
Comments (11)

andrewsomething commented on July 26, 2024

I'm happy to say that yesterday, we released version 1.0.0 of the DigitalOcean Terraform provider. It should include a fix for this issue.

You can find the full changelog here: https://github.com/terraform-providers/terraform-provider-digitalocean/blob/master/CHANGELOG.md#100-september-27-2018

In order to upgrade an existing project to the latest version, run:

terraform init -upgrade

If you believe that this issue is being closed by mistake or the problem has not been resolved, please let me know or feel free to open a new issue with additional details.

Thanks for your patience!

from terraform-provider-digitalocean.

dghubble commented on July 26, 2024

I see this behavior as well as terraform trying to always update the port_range.

      inbound_rule.3.port_range:  "0" => "all"
      inbound_rule.4.port_range:  "0" => "all"
      outbound_rule.1.port_range: "0" => "all"
      outbound_rule.2.port_range: "0" => "all"

The firewall resource type seems to have issues with using a stable sort of the list of rules and with comparing its string values (like "all") with what the DO API will return on subsequent requests.


siwyd commented on July 26, 2024

I can confirm this behaviour, I have the following resource:

resource "digitalocean_firewall" "vuilbak" {
  name = "vuilbak"
  droplet_ids = ["${digitalocean_droplet.vuilbak.id}"]

  inbound_rule = [
    {
      protocol         = "icmp"
      source_addresses = ["0.0.0.0/0"]
    },
    {
      protocol         = "tcp"
      port_range       = "22"
      source_addresses = ["0.0.0.0/0"]
    }
  ]

  outbound_rule = [
    {
      protocol              = "icmp"
      destination_addresses = ["0.0.0.0/0"]
    },
    {
      protocol              = "tcp"
      port_range            = "all"
      destination_addresses = ["0.0.0.0/0"]
    },
    {
      protocol              = "udp"
      port_range            = "all"
      destination_addresses = ["0.0.0.0/0"]
    }
  ]
}

terraform plan on a subsequent run with no code changes reports the following:

  ~ digitalocean_firewall.vuilbak
      inbound_rule.0.port_range:  "22" => ""
      inbound_rule.0.protocol:    "tcp" => "icmp"
      inbound_rule.1.port_range:  "0" => "22"
      inbound_rule.1.protocol:    "icmp" => "tcp"
      outbound_rule.0.port_range: "0" => ""
      outbound_rule.0.protocol:   "tcp" => "icmp"
      outbound_rule.1.port_range: "0" => "all"
      outbound_rule.1.protocol:   "udp" => "tcp"
      outbound_rule.2.port_range: "0" => "all"
      outbound_rule.2.protocol:   "icmp" => "udp"

It seems like it simply wants to switch the order of the rules around.

from terraform-provider-digitalocean.
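The two causes named in the comments above (rule order, and "0" versus "all" or an empty port_range) can be separated from a real rule change by comparing rules as a canonicalised set. This is an added Go example, not the provider's code and not part of any comment; `Rule`, `key` and `SetDrift` are hypothetical names, and the "0" mapping is an assumption read off the plan output.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Rule mirrors the fields used in the firewall blocks on this page.
type Rule struct {
	Protocol, PortRange string
	Addresses           []string
}

// key is an order-independent identity for a rule. Assumption from the plan
// output above: the API reports "0" where the config says "all" or omits ports.
func key(r Rule) string {
	ports := r.PortRange
	if r.Protocol == "icmp" {
		ports = "" // icmp has no ports; ignore what either side reports
	} else if ports == "0" {
		ports = "all"
	}
	return r.Protocol + "|" + ports + "|" + strings.Join(r.Addresses, ",")
}

// SetDrift returns the canonical keys present on only one side, sorted.
func SetDrift(cfg, api []Rule) (drift []string) {
	count := map[string]int{}
	for _, r := range cfg {
		count[key(r)]++
	}
	for _, r := range api {
		count[key(r)]--
	}
	for k, c := range count {
		if c != 0 {
			drift = append(drift, k)
		}
	}
	sort.Strings(drift)
	return drift
}

func main() {
	world := []string{"0.0.0.0/0"}
	// cfg: outbound rules from the config above; api: constructed from the plan's left-hand values.
	cfg := []Rule{{"icmp", "", world}, {"tcp", "all", world}, {"udp", "all", world}}
	api := []Rule{{"tcp", "0", world}, {"udp", "0", world}, {"icmp", "0", world}}
	fmt.Println(len(SetDrift(cfg, api)), SetDrift(cfg, append(api, Rule{"tcp", "22", world})))
}
```

An empty result means the plan diff is only reordering or spelling; any key returned is a rule that exists on one side only and deserves review before applying.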

BrianHicks commented on July 26, 2024

I'm getting the same behavior with the same version. I've found that I can deal with shuffling the rules around to however it ends up sorting them after I make a change (it is stable, if not exactly predictable) but still am having trouble with the "0" => "all" lines.


danrabinowitz commented on July 26, 2024

It looks like the "0" => "all" issue is fixed by this PR: https://github.com/terraform-providers/terraform-provider-digitalocean/pull/41

That should be released in the next release of terraform-provider-digitalocean, version 0.1.3.


pschirch commented on July 26, 2024

This issue still exists.

Terraform v0.11.3
+ provider.digitalocean v0.1.3

Creating a new firewall works.

resource "digitalocean_tag" "default-firewall" {
  name = "Default-Firewall"
}

resource "digitalocean_firewall" "default-firewall" {
  name = "Default-Firewall"

  tags = ["${digitalocean_tag.default-firewall.id}"]

  inbound_rule = [
    {
      protocol         = "tcp"
      port_range       = "22"
      source_addresses = ["0.0.0.0/0", "::/0"]
    },
  ]

  outbound_rule = [
    {
      protocol              = "icmp"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    },
    {
      protocol              = "tcp"
      port_range            = "all"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    },
    {
      protocol              = "udp"
      port_range            = "all"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    },
  ]
}

But if you run terraform plan next time, Terraform wants to change the firewall configuration although there are no changes.

Terraform will perform the following actions:

  ~ digitalocean_firewall.default-firewall
      outbound_rule.0.port_range: "0" => ""

This results in an error if you want to run terraform apply for changes that are really wanted.

* digitalocean_firewall.default-firewall: Error updating firewall: PUT https://api.digitalocean.com/v2/firewalls/525e50a2-ad47-44a8-8bcd-52c7dc8ebab5: 422 (request "3d967ce0-cf0d-4a8b-912d-a1a9625e5a3a") You must specify a positive value for ports.

Any updates on this issue?


pschirch commented on July 26, 2024

Same error occurs if you want to add the ICMP rule to an existing firewall.

Create a new firewall.

resource "digitalocean_tag" "default-firewall" {
  name = "Default-Firewall"
}

resource "digitalocean_firewall" "default-firewall" {
  name = "Default-Firewall"

  tags = ["${digitalocean_tag.default-firewall.id}"]

  inbound_rule = [
    {
      protocol         = "tcp"
      port_range       = "22"
      source_addresses = ["0.0.0.0/0", "::/0"]
    },
  ]

  outbound_rule = [
    {
      protocol              = "tcp"
      port_range            = "all"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    },
    {
      protocol              = "udp"
      port_range            = "all"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    },
  ]
}

Now let's say you forgot the ICMP rule and want to add it.

  outbound_rule = [
    {
      protocol              = "icmp"
      destination_addresses = ["0.0.0.0/0", "::/0"]
    },
    ...
  ]

* digitalocean_firewall.default-firewall: Error updating firewall: PUT https://api.digitalocean.com/v2/firewalls/525e50a2-ad47-44a8-8bcd-52c7dc8ebab5: 422 (request "433d0f00-bf77-4992-b90b-1e7ed7981650") You must specify a positive value for ports.

Any advice?


Kaderovski-zz commented on July 26, 2024

Working for me by doing this:

  outbound_rule = [
    {
      protocol = "tcp"
      port_range = "all"
      destination_addresses = [
        "0.0.0.0/0",
        "::/0"]
    },
    {
      protocol = "udp"
      port_range = "all"
      destination_addresses = [
        "0.0.0.0/0",
        "::/0"]
    },
    {
      protocol = "icmp"
      port_range = "1-65535"
      destination_addresses = [
        "0.0.0.0/0",
        "::/0"]
    },
  ]

I know it's a bit weird to put port_range = "1-65535" on an icmp rule, but it's the only way I've found to make it work.

Hope it helps!


pschirch commented on July 26, 2024

@F00b4rch In case you create a completely new firewall and do not change the ICMP rule definition, this workaround helps. But in case you want to edit a firewall, e.g. to add or delete the ICMP rule, an error occurs as well.

* digitalocean_firewall.default-firewall: Error updating firewall: PUT https://api.digitalocean.com/v2/firewalls/f8ddaabe-7190-4d60-9b7d-2f24af010e43: 422 (request "5415d903-c8e8-4e14-a346-9b9e44198571") You must specify a positive value for ports.


pschirch commented on July 26, 2024

This error also occurs if you are editing a firewall that initially has an ICMP rule defined. So actually you cannot seriously manage a Digital Ocean firewall with Terraform. Unfortunately an unsatisfactory condition.


z3ntu commented on July 26, 2024

In my opinion an example for ICMP should be listed in the docs.
