Updated resource "Region Security Policy" to allow for rule creation when creating the policy resource #11894
Conversation
|
Hello! I am a robot. Tests will require approval from a repository maintainer to run. @melinath, a repository maintainer, has been assigned to review your changes. If you have not received review feedback within 2 business days, please leave a comment on this PR asking them to take a look. You can help make sure that review is quick by doing a self-review and by running impacted tests locally. |
modular-magician
added
the
awaiting-approval
modular-magician
added
service/compute-security-policy
and removed
awaiting-approval
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
Missing test reportYour PR includes resource fields which are not covered by any test. Resource: resource "google_compute_region_security_policy" "primary" {
rules {
network_match {
dest_ip_ranges = # value needed
dest_ports = # value needed
ip_protocols = # value needed
src_asns = # value needed
src_ip_ranges = # value needed
src_ports = # value needed
src_region_codes = # value needed
user_defined_fields {
name = # value needed
values = # value needed
}
}
preconfigured_waf_config {
exclusion {
request_cookie {
operator = # value needed
value = # value needed
}
request_header {
operator = # value needed
value = # value needed
}
request_query_param {
operator = # value needed
value = # value needed
}
request_uri {
operator = # value needed
value = # value needed
}
target_rule_ids = # value needed
target_rule_set = # value needed
}
}
preview = # value needed
rate_limit_options {
ban_duration_sec = # value needed
ban_threshold {
count = # value needed
interval_sec = # value needed
}
conform_action = # value needed
enforce_on_key = # value needed
enforce_on_key_configs {
enforce_on_key_name = # value needed
enforce_on_key_type = # value needed
}
enforce_on_key_name = # value needed
exceed_action = # value needed
rate_limit_threshold {
count = # value needed
interval_sec = # value needed
}
}
}
}
|
Tests analyticsTotal tests: 65 Click here to see the affected service packages
Tests were added that are skipped in VCR:
View the build log |
|
@melinath This PR has been waiting for review for 3 weekdays. Please take a look! Use the label |
|
WIP on extra tests |
There was a problem hiding this comment.
in addition to the additional tests - this is currently running into some kind of issue with float64 values in int fields while calculating the set hash for the rules:
panic: interface conversion: interface {} is float64, not int
goroutine 108163 [running]:
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.SerializeValueForHash(0xc001bdcf50?, {0x418bcc0?, 0xc0020acf60?}, 0x513c4c?)
/go/pkg/mod/github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/serialize.go:27 +0x297
I see there's logic in the PR related to converting floats to ints; perhaps there's a missed case?
…ctly gcp api); only works if adding a rule and policy separate, maybe a race condition
modular-magician
added
the
awaiting-approval
@melinath Could you tell me - how do I replicate this error? |
modular-magician
removed
the
awaiting-approval
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
Missing test reportYour PR includes resource fields which are not covered by any test. Resource: resource "google_compute_region_security_policy" "primary" {
rules {
preconfigured_waf_config {
exclusion {
request_cookie {
value = # value needed
}
}
}
rate_limit_options {
enforce_on_key_name = # value needed
}
}
}
|
Tests analyticsTotal tests: 1033 Click here to see the affected service packages
Action takenFound 9 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
|
|
🟢 Tests passed during RECORDING mode: 🟢 No issues found for passed tests after REPLAYING rerun. 🔴 Tests failed during RECORDING mode: 🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR. |
Well... it looks like something you did fixed it, so there's no need. :-) |
There was a problem hiding this comment.
The two failing tests are not failing in our nightlies, so this seems likely to be related to your change. The error message for both is:
Error: Error updating RegionSecurityPolicy "projects/ci-test-project-188019/regions/us-central1/securityPolicies/tf-test490g73z6eh": googleapi: Error 400: Invalid value for field 'resource.rules[0].networkMatch': ''. Network matcher must have at least one field set., invalid
Looking through the test failures vs. our nightlies, the issue seems to be that in the nightlies, since the rules field doesn't exist at all, it isn't sent in the PATCH request. However, for your PR, since the rules field does exist (and it's default_from_api) the value returned by the API will be sent with the next API request - but only the fields supported by Terraform.
It looks like the security_policy logic for update has some pretty customized logic for determining whether to make any changes based on rule updates and calls a completely different API method. You PROBABLY don't need to replicate that; it probably pre-dates update support for the rules field via the standard PATCH method.
And it looks like the API is ignoring the updateMask parameter.
This is a very long way of saying: probably the best path forward is to also add support for the networkMatcher field (even though it isn't supported on the google_compute_security_policy resource) and potentially any other fields that are returned but not currently supported, to avoid breaking users' existing configs.
The default API response seems to be:
"rules": [
{
"kind": "compute#securityPolicyRule",
"description": "default rule",
"priority": 2147483647,
"networkMatch": {
"srcIpRanges": [
"*"
]
},
"action": "allow",
"preview": false,
"ruleNumber": "1"
}
],
https://googlecloudplatform.github.io/magic-modules/develop/test/run-tests/ has more information about how to get debug logs and run manual tests.
Additionally, please add test coverage for the fields mentioned here: #11894 (comment)
|
🟢 Tests passed during RECORDING mode: 🟢 No issues found for passed tests after REPLAYING rerun. 🔴 Tests failed during RECORDING mode: 🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR. |
modular-magician
added
awaiting-approval
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
|
Tests analyticsTotal tests: 1054 Click here to see the affected service packages
Action takenFound 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
|
|
🔴 Tests failed during RECORDING mode: 🔴 Errors occurred during RECORDING mode. Please fix them to complete your PR. |
.../third_party/terraform/services/compute/resource_compute_region_security_policy_test.go.tmpl
Show resolved
Hide resolved
.../third_party/terraform/services/compute/resource_compute_region_security_policy_test.go.tmpl
Show resolved
Hide resolved
…egion_security_policy_test.go.tmpl Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
…egion_security_policy_test.go.tmpl Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
modular-magician
added
awaiting-approval
|
Hi there, I'm the Modular magician. I've detected the following information about your changes: Diff reportYour PR generated some diffs in downstreams - here they are.
|
Tests analyticsTotal tests: 1054 Click here to see the affected service packages
Action takenFound 1 affected test(s) by replaying old test recordings. Starting RECORDING based on the most recent commit. Click here to see the affected tests
|
|
🥳 |
Thank you for the support! |
…when creating the policy resource (GoogleCloudPlatform#11894) Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
…when creating the policy resource (GoogleCloudPlatform#11894) Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
…when creating the policy resource (GoogleCloudPlatform#11894) Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
…when creating the policy resource (GoogleCloudPlatform#11894) Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
Updated resource "google_compute_region_security_policy" to allow rule creation at the same time when creating the policy. Functionality similar to what you can do with google_compute_security_policy.
It fixes a current issue that you cannot override the default created rule when (or after) creating a regional security policy. A default allow rule gets created at the same time, which cannot be controlled/changed without jumping through hoops to manually import it into your state: hashicorp/terraform-provider-google#15687
Release Note Template for Downstream PRs (will be copied)