Description
Creating a Terraform stack for an existing environment configuration. Cloud exported the current configuration, and I am trying to break an inline security rule up into a list of explicit security_policy_rule resources.
```hcl
rule {
  action      = "allow"
  description = "Stripe - WebNotifications"
  match {
    expr {
      expression = "origin.ip == '54.187.205.235' || \norigin.ip == '54.187.216.72'"
    }
  }
  priority = 220
}
```
has become
```hcl
resource "google_compute_security_policy_rule" "restrict_stripe_rule_3" {
  security_policy = google_compute_security_policy.restrict_stripe_notification.name
  description     = "Stripe - WebNotifications"
  action          = "allow"
  preview         = false
  #preconfigured_waf_config {}
  match {
    expr {
      expression = "origin.ip == '54.187.205.235' || \norigin.ip == '54.187.216.72'"
    }
  }
  priority = 220
}
```
These resources have been imported. Planning and a targeted apply produce the following result, even immediately after application. This is not limited to restrict_stripe_rule_3; it happens for all rules attached to the restrict_stripe_notification security policy.
```text
  ~ resource "google_compute_security_policy_rule" "restrict_stripe_rule_3" {
        id = "projects/[project ID]/global/securityPolicies/restrict-stripe-notification/priority/220"
        # (6 unchanged attributes hidden)
      ~ match {
            # (1 unchanged attribute hidden)
          - expr_options {
            }
            # (1 unchanged block hidden)
        }
    }
```
It's possible I'm mishandling it; if so, how should I be not defining (or removing) expr_options?
Terraform Version & Provider Version(s)
```text
Terraform v1.14.5
on
- provider registry.terraform.io/hashicorp/google v7.16.0
```
Affected Resource(s)
google_compute_security_policy
google_compute_security_policy_rule
Terraform Configuration
```hcl
resource "google_compute_security_policy" "restrict_stripe_notification" {
  advanced_options_config {
    json_parsing = "STANDARD"
    log_level    = "NORMAL"
  }
  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = false
    }
  }
  description = "Ensure receiving Stripe WebHook Notifications from API Gateway only"
  name        = "restrict-stripe-notification"
  project     = var.PROJECT_ID
  type        = "CLOUD_ARMOR"
}

resource "google_compute_security_policy_rule" "restrict_stripe_rule_3" {
  security_policy = google_compute_security_policy.restrict_stripe_notification.name
  description     = "Stripe - WebNotifications"
  action          = "allow"
  preview         = false
  #preconfigured_waf_config {}
  match {
    expr {
      expression = "origin.ip == '54.187.205.235' || \norigin.ip == '54.187.216.72'"
    }
  }
  priority = 220
}
```
Debug Output
```text
  # module.erp-billing-module.google_compute_security_policy_rule.restrict_stripe_rule_3 will be updated in-place
  ~ resource "google_compute_security_policy_rule" "restrict_stripe_rule_3" {
        id = "projects/PROJECT_ID/global/securityPolicies/restrict-stripe-notification/priority/220"
        # (6 unchanged attributes hidden)
      ~ match {
            # (1 unchanged attribute hidden)
          - expr_options {
            }
            # (1 unchanged block hidden)
        }
    }
```
Expected Behavior
It should not be removing an expr_option, or, having removed it, it should not want to remove it again.
Actual Behavior
Every time it applies, it wishes to make a change to remove the expr_option, even if no other changes are present and it was immediately run successfully previously.
Steps to reproduce
```shell
terraform apply
```
Important Factoids
No response
References
No response