Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Firewall rule name conflicts if var.name is too long since it'll be truncated. #1527

Closed
awx-fuyuanchu opened this issue Jan 11, 2023 · 3 comments
Closed

Firewall rule name conflicts if var.name is too long since it'll be truncated. #1527

awx-fuyuanchu opened this issue Jan 11, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@awx-fuyuanchu
Copy link

awx-fuyuanchu commented Jan 11, 2023
edited

TL;DR

Firewall rule name conflicts if var.name is too long since it'll be truncated.

"gke-${substr(var.name, 0, min(25, length(var.name)))}-webhooks"

Expected behavior

Generate unique firewall rule names regardless of the length of var.name

Observed behavior

If I have two clusters with a long name variable such as
var.name = a-cluster-running-in-region-hk
var.name = a-cluster-running-in-region-sg

The firewall rule name generated for webhook will be the same since var.name will be truncated.

Terraform Configuration

Nothing special.
Just create two clusters with long names that share the same 25 characters.
And set add_master_webhook_firewall_rules to true

# google_client_config and kubernetes provider must be explicitly specified like the following.
data "google_client_config" "default" {}

provider "kubernetes" {
  host                   = "https://${module.gke.endpoint}"
  token                  = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}

module "gke" {
  source                     = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
  project_id                 = "<PROJECT ID>"
  name                       = "a-cluster-running-in-region-sg"
  add_master_webhook_firewall_rules    = true
  region                     = "us-central1"
  zones                      = ["us-central1-a", "us-central1-b", "us-central1-f"]
  network                    = "vpc-01"
  subnetwork                 = "us-central1-01"
  ip_range_pods              = "us-central1-01-gke-01-pods"
  ip_range_services          = "us-central1-01-gke-01-services"
  http_load_balancing        = false
  network_policy             = false
  horizontal_pod_autoscaling = true
  filestore_csi_driver       = false
  enable_private_endpoint    = true
  enable_private_nodes       = true
  master_ipv4_cidr_block     = "10.0.0.0/28"
  istio                      = true
  cloudrun                   = true
  dns_cache                  = false

  node_pools = [
    {
      name                      = "default-node-pool"
      machine_type              = "e2-medium"
      node_locations            = "us-central1-b,us-central1-c"
      min_count                 = 1
      max_count                 = 100
      local_ssd_count           = 0
      spot                      = false
      local_ssd_ephemeral_count = 0
      disk_size_gb              = 100
      disk_type                 = "pd-standard"
      image_type                = "COS_CONTAINERD"
      enable_gcfs               = false
      enable_gvnic              = false
      auto_repair               = true
      auto_upgrade              = true
      service_account           = "project-service-account@<PROJECT ID>.iam.gserviceaccount.com"
      preemptible               = false
      initial_node_count        = 80
    },
  ]

  node_pools_oauth_scopes = {
    all = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]
  }

  node_pools_labels = {
    all = {}

    default-node-pool = {
      default-node-pool = true
    }
  }

  node_pools_metadata = {
    all = {}

    default-node-pool = {
      node-pool-metadata-custom-value = "my-node-pool"
    }
  }

  node_pools_taints = {
    all = []

    default-node-pool = [
      {
        key    = "default-node-pool"
        value  = true
        effect = "PREFER_NO_SCHEDULE"
      },
    ]
  }

  node_pools_tags = {
    all = []

    default-node-pool = [
      "default-node-pool",
    ]
  }
}
# google_client_config and kubernetes provider must be explicitly specified like the following.
data "google_client_config" "default" {}

provider "kubernetes" {
  host                   = "https://${module.gke.endpoint}"
  token                  = data.google_client_config.default.access_token
  cluster_ca_certificate = base64decode(module.gke.ca_certificate)
}

module "gke" {
  source                     = "terraform-google-modules/kubernetes-engine/google//modules/beta-private-cluster"
  project_id                 = "<PROJECT ID>"
  name                       = "a-cluster-running-in-region-hk"
  add_master_webhook_firewall_rules    = true
  region                     = "us-central1"
  zones                      = ["us-central1-a", "us-central1-b", "us-central1-f"]
  network                    = "vpc-01"
  subnetwork                 = "us-central1-01"
  ip_range_pods              = "us-central1-01-gke-01-pods"
  ip_range_services          = "us-central1-01-gke-01-services"
  http_load_balancing        = false
  network_policy             = false
  horizontal_pod_autoscaling = true
  filestore_csi_driver       = false
  enable_private_endpoint    = true
  enable_private_nodes       = true
  master_ipv4_cidr_block     = "10.0.0.0/28"
  istio                      = true
  cloudrun                   = true
  dns_cache                  = false

  node_pools = [
    {
      name                      = "default-node-pool"
      machine_type              = "e2-medium"
      node_locations            = "us-central1-b,us-central1-c"
      min_count                 = 1
      max_count                 = 100
      local_ssd_count           = 0
      spot                      = false
      local_ssd_ephemeral_count = 0
      disk_size_gb              = 100
      disk_type                 = "pd-standard"
      image_type                = "COS_CONTAINERD"
      enable_gcfs               = false
      enable_gvnic              = false
      auto_repair               = true
      auto_upgrade              = true
      service_account           = "project-service-account@<PROJECT ID>.iam.gserviceaccount.com"
      preemptible               = false
      initial_node_count        = 80
    },
  ]

  node_pools_oauth_scopes = {
    all = [
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring",
    ]
  }

  node_pools_labels = {
    all = {}

    default-node-pool = {
      default-node-pool = true
    }
  }

  node_pools_metadata = {
    all = {}

    default-node-pool = {
      node-pool-metadata-custom-value = "my-node-pool"
    }
  }

  node_pools_taints = {
    all = []

    default-node-pool = [
      {
        key    = "default-node-pool"
        value  = true
        effect = "PREFER_NO_SCHEDULE"
      },
    ]
  }

  node_pools_tags = {
    all = []

    default-node-pool = [
      "default-node-pool",
    ]
  }
}

Terraform Version

Terraform v1.0.8

Additional information

Error log

module.gke.google_compute_firewall.master_webhooks[0]: Creating...
╷
│ Error: Error creating Firewall: googleapi: Error 409: The resource 'projects/xxxxxx/global/firewalls/gke-xxxxxxxxxxxxxxxxxxxxxxxxx-webhooks' already exists, alreadyExists
│ 
│   with module.gke.google_compute_firewall.master_webhooks[0],
│   on .terraform/modules/gke/modules/beta-private-cluster/firewall.tf line 93, in resource "google_compute_firewall" "master_webhooks":
│   93: resource "google_compute_firewall" "master_webhooks" {
│
@awx-fuyuanchu awx-fuyuanchu added the bug Something isn't working label Jan 11, 2023
@github-actions
Copy link

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the Stale label Mar 12, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 19, 2023
@awx-fuyuanchu
Copy link
Author

bump
any suggestions?

@apeabody apeabody removed the Stale label Mar 30, 2023
NissesSenap added a commit to NissesSenap/terraform-google-kubernetes-engine that referenced this issue May 25, 2023
@NissesSenap
Set max firewall name to 36
2199542 
This to be able to have longer and unique names.
The firewall API supports 64 charters
Solves terraform-google-modules#1527
NissesSenap added a commit to NissesSenap/terraform-google-kubernetes-engine that referenced this issue May 25, 2023
@NissesSenap
Set max firewall name to 36
470f742 
This to be able to have longer and unique names.
The firewall API supports 64 charters
Solves terraform-google-modules#1527

Signed-off-by: Edvin Norling <edvin.norling@kognic.com>
@NissesSenap NissesSenap mentioned this issue May 25, 2023
Merged
@NissesSenap
Copy link
Contributor

NissesSenap commented May 25, 2023
edited

@FuyuanChu I created a PR to solve this. Let's see if it gets merged.
In the meantime, I have renamed my clusters to make them unique within 25 characters.

NissesSenap added a commit to NissesSenap/terraform-google-kubernetes-engine that referenced this issue Jun 13, 2023
@NissesSenap
Set max firewall name to 36
7acceda 
This to be able to have longer and unique names.
The firewall API supports 64 charters
Solves terraform-google-modules#1527

Signed-off-by: Edvin Norling <edvin.norling@kognic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@apeabody @NissesSenap @awx-fuyuanchu