terraform-provider-google: Terraform crashing when planning a google compute firewall resource based on module output that do not exists yet

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

❯ terraform -v
Terraform v1.0.10
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v4.0.0
+ provider registry.terraform.io/hashicorp/google-beta v4.0.0
+ provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

google_compute_firewall

Terraform Configuration Files

resource "google_compute_firewall" "firewall_prometheus_node" {
  name = "prometheus-node"
  network = google_compute_network.vpc_network.self_link

  # unrelevant part are discarded for clarity
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }

  source_ranges = [ module.xxxxxx.satellite_ip ]
}

Debug Output

Panic Output

TestSimplePlan 2021-11-04T09:48:28Z logger.go:66: │ Error: 1 error occurred:
TestSimplePlan 2021-11-04T09:48:28Z logger.go:66: │ 	* one of source_tags, source_ranges, or source_service_accounts must be defined
TestSimplePlan 2021-11-04T09:48:28Z logger.go:66: │ 
TestSimplePlan 2021-11-04T09:48:28Z logger.go:66: │ 
TestSimplePlan 2021-11-04T09:48:28Z logger.go:66: │ 
TestSimplePlan 2021-11-04T09:48:28Z logger.go:66: │   with google_compute_firewall.firewall_prometheus_node,
TestSimplePlan 2021-11-04T09:48:28Z logger.go:66: │   on firewall.tf line 94, in resource "google_compute_firewall" "firewall_prometheus_node":
TestSimplePlan 2021-11-04T09:48:28Z logger.go:66: │   94: resource "google_compute_firewall" "firewall_prometheus_node" {

Expected Behavior

the resource should be planned correctly if the module has not been created yet indicating a “known after apply” value for the source_range

Actual Behavior

Terraform is crashing because he can’t know the output of the module not created thus leading to all required argument of the resource google_compute_firewall not being set.

Steps to Reproduce

create a module that output a IP range
put that output in the source_ranges field of the google_compute_firewall resource
run terrform plan

Important Factoids

Nope

References

N/A

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 12
Comments: 16

Commits related to this issue

Temporarily applies an empty source_tags setting. * this should be removed once https://github.com/hashicorp/terraform-provider-google/issues/10494 is addressed — committed to rakuten-gcloud/terraform-google-kubernetes-engine by jackwhelpton 3 years ago
Adds unit test for firewall depending on module output * see https://github.com/hashicorp/terraform-provider-google/issues/10494 — committed to rakuten-gcloud/terraform-provider-google by jackwhelpton 3 years ago
Temporarily applies an empty source_tags setting. * this should be removed once https://github.com/hashicorp/terraform-provider-google/issues/10494 is addressed — committed to terraform-google-modules/terraform-google-kubernetes-engine by jackwhelpton 3 years ago
Temporarily applies an empty source_tags setting. * this should be removed once https://github.com/hashicorp/terraform-provider-google/issues/10494 is addressed — committed to terraform-google-modules/terraform-google-kubernetes-engine by jackwhelpton 3 years ago
feat!: update TPG version constraints to 4.0 (#1129) * feat: update TPG version constraints to allow 4.0 * Removes basic auth, renames namespace_identity * Regenerates modules and documentation... — committed to terraform-google-modules/terraform-google-kubernetes-engine by bharathkkb 2 years ago

Most upvoted comments

Should be fixed via https://github.com/GoogleCloudPlatform/magic-modules/pull/5526

slevenick on Jan 25, 2022

I was also able to repro this, below is an MCVE. Works fine with v3.90.1 but throws * one of source_tags, source_ranges, or source_service_accounts must be defined with v4.1.0.

locals {
  project_id = "YOUR_PROJECT_ID"
}

resource "google_compute_network" "vpc_network" {
  project                 = local.project_id
  name                    = "test-network"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnet" {
  name          = "test-subnet"
  project       = local.project_id
  ip_cidr_range = "10.0.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.vpc_network.id
}

resource "google_compute_address" "address" {
  name         = "test-address"
  project      = local.project_id
  subnetwork   = google_compute_subnetwork.subnet.id
  address_type = "INTERNAL"
  region       = "us-central1"
}

resource "google_compute_firewall" "fw" {
  name      = "test-fw"
  project   = local.project_id
  network   = google_compute_network.vpc_network.id
  direction = "INGRESS"

  source_ranges = ["${google_compute_address.address.address}/32"]
  target_tags   = ["foo"]

  allow {
    protocol = "tcp"
  }
}

bharathkkb on Nov 29, 2021

Had the same problem today, solved by adding source_tags = [“mynetwork”]

resource “google_compute_firewall” “mynetwork-allow-http-ssh-rdp-icmp” { name = “mynetwork-allow-http-ssh-rdp-icmp” network = google_compute_network.mynetwork.self_link allow { protocol = “tcp” ports = [“22”, “80”, “3389”] } allow { protocol = “icmp” } source_tags = [“mynetwork”] }

Source: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_firewall

hudson-m on Nov 9, 2021