
How to resolve ResourceErrorCode: 400 when deploying a firewall resource with Google Cloud Deployment Manager


I am trying to deploy a single firewall resource with Google Cloud Deployment Manager. I want the firewall to block just my own IP address from accessing my App Engine app that is already deployed at https://cloudfunctiongateway.uc.r.appspot.com/. However, I am getting an error:

  location: /deployments/firewall-deployment2/resources/app-firewall
  message: '{"ResourceType":"compute.v1.firewall","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"Request
    contains an invalid argument.","status":"INVALID_ARGUMENT","statusMessage":"Bad
    Request","requestPath":"https://compute.googleapis.com/compute/v1/projects/cloudfunctiongateway/global/firewalls","httpMethod":"POST"}}'

Here is my config file in firewall.yaml:

resources:
- type: compute.v1.firewall
  name: app-firewall
  properties:
    network: https://cloudfunctiongateway.uc.r.appspot.com/
    denied:
      - IPProtocol: 33.27.10.123 # a fake ip address, I use my real one
    sourceRanges: [ 0.0.0.0/0 ]

And I am running this command in the same directory:

gcloud deployment-manager deployments create firewall-deployment --config firewall.yaml

I have even tried to deploy with just this in my config file:

resources:
- type: compute.v1.firewall
  name: app-firewall

But I still get the same error message. Any way to fix this? Note I want to be able to do this with Deployment Manager. I already know I can manually set up a firewall from the App Engine Dashboard.


Solution

  • What you actually need is to create a firewall rule for the App Engine application, which is a different thing from the GCP Firewall - those are two different things.

    So - in order to do this try running this:

    resources:
    - name: dmapprule1
      type: gcp-types/appengine-v1:apps.firewall.ingressRules
      properties:
        appsId: 00c61b117c74f1a3bbcb4900df618a4c4ae211790ade0822a63cb492d671f318776a5a
        priority: 1000
        action: "DENY"
        source_range: "0.0.0.0/0"
    

    and run it with gcloud deployment-manager deployments create firewall-deployment --config firewall.yaml

    UPDATE

    To see a full list of supported types, use gcloud beta deployment-manager types list (the beta version's list is much more comprehensive).
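A pre-deployment check for the two resource types discussed above, added here as an example and not part of the original question or answer. It assumes the config has already been parsed into dicts; `lint_resource`, the finding messages and `APP_ID_PLACEHOLDER` are hypothetical, and the protocol list is the set of names Compute Engine documents for `IPProtocol`.

```python
import ipaddress

# Names Compute Engine accepts in IPProtocol (a protocol number also works).
COMPUTE_PROTOCOLS = {"tcp", "udp", "icmp", "esp", "ah", "sctp", "ipip", "all"}
APPENGINE_RULE = "gcp-types/appengine-v1:apps.firewall.ingressRules"

def _is_cidr(value):
    """True if value parses as an IPv4/IPv6 address or CIDR range."""
    try:
        ipaddress.ip_network(str(value), strict=False)
        return True
    except ValueError:
        return False

def lint_resource(res):
    """Return findings for one Deployment Manager resource (a parsed dict)."""
    findings = []
    props = res.get("properties") or {}
    if res.get("type") == "compute.v1.firewall":
        network = str(props.get("network", ""))
        if "appspot.com" in network:
            findings.append("network is an App Engine URL; use " + APPENGINE_RULE)
        elif network and "/networks/" not in network:
            findings.append("network is not a VPC network reference")
        rules = (props.get("allowed") or []) + (props.get("denied") or [])
        if not rules:
            findings.append("neither allowed nor denied is set")
        for rule in rules:
            proto = str(rule.get("IPProtocol", "")).lower()
            if proto not in COMPUTE_PROTOCOLS and not proto.isdigit():
                kind = "an IP address" if _is_cidr(proto) else "unrecognised"
                findings.append(f"IPProtocol {proto!r} is {kind}, not a protocol")
    elif res.get("type") == APPENGINE_RULE:
        # The page spells the key source_range; the Admin API field is sourceRange.
        rng = str(props.get("sourceRange", props.get("source_range", "")))
        if rng != "*" and not _is_cidr(rng):
            findings.append("source range is not an IP address or CIDR range")
        elif props.get("action") == "DENY" and (
                rng == "*" or ipaddress.ip_network(rng, strict=False).prefixlen == 0):
            findings.append("DENY matches every address, not a single client")
    return findings

# Constructed inputs mirroring the question's config and the intended rule.
QUESTION = {"type": "compute.v1.firewall", "name": "app-firewall", "properties": {
    "network": "https://cloudfunctiongateway.uc.r.appspot.com/",
    "denied": [{"IPProtocol": "33.27.10.123"}], "sourceRanges": ["0.0.0.0/0"]}}
SINGLE_IP = {"type": APPENGINE_RULE, "name": "dmapprule1", "properties": {
    "appsId": "APP_ID_PLACEHOLDER", "priority": 1000, "action": "DENY",
    "sourceRange": "33.27.10.123/32"}}
```

`lint_resource(QUESTION)` reports the App Engine URL in `network` and the IP address in `IPProtocol`, while `SINGLE_IP`, a rule scoped to the question's placeholder address, produces no findings.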