Closed jasonbisson closed 3 years ago
The only thing I can think of is the org terraform account is a billing admin and user roles
Hi @jasonbisson - What exactly is the issue you're seeing? Is the validate run failing? The error in the title seems to be a combination of glog over-logging and a "duplicate asset" warning (which is non-blocking).
@melinath Thanks for the quick response. I had to bypass the validator to complete the deployment, but I realize I didn't give the end of the error log, which has a clear error message about the policies missing.
//serviceusage.googleapis.com/projects/prj-cloudbuild-b/services/pubsub.googleapis.com: duplicate asset
Step #1 - "tf plan validate all": Error: validating: FCV: initializing gcv validator: failed to read files in /workspace/policy-library/policies: error visiting path /workspace/policy-library/policies: lstat /workspace/policy-library/policies: no such file or directory
Step #1 - "tf plan validate all": Usage:
Step #1 - "tf plan validate all": terraform-validator validate
Ah, gotcha! Looking up a little in the logs, I also see the lines:
Step #1 - "tf plan validate all": Cloning into '/workspace/policy-library'...
[...]
Step #1 - "tf plan validate all": warning: You appear to have cloned an empty repository.
Step #1 - "tf plan validate all": Project [prj-cloudbuild-] repository [gcp-policies] was cloned to [/workspace/policy-library].
It seems like this might be an issue with cloning the repository rather than with terraform-validator.
@bharathkkb
Hi Bharath, it looks like the source of the problem is that gcp-policies is empty. Can you help me determine where the failure to populate the repo occurred? Assuming the bootstrap...
Hi @jasonbisson, could you check if step 3 was completed and if the repo has the policies?
@melinath is this the expected behavior with an empty policy dir? Would it make sense to have a more descriptive error if no policies are found? Happy to submit a PR.
It looks like this error is coming from config-validator core during the call to NewValidator.
I agree with config-validator that this is probably an error case. But yeah, this error message isn't super clear. If you'd like to submit a PR to catch the error case and give a better error message, that would be great!
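A fail-closed pre-flight check for the situation in this thread, as an added example that is not part of the thread or of terraform-validator: it reports an empty or unpopulated policy library clone with a clear message before the validator runs. The function name `check_policy_library` and its exit codes are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (hypothetical helper, not terraform-validator code).
# Verifies that a cloned policy library actually contains policies, so an
# empty clone is reported clearly instead of surfacing later as an lstat
# error, and so the pipeline stops rather than proceeding without policies.

# Exit codes (assumed for this example):
#   0  policies/ exists and holds at least one regular file
#   2  policies/ directory is missing (e.g. an empty repository was cloned)
#   3  policies/ exists but contains no files
check_policy_library() {
  lib="$1"
  policies="${lib}/policies"

  if [ ! -d "$policies" ]; then
    echo "policy library at ${lib} has no policies/ directory;" \
         "the source repository may be empty or not yet populated" >&2
    return 2
  fi

  # Any regular file at any depth under policies/ counts; take the first hit.
  first_file="$(find "$policies" -type f | head -n 1)"
  if [ -z "$first_file" ]; then
    echo "policy library at ${lib} contains no policy files under policies/" >&2
    return 3
  fi

  return 0
}

# Usage in a build step, with the path taken from the log in this thread:
#   check_policy_library /workspace/policy-library || exit 1
```

Running the check right after the clone makes the build stop at the real cause (an unpopulated repository) instead of at the validator's file-walk error.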
@bharathkkb You nailed it. Missed that manual task. I'll update the repo and we can close it out on my side.
Cool :-) I'll go ahead and close this issue.
Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": ------------------------------------------------------------------------
Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": This plan was saved to: /workspace/tmp_plan/envs-shared.tfplan
Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": To perform exactly these actions, run the following command to apply:
Step #1 - "tf plan validate all": terraform apply "/workspace/tmp_plan/envs-shared.tfplan"
Step #1 - "tf plan validate all":
Step #1 - "tf plan validate all": * TERRAFORM VALIDATE **
Step #1 - "tf plan validate all": At environment: envs/shared
Step #1 - "tf plan validate all": Using policy from: /workspace/policy-library
Step #1 - "tf plan validate all": ***
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [org-terraform@prj-seed-.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [org-terraform@prj-seed-.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [org-terraform@prj-seed-.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": Cloning into '/workspace/policy-library'...
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [org-terraform@prj-seed-.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": warning: You appear to have cloned an empty repository.
Step #1 - "tf plan validate all": Project [prj-cloudbuild-] repository [gcp-policies] was cloned to [/workspace/policy-library].
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.899692 493 planned_assets.go:57] converting resource: asset type cloudbilling.googleapis.com/ProjectBillingInfo: asset name //cloudbilling.googleapis.com/projects/prj-cloudbuild-/billingInfo: duplicate asset
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.899768 493 planned_assets.go:57] converting resource: asset type serviceusage.googleapis.com/Service: asset name //serviceusage.googleapis.com/projects/prj-cloudbuild-/services/billingbudgets.googleapis.com: duplicate asset
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.899819 493 planned_assets.go:57] converting resource: asset type serviceusage.googleapis.com/Service: asset name //serviceusage.googleapis.com/projects/prj-cloudbuild-/services/compute.googleapis.com: duplicate asset
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.899852 493 planned_assets.go:57] converting resource: asset type serviceusage.googleapis.com/Service: asset name //serviceusage.googleapis.com/projects/prj-cloudbuild-/services/iamcredentials.googleapis.com: duplicate asset
Step #1 - "tf plan validate all": ERROR: logging before flag.Parse: W0224 01:10:40.900098 493 planned_assets.go:57] converting resource: asset type cloudbilling.googleapis.com/ProjectBillingInfo: asset name //cloudbilling.googleapis.com/projects/prj-cloudbuild-/billingInfo: duplicate asset