Creation of google_logging_project_bucket_config fails when project used to run Terraform SA does not have billing enabled

[traittinen]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v1.0.5 on linux_amd64

• provider registry.terraform.io/hashicorp/google v4.15.0
• provider registry.terraform.io/hashicorp/google-beta v4.15.0
• provider registry.terraform.io/hashicorp/null v3.1.0
• provider registry.terraform.io/hashicorp/random v3.1.0
• provider registry.terraform.io/hashicorp/template v2.2.0

Affected Resource(s)

• google_logging_project_bucket_config

Terraform Configuration Files

Resource configuration:

resource "google_logging_project_bucket_config" "fw_log_bucket" {
    count = var.export_fw_logs_to_clb ? 1 : 0

  project        = var.project_id
  location       = var.fw_log_clb_location
  retention_days = var.fw_log_clb_retention
  bucket_id      = var.fw_log_clb_name
}

Debug Output

  # module.network-baseline.module.fw_logs.google_logging_project_bucket_config.fw_log_bucket[0] will be created
  + resource "google_logging_project_bucket_config" "fw_log_bucket" {
      + bucket_id       = "xxxxx-fw-logs"
      + description     = (known after apply)
      + id              = (known after apply)
      + lifecycle_state = (known after apply)
      + location        = "global"
      + name            = (known after apply)
      + project         = "xxxxx-network-log"
      + retention_days  = 90
    }

│ Error: Error creating Bucket: googleapi: Error 403: This API method requires billing to be enabled. Please enable billing on project #1016471542722 by visiting https://console.developers.google.com/billing/enable?project=1016471542722 then retry. If you enabled billing for this project recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.Help",
│     "links": [
│       {
│         "description": "Google developers console billing",
│         "url": "https://console.developers.google.com/billing/enable?project=1016471542711"
│       }
│     ]
│   },
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/1016471542711",
│       "service": "logging.googleapis.com"
│     },
│     "reason": "BILLING_DISABLED"
│   }
│ ]
│ 
│   with module.network-baseline.module.fw_logs.google_logging_project_bucket_config.fw_log_bucket[0],
│   on .terraform/modules/network-baseline/modules/org_fw_logs/log_sink_clb.tf line 19, in resource "google_logging_project_bucket_config" "fw_log_bucket":
│   19: resource "google_logging_project_bucket_config" "fw_log_bucket" {
│ 

Error: Apply operation failed

$ terraform state show 'module.network-baseline.module.fw_logs.google_logging_project_bucket_config.fw_log_bucket[0]'
# module.network-baseline.module.fw_logs.google_logging_project_bucket_config.fw_log_bucket[0]: (tainted)
resource "google_logging_project_bucket_config" "fw_log_bucket" {
    bucket_id      = "xxxxx-fw-logs"
    id             = "projects/xxxxx-network-log/locations/global/buckets/xxxxx-fw-logs"
    location       = "global"
    project        = "xxxxx-network-log"
    retention_days = 90
}

• Creation of "google_logging_project_bucket_config" fails when project used to run Terraform service account does not have billing enabled
• Terraform resource is added to state even though creation fails and has to be removed manually with "terraform state rm"

Project 1016471542711 is the project hosting the service account that is used to run Terraform and different from "xxxxx-network-log" that should host the log bucket.

Panic Output

Expected Behavior

• If apply fails, google_logging_project_bucket_config resource should not be added in state
• Log bucket creation should work even though billing is not enabled on the project that is used to host Terraform service account

Actual Behavior

• Apply operations fails and failed resource is added to state

Steps to Reproduce

1. Use service account on a project that has not billing enabled to run Terraform
2. Use different project ID in google_logging_project_bucket_config with billing enabled
3. terraform apply

Important Factoids

References

• 0000

b/300742899

[ScottSuarez]

Is it possible to get logs for this?

You can set TF_LOG=DEBUG and TF_LOG_PATH=./your-file.log