civo/terraform-provider-civo

Missing `direction` in `civo_firewall_rule`'s state

zulh-civo opened this issue · 2 comments

zulh-civo commented

The API is giving null for firewall rule's direction field.

Screenshots:

Screenshot 2021-08-27 at 2 58 34 PM

Screenshot 2021-08-27 at 2 59 58 PM

Due to that, the direction state becomes empty. Example state file:

{
   "version":4,
   "terraform_version":"1.0.3",
   "serial":68,
   "lineage":"3ad22ac4-06de-aaeb-c6ea-fb1a3171e837",
   "outputs":{
      
   },
   "resources":[
      {
         "mode":"managed",
         "type":"civo_firewall_rule",
         "name":"http",
         "provider":"provider[\"registry.terraform.io/civo/civo\"]",
         "instances":[
            {
               "schema_version":0,
               "attributes":{
                  "cidr":[
                     ""
                  ],
                  "direction":"",
                  "end_port":"80",
                  "firewall_id":"35b1a10e-f8ff-4dca-9ca7-18bcefca21a0",
                  "id":"01fe67e3-6f09-44b1-8b3d-37f74b2f017b",
                  "label":"web-server",
                  "protocol":"tcp",
                  "region":null,
                  "start_port":"80"
               },
               "sensitive_attributes":[
                  
               ],
               "private":"bnVsbA==",
               "dependencies":[
                  "civo_firewall.my_custom_firewall",
                  "civo_network.my_custom_network"
               ]
            }
         ]
      }
   ]
}

Since we have ForceNew attribute for direction schema, a new firewall rule will always get created when we run terraform apply command — even we didn't change anything in the Terraform configuration file.

Example:

Screenshot 2021-08-27 at 3 15 43 PM

This happens because the current state is ("") and Terraform sees otherwise in our Terraform configuration file (e.g. ingress) and it thinks the direction field has changed and say "let's create a new one".

To fix:

Not much we can do here or in civogo. The change needs to be in Civo API. This issue was created just for tracking purpose so we can retest it again after the API is updated to correctly return direction value.

zulh-civo commented

The issue* was fixed by API team and I can see the correct direction from the API response now.

Screenshot 2021-09-03 at 1 25 44 PM

I will retest this again and report back here.

* Tracked internally at Civo (note for Civo staff: as at issue 17 in civo/api).

zulh-civo commented

The API is working as expected and no longer returning null. But when we create firewall and and provide empty string direction, the API will return an empty string ("") back to us.

$ curl --location --request POST 'https://api.civo.com/v2/firewalls/82b333f5-50e0-4dcf-8314-44f8ed2ea912/rules' \
--header 'Authorization: Bearer api-token' \
--form 'region="NYC1"' \
--form 'protocol="tcp"' \
--form 'start_port="80"' \
--form 'end_port="80"' \
--form 'cidr="0.0.0.0/0"' \
--form 'direction=""' \
--form 'label="http"'

{"id":"f4ab21a8-a32f-4bf1-addd-5c38d281e4bd","firewall_id":"82b333f5-50e0-4dcf-8314-44f8ed2ea912","protocol":"tcp","start_port":"80","cidr":["0.0.0.0/0"],"direction":"","label":"http"}

To ensure we not getting an empty string, I've created PR #91 above to check if direction is set in the configuration file or not. If it wasn't set, we will set it to ingress before hitting the create firewall rule endpoint.