canada-ca / accelerators_accelerateurs-gcp

[GCP] Tools and templates to accelerate GC service delivery.
MIT License

Verify terraform version post v1.3.4 - getting terraform plan/apply impersonate errors #55

Open fmichaelobrien opened 1 year ago

obriensystems commented 1 year ago

Validating last run from a couple months ago on last repo PR merge on guardrails.gcp.zone

Welcome to Cloud Shell! Type "help" to get started.
To set your Cloud Platform project in this session use “gcloud config set project [PROJECT_ID]”
admin_@cloudshell:~$ gcloud config set project gr-bootstrap-ggz
Updated property [core/project].
admin_@cloudshell:~ (gr-bootstrap-ggz)$ ls
cloudshell_open  README-cloudshell.txt
admin_@cloudshell:~ (gr-bootstrap-ggz)$ cd cloudshell_open/
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ cd accelerators_accelerateurs-gcp/
deployment-templates/ .git/                 guardrail-details/
admin_@cloudshell:~/cloudshell_open (gr-bootstrap-ggz)$ cd accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails/
admin_@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (gr-bootstrap-ggz)$ ls
backend.tf  bucket.tf  iam.tf  log_sinks.tf  org-policy.tf  projects.tf  provider.tf  README.md  variables.tf  variables.tfvar  variables.tfvar.example
admin_@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (gr-bootstrap-ggz)$ terraform plan -var-file variables.tfvar
random_string.suffix: Refreshing state... [id=isb1]
module.administration.module.project-factory.random_id.random_project_id_suffix: Refreshing state... [id=i_0]
data.google_service_account_access_token.default: Reading...
data.google_service_account_access_token.default: Read complete after 0s [id=projects/-/serviceAccounts/tfadmin-ggz@ggz-seed-project.iam.gserviceaccount.com]
google_organization_iam_audit_config.org_config[0]: Refreshing state... [id=743091813895/audit_config/allServices]
google_organization_iam_member.ssc-billing: Refreshing state... [id=743091813895/roles/billing.viewer/group:ssc_broker_users@guardrails.gcp.zone]
module.administration.module.project-factory.google_project.main: Refreshing state... [id=projects/guardrails-8bfd]
google_organization_iam_member.asset_inventory_viewer: Refreshing state... [id=743091813895/roles/cloudasset.viewer/group:ssc_broker_users@guardrails.gcp.zone]
module.org-policy.google_organization_policy.org_policy_list_allow_values[0]: Refreshing state... [id=743091813895/constraints/gcp.resourceLocations]
google_organization_iam_member.billing_viewer: Refreshing state... [id=743091813895/roles/billing.viewer/group:billing_data_users@guardrails.gcp.zone]
module.administration.module.project-factory.google_service_account.default_service_account[0]: Refreshing state... [id=projects/guardrails-8bfd/serviceAccounts/project-service-account@guardrails-8bfd.iam.gserviceaccount.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Refreshing state... [id=guardrails-8bfd/bigquery.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Refreshing state... [id=guardrails-8bfd/billingbudgets.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Refreshing state... [id=guardrails-8bfd/logging.googleapis.com]
module.administration.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Refreshing state... [id=guardrails-8bfd/cloudasset.googleapis.com]
module.administration.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Refreshing state... [id=projects/guardrails-8bfd]
module.administration.module.budget.data.google_project.project[0]: Reading...
google_project_iam_member.audit_log_bq_user: Refreshing state... [id=guardrails-8bfd/roles/bigquery.user/group:audit_data_users@guardrails.gcp.zone]
module.bigquery_destination.google_project_service.enable_destination_api: Refreshing state... [id=guardrails-8bfd/bigquery.googleapis.com]
google_project_iam_member.billing_bq_user: Refreshing state... [id=guardrails-8bfd/roles/bigquery.user/group:billing_data_users@guardrails.gcp.zone]
google_project_iam_member.audit_log_bq_data_viewer: Refreshing state... [id=guardrails-8bfd/roles/bigquery.dataViewer/group:audit_data_users@guardrails.gcp.zone]
module.storage_destination.google_project_service.enable_destination_api: Refreshing state... [id=guardrails-8bfd/storage-component.googleapis.com]
google_project_iam_member.billing_bq_viewer: Refreshing state... [id=guardrails-8bfd/roles/bigquery.dataViewer/group:billing_data_users@guardrails.gcp.zone]
module.pubsub_destination.google_project_service.enable_destination_api: Refreshing state... [id=guardrails-8bfd/pubsub.googleapis.com]
google_bigquery_dataset.billing_dataset: Refreshing state... [id=projects/guardrails-8bfd/datasets/billing_data]
google_storage_bucket.guardrails-bucket: Refreshing state... [id=ggz-guardrails-assets]
module.administration.module.budget.data.google_project.project[0]: Read complete after 0s [id=projects/guardrails-8bfd]
module.pubsub_destination.google_pubsub_topic.topic: Refreshing state... [id=projects/guardrails-8bfd/topics/tp-org-logs-isb1]
module.storage_destination.google_storage_bucket.bucket: Refreshing state... [id=bkt-guardrails-8bfd-org-logs-isb1]
module.bigquery_destination.google_bigquery_dataset.dataset: Refreshing state... [id=projects/guardrails-8bfd/datasets/audit_logs]
module.log_export_to_storage.google_logging_organization_sink.sink[0]: Refreshing state... [id=organizations/743091813895/sinks/org_log_sink]
module.pubsub_destination.google_service_account.pubsub_subscriber[0]: Refreshing state... [id=projects/guardrails-8bfd/serviceAccounts/tp-org-logs-isb1-subscriber@guardrails-8bfd.iam.gserviceaccount.com]
module.log_export_to_pubsub.google_logging_organization_sink.sink[0]: Refreshing state... [id=organizations/743091813895/sinks/sk-c-logging-pub]
module.pubsub_destination.google_pubsub_subscription.pubsub_subscription[0]: Refreshing state... [id=projects/guardrails-8bfd/subscriptions/tp-org-logs-isb1-subscription]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_viewer_role[0]: Refreshing state... [id=projects/guardrails-8bfd/topics/tp-org-logs-isb1/roles/pubsub.viewer/serviceAccount:tp-org-logs-isb1-subscriber@guardrails-8bfd.iam.gserviceaccount.com]
module.pubsub_destination.google_pubsub_topic_iam_member.pubsub_sink_member: Refreshing state... [id=projects/guardrails-8bfd/topics/tp-org-logs-isb1/roles/pubsub.publisher/serviceAccount:o743091813895-086501@gcp-sa-logging.iam.gserviceaccount.com]
module.storage_destination.google_storage_bucket_iam_member.storage_sink_member: Refreshing state... [id=b/bkt-guardrails-8bfd-org-logs-isb1/roles/storage.objectCreator/serviceAccount:o743091813895-073944@gcp-sa-logging.iam.gserviceaccount.com]
module.log_export_to_biqquery.google_logging_organization_sink.sink[0]: Refreshing state... [id=organizations/743091813895/sinks/log_sink-bq]
module.pubsub_destination.google_pubsub_subscription_iam_member.pubsub_subscriber_role[0]: Refreshing state... [id=projects/guardrails-8bfd/subscriptions/tp-org-logs-isb1-subscription/roles/pubsub.subscriber/serviceAccount:tp-org-logs-isb1-subscriber@guardrails-8bfd.iam.gserviceaccount.com]
module.bigquery_destination.google_project_iam_member.bigquery_sink_member: Refreshing state... [id=guardrails-8bfd/roles/bigquery.dataEditor/serviceAccount:o743091813895-912373@gcp-sa-logging.iam.gserviceaccount.com]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

  # module.bigquery_destination.google_bigquery_dataset.dataset has changed
  ~ resource "google_bigquery_dataset" "dataset" {
        id                              = "projects/guardrails-8bfd/datasets/audit_logs"
      + labels                          = {}
        # (11 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # module.pubsub_destination.google_pubsub_subscription.pubsub_subscription[0] has changed
  ~ resource "google_pubsub_subscription" "pubsub_subscription" {
        id                         = "projects/guardrails-8bfd/subscriptions/tp-org-logs-isb1-subscription"
      + labels                     = {}
        name                       = "tp-org-logs-isb1-subscription"
        # (7 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.pubsub_destination.google_pubsub_topic.topic has changed
  ~ resource "google_pubsub_topic" "topic" {
        id      = "projects/guardrails-8bfd/topics/tp-org-logs-isb1"
      + labels  = {}
        name    = "tp-org-logs-isb1"
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }

  # module.storage_destination.google_storage_bucket.bucket has changed
  ~ resource "google_storage_bucket" "bucket" {
        id                          = "bkt-guardrails-8bfd-org-logs-isb1"
      + labels                      = {}
        name                        = "bkt-guardrails-8bfd-org-logs-isb1"
        # (10 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to
undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.org-policy.google_organization_policy.org_policy_list_allow_values[0] will be updated in-place
  ~ resource "google_organization_policy" "org_policy_list_allow_values" {
        id          = "743091813895/constraints/gcp.resourceLocations"
        # (5 unchanged attributes hidden)

      ~ list_policy {
            # (1 unchanged attribute hidden)

          ~ allow {
              ~ values = [
                  - "in:northamerica-northeast1-locations",
                  - "in:northamerica-northeast2-locations",
                  + "northamerica-northeast1",
                  + "northamerica-northeast2",
                ]
                # (1 unchanged attribute hidden)
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
admin_@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (gr-bootstrap-ggz)$

admin_@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (gr-bootstrap-ggz)$ terraform -version
Terraform v1.3.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v3.90.1
+ provider registry.terraform.io/hashicorp/google-beta v3.90.1
+ provider registry.terraform.io/hashicorp/null v3.1.1
+ provider registry.terraform.io/hashicorp/random v3.4.3

terraform init

admin_@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (gr-bootstrap-ggz)$ terraform init
Initializing modules...

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/google from the dependency lock file
- Reusing previous version of hashicorp/random from the dependency lock file
- Reusing previous version of hashicorp/google-beta from the dependency lock file
- Reusing previous version of hashicorp/null from the dependency lock file
- Using previously-installed hashicorp/google v3.90.1
- Using previously-installed hashicorp/random v3.4.3
- Using previously-installed hashicorp/google-beta v3.90.1
- Using previously-installed hashicorp/null v3.1.1

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

rerun OK

Plan: 0 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
admin_@cloudshell:~/cloudshell_open/accelerators_accelerateurs-gcp/deployment-templates/Terraform/guardrails/1-guardrails (gr-bootstrap-ggz)$ terraform plan -var-file variables.tfvar

Will try a clean org and install using a 2nd super admin - I suspect it may be the use of a 2nd user - not the original super admin that created the org - the 3rd party case (as all 6 permissions are ok)

The only difference was owner
