Reputation: 1534
I am using terraform to import the state of existing GCP App Engine Resource firewall rules so that the firewall rules can be later managed with terraform. I am also planning to add one more rule on top of it with priority 999.
I imported using the below command:
terraform import google_app_engine_firewall_rule.newrule <project>/1000
After that I executed terraform show to identify the state of existing resources and created main.tf from it. My existing rules are as follows:
PRIORITY ACTION SOURCE_RANGE DESCRIPTION
1000 DENY X.X.X.X/32
2147483647 ALLOW * The default action.
After adding the information of the new firewall rule in main.tf, the file looks as below:
# google_app_engine_firewall_rule.default:
resource "google_app_engine_firewall_rule" "default" {
  action       = "ALLOW"
  description  = "The default action."
  priority     = 2147483647
  project      = "<<project>>"
  source_range = "*"

  timeouts {}
}

# google_app_engine_firewall_rule.newrule:
resource "google_app_engine_firewall_rule" "newrule" {
  action       = "DENY"
  priority     = 1000
  project      = "<<project>>"
  source_range = "X.X.X.X/32"

  timeouts {}
}

resource "google_app_engine_firewall_rule" "newrule1" {
  action       = "DENY"
  priority     = 999
  project      = "<<project>>"
  source_range = "X.X.X.X/32"

  timeouts {}
}
terraform plan showed no error and terraform apply executed successfully. Validating with the gcloud command, it looks like the rule is added successfully: the first rule in the below output has priority 999.
$ gcloud app firewall-rules list
PRIORITY ACTION SOURCE_RANGE DESCRIPTION
999 DENY X.X.X.X/32
1000 DENY X.X.X.X/32
2147483647 ALLOW * The default action.
But when I check it from the front end using the GCP console, I cannot find the rule. It is still showing the old rules.
PRIORITY ACTION SOURCE_RANGE DESCRIPTION
1000 DENY X.X.X.X/32
2147483647 ALLOW * The default action.
Please clarify this behaviour.
Upvotes: 0
Views: 242
Reputation: 1534
The issue seems to be related to browser refresh. I was browsing between different menu items from the App Engine Dashboard thinking that it would refresh the firewall page too, but that is not the case. When I refreshed it from the browser, the new firewall rules are reflected.
Also, when I add a new firewall rule using the gcloud command as shown below, in order to get it reflected in the GUI console, I need to do a browser refresh:
gcloud app firewall-rules create 997 --action=allow --source-range=35.X.X.X/32
Maybe a refresh button in the GUI would be helpful.
Upvotes: 1
Reputation: 1872
When I applied your main.tf file in the Cloud Shell with terraform apply, it showed me the following error:
Error: Error creating FirewallRule: googleapi: Error 400: Cannot add rule at priority 2147483647. The priority for new rules must be less than the priority 2147483647 for the Default Action.
When I changed the priority to 147483646 it was successfully applied.
Upvotes: 1
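As an added example, not code from any of the posts above, the check below verifies an applied rule from the CLI listing rather than from the console, and enforces the priority ceiling reported in the last answer. The listing is a constructed copy of the `gcloud app firewall-rules list` output shown in the question, so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `gcloud app firewall-rules list` output (copied from the
# question). In practice pipe the live command's output into the functions instead.
SAMPLE_RULES='PRIORITY ACTION SOURCE_RANGE DESCRIPTION
999 DENY X.X.X.X/32
1000 DENY X.X.X.X/32
2147483647 ALLOW * The default action.'

# Priority of the App Engine default action. The API rejects new rules at or
# above this value (see the 400 error quoted in the last answer).
DEFAULT_PRIORITY=2147483647

# validate_priority PRIORITY
# Returns 0 only if PRIORITY is a positive integer strictly below the default action.
validate_priority() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
  esac
  [ "$1" -ge 1 ] && [ "$1" -lt "$DEFAULT_PRIORITY" ]
}

# rule_present LISTING PRIORITY ACTION SOURCE_RANGE
# Returns 0 if a row in LISTING (header skipped) matches all three fields exactly.
rule_present() {
  printf '%s\n' "$1" | awk -v p="$2" -v a="$3" -v s="$4" '
    NR > 1 && $1 == p && $2 == a && $3 == s { found = 1 }
    END { exit !found }'
}

# check_applied_rule LISTING PRIORITY ACTION SOURCE_RANGE
# 0: rule is present and its priority is valid; 2: priority would be rejected
# by the API; 1: priority is valid but the rule is not in the listing.
check_applied_rule() {
  validate_priority "$2" || return 2
  rule_present "$1" "$2" "$3" "$4" || return 1
}

# Usage against the constructed listing: the 999 rule from the question.
check_applied_rule "$SAMPLE_RULES" 999 DENY X.X.X.X/32 \
  && echo "rule 999 is applied and sits below the default action"
```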