forseti-security / terraform-google-forseti

A Terraform module for installing Forseti on GCP
Apache License 2.0

Current copy from `master` branch does not work out of the box #505

Closed choonchernlim closed 4 years ago

choonchernlim commented 4 years ago

PROBLEM

The default forseti_version defined in [FORSETI_ROOT]/variables.tf is v2.24.0.

As a result, this error is thrown on server VM startup:

INFO startup-script: sqlalchemy.exc.OperationalError: (pymysql.err.OperationalError)
(1045, "Access denied for user 'root'@'cloudsqlproxy~10.128.0.12' (using password: NO)") 
(Background on this error at: http://sqlalche.me/e/e3q8)

PROPOSED SOLUTION

I believe the default forseti_version should be pinned to v2.25.0.

Since user root is no longer used, this will allow SQL_DB_USER and SQL_DB_PASSWORD to be picked up from https://github.com/forseti-security/terraform-google-forseti/blob/master/modules/server/templates/scripts/forseti-server/forseti_env.sh.tpl#L4-L5 and passed to https://github.com/forseti-security/forseti-security/blob/v2.25.0/install/gcp/upgrade_tools/db_migrator.py#L35-L38
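The failure mode described in this issue (a module template that exports a dedicated DB user and password, run against a Forseti release that still connects as root with no password) is cheap to catch before the migration step runs. The following is an added example, not code from the forseti-security project or this issue's author: a POSIX shell pre-flight check that a startup script could run ahead of db_migrator.py. It assumes the env file uses `export SQL_DB_USER=...` / `export SQL_DB_PASSWORD=...` lines (an assumption about the template's format), takes v2.25.0 from the issue as the first release that reads those variables, and additionally refuses to proceed as root (a policy choice of this example, not something the page states). The sample env files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example: fail fast on a forseti_version/env mismatch instead of letting the
# server fall through to "root" with no password, which Cloud SQL rejects (1045).

# version_ge V1 V2: return 0 when dotted version V1 (optional leading "v") >= V2.
# Field-wise numeric compare so it works without GNU "sort -V".
version_ge() {
    a=${1#v}; b=${2#v}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_db_env ENV_FILE FORSETI_VERSION: return 0 when the environment can be used
# for the DB migration, 1 (with a reason on stderr) otherwise.
check_db_env() {
    env_file=$1; forseti_version=$2

    # Per the issue, releases before v2.25.0 do not read SQL_DB_USER/SQL_DB_PASSWORD
    # and connect as root without a password; refuse to run with such a pin.
    if ! version_ge "$forseti_version" "v2.25.0"; then
        echo "forseti_version $forseti_version predates SQL_DB_USER support; pin >= v2.25.0" >&2
        return 1
    fi

    # Assumed env file format: 'export SQL_DB_USER="..."' lines (quotes optional).
    user=$(sed -n 's/^export SQL_DB_USER=//p' "$env_file" | tr -d '"')
    pass=$(sed -n 's/^export SQL_DB_PASSWORD=//p' "$env_file" | tr -d '"')
    if [ -z "$user" ] || [ -z "$pass" ]; then
        echo "SQL_DB_USER and/or SQL_DB_PASSWORD empty or missing in $env_file" >&2
        return 1
    fi

    # Policy choice of this example: migrations run as the dedicated Forseti DB user only.
    if [ "$user" = "root" ]; then
        echo "refusing to run DB migration as root; use the dedicated Forseti DB user" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo with constructed env files (not the project's real template).
demo() {
    good=$(mktemp); bad=$(mktemp)
    printf 'export SQL_DB_USER="forseti_db_user"\nexport SQL_DB_PASSWORD="example-secret"\n' > "$good"
    printf 'export SQL_DB_USER=""\nexport SQL_DB_PASSWORD=""\n' > "$bad"
    check_db_env "$good" v2.25.0 && echo "ok: v2.25.0 with dedicated credentials"
    check_db_env "$bad"  v2.25.0 || echo "rejected: empty credentials"
    check_db_env "$good" v2.24.0 || echo "rejected: v2.24.0 predates env var support"
    rm -f "$good" "$bad"
}
demo
```

In a real startup script the check would sit between sourcing forseti_env.sh and invoking db_migrator.py; a non-zero return there turns a confusing sqlalchemy traceback into a one-line cause that points at the version pin.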

gkowalski-google commented 4 years ago

Hi @choonchernlim, we are working on the v2.25.0 release. Until then, the Forseti Terraform module 5.1.2 should continue to be used. The recent changes that have been merged into the Terraform master branch cannot be used until this release. Does that answer your question?

choonchernlim commented 4 years ago

Is Forseti Security v2.25.0 still under development?

I tried pinning forseti_version to that version and that seems to be working without problem, but I don't know the implication of doing so.

If Forseti Security v2.25.0 is not quite ready for primetime, I will communicate up to my leadership and stick with Forseti Terraform v5.1.2. I was initially hoping to leverage @xingao267's google provider 3.x upgrade, which is now in master (and I have a copy from him too) but not in v5.1.2... I just want to make sure my codebase does not diverge too much from CFT, if possible.

gkowalski-google commented 4 years ago

Yes, sorry for that issue between v2.25.0 and master. We began working on the v2.25.0 release last year, but ran into some issues which are mostly resolved. We are still working to ensure the GKE examples work with recent provider/module versions, and doing a little more testing around the new Org Policy and Access Policy resources. We typically create the tag during the release testing phase, and then will create the GitHub release and communicate once testing is completed.

choonchernlim commented 4 years ago

@gkowalski-google No worries, and thank you for the progress updates. Given the complexity of this module, I reckon it's a lot of work to keep the ducks in a row. Meanwhile, if I find other "low hanging fruit" problems, I'll continue to open issues. At the same time, if you need help to fix them, I don't mind contributing as well.