GoogleCloudPlatform / k8s-config-connector

GCP Config Connector, a Kubernetes add-on for managing GCP resources
https://cloud.google.com/config-connector/docs/overview
Apache License 2.0

Is it possible to prevent acquiring GCP resources created without using config connector? #767

Open shin04 opened 1 year ago

shin04 commented 1 year ago

Describe your question

Hi, I want to prevent acquiring existing resources.

Normally, if a GCP resource already exists with the same name, config connector acquires the resource information and place it under management. But in my project, there are GCP resources that are not managed by config connector, and I want to avoid rewriting resources by using the same name. Does this happen? And can I prevent this?

I'm sorry if this is in the documentation.

diviner524 commented 1 year ago

@shin04 Could you clarify on below?

I want to avoid rewriting resources by using the same name.

Are you trying to create a different GCP resource than the existing one, even though you are using the same name? If so, you can try specifying the resourceID field with a different name, so a separate new GCP resource will be created.

https://cloud.google.com/config-connector/docs/how-to/managing-resources-with-resource-ids

Are you trying to acquire the same GCP resource but want to avoid any updates to this existing resource? If so you need to make sure the spec (your resource YAML) does not contain different values compared with the actual resource. Usually when acquiring you can try providing just the required fields and making sure the values are consistent with existing resource, this should avoid possible updates because there won't be detected diffs.

shin04 commented 1 year ago

@diviner524 Thank you for your reply.

Sorry for my lack of explanation. Ideally, a GCP resource cannot be created if a resource with the same name already exists on Google Cloud. We want to prevent accidents caused by existing resources on Google Cloud being unexpectedly placed under the management of config connector. For example, when we try to create an ArtifactRegistryRepository named foo using config connector and there is a repository with the same name on Google Cloud, we would be happy if an error like "already exists" is returned. Even if a resource with the same name exists, if the immutable settings are different, the resource will not be created correctly, which is not perfect.

diviner524 commented 1 year ago

@shin04 I see. We don't have the exact same feature today, as Config Connector is designed to acquire GCP resources if they exist.

Have you considered creating your own custom IAM role and assigning it to the corresponding GCP service account that Config Connector impersonates?

For example, you can create a role that only allows artifactregistry.repositories.create but disallows artifactregistry.repositories.update; this might prevent Config Connector from acquiring and updating an existing GCP resource. But the downside is that your Config Connector controller will not be able to reconcile and correct any drift for other resources, because that requires update permission.

https://cloud.google.com/iam/docs/understanding-roles#artifact-registry-roles

BenCoughlan15 commented 5 months ago

Hey, we're in the same position as @shin04, i.e. we import existing resources that were originally created in Terraform.

Because they were created a long time ago, it isn't possible to make the naming conventions match the k8s resource naming convention.

So we import the pubsub topic ben_ten_1988; to do this, we need to use the resourceID field.

Later, a developer copies the config, changes the name, but forgets to change the resourceID; thus, the item is now managed in two places.

Is there a way to avoid conflicts based on the spec.resourceID field?

diviner524 commented 4 months ago

@BenCoughlan15 You can try the feature below:

https://cloud.google.com/config-connector/docs/concepts/managing-conflicts
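The conflict-management feature linked above is the runtime safeguard; the copy-and-forget mistake described in the thread can also be caught before anything is applied. The following pre-apply check is an added example, not code from the project or from anyone in this thread: it resolves each manifest's effective GCP name (spec.resourceID when set, otherwise metadata.name) and reports manifests of the same kind in the same namespace that would end up managing one GCP resource. The manifests are constructed inline as dicts (in practice they would come from yaml.safe_load_all over a repo), and namespace-to-project mapping is assumed to be one-to-one.

```python
from collections import defaultdict

# Constructed sample manifests, in the shape yaml.safe_load_all returns.
# The second and third both resolve to the Pub/Sub topic ben_ten_1988:
# the copy kept the original spec.resourceID by mistake.
MANIFESTS = [
    {"apiVersion": "pubsub.cnrm.cloud.google.com/v1beta1", "kind": "PubSubTopic",
     "metadata": {"name": "orders-topic", "namespace": "team-a"},
     "spec": {}},
    {"apiVersion": "pubsub.cnrm.cloud.google.com/v1beta1", "kind": "PubSubTopic",
     "metadata": {"name": "ben-ten-1988", "namespace": "team-a"},
     "spec": {"resourceID": "ben_ten_1988"}},
    {"apiVersion": "pubsub.cnrm.cloud.google.com/v1beta1", "kind": "PubSubTopic",
     "metadata": {"name": "ben-ten-1988-copy", "namespace": "team-a"},
     "spec": {"resourceID": "ben_ten_1988"}},
    # Same resourceID in another namespace (assumed to map to a different
    # project), so this one is not reported.
    {"apiVersion": "pubsub.cnrm.cloud.google.com/v1beta1", "kind": "PubSubTopic",
     "metadata": {"name": "ben-ten-1988", "namespace": "team-b"},
     "spec": {"resourceID": "ben_ten_1988"}},
]


def effective_gcp_name(manifest: dict) -> str:
    """Config Connector names the GCP resource after spec.resourceID when it
    is set and after metadata.name otherwise."""
    spec = manifest.get("spec") or {}
    return spec.get("resourceID") or manifest["metadata"]["name"]


def find_resource_id_conflicts(manifests: list[dict]) -> dict[tuple, list[str]]:
    """Group manifests by (kind, namespace, effective GCP name) and return the
    groups with more than one member: each such group is a single GCP resource
    that two Kubernetes objects would both try to manage."""
    groups: dict[tuple, list[str]] = defaultdict(list)
    for m in manifests:
        key = (m["kind"], m["metadata"].get("namespace", "default"), effective_gcp_name(m))
        groups[key].append(m["metadata"]["name"])
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for (kind, ns, gcp_name), names in find_resource_id_conflicts(MANIFESTS).items():
        print(f"{kind} {gcp_name!r} in namespace {ns} is claimed by: {', '.join(names)}")
```

Run it as a CI step over the rendered manifests and fail the pipeline when the returned dict is non-empty.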