No-op changes keep appearing in plans for layer_7_ddos_defense_config #12743
Comments
@bobdanek I do see the block below in the API response in your log. But using your code above, I don't see this block in the response. I wonder how you created the resource. Can you share the API request that created it?

```json
"adaptiveProtectionConfig": {
  "layer7DdosDefenseConfig": {
    "enable": false
  }
},
```
I don't have that info unfortunately. I'll see if I can reproduce this in a dev env and report back the details of an offending API request if so.
@bobdanek is this still an issue?
Yes, still an issue. I can't reproduce exactly how the production resource I'm working with got into this state, but in a testing environment with the policy in my initial comment, I can reproduce it by:
I can see the issue now. But I doubt there is a viable solution at this moment. Basically, the payload below is sent to the API for the update. But there is no good way available to communicate with the API for removing the block from the config. For users, setting
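The behaviour described in the thread (the API keeps returning `layer7DdosDefenseConfig.enable: false` after the block is removed from the config) is what produces the no-op plan. As an added illustration that is not code from the provider or from anyone in this thread, the following Go program normalises the two sides the way a diff-suppression check would: an omitted block is treated as equivalent to `enable: false`, so the no-op is ignored, while an API response reporting `enable: true` for a config that omits the block is still flagged, because that is real drift in a DDoS defense setting. The JSON shape is the one quoted above; the struct names and sample inputs are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Layer7DdosDefense and AdaptiveProtection mirror the block the thread quotes
// from the API: "adaptiveProtectionConfig": {"layer7DdosDefenseConfig": {"enable": false}}.
type Layer7DdosDefense struct {
	Enable bool `json:"enable"`
}
type AdaptiveProtection struct {
	Layer7 *Layer7DdosDefense `json:"layer7DdosDefenseConfig,omitempty"`
}

// SecurityPolicy is a constructed, minimal view of the policy resource.
type SecurityPolicy struct {
	Name               string              `json:"name"`
	AdaptiveProtection *AdaptiveProtection `json:"adaptiveProtectionConfig,omitempty"`
}

// L7DefenseEnabled returns the effective setting: a missing outer or inner
// block is treated as "off", which is what the API reports as enable=false.
func L7DefenseEnabled(p SecurityPolicy) bool {
	if p.AdaptiveProtection == nil || p.AdaptiveProtection.Layer7 == nil {
		return false
	}
	return p.AdaptiveProtection.Layer7.Enable
}

// IsRealDrift reports whether desired config and API response differ in effect.
// Config omitting the block while the API returns enable=false is the no-op from
// this thread; the API returning enable=true is real drift and should be surfaced.
func IsRealDrift(desiredJSON, apiJSON []byte) (bool, error) {
	var desired, actual SecurityPolicy
	if err := json.Unmarshal(desiredJSON, &desired); err != nil {
		return false, err
	}
	if err := json.Unmarshal(apiJSON, &actual); err != nil {
		return false, err
	}
	return L7DefenseEnabled(desired) != L7DefenseEnabled(actual), nil
}

func main() {
	// Constructed sample inputs: the desired config omits the block entirely.
	desired := []byte(`{"name":"my-policy"}`)
	noop := []byte(`{"name":"my-policy","adaptiveProtectionConfig":{"layer7DdosDefenseConfig":{"enable":false}}}`)
	live := []byte(`{"name":"my-policy","adaptiveProtectionConfig":{"layer7DdosDefenseConfig":{"enable":true}}}`)
	d1, _ := IsRealDrift(desired, noop)
	d2, _ := IsRealDrift(desired, live)
	fmt.Println("no-op flagged:", d1, "enabled flagged:", d2) // false true
}
```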
Any news here?
I observe the same issue.
I get the following error:
Provider version
I've created a PR that fixes part of the issue in GoogleCloudPlatform/magic-modules#8060, but I'm not sure if that's the right way to go.
I confirmed this with the API explorer. Removing the block (once this setting is disabled) through the API manually doesn't do anything; the API still returns the Something like GoogleCloudPlatform/magic-modules#8060 will at least allow the
I managed to make the "change" disappear with the following combination of settings:
I also deleted the whole block manually from the state file first and had to do an "initial apply", so this might be part of the solution as well.
Confirmed that this issue still exists in version 5.12 of the provider. Config to reproduce:

```hcl
resource "google_compute_security_policy" "policy" {
  name = "my-policy"

  rule {
    action   = "deny(403)"
    priority = "1000"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["9.9.9.0/24"]
      }
    }
    description = "Deny access to IPs in 9.9.9.0/24"
  }

  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }

  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = true
    }
  }
}
```

Apply this, then try to remove the adaptive_protection_config block.
Confirming this issue remains. If the following block is present when making a new security policy, the apply always fails with the following message.

TF Block:

```hcl
adaptive_protection_config {
  layer_7_ddos_defense_config {
    enable = false
  }
}
```

Error Message:
Took another look at this because I didn't leave enough details last time to remember what was going on. If I apply the config from my previous comment and then remove the
I can also confirm that setting
I've just merged GoogleCloudPlatform/magic-modules#10823 which should allow users to create new google_compute_security_policy resources where adaptive_protection_config.layer_7_ddos_defense_config is explicitly disabled:
That PR doesn't make it so the feature will be disabled when the layer_7_ddos_defense_config or adaptive_protection_config block is deleted. Is that sufficient to close this issue?
It sounds like the primary issue here is the permadiff, which isn't yet addressed? So I'd be inclined to leave it open for now?
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
This has been heavily redacted and trimmed, so please let me know if anything is missing or needs clarification and I'll be happy to provide it: https://gist.github.com/bobdanek/cdb9da6d062b828f1c7215b85189b9ae
Panic Output
None
Expected Behavior
Terraform plan should show no changes
Actual Behavior
This change continues to show up even after applying it repeatedly:
Attempted workarounds
First, I updated the google and google-beta providers to 4.39.0 to pick up this change: #12554
Same issue is occurring, so I next tried to silence this by adding those three lines. When I tried that, the plan suggests setting `rule_visibility` to `STANDARD`:

After which, the apply fails:
Steps to Reproduce
I'm unsure why only one of two existing network security policies is showing this issue, so I'm not entirely sure how to reproduce this. Both have adaptive protection disabled, both were created with Terraform, same version, same provider version, same GCP project, same region, within a few weeks of each other.
Important Factoids
References
b/321386288