paultyng/terraform-provider-unifi

Cannot update firewall rule from AddressGroup to Address

Opened this issue · 0 comments

Modifying a firewall rule to use an address instead of an address group makes Unifi return the error `api.err.FirewallRuleCannotMixAddressWithAddressGroup`. Filling out all the possible src attributes still results in the same error.

Comparing the .tfstate of two firewall rules created in Unifi and then imported, one with an IP address and one with groups, shows that only src_address, src_firewall_group_ids, dst_address and dst_firewall_group_ids are meaningfully different, so I don't think I am missing an attribute that needs to be set. Setting the *group_ids to null also has no effect.

Creating the resource purely in Terraform and then modifying it also produces the same error.

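The Unifi provider seems to be missing an attribute for switching the type between group, address and network; the Unifi Controller has this option. The current workaround is to destroy the firewall rule and recreate it with the new type, or to just update it in Unifi. Both have a cost: between destroy and recreate the rule does not exist, so matching traffic is handled by whatever other rules apply, and a change made directly in Unifi leaves the Terraform configuration out of step with the controller until it is updated to match.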

r_firewall_rules.tf

resource "unifi_firewall_rule" "lan_in_allow_h_u" {
  # Identity and placement of the rule within the LAN_IN ruleset.
  name       = "Allow H to U"
  ruleset    = "LAN_IN"
  rule_index = 2004
  enabled    = true

  # Verdict: accept traffic of every protocol.
  action   = "accept"
  protocol = "all"

  # Connection states this rule matches (state_invalid is not set here).
  state_new         = true
  state_established = true
  state_related     = true

  # Source, expressed as a firewall group. The commented-out line is the
  # single-address form; changing an existing rule from the group form to
  # the address form is the update reported to fail with
  # api.err.FirewallRuleCannotMixAddressWithAddressGroup.
  src_firewall_group_ids = ["63882be747c2b02d711119bf"]
  #   src_address = "10.10.100.2"

  # Destination, with the same two alternatives as the source.
  dst_firewall_group_ids = ["61bc647a47c2b0311608c2e1"]
  #   dst_address = "192.164.1.14"
}

.tfstate

"attributes": {
  "action": "accept",
  "dst_address": "",
  "dst_address_ipv6": "",
  "dst_firewall_group_ids": [
    "61bc647a47c2b0311608c2e1"
  ],
  "dst_network_id": "",
  "dst_network_type": "NETv4",
  "dst_port": "",
  "enabled": true,
  "icmp_typename": "",
  "icmp_v6_typename": "",
  "id": "61bda84847c2b004be0d2d9c",
  "ip_sec": "",
  "logging": false,
  "name": "Allow H to U",
  "protocol": "all",
  "protocol_v6": "",
  "rule_index": 2004,
  "ruleset": "LAN_IN",
  "site": "default",
  "src_address": "",
  "src_address_ipv6": "",
  "src_firewall_group_ids": [
    "63882be747c2b02d711119bf"
  ],
  "src_mac": "",
  "src_network_id": "",
  "src_network_type": "NETv4",
  "src_port": "",
  "state_established": true,
  "state_invalid": false,
  "state_new": true,
  "state_related": true
},