
firewall module seems to not function at all #90

Closed
ideasculptor opened this issue Oct 27, 2019 · 8 comments

@ideasculptor

The simplest possible config seems to result in an error:

module "net-firewall" {
  source                  = "terraform-google-modules/network/google//modules/fabric-net-firewall"
  project_id              = data.terraform_remote_state.vpc.outputs.project_id
  network                 = data.terraform_remote_state.vpc.outputs.network_name
  admin_ranges            = local.admin_ranges
  admin_ranges_enabled    = true
  internal_ranges_enabled = true
  internal_ranges         = local.all_ranges
  ssh_source_ranges       = ["0.0.0.0/0"]
}

Always errors out because of conflict between having both allow and deny dynamic blocks when setting up custom_rules, even when there are NO custom_rules.

[terragrunt] 2019/10/27 11:09:47 Running command: terraform apply

Error: "deny": conflicts with allow

  on .terraform/modules/net-firewall/terraform-google-modules-terraform-google-network-7810346/modules/fabric-net-firewall/main.tf line 112, in resource "google_compute_firewall" "custom":
 112: resource "google_compute_firewall" "custom" {



Error: "allow": conflicts with deny

  on .terraform/modules/net-firewall/terraform-google-modules-terraform-google-network-7810346/modules/fabric-net-firewall/main.tf line 112, in resource "google_compute_firewall" "custom":
 112: resource "google_compute_firewall" "custom" {


[terragrunt] 2019/10/27 11:09:50 Hit multiple errors:
exit status 1
@ludoo
Contributor

ludoo commented Oct 27, 2019

That's weird, let me look into it.

@ludoo ludoo self-assigned this Oct 27, 2019
@ideasculptor
Author

I just split the thing up into 2 resources, one with a dynamic allow block and one with a dynamic deny block, and everything functioned correctly. It seems as if terraform complains about the conflict between allow and deny before it resolves whether the dynamic nature of the block will actually result in content or not.

I can provide a PR, but I screwed up with my other PR and committed it to master in my local repo, so I have to do extra work to make a PR for this fix which doesn't also contain my other fix, so it'll take me a few
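The split-resource workaround described in the comment above, as an added example that is not the fabric-net-firewall module's own code. The shape of `var.custom_rules` (direction, action, ranges, and a list of protocol/port entries), the `project_id` and `network` input variables, and the two sample rules are assumptions constructed for illustration. The point of the layout is that each `google_compute_firewall` resource carries only one of `allow` or `deny`, so the provider's "conflicts with" validation never sees both block types on the same resource, whether or not the dynamic block ends up producing any entries.

```hcl
# Added example, not the module's code. Variable shapes below are assumptions.
variable "project_id" { type = string }
variable "network" { type = string }

variable "custom_rules" {
  description = "Constructed sample rules; map keys become firewall resource names."
  type = map(object({
    direction = string                                        # "INGRESS" or "EGRESS"
    action    = string                                        # "allow" or "deny"
    ranges    = list(string)                                  # source (INGRESS) or destination (EGRESS) CIDRs
    rules     = list(object({ protocol = string, ports = list(string) }))
  }))
  default = {
    allow-https-from-lb = {
      direction = "INGRESS"
      action    = "allow"
      ranges    = ["130.211.0.0/22", "35.191.0.0/16"] # GCP load balancer / health check ranges from the thread
      rules     = [{ protocol = "tcp", ports = ["443"] }]
    }
    deny-cleartext-admin = {
      direction = "INGRESS"
      action    = "deny"
      ranges    = ["0.0.0.0/0"]
      rules     = [{ protocol = "tcp", ports = ["23", "513-514"] }]
    }
  }
}

# Partition the rules by action once, so each resource below only ever
# receives rules of a single kind. With a single resource holding both a
# dynamic "allow" and a dynamic "deny" block, the provider rejected the
# configuration with '"deny": conflicts with allow' before evaluating whether
# either block produced zero entries (the behaviour the reporter hit).
locals {
  allow_rules = { for name, rule in var.custom_rules : name => rule if rule.action == "allow" }
  deny_rules  = { for name, rule in var.custom_rules : name => rule if rule.action == "deny" }
}

resource "google_compute_firewall" "custom_allow" {
  for_each  = local.allow_rules
  name      = each.key
  project   = var.project_id
  network   = var.network
  direction = each.value.direction

  # Only one of the two range attributes is valid for a given direction.
  source_ranges      = each.value.direction == "INGRESS" ? each.value.ranges : null
  destination_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null

  # One allow block per protocol/port entry; this resource never has a deny block.
  dynamic "allow" {
    for_each = each.value.rules
    content {
      protocol = allow.value.protocol
      ports    = allow.value.ports
    }
  }
}

resource "google_compute_firewall" "custom_deny" {
  for_each  = local.deny_rules
  name      = each.key
  project   = var.project_id
  network   = var.network
  direction = each.value.direction

  source_ranges      = each.value.direction == "INGRESS" ? each.value.ranges : null
  destination_ranges = each.value.direction == "EGRESS" ? each.value.ranges : null

  # Mirror image of the allow resource; this one never has an allow block.
  dynamic "deny" {
    for_each = each.value.rules
    content {
      protocol = deny.value.protocol
      ports    = deny.value.ports
    }
  }
}
```

Because the partition happens in `locals`, a `custom_rules` map with no deny entries simply yields an empty `for_each` on `custom_deny` and creates nothing, which is exactly the "no custom rules" case that failed in the single-resource form. As the thread later establishes, the conflict itself came from an older pinned google provider rather than from the module, so this layout is a way to stay independent of that provider behaviour rather than a fix the module needed.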

@ideasculptor
Author

ideasculptor commented Oct 27, 2019

$ terraform --version
Terraform v0.12.10

so not quite up to date, but pretty recent. And I do have the latest google provider unless a new one shipped since Friday.

@ludoo
Contributor

ludoo commented Oct 27, 2019

No worries, the actual change is trivial no need for a PR. Let me run some checks tomorrow first, as I've been using it extensively since adding dynamic rules, and never hit this issue.

@ideasculptor
Author

I'm upgrading my local terraform now. I'll report back if it fixes the problem.

@ludoo
Contributor

ludoo commented Oct 27, 2019

Hmmm there's something I'm not getting here. I slightly modified a setup I already have to match yours by also adding internal ranges and setting ssh source (which shouldn't make a difference, but whatever):

module "net-firewall" { # opening line absent from the original comment; block label assumed to match the reporter's
  source               = "terraform-google-modules/network/google//modules/fabric-net-firewall"
  version              = "1.4.0"
  project_id           = module.project.project_id
  network              = module.vpc-remote.network_name
  admin_ranges_enabled = true
  admin_ranges = concat(
    module.vpc-shared.subnets_ips,
    module.vpc-peered.subnets_ips,
    module.vpc-remote.subnets_ips,
    ["130.211.0.0/22", "35.191.0.0/16", "35.235.240.0/20"]
  )
  internal_ranges_enabled = true
  internal_ranges         = ["172.16.20.0/24"]
  ssh_source_ranges       = ["0.0.0.0/0"]
}

And I'm not seeing any errors. I'll try deleting and recreating the resources, but I don't suspect anything will change. Terraform version same as yours, google provider version 2.17.

@ludoo
Contributor

ludoo commented Oct 27, 2019

Recreating the firewall resources from scratch makes no difference, I'm not getting any errors. There's something different with your setup, and looking at your errors it looks like you're using terragrunt and that's what I'd start checking.

@ideasculptor
Author

It was my provider version. I was working in a directory in which someone else had (incorrectly) pinned the provider to a particular version.
