google_compute_security_policy - no error message when rule has same priority

[valtos]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.12.18

Affected Resource(s)

• google_compute_security_policy

Terraform Configuration Files

  project = my_project_id

  name = "my-policy"

  rule {
    action   = "allow"
    priority = "1000"
    match {
      expr {
        expression = "inIpRange(origin.ip, 'my_first_ip/32') && request.path.startsWith('/admin')"
      }
    }
    description = "a"
  }

  rule {
    action   = "allow"
    priority = "1000"
    match {
      expr {
        expression = "inIpRange(origin.ip, 'my_second_ip/32') && request.path.startsWith('/')"
      }
    }
    description = "b"
  }

  rule {
    action   = "deny(404)"
    priority = "9999"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule : deny all"
  }

}

Debug Output

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Expected Behavior

Well it should have indicates that two rules with same priority isn't possible, and indicate the rule that didn't create

Actual Behavior

"Apply complete!" No error messages, looks like everything is ok with terraform apply ! => but in google console, only one rule was created

Steps to Reproduce

1. Create a security policy with 2 rules with the same priority
2. terraform apply

Important Factoids

This error happen with the security policy using the custom rules:
https://cloud.google.com/armor/docs/rules-language-reference

[edwardmedia]

@megan07 after adding a rule in the resource, I got below plan. But there is only one POST call. You can see the rules in the console do not match the setting in the config. Also if you delete one rule from the config and then apply, I only see one POST call.

# google_compute_security_policy.name will be updated in-place
  ~ resource "google_compute_security_policy" "name" {
        fingerprint = "q8O-lq9XM_w="
        id          = "projects/myproject/global/securityPolicies/my-policy"
        name        = "my-policy"
        project     = "myproject"
        self_link   = "https://www.googleapis.com/compute/v1/projects/myproject/global/securityPolicies/my-policy"

      - rule {
          - action      = "allow" -> null
          - description = "default rule" -> null
          - preview     = false -> null
          - priority    = 2147483647 -> null

          - match {
              - versioned_expr = "SRC_IPS_V1" -> null

              - config {
                  - src_ip_ranges = [
                      - "*",
                    ] -> null
                }
            }
        }
      + rule {
          + action      = "allow"
          + description = "default rule"
          + priority    = 2147483647

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "*",
                    ]
                }
            }
        }
      + rule {
          + action      = "deny(403)"
          + description = "Deny access to IPs in 9.9.7.0/24"
          + priority    = 1000

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "9.9.7.0/24",
                    ]
                }
            }
        }
      - rule {
          - action      = "deny(404)" -> null
          - description = "Deny access to IPs in 9.9.8.0/24" -> null
          - preview     = false -> null
          - priority    = 1000 -> null

          - match {
              - versioned_expr = "SRC_IPS_V1" -> null

              - config {
                  - src_ip_ranges = [
                      - "9.9.8.0/24",
                    ] -> null
                }
            }
        }
      + rule {
          + action      = "deny(404)"
          + description = "Deny access to IPs in 9.9.8.0/24"
          + priority    = 1000

          + match {
              + versioned_expr = "SRC_IPS_V1"

              + config {
                  + src_ip_ranges = [
                      + "9.9.8.0/24",
                    ]
                }
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

---[ REQUEST ]---------------------------------------
POST /compute/beta/projects/myproject/global/securityPolicies/my-policy/patchRule?alt=json&prettyPrint=false&priority=1000 HTTP/1.1
{
 "action": "deny(403)",
 "description": "Deny access to IPs in 9.9.7.0/24",
 "match": {
  "config": {
   "srcIpRanges": [
    "9.9.7.0/24"
   ]
  },
  "versionedExpr": "SRC_IPS_V1"
 },
 "preview": false,
 "priority": 1000
}

[valtos]

@edwardmedia , the error is specifically with security policy containing custom rules with Common Expression Language (CEL)
[https://cloud.google.com/armor/docs/rules-language-reference]

  rule {
    action   = "allow"
    priority = "1000"
    match {
      expr {
        expression = "inIpRange(origin.ip, 'my_first_ip/32') && request.path.startsWith('/admin')"
      }
    }
    description = "a"
  }

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!