From 73cd815bfb04007d8d0ae1aea0841bf0d56d9eb9 Mon Sep 17 00:00:00 2001
From: Aleksander Zaruczewski
Date: Thu, 7 Mar 2024 19:04:52 +0200
Subject: [PATCH] chore(userconfig/converters): improve ip_filter safeguard
---
 CHANGELOG.md | 3 +++
 .../sdkprovider/userconfig/converters/converters.go | 12 ++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee643ae8e..de4b8cb3c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,9 @@ nav_order: 1
 - Add `external_aws_cloudwatch_logs`, `external_elasticsearch_logs_user_config`, `external_opensearch_logs_user_config`, `prometheus_user_config` service integration configs
 - Fix `aiven_kafka_schema` Protobuf normalization
+- Add `AIVEN_ALLOW_IP_FILTER_PURGE` environment variable to allow purging of IP filters. This is a safety feature to
+ prevent accidental purging of IP filters, which can lead to loss of access to services. To enable purging, set the
+ environment variable to any value before running Terraform commands.
 ## [4.14.0] - 2024-02-20
diff --git a/internal/sdkprovider/userconfig/converters/converters.go b/internal/sdkprovider/userconfig/converters/converters.go
index c32e1d36f..9bf5786c7 100644
--- a/internal/sdkprovider/userconfig/converters/converters.go
+++ b/internal/sdkprovider/userconfig/converters/converters.go
@@ -50,10 +50,14 @@ func Expand(kind string, s *schema.Schema, d *schema.ResourceData) (map[string]a
 renameAliases(dto)
- if v, ok := dto["ip_filter"]; ok {
- list, ok := v.([]any)
- if ok && len(list) == 0 && os.Getenv("AIVEN_FORCE_IP_FILTER_PURGE") != "1" {
- return nil, fmt.Errorf("ip_filter list will be purged. If this is not expected, then please create an issue on GitHub. Otherwise provide AIVEN_FORCE_IP_FILTER_PURGE=1")
+ // TODO: Move to a validation part of the schema.
+ if v, ok := dto["ip_filter"].([]any); ok && len(v) == 0 {
+ if _, ok := os.LookupEnv("AIVEN_ALLOW_IP_FILTER_PURGE"); ok {
+ return nil, fmt.Errorf(
+ "ip_filter list is empty, but AIVEN_ALLOW_IP_FILTER_PURGE is not set. Please set " +
+ "AIVEN_ALLOW_IP_FILTER_PURGE to confirm that you want to remove all IP filters, which is going " +
+ "to block all traffic to the service",
+ )
 }
 }
 return dto, nil
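Review bot: The new guard in Expand is inverted: `if _, ok := os.LookupEnv("AIVEN_ALLOW_IP_FILTER_PURGE"); ok {` returns the "is not set" error exactly when the variable is set, and lets an empty `ip_filter` list through when it is absent. As written the safeguard is therefore off by default, which is the opposite of what the error text and the changelog entry describe; the condition should be `if _, ok := os.LookupEnv("AIVEN_ALLOW_IP_FILTER_PURGE"); !ok {`. A table test on Expand with an empty `ip_filter` list, run once with the variable set and once unset, would catch a regression here. Expand's body starts above the hunk, so only the guard itself was reviewed.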