GoogleCloudPlatform / pbmm-on-gcp-onboarding

GCP Canadian Public Sector Landing Zone overlay on top of the TEF via CFT modules - a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

3-networks-hub-and-spoke - terraform re apply causes hierarchical firewall policy rule display name collision - either delete or rename attribute - not idempotent #380

Open obriensystems opened 2 months ago

obriensystems commented 2 months ago

After #379

This is why the clause is stated "only once": because it is not idempotent. "You must manually plan and apply the shared environment (only once) since the development, non-production and production environments depend on it."

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/gh360-day0-deploy-example/3-networks-hub-and-spoke/README.md

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf#L21

```hcl
# envs/shared/hierarchical_firewall.tf, line 21 (linked above)
  name   = "common-firewall-rules"
```

```text
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ ./tf-wrapper.sh apply shared
*************** TERRAFORM APPLY *******************
      At environment: envs/shared 
***************************************************
module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy: Creating...
module.restricted_shared_vpc.module.access_level_members.google_access_context_manager_access_level.access_level: Creating...
module.restricted_shared_vpc.module.access_level_members.google_access_context_manager_access_level.access_level: Creation complete after 1s [id=accessPolicies/807865857747/accessLevels/alp_c_shared_restricted_members_67f1]
module.restricted_shared_vpc.module.regular_service_perimeter.google_access_context_manager_service_perimeter.regular_service_perimeter: Creating...
module.restricted_shared_vpc.module.regular_service_perimeter.google_access_context_manager_service_perimeter.regular_service_perimeter: Creation complete after 1s [id=accessPolicies/807865857747/servicePerimeters/sp_c_shared_restricted_default_perimeter_67f1]
module.restricted_shared_vpc.module.regular_service_perimeter.google_access_context_manager_service_perimeter_resource.service_perimeter_resource["127928059862"]: Creating...
module.restricted_shared_vpc.module.regular_service_perimeter.google_access_context_manager_service_perimeter_resource.service_perimeter_resource["127928059862"]: Creation complete after 1s [id=accessPolicies/807865857747/servicePerimeters/sp_c_shared_restricted_default_perimeter_67f1/projects/127928059862]

Error: Error creating OrganizationSecurityPolicy: googleapi: Error 400: Invalid value for field 'resource.displayName': 'common-firewall-rules-3q5s'. The display name is already used. Please choose another one, invalid

  with module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy,
  on ../../modules/hierarchical_firewall_policy/main.tf line 27, in resource "google_compute_organization_security_policy" "policy":
  27: resource "google_compute_organization_security_policy" "policy" {
```
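The failure above is a second CREATE of a hierarchical firewall policy whose display name already exists in the organization, because the first apply's state was not reused. A pre-apply check that a practitioner would want is: list the org's existing firewall policies, see whether the display name Terraform is about to create is already taken, and if so emit a `terraform import` for the failing address rather than re-applying. The Python below is an added example, not code from the issue or the repository. It assumes the JSON shape of `gcloud compute firewall-policies list --organization ORG_ID --format=json` (fields `name`, `displayName`, `shortName`, `parent`, as in the Compute API FirewallPolicy resource; the sample data is constructed), that the 4-character random suffix seen in `common-firewall-rules-3q5s` is what the module appends to the base name, and that the provider's import ID for `google_compute_organization_security_policy` is `locations/global/securityPolicies/<policy_id>` (verify against your provider version).

```python
"""Pre-apply collision check for the hierarchical firewall policy display name."""
import json
import re
from typing import Dict, List, Optional

# Terraform address of the resource that failed, copied from the error above.
TF_ADDRESS = (
    "module.hierarchical_firewall_policy."
    "google_compute_organization_security_policy.policy"
)

# Constructed sample standing in for:
#   gcloud compute firewall-policies list --organization "$ORG_ID" --format=json
# Field names follow the Compute API FirewallPolicy resource; the values are made up.
SAMPLE_GCLOUD_JSON = """
[
  {"name": "123456789012", "displayName": "common-firewall-rules-3q5s",
   "shortName": "common-firewall-rules-3q5s", "parent": "organizations/111111111111"},
  {"name": "223456789012", "displayName": "unrelated-policy",
   "shortName": "unrelated-policy", "parent": "organizations/111111111111"}
]
"""


def load_policies(gcloud_json: str) -> List[Dict]:
    """Parse the JSON array gcloud prints; an org with no policies yields []."""
    data = json.loads(gcloud_json) if gcloud_json.strip() else []
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of firewall policies")
    return data


def find_by_display_name(policies: List[Dict], display_name: str) -> Optional[str]:
    """Return the numeric policy id whose displayName equals display_name, else None."""
    for policy in policies:
        if policy.get("displayName") == display_name:
            return policy["name"]
    return None


def base_name_collisions(policies: List[Dict], base_name: str) -> List[str]:
    """Display names equal to base_name plus a 4-char [a-z0-9] suffix.

    Assumption: the suffix shape is inferred from 'common-firewall-rules-3q5s'
    in the error; adjust the pattern if the module generates a different one.
    """
    pattern = re.compile(rf"^{re.escape(base_name)}-[a-z0-9]{{4}}$")
    return [p["displayName"] for p in policies if pattern.match(p.get("displayName", ""))]


def plan_action(policies: List[Dict], display_name: str) -> Dict:
    """Decide whether apply can create the policy or must import the existing one first.

    Assumption: import id format 'locations/global/securityPolicies/<id>' for
    google_compute_organization_security_policy; check your provider's docs.
    """
    policy_id = find_by_display_name(policies, display_name)
    if policy_id is None:
        return {"action": "create", "display_name": display_name}
    return {
        "action": "import",
        "policy_id": policy_id,
        "command": (
            f"terraform import {TF_ADDRESS} "
            f"locations/global/securityPolicies/{policy_id}"
        ),
    }


if __name__ == "__main__":
    existing = load_policies(SAMPLE_GCLOUD_JSON)
    print("policies sharing the base name:", base_name_collisions(existing, "common-firewall-rules"))
    print(plan_action(existing, "common-firewall-rules-3q5s"))
```

Run the import command from inside `envs/shared` with the same backend configuration the wrapper uses, so the adopted resource lands in the state that the development, non-production and production environments read; `base_name_collisions` is the broader check for when the exact suffix is not yet known from a plan.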
obriensystems commented 2 months ago

see #381 Compute Organization Firewall Policy Admin required to view policies

just add owner

after enabling compute API on the bootstrap project

plan

[Screenshot 2024-04-13 at 18 53 33]
fmichaelobrien commented 2 months ago

Track https://github.com/terraform-google-modules/terraform-example-foundation/issues/1195