feat(accesscontextmanager): support in-place updates for IngressPolicy and EgressPolicy #17044
Conversation
…y and EgressPolicy
Remove resource-level immutable: true from ServicePerimeterIngressPolicy
and ServicePerimeterEgressPolicy. Add update_verb and update_url to enable
the Update function, which uses the same PATCH endpoint already used by
Create and Delete.
The Google REST API supports modifying ingress/egress policies in-place via
PATCH with updateMask=status.ingressPolicies. The previous behavior forced
a destroy+create cycle for any field change, causing a non-atomic gap where
traffic matching the rule was denied.
Changes:
- Remove immutable: true at resource level (both Ingress and Egress)
- Add update_verb: PATCH and update_url: {{perimeter}}
- Mark title property as immutable: true (identity field)
- Remove obsolete create_before_destroy note from descriptions
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.

Googlers: For automatic test runs see go/terraform-auto-test-runs. @melinath, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look. You can help make sure that review is quick by doing a self-review and by running impacted tests locally.

Closing to reopen from the correct account (CLA author mismatch).

Closed CLA conflict, sorry!
Description

Remove resource-level `immutable: true` from `ServicePerimeterIngressPolicy` and `ServicePerimeterEgressPolicy` to enable in-place updates via `PATCH`.

Problem

Both resources are marked `immutable: true`, which sets `ForceNew: true` on every field. Any change — even adding a single project to `ingress_from.sources.resource` — triggers a destroy + create cycle.

This is a non-atomic operation: the old policy is removed first, then the new one is added. During the gap, traffic matching that ingress/egress rule is denied.

Root cause

The Google REST API already supports in-place updates. Both Create and Delete internally use `PATCH` with `updateMask=status.ingressPolicies` on the parent perimeter. The same endpoint works for updates — but the Terraform resource never generates an `Update` function because `immutable: true` prevents it.

Fix

- Remove `immutable: true` at resource level
- Add `update_verb: PATCH` and `update_url: "{{perimeter}}"` → generates `resourceXxxUpdate` function
- Mark `title` as `immutable: true` at property level (it is an identity field used for matching)
- Remove `create_before_destroy` note (no longer needed — updates are now in-place)

The existing `PatchUpdateEncoder` in `nested_query.go.tmpl` handles the update logic:

- (`ingressFrom`, `ingressTo`, `title`)

Resources affected

- `google_access_context_manager_service_perimeter_ingress_policy`
- `google_access_context_manager_service_perimeter_egress_policy`
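The difference between the destroy+create cycle the PR describes and a single in-place PATCH can be made concrete offline. The block below is an added example for this discussion, not code from magic-modules or terraform-provider-google: `FakePerimeterApi` is a constructed stand-in for the perimeter endpoint that only honours `PATCH` with `updateMask=status.ingressPolicies` and records the nested policy list after every write, so the window in which the policy is absent becomes observable. The policy bodies and project numbers are constructed sample data; `find_index` is the match-by-`title` step that is the reason `title` has to stay immutable.

```python
"""Model of two update strategies for a nested ingress policy on a perimeter.

Added example, not project code. FakePerimeterApi is a constructed stand-in
for the accessContextManager perimeter endpoint.
"""
import copy
from typing import Dict, List, Optional

Policy = Dict[str, object]


class FakePerimeterApi:
    """In-memory perimeter (constructed). `history` records a snapshot of
    status.ingressPolicies after each PATCH, in order."""

    def __init__(self, ingress_policies: List[Policy]) -> None:
        self._policies: List[Policy] = copy.deepcopy(ingress_policies)
        self.history: List[List[Policy]] = []

    def get(self) -> List[Policy]:
        return copy.deepcopy(self._policies)

    def patch(self, ingress_policies: List[Policy], update_mask: str) -> None:
        # The whole nested list named by updateMask is replaced; any other
        # mask is rejected so the model cannot drift from the PR's description.
        if update_mask != "status.ingressPolicies":
            raise ValueError("unsupported updateMask: " + update_mask)
        self._policies = copy.deepcopy(ingress_policies)
        self.history.append(copy.deepcopy(self._policies))


def find_index(policies: List[Policy], title: str) -> Optional[int]:
    """Locate a policy by its identity field, `title`."""
    for i, policy in enumerate(policies):
        if policy.get("title") == title:
            return i
    return None


def create_policy(api: FakePerimeterApi, policy: Policy) -> None:
    """Create path: append the policy and PATCH the full list back."""
    policies = api.get()
    if find_index(policies, policy["title"]) is not None:
        raise ValueError("policy already exists: %s" % policy["title"])
    policies.append(policy)
    api.patch(policies, "status.ingressPolicies")


def delete_policy(api: FakePerimeterApi, title: str) -> None:
    """Delete path: drop the matching policy and PATCH the list back."""
    policies = api.get()
    idx = find_index(policies, title)
    if idx is None:
        raise KeyError(title)
    del policies[idx]
    api.patch(policies, "status.ingressPolicies")


def update_in_place(api: FakePerimeterApi, policy: Policy) -> None:
    """Update path: replace the policy with the same title in one PATCH.
    A missing title is an error rather than a silent create."""
    policies = api.get()
    idx = find_index(policies, policy["title"])
    if idx is None:
        raise KeyError(policy["title"])
    policies[idx] = policy
    api.patch(policies, "status.ingressPolicies")


def update_by_recreate(api: FakePerimeterApi, policy: Policy) -> None:
    """What ForceNew on every field produces: delete, then create."""
    delete_policy(api, policy["title"])
    create_policy(api, policy)


def had_gap(api: FakePerimeterApi, title: str) -> bool:
    """True if any intermediate state lacked the policy, i.e. a window in
    which traffic matched by that rule would have been denied."""
    return any(find_index(snap, title) is None for snap in api.history)


def baseline() -> List[Policy]:
    """Constructed starting state: two ingress policies on the perimeter."""
    return [
        {"title": "allow-ci",
         "ingressFrom": {"sources": [{"resource": "projects/111"}]},
         "ingressTo": {"resources": ["*"]}},
        {"title": "allow-ops",
         "ingressFrom": {"sources": [{"resource": "projects/333"}]},
         "ingressTo": {"resources": ["*"]}},
    ]


def changed_policy() -> Policy:
    """Desired state: allow-ci gains a second source project."""
    return {"title": "allow-ci",
            "ingressFrom": {"sources": [{"resource": "projects/111"},
                                        {"resource": "projects/222"}]},
            "ingressTo": {"resources": ["*"]}}


if __name__ == "__main__":
    for name, fn in (("destroy+create", update_by_recreate), ("in-place", update_in_place)):
        api = FakePerimeterApi(baseline())
        fn(api, changed_policy())
        print("%-15s patches=%d gap=%s" % (name, len(api.history), had_gap(api, "allow-ci")))
```

Running it shows the destroy+create path issuing two PATCHes with the policy absent between them, while the in-place path issues one PATCH and never leaves the perimeter without `allow-ci`; the untouched `allow-ops` policy survives both paths because the whole list is rewritten from the current state rather than from the single policy being changed.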