google_folder_organization_policy shows changes in terraform plan with few subnets

[balaji2711996]

We are using google_folder_organization_policy resource with constraints for shared vpc. We are allowing a list of subnets through data block. The data block has list of subnets which needs to allowed from this constraint. Though one of the subnet is present in the data block (list), the plan shows that the subnet to be removed from the policy allow list.

resource "google_folder_organization_policy" "shared_vpc_subnets" {
  for_each = {
    for k, v in local.projects : k => v if lookup(v, "enable_org_network_policy", true)
  }
  folder     = module.resource_hierarchy[each.key].parent_folder_id
  constraint = "compute.restrictSharedVpcSubnetworks"

  list_policy {
    inherit_from_parent = true
    allow {
      values = concat(
        [
          for subnet in flatten([
            data.terraform_remote_state.vpc_innov.outputs.env_vpc_subnets, data.terraform_remote_state.vpc_eng.outputs.env_vpc_subnets, data.terraform_remote_state.vpc_qa.outputs.env_vpc_subnets, data.terraform_remote_state.vpc_prod.outputs.env_vpc_subnets
          ]) : subnet if length(regexall(format("tt-sub-%s.*", each.key), subnet)) > 0
        ],
        [
          for subnet in flatten([
            data.terraform_remote_state.vpc_innov.outputs.env_vpc_subnets, data.terraform_remote_state.vpc_eng.outputs.env_vpc_subnets, data.terraform_remote_state.vpc_qa.outputs.env_vpc_subnets, data.terraform_remote_state.vpc_prod.outputs.env_vpc_subnets
            ]) : subnet if anytrue([
            for additional_subnet in lookup(
              each.value, "additional_allowed_vpc_subnets", []
            ) : length(regexall(additional_subnet, subnet)) > 0
          ])
        ]
      )
    }
  }

plan : - >

google_folder_organization_policy.shared_vpc_subnets["dataanalytics"] will be updated in-place

~ resource "google_folder_organization_policy" "shared_vpc_subnets" { id = "folders/projectID/compute.restrictSharedVpcSubnetworks"

(5 unchanged attributes hidden)

  ~ list_policy {
        # (1 unchanged attribute hidden)
      ~ allow {
          ~ values = [
              - "projects/ProjectA/regions/us-east4/subnetworks/SubnetA",
                # (12 unchanged elements hidden)
            ]
            # (1 unchanged attribute hidden)
        }
    }
}

google_folder_organization_policy.shared_vpc_subnets["dataservices"] will be updated in-place

~ resource "google_folder_organization_policy" "shared_vpc_subnets" { id = "folders/283009904173/constraints/compute.restrictSharedVpcSubnetworks"

(5 unchanged attributes hidden)

  ~ list_policy {
        # (1 unchanged attribute hidden)
      ~ allow {
          ~ values = [
              - "projects/ProjectA/regions/us-east4/subnetworks/subnetA",
              - "projects/projectB/regions/us-east4/subnetworks/subnetB",
              - "projects/projectC/regions/us-east4/subnetworks/subnetC",
                # (8 unchanged elements hidden)
            ]
            # (1 unchanged attribute hidden)
        }
    }
    # (1 unchanged block hidden)
}

[edwardmedia]

@balaji2711996 are you able to hard-code the resource and repro the issue? Please share the hard-coded config

[balaji2711996]

for eg, data.terraform_remote_state.vpc_qa.outputs.env_vpc_subnets list has below subnets. And correspondingly for all other data blocks as well

env_vpc_subnets = [ "projects/projectA/regions/us-east4/subnetworks/tt-sub-cicd-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-core-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-core-qa-loadbalancers", "projects/projectA/regions/us-east4/subnetworks/tt-sub-dataanalytics-qa-composernodes", "projects/projectA/regions/us-east4/subnetworks/tt-sub-dataanalytics-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-dataanalytics-qa-loadbalancers", "projects/projectA/regions/us-east4/subnetworks/tt-sub-dataservices-qa-composernodes", "projects/projectA/regions/us-east4/subnetworks/tt-sub-dataservices-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-inboundconverter-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-inboundconverter-qa-dataflow", "projects/projectA/regions/us-east4/subnetworks/tt-sub-infraservices-qa-infra", "projects/projectA/regions/us-east4/subnetworks/tt-sub-infraservices-qa-lb-proxy", "projects/projectA/regions/us-east4/subnetworks/tt-sub-infraservices-qa-vpc-serverless", "projects/projectA/regions/us-east4/subnetworks/tt-sub-integrationcenter-qa-composernodes", "projects/projectA/regions/us-east4/subnetworks/tt-sub-integrationcenter-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-integrationcenter-qa-loadbalancers", "projects/projectA/regions/us-east4/subnetworks/tt-sub-leadservices-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-leadservices-qa-loadbalancers", "projects/projectA/regions/us-east4/subnetworks/tt-sub-messagingservices-qa-composernodes", "projects/projectA/regions/us-east4/subnetworks/tt-sub-messagingservices-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-messagingservices-qa-loadbalancers", "projects/projectA/regions/us-east4/subnetworks/tt-sub-namecenter-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-priorityengine-qa-composernodes", "projects/projectA/regions/us-east4/subnetworks/tt-sub-priorityengine-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-priorityengine-qa-loadbalancers", "projects/projectA/regions/us-east4/subnetworks/tt-sub-productinnovation-qa-composernodes", "projects/projectA/regions/us-east4/subnetworks/tt-sub-productinnovation-qa-compute", "projects/projectA/regions/us-east4/subnetworks/tt-sub-productinnovation-qa-loadbalancers", ]

[edwardmedia]

@balaji2711996 this doesn't work for me. Can you replace all variables and dynamic code in the config and provide the detail steps so I can repro?

[edwardmedia]

@balaji2711996 closing this assuming this is no longer an issue

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.