Invalid combination of arguments when optional back end health_check not specified

[av603]

TL;DR

The health_check defined for each backend was made optional in version 11.0 HOWEVER the module still attempts to create a google_compute_firewall rule for the non existent health_check.

The google_compute_firewall rule fails to be created as the google_compute_firewall dynamic allow block relies on the health_check being specified. As the health check is missing, this leads to error Error: Invalid combination of arguments. "deny": one of "allow,deny" must be specified.

Expected behavior

Do not attempt to create a health check related firewall rule if the optional health_check is not defined.

Observed behavior

Module attempts to create a firewall rule for a non defined backend health_check leading to error Error: Invalid combination of arguments. "deny": one of "allow,deny" must be specified.

Terraform Configuration

module "http_load_balancer" {
  source  = "GoogleCloudPlatform/lb-http/google"
  version = "~> 12.0"

  project               = local.project
  name                  = "lb"
  load_balancing_scheme = "EXTERNAL"

  https_redirect = true

  ssl                       = true
  random_certificate_suffix = true
  managed_ssl_certificate_domains = concat(
    [
      for dns_name in values(local.lb_dns_names) : trimsuffix(dns_name, ".")
    ],
    (local.webapp_custom_dns_name != "") ? [trimsuffix(local.webapp_custom_dns_name, ".")] : []
  )

  create_url_map = false
  url_map        = google_compute_url_map.acme.name

  backends = {
    for key, value in local.acme_endpoints : key => {
      description             = "ACME backend - ${key}"
      enable_cdn              = false
      custom_request_headers  = local.workspace_custom_request_header
      custom_response_headers = null

      # health_check = {
      # NOTE: optional `health_check` not defined here.
      # }

      security_policy = module.security_policy.policy.self_link

      log_config = {
        enable      = true
        sample_rate = 1.0
      }

      groups = [
        {
          group = google_compute_global_network_endpoint_group.acme[key].id
        }
      ]

      iap_config = {
        enable               = false
        oauth2_client_id     = null
        oauth2_client_secret = null
      }
    }
  }
}

Terraform Version

Terraform v1.4.7
on linux_arm64
+ provider registry.terraform.io/hashicorp/google v6.14.1
+ provider registry.terraform.io/hashicorp/google-beta v6.14.1
+ provider registry.terraform.io/hashicorp/random v3.6.3

Additional information

No response

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days