google_compute_security_policy layer_7_ddos_defense_config forcing rule_visibility even though it's optional

[paololazzari]

Terraform Version

Terraform v1.7.2
on darwin_arm64

• provider registry.terraform.io/hashicorp/google v5.25.0

Affected Resource(s)

google_compute_security_policy

Terraform Configuration

resource "google_compute_security_policy" "policy" {
  name        = var.policy_name
  description = var.policy_description
  type        = "CLOUD_ARMOR"
  project     = var.project

  adaptive_protection_config {
    layer_7_ddos_defense_config {
      enable = true
    }
  }
}

Expected Behavior

terraform plan should not update the resource as there are no changes

Actual Behavior

I have imported an existing security policy. When I run terraform plan, I can see that terraform wants to add a rule_visibility field even though it's optional according to the documentation:

$ terraform plan
...
      ~ adaptive_protection_config {
          ~ layer_7_ddos_defense_config {
              + rule_visibility = "STANDARD"
                # (1 unchanged attribute hidden)
            }
        }
...
Plan: 0 to add, 1 to change, 0 to destroy.

[ggtisc]

Hi @paololazzari!

This ticket was replicated successfully with the provided configuration, versions and specifications, but after importing the resource and executing the terraform plan the terminal message was:

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

If you are importing a resource in your terraform files I suggest you to follow the next steps:

1. In your terraform configuration 'main.tf' write only this:
   resource "google_compute_security_policy" "policy" {}

2. If the value of var.policy_name is my-policy in your terminal run terraform import google_compute_security_policy.policy my-policy

3. Finally check your terraform.tfstate file and copy the imported values to your resource resource "google_compute_security_policy" "policy" {}. If you have everything as you shared then you will not find differences. But if you change something then the terraform plan will detect it.

If you continue having problems after this share your terraform.tfstatefile and the value of your var.policy_name

[paololazzari]

@ggtisc can you confirm that when you attempted to reproduce this the resource did not have the rule_visibility field defined?

[ggtisc]

As was mentioned in the above steps the unique initial code (step 1) was resource "google_compute_security_policy" "policy" {}

[paololazzari]

Finally check your terraform.tfstate file and copy the imported values to your resource resource "google_compute_security_policy" "policy" {}. If you have everything as you shared then you will not find differences.

You misunderstood what this ticket is about. Of course if I copy the imported values to the resource no differences will be found. The problem here is that having imported an identical object, terraform still wants to apply a change when it shouldn't.

[ggtisc]

Yes, and as it was explained in the 1st message with a correct import of the resource the message in terminal was:

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.