Skip to content

Invalid value for field 'resource.rateLimitOptions.enforceOnKeyName' when field is not set #13804

New issue
New issue
Closed
Closed
Invalid value for field 'resource.rateLimitOptions.enforceOnKeyName' when field is not set#13804
#13993 (+3)
Assignees
ScottSuarez
Labels
bugforward/reviewIn review; remove label to forwardservice/compute-security-policy
@bfrunza

Description

@bfrunza
bfrunza
opened on Feb 22, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.3.9
on darwin_arm64

  • provider registry.terraform.io/hashicorp/google v4.53.1
  • provider registry.terraform.io/hashicorp/google-beta v4.53.1

Affected Resource(s)

google_compute_security_policy

Terraform Configuration Files

* the version of the config before the change

resource "google_compute_security_policy" "policy" {
  name = "bfrunza-test"
  rule {
    action   = "rate_based_ban"
    preview  = true
    priority = 10502

    match {
      expr {
        expression = "request.path.matches('/svc/api3/v3')"
      }
    }

    rate_limit_options {
      ban_duration_sec    = 60
      conform_action      = "allow"
      enforce_on_key      = "HTTP_HEADER"
      enforce_on_key_name = "authorization"
      exceed_action       = "deny(429)"

      rate_limit_threshold {
        count        = 200
        interval_sec = 60
      }
    }
  }
  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }
}

* the version of the config after the change.

resource "google_compute_security_policy" "policy" {
  name = "bfrunza-test"
  rule {
    action   = "rate_based_ban"
    preview  = true
    priority = 10502

    match {
      expr {
        expression = "request.path.matches('/svc/api3/v3')"
      }
    }

    rate_limit_options {
      ban_duration_sec = 60
      conform_action   = "allow"
      enforce_on_key   = "IP"
      exceed_action    = "deny(429)"

      rate_limit_threshold {
        count        = 200
        interval_sec = 60
      }
    }
  }
  rule {
    action   = "allow"
    priority = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
    description = "default rule"
  }
}

Debug Output

2023-02-22T10:36:35.707+0200 [INFO] provider.terraform-provider-google_v4.53.1_x5: 2023/02/22 10:36:35 [DEBUG] Google API Request Details:
---[ REQUEST ]---------------------------------------
POST /compute/v1/projects/float-sandbox/global/securityPolicies/bfrunza-test/patchRule?alt=json&prettyPrint=false&priority=10502 HTTP/1.1
Host: compute.googleapis.com
User-Agent: google-api-go-client/0.5 Terraform/1.3.9 (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-google/4.53.1
Content-Length: 330
Content-Type: application/json
X-Goog-Api-Client: gl-go/1.18.1 gdcl/0.105.0
Accept-Encoding: gzip

{
"action": "rate_based_ban",
"description": "",
"headerAction": {},
"match": {
"expr": {
"expression": "request.path.matches('/svc/api3/v3')"
}
},
"preview": true,
"priority": 10502,
"rateLimitOptions": {
"banDurationSec": 60,
"conformAction": "allow",
"enforceOnKey": "IP",
"exceedAction": "deny(429)",
"rateLimitThreshold": {
"count": 200,
"intervalSec": 60
}
}
}

-----------------------------------------------------: timestamp=2023-02-22T10:36:35.706+0200
2023-02-22T10:36:36.474+0200 [INFO] provider.terraform-provider-google_v4.53.1_x5: 2023/02/22 10:36:36 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Wed, 22 Feb 2023 08:36:36 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
"error": {
"code": 400,
"message": "Invalid value for field 'resource.rateLimitOptions.enforceOnKeyName': ''. Enforce on key name cannot be set when the key type is IP.",
"errors": [
{
"message": "Invalid value for field 'resource.rateLimitOptions.enforceOnKeyName': ''. Enforce on key name cannot be set when the key type is IP.",
"domain": "global",
"reason": "invalid"
}
]
}
}

Expected Behavior

The terraform apply command should run successfully

Actual Behavior

The terraform apply command fails with an error

Steps to Reproduce

  1. run terraform apply using the configuration before the change
  2. run terraform apply using the configuration after the change

Metadata

Metadata

Assignees

Labels

bugforward/reviewIn review; remove label to forwardservice/compute-security-policy

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions