GoogleCloudPlatform / terraform-validator

Terraform Validator is not an officially supported Google product; it is a library for conversion of Terraform plan data to CAI Assets. If you have been using terraform-validator directly in the past, we recommend migrating to `gcloud beta terraform vet`.
https://cloud.google.com/docs/terraform/policy-validation
Apache License 2.0

FCV: initializing gcv validator: failed to read files in /workspace/policy-library/policies #188

Closed jasonbisson closed 3 years ago

jasonbisson commented 3 years ago

Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": ------------------------------------------------------------------------
Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": This plan was saved to: /workspace/tmp_plan/envs-shared.tfplan
Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": To perform exactly these actions, run the following command to apply:
Step #1 - "tf plan validate all": terraform apply "/workspace/tmp_plan/envs-shared.tfplan"
Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": * TERRAFORM VALIDATE **
Step #1 - "tf plan validate all": At environment: envs/shared
Step #1 - "tf plan validate all": Using policy from: /workspace/policy-library
Step #1 - "tf plan validate all": ***
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [org-terraform@prj-seed-.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [org-terraform@prj-seed-.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [org-terraform@prj-seed-.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": Cloning into '/workspace/policy-library'...
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [org-terraform@prj-seed-.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": warning: You appear to have cloned an empty repository.
Step #1 - "tf plan validate all": Project [prj-cloudbuild-] repository [gcp-policies] was cloned to [/workspace/policy-library].
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.899692 493 planned_assets.go:57] converting resource: asset type cloudbilling.googleapis.com/ProjectBillingInfo: asset name //cloudbilling.googleapis.com/projects/prj-cloudbuild-/billingInfo: duplicate asset
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.899768 493 planned_assets.go:57] converting resource: asset type serviceusage.googleapis.com/Service: asset name //serviceusage.googleapis.com/projects/prj-cloudbuild-/services/billingbudgets.googleapis.com: duplicate asset
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.899819 493 planned_assets.go:57] converting resource: asset type serviceusage.googleapis.com/Service: asset name //serviceusage.googleapis.com/projects/prj-cloudbuild-/services/compute.googleapis.com: duplicate asset
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.899852 493 planned_assets.go:57] converting resource: asset type serviceusage.googleapis.com/Service: asset name //serviceusage.googleapis.com/projects/prj-cloudbuild-/services/iamcredentials.googleapis.com: duplicate asset
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.900098 493 planned_assets.go:57] converting resource: asset type cloudbilling.googleapis.com/ProjectBillingInfo: asset name //cloudbilling.googleapis.com/projects/prj-cloudbuild-/billingInfo: duplicate asset

jasonbisson commented 3 years ago

The only thing I can think of is that the org terraform account has the billing admin and user roles.

melinath commented 3 years ago

Hi @jasonbisson - What exactly is the issue you're seeing? Is the validate run failing? The error in the title seems to be a combination of glog over-logging and a "duplicate asset" warning (which is non-blocking).

jasonbisson commented 3 years ago

@melinath Thanks for the quick response. I had to bypass the validator to complete the deployment, but I realize I didn't include the end of the error log, which has a clear error message about the policies missing.

//serviceusage.googleapis.com/projects/prj-cloudbuild-b/services/pubsub.googleapis.com: duplicate asset
Step #1 - "tf plan validate all": Error: validating: FCV: initializing gcv validator: failed to read files in /workspace/policy-library/policies: error visiting path /workspace/policy-library/policies: lstat /workspace/policy-library/policies: no such file or directory
Step #1 - "tf plan validate all": Usage:
Step #1 - "tf plan validate all": terraform-validator validate [flags]
Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": Flags:
Step #1 - "tf plan validate all": --ancestry string Override the ancestry location of the project when validating resources
Step #1 - "tf plan validate all": -h, --help help for validate
Step #1 - "tf plan validate all": --offline Do not connect to GCP API
Step #1 - "tf plan validate all": --output-json Print violations as JSON
Step #1 - "tf plan validate all": --policy-path string Path to directory containing validation policies
Step #1 - "tf plan validate all": --project string Provider project override (override the default project configuration assigned to the google terraform provider when validating resources)
Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": Global Flags:
Step #1 - "tf plan validate all": --verbose Log output to stderr
Step #1 - "tf plan validate all":

melinath commented 3 years ago

Ah, gotcha! Looking up a little in the logs, I also see the lines:

Step #1 - "tf plan validate all": Cloning into '/workspace/policy-library'...
[...]
Step #1 - "tf plan validate all": warning: You appear to have cloned an empty repository.
Step #1 - "tf plan validate all": Project [prj-cloudbuild-] repository [gcp-policies] was cloned to [/workspace/policy-library].

It seems like this might be an issue with cloning the repository rather than with terraform-validator.

jasonbisson commented 3 years ago

@bharathkkb

Hi Bharath, it looks like the source of the problem is that gcp-policies is empty. Can you help me determine where the failure to populate the repo occurred? Assuming the bootstrap...

bharathkkb commented 3 years ago

Hi @jasonbisson Could you check if step 3 was completed and if the repo has the policies?

@melinath is this the expected behavior with an empty policy dir? Would it make sense to have a more descriptive error if no policies are found? Happy to submit a PR.

melinath commented 3 years ago

> @melinath is this the expected behavior with an empty policy dir? Would it make sense to have a more descriptive error if no policies are found? Happy to submit a PR.

It looks like this error is coming from config-validator core during the call to NewValidator.

I agree with config-validator that this is probably an error case. But yeah, this error message isn't super clear. If you'd like to submit a PR to catch the error case and give a better error message, that would be great!
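As an added illustration of the pre-check such a PR could add (example code, not terraform-validator's or config-validator's own), a hypothetical `CheckPolicyPath` that inspects the `--policy-path` directory before `NewValidator` is called, so a missing or empty policy library fails with a message naming the directory rather than a bare `lstat ... no such file or directory`; the function and error names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// ErrNoPolicies distinguishes an empty policy directory from a missing one (hypothetical name).
var ErrNoPolicies = errors.New("no policy files found")

// policyFileCount counts the YAML and Rego files a policy library is made of.
func policyFileCount(policyPath string) (int, error) {
	count := 0
	err := filepath.WalkDir(policyPath, func(_ string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		if ext := filepath.Ext(d.Name()); ext == ".yaml" || ext == ".yml" || ext == ".rego" {
			count++
		}
		return nil
	})
	return count, err
}

// CheckPolicyPath validates a --policy-path value before the validator is built,
// turning the raw lstat failure into an actionable error for the CI log.
func CheckPolicyPath(policyPath string) error {
	info, err := os.Stat(policyPath)
	if errors.Is(err, fs.ErrNotExist) {
		return fmt.Errorf("policy path %q does not exist; was the policy library cloned and populated?", policyPath)
	}
	if err != nil {
		return fmt.Errorf("reading policy path %q: %w", policyPath, err)
	}
	if !info.IsDir() {
		return fmt.Errorf("policy path %q is not a directory", policyPath)
	}
	n, err := policyFileCount(policyPath)
	if err != nil {
		return fmt.Errorf("scanning policy path %q: %w", policyPath, err)
	}
	if n == 0 {
		return fmt.Errorf("policy path %q: %w (is the policy repository empty?)", policyPath, ErrNoPolicies)
	}
	return nil
}
```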

jasonbisson commented 3 years ago

@bharathkkb You nailed it. Missed that manual task. I'll update the repo and we can close it out on my side.

melinath commented 3 years ago

Cool :-) I'll go ahead and close this issue.