[Bug]: Providers wants and fails to update firewall hcloud_server firewall_ids which are managed by labels

[hegerdes]

What happened?

I have a module which creates hetzner cloud vms. Users can pass labels, image, vm type and more.

If firewall rules are applied via label, but also via ids, Terraform wants to update and and remove the firewall ids set via label.

Error: firewall with ID 1335223 has been applied via label selector. (firewall_managed_by_label_selector)
  with module.node_groups["worker-node-amd64"].hcloud_server.this["0"],
  on .terraform\modules\node_groups\main.tf line 60, in resource "hcloud_server" "this":
  60: resource "hcloud_server" "this" {

What did you expect to happen?

The hcloud providers ignores all firewall ids that are managed by a label and only manages the firewall ids directly set via a list applied to the server property.

Please provide a minimal working example

module "node_groups" {
  source  = "hegerdes/hetzner-node-pool/hcloud"
  version = "0.1.2"

  name                 = "example"
  size                 = 1
  image                = "debian-12"
  location             = "fsn1"
  tags                 = {example=true}

}

resource "hcloud_firewall" "dynamic" {
  name = "example"
  apply_to {
    label_selector = "example"
  }

  rule {
    direction = "in"
    protocol  = "tcp"
    port      = "80-85"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }
}

[hegerdes]

I found a workaround for now:
Settling the firewall_ids in the hcloud server to null instead of an empty list will stop the provider from comparing the deployed state to the desired state.

But even with that fix it is not possible to set some firewalls via label (like a common one) and some via ids

[apricote]

Hey @hegerdes,

this is not easily possible with the current API, because the list of applied firewalls on the server does not specify if its directly attached or because of a label selector.

There are two alternatives:

• If you never want to update the firewalls directly on the server, you can use the argument ignore_remote_firewall_ids (or lifecycle ignore_changes = [firewall_ids]) to ignore any changes to the firewall list
• You can switch to using a central hcloud_firewall_attachment resource to add the firewall to all servers by ID. This takes a while to apply after the server is created, so you might want to combine it with the first suggestion to apply the firewall immediately in hcloud_server and then continue to manage it through hcloud_firewall_attachment after the server is started.

[hegerdes]

Thanks for the fast reply.
I kind of expected that this might not work but hoped it might since the error message included firewall_managed_by_label_selector. So I hoped that this info might be within the API response.

It is not a critical error but I still find the use case valid that that one firewall rule is applied to all servers via a label (like owner) with a default block-all rule. Users than can add additional rules as needed to theirs server by directly applying them.

If you agree with that I would be happy if you consider this use-case in future interations of the TF plugin or your API.

For now I default to null as value for the hcloud_firewall_attachment prob so terraform will not look at that value even if firewalls are applied via labels. I will add a note to my module that currently firewall rules can either be applied via labels or via the hcloud_firewall_attachment prob, but not both.

[github-actions]

This issue has been marked as stale because it has not had recent activity. The bot will close the issue if no further action occurs.