Error 409 when trying to update the resource google_compute_security_policy #14738
Comments
@marcusricardoaguiar changing on two fields, what did you do to trigger the recreation?

Hey @edwardmedia , for instance, the last time it happened, it was a rule that I replaced. I changed the rule priority and the expressions. Then, it triggered the security policy recreation.
However, I haven't changed the project nor the name.

@marcusricardoaguiar can you detail the steps to repro, specifically the way to trigger recreation? Besides project and name, I do not see other fields that will trigger it.

Hi @edwardmedia , I've just found out what's going on. I've just created a
Then, I tried to update the security policy and I added a new rule with a high priority:
In this case, since this security policy has been used by the backend service, it will try to create the new one before deleting it. Then, it crashes because the name already exists (409 error).
@marcusricardoaguiar Using the config below, I tested by 1) initial apply and 2) uncommenting the 3rd rule and applying, and did not hit the problem. Adding the 3rd rule did not trigger

```hcl
resource "google_compute_security_policy" "policy" {
  name = "issue14738-1"
  //type = "CLOUD_ARMOR"
  type = "CLOUD_ARMOR_INTERNAL_SERVICE"

  rule {
    action   = "deny(403)"
    priority = "1000"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["9.9.9.0/24"]
      }
    }
    description = "Deny access to IPs in 9.9.9.0/24"
  }

  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }

  /* uncomment for the 2nd apply
  rule {
    description = "Login rate limit"
    action      = "throttle"
    priority    = 28
    match {
      expr {
        expression = join(" ", [
          "request.method == 'POST'",
          "&& !has(request.headers['*****'])"
        ])
      }
    }
    rate_limit_options {
      conform_action = "allow"
      exceed_action  = "deny(429)"
      enforce_on_key = ""
      rate_limit_threshold {
        count        = 5
        interval_sec = 60
      }
    }
  }
  */
}

resource "google_compute_backend_service" "default" {
  name            = "backend-service"
  health_checks   = [google_compute_http_health_check.default.id]
  security_policy = google_compute_security_policy.policy.self_link
}

resource "google_compute_http_health_check" "default" {
  name               = "health-check"
  request_path       = "/"
  check_interval_sec = 1
  timeout_sec        = 1
}
```
Hi @edwardmedia , I've been using google-beta provider version 4.66.0. I've tried your suggestion and it worked as you mentioned. However, if we include the block
@marcusricardoaguiar oh, yes, that is right. enforce_on_key_configs is only available in beta and it is a field that could trigger recreation.

Ah I see, thanks @edwardmedia , so, do you know if this will not trigger recreation once it's not beta anymore?

@marcusricardoaguiar any changes on that field will trigger recreation once it is GA. I do not have a solution off the top of my head to your situation. @ryanyuan what do you think?

hey @edwardmedia, I reckon you wanted to tag @roaks3

I've checked through the code, and nothing stood out as an obvious cause of the 409. The force_replacement behavior will call the resource's delete function and then its create function, which both appear to properly retrieve operations and wait for them to complete. My suspicion at this point is that the resource is deleted and allowed to proceed to the create, but the resource's name is not yet available (

I could see the main potential issue here is: We are creating two separate resources here and mapping it after the resources are created. This will have an issue because the proper dependency is missing.

b/297932215

@santoshpandit1 even adding a dependency between the LB BE and the security policy didn't help. Is there any resolution? I was updating a

Hello there, I just checked this has been available in beta for some time now so I am bumping it to GA. Additionally they removed the force_new flag for the enforce_on_key_configs block so now it updates in place instead of recreating.

Yea, looks like @maxi-cit we should be able to close with your change (or even close it now), and then let users raise a new issue if there are still problems with the replacement.
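Added example, not from this issue or the provider's own code: where a field still forces replacement of the policy, one way to avoid the 409 on the fixed name is to derive the name from a random_id whose keepers change with the replacement-triggering change, and to let Terraform create the new policy before destroying the old one. The revision local, the random_id suffix and the hashicorp/random provider are assumptions; the resources mirror the config posted above.

```hcl
locals {
  # Assumption: bump this whenever a field that still forces replacement
  # changes (the thread names enforce_on_key_configs in older beta versions).
  policy_revision = "v2"
}

resource "random_id" "policy_suffix" {
  byte_length = 2
  keepers = {
    revision = local.policy_revision # new hex suffix only when this changes
  }
}

resource "google_compute_security_policy" "policy" {
  name = "issue14738-${random_id.policy_suffix.hex}"
  type = "CLOUD_ARMOR"

  rule {
    action      = "allow"
    priority    = 2147483647
    description = "default rule"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }

  lifecycle {
    # The replacement is created under its new name first, the backend
    # service below is switched to it, and only then is the old policy
    # deleted, so no two policies ever share a name and the backend is
    # never left without a policy attached.
    create_before_destroy = true
  }
}

resource "google_compute_backend_service" "default" {
  name            = "backend-service"
  health_checks   = [google_compute_http_health_check.default.id]
  security_policy = google_compute_security_policy.policy.self_link
}

resource "google_compute_http_health_check" "default" {
  name               = "health-check"
  request_path       = "/"
  check_interval_sec = 1
  timeout_sec        = 1
}
```

As the last comments note, enforce_on_key_configs no longer forces replacement in newer provider versions, so this pattern is only needed for fields that still do.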
Terraform Version
Version: 1.5.0

Affected Resource(s)

Terraform Configuration Files
After making some changes on the resource google_compute_security_policy that trigger the resource recreation, it is trying to create the resource again first before deleting it. Then, since we already have the resource with the same name, it's crashing.

Debug Output

Panic Output

Expected Behavior
I would like that GCP/Terraform were able to handle this situation and, in this case, remove the resource first before creating the new one.

Actual Behavior
Since it tries to create before removing, it will crash when trying to create a resource with the same name as the existing one.

Steps to Reproduce
Use an already existing google_compute_security_policy resource and make some changes to its Terraform code. This might try to recreate the resource. However, you should have that already existing stuff.