feat(accesscontextmanager): support in-place updates for IngressPolicy and EgressPolicy #17045
Open
yerbis09 wants to merge 1 commit into GoogleCloudPlatform:main from
…y and EgressPolicy
Remove resource-level immutable: true from ServicePerimeterIngressPolicy
and ServicePerimeterEgressPolicy. Add update_verb and update_url to enable
the Update function, which uses the same PATCH endpoint already used by
Create and Delete.
The Google REST API supports modifying ingress/egress policies in-place via
PATCH with updateMask=status.ingressPolicies. The previous behavior forced
a destroy+create cycle for any field change, causing a non-atomic gap where
traffic matching the rule was denied.
Changes:
- Remove immutable: true at resource level (both Ingress and Egress)
- Add update_verb: PATCH and update_url: {{perimeter}}
- Mark title property as immutable: true (identity field)
- Remove obsolete create_before_destroy note from descriptions
Googlers: For automatic test runs see go/terraform-auto-test-runs. @rileykarson, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look. You can help make sure that review is quick by doing a self-review and by running impacted tests locally.
Description

Remove resource-level `immutable: true` from `ServicePerimeterIngressPolicy` and `ServicePerimeterEgressPolicy` to enable in-place updates via `PATCH`.

Problem

Both resources are marked `immutable: true`, which sets `ForceNew: true` on every field. Any change — even adding a single project to `ingress_from.sources.resource` — triggers a destroy + create cycle.

This is a non-atomic operation: the old policy is removed first, then the new one is added. During the gap, traffic matching that ingress/egress rule is denied.

Root cause

The Google REST API already supports in-place updates. Both Create and Delete internally use `PATCH` with `updateMask=status.ingressPolicies` on the parent perimeter. The same endpoint works for updates — but the Terraform resource never generates an `Update` function because `immutable: true` prevents it.

Fix

- Remove `immutable: true` at resource level
- Add `update_verb: PATCH` and `update_url: "{{perimeter}}"` to generate the `resourceXxxUpdate` function
- Mark `title` as `immutable: true` at property level (it is an identity field used for matching)
- Remove the `create_before_destroy` note (no longer needed — updates are now in-place)

The existing `PatchUpdateEncoder` in `nested_query.go.tmpl` handles the update logic: `ingressFrom`, `ingressTo`, `title`

Resources affected

- `google_access_context_manager_service_perimeter_ingress_policy`
- `google_access_context_manager_service_perimeter_egress_policy`

Fixes hashicorp/terraform-provider-google#26842
References