GoogleCloudPlatform / terraform-example-foundation-app

https://registry.terraform.io/modules/GoogleCloudPlatform/terraform-example-foundation-app/google
Apache License 2.0

terraform-validation violations in 4-projects #35

Closed daniel-cit closed 3 years ago

daniel-cit commented 3 years ago

Expected Behavior

Cloud build execution of step 4-projects has no terraform-validator violations

Actual Behavior

Cloud build execution of step 4-projects has terraform-validator violations

Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/anthos.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/anthos.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/binaryauthorization.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/binaryauthorization.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/containerscanning.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/containerscanning.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/gkeconnect.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/gkeconnect.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/gkehub.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/gkehub.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/iap.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/iap.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/meshca.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/meshca.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/meshconfig.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/meshconfig.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/meshtelemetry.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/meshtelemetry.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/multiclusteringress.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/multiclusteringress.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/privateca.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/privateca.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/sqladmin.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/sqladmin.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/stackdriver.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/stackdriver.googleapis.com violates a service constraint
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis on resource //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/storage.googleapis.com: //serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/storage.googleapis.com violates a service constraint

Steps to Reproduce the Problem

  1. Follow the steps in 4-projects, fixing issues https://github.com/GoogleCloudPlatform/terraform-example-foundation-app/issues/34 and https://github.com/GoogleCloudPlatform/terraform-example-foundation-app/issues/33

Specifications

Extra Info

The APIs need to be added to the list of allowed APIs in the terraform-example-foundation repo:

    services:
    - "accesscontextmanager.googleapis.com"
    - "admin.googleapis.com"
    - "appengine.googleapis.com"
    - "artifactregistry.googleapis.com"
    ...

https://github.com/terraform-google-modules/terraform-example-foundation/blob/e30fe8cbd267b9f2e5dad9bc8fdb4360880b1cd4/policy-library/policies/constraints/serviceusage_allow_basic_apis.yaml#L30

daniel-cit commented 3 years ago

APIs to be added:

    - "anthos.googleapis.com"
    - "binaryauthorization.googleapis.com"
    - "containerscanning.googleapis.com"
    - "gkeconnect.googleapis.com"
    - "gkehub.googleapis.com"
    - "iap.googleapis.com"
    - "meshca.googleapis.com"
    - "meshconfig.googleapis.com"
    - "meshtelemetry.googleapis.com"
    - "multiclusteringress.googleapis.com"
    - "privateca.googleapis.com"
    - "sqladmin.googleapis.com"
    - "stackdriver.googleapis.com"
    - "storage.googleapis.com"
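
Added example (not part of the issue thread or of either project's code): a small Python helper that extracts the flagged services from validator output in the format shown above and reports which ones a given allowlist still lacks, so a proposed change to the constraint can be checked before the pipeline is rerun. The function names and the sample log are constructed for illustration; the allowlist holds only the four entries quoted in the issue.

```python
import re
from collections import defaultdict

# One violation line, in the format shown in the Cloud Build output above.
VIOLATION = re.compile(
    r"Constraint (?P<kind>\w+)\.(?P<name>\w+) on resource "
    r"//serviceusage\.googleapis\.com/projects/(?P<project>[^/\s]+)"
    r"/services/(?P<service>[a-z0-9.-]+):"
)

def violations_by_constraint(log_text):
    """Map (constraint name, project) to the sorted services flagged under it."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = VIOLATION.search(line)
        if m:  # blank "Step #1" separator lines and other output are skipped
            found[(m["name"], m["project"])].add(m["service"])
    return {key: sorted(services) for key, services in found.items()}

def missing_from_allowlist(log_text, allowed):
    """Flagged services that the given allowlist still does not cover."""
    flagged = set()
    for services in violations_by_constraint(log_text).values():
        flagged.update(services)
    return sorted(flagged - set(allowed))

def as_yaml_items(services):
    """Render entries in the style of the constraint's `services:` list."""
    return "\n".join(f'- "{s}"' for s in services)

# Constructed sample: lines shaped like the log above, with one duplicate
# and one empty separator line.
PREFIX = 'Step #1 - "tf plan validate all": '
RES = "//serviceusage.googleapis.com/projects/prj-b-cicd-4eb5/services/"
FLAGGED = ["iap.googleapis.com", "gkehub.googleapis.com", "iap.googleapis.com"]
SAMPLE_LOG = "\n".join(
    [f"{PREFIX}Constraint GCPServiceUsageConstraintV1.allow_basic_set_of_apis"
     f" on resource {RES}{s}: {RES}{s} violates a service constraint"
     for s in FLAGGED] + [PREFIX]
)

# Allowlist excerpt as quoted in the issue; the rest of the list is elided there.
ALLOWED = ["accesscontextmanager.googleapis.com", "admin.googleapis.com",
           "appengine.googleapis.com", "artifactregistry.googleapis.com"]

if __name__ == "__main__":
    print(as_yaml_items(missing_from_allowlist(SAMPLE_LOG, ALLOWED)))
```

Reviewing the generated entries before merging them keeps each addition to the allowlist a deliberate decision rather than a bulk copy from the build log.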