Invalid value for field 'resource.rateLimitOptions.enforceOnKeyName' when field is not set

[bfrunza]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.3.9
on darwin_arm64

• provider registry.terraform.io/hashicorp/google v4.53.1
• provider registry.terraform.io/hashicorp/google-beta v4.53.1

Affected Resource(s)

google_compute_security_policy

Terraform Configuration Files

* the version of the config before the change

resource "google_compute_security_policy" "policy" {
  name = "bfrunza-test"
  rule {
    action   = "rate_based_ban"
    preview  = true
    priority = 10502

    match {
      expr {
        expression = "request.path.matches('/svc/api3/v3')"
      }
    }

    rate_limit_options {
      ban_duration_sec    = 60
      conform_action      = "allow"
      enforce_on_key      = "HTTP_HEADER"
      enforce_on_key_name = "authorization"
      exceed_action       = "deny(429)"

      rate_limit_threshold {
        count        = 200
        interval_sec = 60
      }
    }
  }
  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }
}

* the version of the config after the change.

resource "google_compute_security_policy" "policy" {
  name = "bfrunza-test"
  rule {
    action   = "rate_based_ban"
    preview  = true
    priority = 10502

    match {
      expr {
        expression = "request.path.matches('/svc/api3/v3')"
      }
    }

    rate_limit_options {
      ban_duration_sec = 60
      conform_action   = "allow"
      enforce_on_key   = "IP"
      exceed_action    = "deny(429)"

      rate_limit_threshold {
        count        = 200
        interval_sec = 60
      }
    }
  }
  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }
}

Debug Output

2023-02-22T10:36:35.707+0200 [INFO] provider.terraform-provider-google_v4.53.1_x5: 2023/02/22 10:36:35 [DEBUG] Google API Request Details:
---[ REQUEST ]---------------------------------------
POST /compute/v1/projects/float-sandbox/global/securityPolicies/bfrunza-test/patchRule?alt=json&prettyPrint=false&priority=10502 HTTP/1.1
Host: compute.googleapis.com
User-Agent: google-api-go-client/0.5 Terraform/1.3.9 (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google/4.53.1
Content-Length: 330
Content-Type: application/json
X-Goog-Api-Client: gl-go/1.18.1 gdcl/0.105.0
Accept-Encoding: gzip

{
"action": "rate_based_ban",
"description": "",
"headerAction": {},
"match": {
"expr": {
"expression": "request.path.matches('/svc/api3/v3')"
}
},
"preview": true,
"priority": 10502,
"rateLimitOptions": {
"banDurationSec": 60,
"conformAction": "allow",
"enforceOnKey": "IP",
"exceedAction": "deny(429)",
"rateLimitThreshold": {
"count": 200,
"intervalSec": 60
}
}
}

-----------------------------------------------------: timestamp=2023-02-22T10:36:35.706+0200
2023-02-22T10:36:36.474+0200 [INFO] provider.terraform-provider-google_v4.53.1_x5: 2023/02/22 10:36:36 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Wed, 22 Feb 2023 08:36:36 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
"error": {
"code": 400,
"message": "Invalid value for field 'resource.rateLimitOptions.enforceOnKeyName': ''. Enforce on key name cannot be set when the key type is IP.",
"errors": [
{
"message": "Invalid value for field 'resource.rateLimitOptions.enforceOnKeyName': ''. Enforce on key name cannot be set when the key type is IP.",
"domain": "global",
"reason": "invalid"
}
]
}
}

Expected Behavior

The terraform apply command should run successfully

Actual Behavior

The terraform apply command fails with an error

Steps to Reproduce

1. run terraform apply using the configuration before the change
2. run terraform apply using the configuration after the change

[edwardmedia]

@bfrunza I see the same. This check is done on the API. Why do you think it is wrong?

Enforce on key name cannot be set when the key type is IP.

[edwardmedia]

I see where is the problem is. enforceOnKeyName needs to be added in this case

{
 "action": "rate_based_ban",
 "description": "",
 "headerAction": {},
 "match": {
  "expr": {
   "expression": "request.path.matches('/svc/api3/v3')"
  }
 },
 "preview": true,
 "priority": 10502,
 "rateLimitOptions": {
  "banDurationSec": 60,
  "conformAction": "allow",
  "enforceOnKey": "IP",
"enforceOnKeyName": "", <---- still need to be included 
  "exceedAction": "deny(429)",
  "rateLimitThreshold": {
   "count": 200,
   "intervalSec": 60
  }
 }
}

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.