Bug: Error when creating FirewallPolicyAssociation with Names Containing '/' Character"

[renato-rudnicki]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.5.7
on Linux Ubuntu 22.04.4 LTS

• provider registry.terraform.io/hashicorp/google v6.13.0
• provider registry.terraform.io/hashicorp/google-beta v6.13.0

Affected Resource(s)

google_compute_firewall_policy_association

Terraform Configuration

resource "google_folder" "folder" {
  display_name = "my-folder1833"
  parent      = "folders/167265850349"
}

resource "google_compute_firewall_policy" "default" {
  parent      = "folders/167265850349"
  short_name  = "my-policy"
  description = "Example Resource"
}

resource "google_compute_firewall_policy_association" "default" {
  firewall_policy = google_compute_firewall_policy.default.id
  attachment_target = google_folder.folder.name
  name = "my-association/1234567"
}

Debug Output

https://gist.github.com/renato-rudnicki/8f0636f7bfd0ced0cd9b36c12cab145b

Expected Behavior

Association should be created as expected even if containing a slash in the name.

Actual Behavior

If association name contains a slash '/' , then terraform apply will return the following error:

│ Error: Error creating FirewallPolicyAssociation: googleapi: Error 404: googleapi: Error 400: Invalid value for field 'name': '1234567'. An association with that name does not exist., invalid
│
│ with google_compute_firewall_policy_association.default,
│ on association.tf line 13, in resource "google_compute_firewall_policy_association" "default":
│ 13: resource "google_compute_firewall_policy_association" "default" {
│

Steps to reproduce

1. terraform apply

Important Factoids

As workaround, using a replace fix the issue:

resource "google_compute_firewall_policy_association" "association" {
for_each = toset(var.associations)

name = replace("${local.policy_id}-${each.value}", "/", "-")
firewall_policy = google_compute_firewall_policy.policy.id
attachment_target = each.value
}

References

terraform-google-modules/terraform-example-foundation#1354

b/388132921

[ggtisc]

Confirmed issue!

The Google Cloud API specifies that the argument google_compute_firewall_policy_association.name is a string but it is detecting the usage of the / character as an association