Closed obriensystems closed 6 months ago
Triage older system for tf version
root_@cloudshell:~/cloudshell_open/pbmm-on-gcp-onboarding (cnpe-cnd-cndev-sbx)$ git diff
diff --git a/modules/cloudbuild/templates/cloudbuild-push-request.yaml b/modules/cloudbuild/templates/cloudbuild-push-request.yaml
index 3495bbe..acc0fbf 100644
--- a/modules/cloudbuild/templates/cloudbuild-push-request.yaml
+++ b/modules/cloudbuild/templates/cloudbuild-push-request.yaml
@@ -14,6 +14,19 @@ steps:
echo "*************************************************"
terraform init || exit 1
+- id: 'tf version'
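Review bot: the hunk header `@@ -14,6 +14,19 @@` announces 13 added lines, but only `+- id: 'tf version'` is visible here, so the new step's `name:` (builder image) and `args:` cannot be reviewed from this paste; please include the complete hunk, and make sure the version step runs in the same builder image as the `terraform init || exit 1` step directly above it, otherwise the version it reports is not the one that later runs plan/apply.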
results
https://console.cloud.google.com/cloud-build/builds;region=global/1ec94347-7cae-41f6-8d22-0d57878f2a08;step=1?project=cnpe-cnd-cndev-sbx&supportedpurview=project
Terraform v1.0.10 on linux_amd64
Your version of Terraform is out of date! The latest version is 1.3.7. You can update by downloading from https://www.terraform.io/downloads.html
Fix is only required for bootstrap (which runs outside the CB container, directly on the gcloud shell, which runs 1.3.7); for all other common/non-prod/prod we can continue to use terraform 1.0.10 and experimental optional attributes
working
Reran clean install - the TF check on 1.3.7 needs all experiments sections commented out to initially run in the shell; after that we can revert
Plan: 98 to add, 0 to change, 0 to destroy.
Changes to Outputs:
Saved the plan to: launchpad.2023-01-31.1501.plan
To perform exactly these actions, run the following command to apply: terraform apply "launchpad.2023-01-31.1501.plan" Please confirm that you have reviewed the plan and wish to apply it. Type 'yes' to proceed
delete existing org level services like
delete vpc sc
add IAM role https://cloud.google.com/access-context-manager/docs/manage-access-policy#delete
get ID from asset inventory under identity.AccessPolicy
Display name: tspevsc_tlsacm_vsc
Resource type: identity.accesscontextmanager.googleapis.com/AccessPolicy
Name: //accesscontextmanager.googleapis.com/accessPolicies/1021375921638
Organization: organizations/131880894992
Parent asset type: cloudresourcemanager.googleapis.com/Organization
Parent full resource name: //cloudresourcemanager.googleapis.com/organizations/131880894992
enable role, delete vpc sc
root_@cloudshell:~ (lz-tls)$ gcloud access-context-manager policies delete accessPolicies/1021375921638
You are about to delete policy [1021375921638]
Do you want to continue (Y/n)? y
API [accesscontextmanager.googleapis.com] not enabled on project [308673020059]. Would you like to enable and retry (this will take a few minutes)? (y/N)? y
Enabling service [accesscontextmanager.googleapis.com] on project [308673020059]...
Operation "operations/acat.p2-308673020059-bb01eee4-4f53-469f-987f-5179f0c8f6c6" finished successfully.
Deleted policy [1021375921638].
common ok
rerunning non-prod (2_folders is up now) prod ok
prod - need to rename project, as the deleted 30-day project is still up after the billing quota error earlier
Step #4 - "tf apply": │ Error: error creating project tzpe-tlz-tlzprod-host2 (TzPe-tlz-tlzprod-host2): googleapi: Error 409: Requested entity already exists, alreadyExists. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission
Step #4 - "tf apply": │
Step #4 - "tf apply": │ with module.net-host-prj.module.project.google_project.project,
Step #4 - "tf apply": │ on ../../modules/project/main.tf line 19, in resource "google_project" "project":
Step #4 - "tf apply": │ 19: resource "google_project" "project" {
fix
prod_host_net = {
  user_defined_string            = "tlzprod" # Must be globally unique. Used to create project name
  additional_user_defined_string = "host3"   # previously "host2"
}
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git status
On branch main
Changes not staged for commit:
(use "git add <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
modified: environments/prod/prod-network.auto.tfvars
no changes added to commit (use "git add" and/or "git commit -a")
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git add environments/
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git commit -m "new proj name for prod"
[main 6da67af] new proj name for prod
1 file changed, 1 insertion(+), 1 deletion(-)
root_@cloudshell:~/lz-tls/_lz2/pbmm-on-gcp-onboarding (lz-tls)$ git push csr main
prod ok
Don't use above until I update the dockerfile to Terraform 1.3.7 - above workaround breaks some IAM
peering hardcoded for now in deployment terraform.landing.systems : csr2
20240406: Closing issue during retrofit/rebase of this TEF V1 based/modified repo to TEF V4 standards. This issue may participate in the LZ refactor after rebase. Query on all issues related to the older V1 version via the tag https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/labels/2024-pre-tef-v4
20231014: see the 1.0-specific issue that needs a 1.5 upgrade as a first step: https://github.com/hashicorp/terraform-provider-google/issues/16217 and https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/264
We will need to look at upgrading from 1.0 to 1.5.7 or the new 1.6.0 https://releases.hashicorp.com/terraform/1.6.0/ as a first step in the https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding codebase
20230724: Some private forks of this repo are working around the 1.3.7 issue by downgrading the client. While this is an ok fix and allows the initial bootstrap.sh to proceed, it does not fix the underlying issue that the code is only 1.0.10 compliant. The full fix is to upgrade the tf files to terraform 1.5.x. This is in progress.
As part of working out perimeter/peering work in #220.
Reproduction: run any of the bootstrap, common, nprod, prod builds and you will fail on a currently built TF container. An older one from July 2022 will still work. Getting the last working terraform version - currently defaults to 1.0.10 in https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/modules/cloudbuild/cloudbuild_builder/Dockerfile#L20
see Fix https://github.com/hashicorp/terraform/issues/31692 and https://github.com/hashicorp/terraform/issues/31355 first
In prep of the Terraform 1.4.0 release - on 5 Jan 2023 TF 1.3.7 introduced the breaking change on experimental use of optional(). This only breaks our bootstrap step in the PBMM LZ V1 LZ and the GR. The fix is to remove the experimental declaration for bootstrap so we can run in gcloud/shell again. For the gitops cloud build jobs - I'll keep these hardcoded to TF 1.0.10 for now until I refactor the defaults - so CB jobs are unaffected.
Fix terraform version in the GitOps docker container
ARG TERRAFORM_VERSION=1.0.10
all terraform.tf
on new install to terraform.landing.systems
on existing install on cloudnuage.dev (last update was Nov 2023)
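To make the 1.3.7 break on the experimental optional() attributes concrete, here is an added illustration (not code from this repo or from HashiCorp): the two shapes of `terraform.tf` plus `variables.tf`, shown one after the other as alternative versions of the same files, not as one file. The variable and attribute names are borrowed from the tfvars snippet above; the `"host"` default is assumed for illustration.

```hcl
# BEFORE: the shape the pinned Terraform 1.0.10 container loads today.
# optional() only exists while the experiment is switched on.
terraform {
  required_version = ">= 1.0.10"
  experiments      = [module_variable_optional_attrs]
}

variable "prod_host_net" {
  type = object({
    user_defined_string            = string
    additional_user_defined_string = optional(string) # null when the tfvars omit it
  })
}

# Terraform 1.3.x refuses to load the block above with "Error: Experiment has
# concluded", so bootstrap on the 1.3.7 gcloud shell fails before plan. Commenting
# out the experiments line is the minimal bootstrap-only workaround.

# AFTER: the same two files for Terraform >= 1.3.0. The experiments line is gone;
# optional() is generally available and may now carry a default value.
terraform {
  required_version = ">= 1.3.0"
}

variable "prod_host_net" {
  type = object({
    user_defined_string            = string
    additional_user_defined_string = optional(string, "host") # default assumed for illustration
  })
}

# Neither shape loads on both versions: 1.3.x rejects the experiments line, and
# 1.0.10 rejects optional() without the experiment (and the two-argument form).
# A repo that must bootstrap on 1.3.7 and build on the 1.0.10 container therefore
# has to settle on one Terraform version for both, which is the Dockerfile upgrade.
```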