  {
    enforce_on_key_type = "HTTP_HEADER"
    enforce_on_key_name = "x-api-key"
  }
]

  1. enforce_on_key_configs is supported in module version 1.0 and not in older module versions, so we are using version = "~> 1.0"

  2. We found open issues, reported ~4 weeks ago:
    enforce_on_key = "" # forces replacement hashicorp/terraform-provider-google#14905
    fix enforce_on_key_configs magic-modules#8165

  3. ForceNew = True is causing CA rules to be recreated.

https://github.com/hashicorp/terraform-provider-google-beta/blob/941f882014ba6f90ba7bbe16203c899f4fefca3a/google-beta/services/compute/resource_compute_security_policy.go#L277
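
Added example, not part of the original thread or of the module's or provider's code: a Python check over `terraform show -json <planfile>` output that reports when a Cloud Armor security policy would be replaced instead of updated in place, and which attribute paths forced the replacement. The sample plan, resource addresses and attribute paths are constructed for illustration.

```python
import json

# Constructed excerpt in the shape of `terraform show -json <planfile>` output;
# the addresses and attribute paths are illustrative, not taken from the issue.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "module.cloud_armor.google_compute_security_policy.policy",
            "type": "google_compute_security_policy",
            "change": {
                "actions": ["delete", "create"],
                "replace_paths": [
                    ["rule", 2, "rate_limit_options", 0, "enforce_on_key"]
                ],
            },
        },
        {
            "address": "google_compute_backend_service.api",
            "type": "google_compute_backend_service",
            "change": {"actions": ["update"]},
        },
    ]
})

# Resource types whose replacement should block an unattended apply (assumption).
WATCHED_TYPES = {"google_compute_security_policy"}


def find_replacements(plan_json, watched=WATCHED_TYPES):
    """Return (address, [attribute paths]) for watched resources the plan replaces."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        # A replacement is planned as delete+create, in either order.
        if rc.get("type") in watched and {"delete", "create"} <= set(actions):
            paths = [".".join(str(part) for part in path)
                     for path in change.get("replace_paths", [])]
            findings.append((rc["address"], paths))
    return findings


if __name__ == "__main__":
    for address, paths in find_replacements(SAMPLE_PLAN):
        print(f"REPLACE {address} forced by: {', '.join(paths) or 'unknown'}")
```

Run against a real plan, a non-empty result is a reason to stop the pipeline and review before the policy is destroyed and recreated.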

@imrannayer
Member

@pranav-joshi-harness Thanks for the reference. In all my examples for throttle, rate_based_ban and redirect, enforce_key = "", which is why I see the pattern. Seems like it is fixed in issue 14905. I will tag this as an upstream issue. The fix is already merged.

@pranav-joshi-harness
Author

@imrannayer I've already tried and am facing the same issue.

@imrannayer
Member

@pranav-joshi-harness Let's wait for the merge to release.

@pranav-joshi-harness
Author

@imrannayer Any ETA?

@imrannayer
Member

@pranav-joshi-harness The provider is released every Monday. I am not sure about the timeline for this issue. It might be this Monday or next.

@imrannayer
Member

@pranav-joshi-harness Seems like the fix will be part of the next provider release, 4.76.

@imrannayer
Member

Issue fixed in 4.76

@nikhil-doit

@pranav-joshi-harness Have you tested after the fix?

@pranav-joshi-harness
Author

Yes. It's working now.
Thank you.

@adrian-pipolhub

adrian-pipolhub commented Dec 1, 2023

I keep running into this issue even when there's no change between the current state and the desired state. Each "terraform apply" will propose to destroy/create each of my rules, be they "rate_based_ban", "throttle" or any other, only to replace them with the exact same config.

For ref my versions are TF v1.3.0 / google provider v5.6.0

@imrannayer
Member

@adrian-pipolhub That's a provider issue. You can recreate it by creating the policy using the resource directly. Can you please create an issue for the provider here?
