ACL Header rule for loadbalancer frontend

[rchallie]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Hi ! I tried to create an ACL rule to deny access to an host using the Host header.
Like I didn't found the http_filter value for the header I created it manually on the Dashboard and I refreshed my terraform state to get it.
Here the part of my teraform state that I got:

{
  "action": [
    {
      "type": "deny"
    }
  ],
  "match": [
    {
      "http_filter": "http_header_match",
      # Missing something like: http_filter_header_name
      "http_filter_value": [
        "nice.domain"
      ],
      "invert": false,
      "ip_subnet": [
        "XX.XX.XXX.XX"
      ]
    }
  ],
  "name": "Deny access to Host by IP"
}

First thing, the header name Host doesn't appear.
Second, when I do a terraform plan, it want to destroy my ACL rule created manually.

I tried to recreate it using terraform configuration and got:

Error: expected acl.0.match.0.http_filter to be one of [acl_http_filter_none path_begin path_end regex], got http_header_match

New or Affected Resource(s)

• scaleway_lb_frontend -> acl

Can it be interresting to add the posibility to use the http_filter value http_header_match ?

[remyleone]

Hello, can you share a minimal snippet of code that reproduces the problem that you experience? Have you tried creating a frontend from scratch with the header matching rule you mention?

https://registry.terraform.io/providers/scaleway/scaleway/latest/docs/resources/lb_frontend#with-acls

[rchallie]

Hi, I didn't code anything for this because the http_filter for header (http_header_match) is not mentioned somewhere in the documentation, it only mention:
Possible values are: acl_http_filter_none, path_begin, path_end or regex.
So I create the resource on the dashboard and import it on my terraform state to know the filter name.
But here is the output of my terraform when I plan:

  # scaleway_lb_frontend.lb_frontends["frontend_https"] will be updated in-place
  ~ resource "scaleway_lb_frontend" "lb_frontends" {
        id             = "fr-par-1/xxxxx-xxx..."
        name           = "frontend_https"
        # (4 unchanged attributes hidden)

      - acl {
          - name = "Name" -> null

          - action {
              - type = "deny" -> null
            }

          - match {
              - http_filter       = "http_header_match" -> null
              - http_filter_value = [
                  - "my.domain.com",
                ] -> null
              - invert            = false -> null
              - ip_subnet         = [
                  - "XX.XX.XXX.XX",
                ] -> null
            }
        }
        # (1 unchanged block hidden)
    }

I was just suprised that neither the terraform state nor the output mention the header name (in my case Host) .
I will go back with a snippet of code.

[remyleone]

I'm working on adding support for this option. Once it is ready, I will notify you so that you can give feedback if you want it :)

[rchallie]

Nice job & thank you ! I will try it with joy