Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Get state for google_compute_firewall_policy_rule fails with provider 6.13.0 #20660

Closed
Flektoma opened this issue Dec 11, 2024 · 3 comments
Closed

Comments

@Flektoma
Copy link

Flektoma commented Dec 11, 2024

Community Note

After update of provider from 6.12.0 to 6.13.0, we can see issue with terraform not properly getting state for google_compute_firewall_policy_rule resource. State refresh phase uses different link to get the resource than before and fails to fetch it, resulting in inaccurate plan attempting to create existing resource.

Roll back to provider 6.12.0 solved the issue and you can actually see in debug logs that URL used to fetch this resource has changed.

Provided gists of debug output for both provider versions for the same resource.

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.6.6
on darwin_arm64

  • provider registry.terraform.io/hashicorp/google v6.13.0

Affected Resource(s)

google_compute_firewall_policy_rule

Debug Output

https://gist.github.com/Flektoma/d0dff1c0dc3b86a30dde33dd01331e2e

Expected Behavior

The terraform should have found the resource as it used to before for provider 6.12.0
https://gist.github.com/Flektoma/072b12cea2b01b8bdc039b99771eab75

b/383894751

@gorge511
Copy link

gorge511 commented Dec 11, 2024

I think I found the issue we have.

Until TPG v4.70.0 there was firewall_policy = google_compute_firewall_policy.default.id in the documentation and since our code is quite old, we fill the firewall_policy field with policy id in form locations/global/firewallPolicies/{firewall_policy}. Since TPG v4.71.0 there is name parameter used for firewall_policy field under google_compute_firewall_policy_rule resource.

This caused that we have firewall_policy parameter in the "long" form in our state files. Providers with DCL version of google_compute_firewall_policy_rule can manage it and parse the policy id correctly. However when google_compute_firewall_policy_rule resource was migrated to MMv1 the policy id is not parsed correctly and whole string is used in api url which causes this problem.

Unfortunately I didn't find any solution other than changing the firewall_policy in all state files manually to only {firewall_policy} and also our code to use policy name instead of policy id.

EDIT: It seems that there is an option to add legacy_long_form_project: true to the MMv1 resource definition which will solve the issue on the provider side. Do you know if it can have some bad side effects?

@trodge you did the migration from DCL to MMv1, do you have any idea how to fix the provider and make the new provider version compatible with old state files?

@c2thorn
Copy link
Collaborator

c2thorn commented Dec 12, 2024

Assigning to @trodge since this is directly related to the GA DCL -> MMv1 firewall migration

@c2thorn c2thorn removed the forward/review In review; remove label to forward label Dec 12, 2024
@shuyama1
Copy link
Collaborator

This seems similar to #20725 and is expected to be resolved by #20733, scheduled for release in v6.14.1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

6 participants