Problem to associate a Firewall to a VPC Subnet #1590

d0schuma · 2022-01-06T08:53:47Z

d0schuma
Jan 6, 2022

Hello,

I am trying to associate a successfully created firewall included rules with a VPC subnet. However, it fails or the documentation is unfortunately somewhat unclear. Can you help me, please? What is the problem here?

I get the following error message when I try to add the firewall via ports = formatlist("%s", opentelekomcloud_networking_port_v2.ports[*].id) inside of the resource "opentelekomcloud_fw_firewall_group_v2" "firewall_group_1" {}:

Error: Expected HTTP response code [200] when accessing [PUT https://vpc.eu-de.otc.t-systems.com/v2.0/fwaas/firewall_groups/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx], but got 409 instead`
{"NeutronError": {"message": "Firewall Group Port xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx is invalid", "type": "FirewallGroupPortInvalid", "detail": ""}}

   with opentelekomcloud_fw_firewall_group_v2.firewall_group_1,
   on firewall.tf line 18, in resource "opentelekomcloud_fw_firewall_group_v2" "firewall_group_1":
   18: resource "opentelekomcloud_fw_firewall_group_v2" "firewall_group_1" {

The following are the necessary .tf files:

networks.tf

resource "opentelekomcloud_networking_network_v2" "network" {
  name           = "${var.project}-network"
  admin_state_up = "true"
}

resource "opentelekomcloud_networking_subnet_v2" "subnet" {
  name       = "${var.project}-vault-subnet"
  network_id = "${opentelekomcloud_networking_network_v2.network.id}"
  cidr       = "10.0.0.0/8"
  ip_version = 4
  dns_nameservers = ["8.8.8.8"]
}

resource "opentelekomcloud_networking_port_v2" "interfaces" {
  count               = "${var.ecs_count}"
  name                = "${var.environment}-${var.project}-interface-0${count.index + 1}"
  network_id          = "${opentelekomcloud_networking_network_v2.network.id}"
  admin_state_up      = "true"

  fixed_ip {
    subnet_id  = "${opentelekomcloud_networking_subnet_v2.subnet.id}"
    ip_address = "10.0.10.5${count.index + 1}"
  }
}

routers.tf

resource "opentelekomcloud_networking_router_v2" "router" {
  name              = "${var.project}-router"
  admin_state_up    = "true"
}

resource "opentelekomcloud_networking_router_interface_v2" "router_interface" {
  router_id = "${opentelekomcloud_networking_router_v2.router.id}"
  subnet_id = "${opentelekomcloud_networking_subnet_v2.subnet.id}"
}

firewall.tf

resource "opentelekomcloud_fw_rule_v2" "fw_rule" {
  count                     = "${var.ecs_count}"   
  name                      = "${var.environment}-${var.project}-rule-0${count.index + 1}"
  description               = "SSH connection"
  action                    = "allow"
  protocol                  = "tcp"
  destination_ip_address    = "10.0.10.5${count.index + 1}"
  destination_port          = "22"
  enabled                   = "true"
}

resource "opentelekomcloud_fw_policy_v2" "ingress_policy" {
  name          = "fw-policy"
  rules         = formatlist("%s", opentelekomcloud_fw_rule_v2.fw_rule[*].id)
  depends_on    = [ opentelekomcloud_fw_rule_v2.fw_rule ]
}

resource "opentelekomcloud_fw_firewall_group_v2" "firewall_group_1" {
  name              = "my-firewall-group"
  ports             = formatlist("%s", opentelekomcloud_networking_port_v2.interfaces[*].id)
  ingress_policy_id = opentelekomcloud_fw_policy_v2.ingress_policy.id
}

lego963 · 2022-01-10T08:47:09Z

lego963
Jan 10, 2022

@d0schuma
Hi,
You can create a firewall group for a network, not for a custom port. So, you need to specify network's system port where device_owner=network:router_interface_distributed.
We will update doc. Thanks :)

Can you try this fw config?

resource "opentelekomcloud_fw_rule_v2" "fw_rule" {
  count                  = var.ecs_count
  name                   = "${var.environment}-${var.project}-rule-0${count.index + 1}"
  description            = "SSH connection"
  action                 = "allow"
  protocol               = "tcp"
  destination_ip_address = "10.0.10.5${count.index + 1}"
  destination_port       = "22"
  enabled                = "true"
}

resource "opentelekomcloud_fw_policy_v2" "ingress_policy" {
  name  = "fw-policy"
  rules = formatlist("%s", opentelekomcloud_fw_rule_v2.fw_rule[*].id)
}

data "opentelekomcloud_networking_port_v2" "fw_port" {
  network_id   = opentelekomcloud_networking_network_v2.network.id
  device_owner = "network:router_interface_distributed"

  depends_on = [
    opentelekomcloud_networking_router_interface_v2.router_interface
  ]
}

resource "opentelekomcloud_fw_firewall_group_v2" "firewall_group_1" {
  name              = "my-firewall-group"
  ports             = [data.opentelekomcloud_networking_port_v2.fw_port.id]
  ingress_policy_id = opentelekomcloud_fw_policy_v2.ingress_policy.id
}

1 reply

d0schuma Jan 10, 2022
Author

@lego963
thanks, that works :)

rramge · 2022-06-23T06:58:59Z

rramge
Jun 23, 2022

I had the same problem and now I have a follow-up question concerning the data source "opentelekomcloud_networking_port_v2".

Question: Can you giv e me a working example how filtering fixed_ips would look like in practice? The documentation only states it supports an argument "fixed_ip" with the description "(Optional) The port IP address filter.", but I can not find an info on how such a filter needs to be defined. Simply passing the corresponding IP does not work for me.

I have the following port resource with three fixed_ip blocks (output of terraform state show):

# module.testnetwork.opentelekomcloud_networking_port_v2.this:
resource "opentelekomcloud_networking_port_v2" "this" {
    admin_state_up        = true
    all_fixed_ips         = [
        "172.23.35.3",
        "172.23.34.3",
        "172.23.33.3",
    ]
    id                    = "d9be961b-47c1-45bb-93ac-a4d0d0f5a31e"
    mac_address           = "fa:16:3e:b1:d0:cf"
    network_id            = "82054e51-e941-4ad2-9055-bbb72c2600d3"
    port_security_enabled = true
    region                = "eu-de"
    security_group_ids    = [
        "c48df6cc-6ed1-45ee-8676-5e04dca38acc",
    ]
    tenant_id             = "c7b5384e487149d696b7cfc420589afe"

    fixed_ip {
        ip_address = "172.23.34.3"
        subnet_id  = "282765ba-c0f2-4c4e-aa43-306f06fca068"
    }
    fixed_ip {
        ip_address = "172.23.35.3"
        subnet_id  = "1dbc594b-80af-4a78-8d7d-86bc26d287ef"
    }
    fixed_ip {
        ip_address = "172.23.33.3"
        subnet_id  = "54ef48fa-80fb-452e-8e55-01c10365b5ec"
    }
}

And the datasource from your example above:

data "opentelekomcloud_networking_port_v2" "fw_port" {
  network_id   = opentelekomcloud_networking_network_v2.network.id
  device_owner = "network:router_interface_distributed"

  depends_on = [
    opentelekomcloud_networking_router_interface_v2.router_interface
  ]
}

This will lead to a datasource error message that it found three ports. Well, congrats Sherlock, I would have expected the data source to return a map here, but okay, I can live with this. Because the documentation states it supports filtering for fixed_ips.

Let's create a for_each loop which iterates over the fixed_ip blocks:

data "opentelekomcloud_networking_port_v2" "this" {
  depends_on = [ opentelekomcloud_networking_router_interface_v2.this ]
  for_each = var.network_port_fixed_ip != null ? var.network_port_fixed_ip : {}
  
  network_id = opentelekomcloud_networking_network_v2.this.id
  device_owner = "network:router_interface_distributed"
  #fixed_ip = each.value["ip_address"]
}

But I have no luck here. I tried several things, even AWS-style filter{} blocks and other things, and even when I hardcode the IP "10.0.10.51" in your otherwise working example, I always get the error "Error: no opentelekomcloud_networking_port_v2 found".

So, can you give me an example how to use the fixed_ip argument correctly?

Thanks,

Ralf

2 replies

vladimirvshivkov Jun 27, 2022
Maintainer

created an issue, will check

rramge Jun 27, 2022

There's been a rather susprising API change on Friday afternoon and basically everything went FUBAR. I can't create a port with more than 1 fixed_ip now (although it still worked when I tried via the web console), destroying subnets leads into "internal server error" and requires up to six retries until a "terraform destroy" runs through, I get error messages that subnets are in use by VMs and LBs even though none are deployed, and so on... everything related to network ports behaves quite irrationally in my tenancy at the moment.

Long story short, not sure if you can find out anything useful at the moment. I am still trying to find workarounds.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Problem to associate a Firewall to a VPC Subnet #1590

{{title}}

Replies: 2 comments 3 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Problem to associate a Firewall to a VPC Subnet #1590

d0schuma Jan 6, 2022

Replies: 2 comments · 3 replies

lego963 Jan 10, 2022

d0schuma Jan 10, 2022 Author

rramge Jun 23, 2022

vladimirvshivkov Jun 27, 2022 Maintainer

rramge Jun 27, 2022

d0schuma
Jan 6, 2022

Replies: 2 comments 3 replies

lego963
Jan 10, 2022

d0schuma Jan 10, 2022
Author

rramge
Jun 23, 2022

vladimirvshivkov Jun 27, 2022
Maintainer