Terraform-provider-google: Have firewall rule apply to all protocols, if specific protocol is omitted.

Created on 16 Nov 2017  ·  4 Comments  ·  Source: hashicorp/terraform-provider-google

Summary

There is no current way to specify all protocols in a single allow/deny block of a google_compute_firewall resource. This is possible using the Google Cloud firewall API, where if no protocol is specified then the rule applies to all protocols. If the equivalent is attempted using TF, by omitting the mandatory protocol from the allow/deny block, then an error is generated.

Terraform Version

Terraform v0.10.8

Affected Resource(s)

  • google_compute_firewall

Terraform Configuration Files

resource "google_compute_firewall" "default_deny_egress" {
  name    = "default-deny-egress"
  project = "${module.vpc_host_project.project_number}"
  network = "${google_compute_network.default.name}"
  description = "Default rule denies all egress traffic"

  deny {}

  direction = "EGRESS"
  destination_ranges = ["0.0.0.0/0"]
}

Debug Output

terraform apply

Error: google_compute_firewall.default_deny_egress: "deny.0.protocol": required field is not set

Expected Behavior

Based on TF documentation, the error is expected.

What Should Happen

Based on Google Cloud API, omitting the protocol from an allow/deny block should cause the rule to apply to all protocols.

Important Factoids

N/A

References

Google Firewall documentation (Protocols and Ports)
https://cloud.google.com/vpc/docs/firewalls#protocols_and_ports

The protocol can be specified as a well-known protocol string (tcp, udp, icmp, esp, ah, sctp) or as the IP protocol number. If no protocols are specified, the rule applies to all protocols.

All 4 comments

Hi,

Great news for you, we already support this ;)

You need to set the protocol field to "all" like this:

resource "google_compute_firewall" "my-firewall" {
  name = "my-firewall"
  network = "default"
  allow {
    protocol = "all"
  }
}
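
The reporter's default-deny-egress rule rewritten with the answer above, plus one higher-precedence allow so the deny does not cut off every outbound connection. This is an added example, not configuration from the issue or from the provider's documentation; the var.project_id variable, the CIDR, and the priority values are assumed (GCP evaluates lower priority numbers first, default 1000), and the "${...}" interpolation matches the Terraform 0.10 syntax used in the report.

```hcl
# Added example (not from the issue or the provider docs):
# the reporter's deny-all-egress rule with protocol = "all",
# plus an explicit egress exception evaluated before it.
# var.project_id and the CIDR/priority values are constructed.

resource "google_compute_firewall" "default_deny_egress" {
  name        = "default-deny-egress"
  project     = "${var.project_id}"                     # assumed variable
  network     = "${google_compute_network.default.name}"
  description = "Default rule denies all egress traffic"

  # "all" is the provider's spelling for the API's "no protocol given"
  deny {
    protocol = "all"
  }

  direction          = "EGRESS"
  destination_ranges = ["0.0.0.0/0"]
  priority           = 65534   # lowest precedence: matched only if no other rule does
}

resource "google_compute_firewall" "allow_egress_https" {
  name        = "allow-egress-https"
  project     = "${var.project_id}"                     # assumed variable
  network     = "${google_compute_network.default.name}"
  description = "Explicit egress exception evaluated before the default deny"

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  direction          = "EGRESS"
  destination_ranges = ["0.0.0.0/0"]
  priority           = 1000     # lower number wins over the 65534 deny
}
```

After `terraform plan`, the deny block should show `protocol: "all"` rather than the "required field is not set" error from the report; any further egress exceptions follow the same pattern with a priority below 65534.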

That is great news! Small note, may want to add this info to documentation.

Good point. I will update the docs

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
