hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_folder_organization_policy shows changes in terraform plan with few subnets #15123

Closed balaji2711996 closed 1 year ago

balaji2711996 commented 1 year ago

We are using the google_folder_organization_policy resource with constraints for shared VPC. We are allowing a list of subnets through a data block. The data block has the list of subnets which need to be allowed through this constraint. Though one of the subnets is present in the data block (list), the plan shows that the subnet is to be removed from the policy allow list.

resource "google_folder_organization_policy" "shared_vpc_subnets" {
  # One policy per project unless it opted out with enable_org_network_policy = false
  for_each = {
    for k, v in local.projects : k => v if lookup(v, "enable_org_network_policy", true)
  }
  folder     = module.resource_hierarchy[each.key].parent_folder_id
  constraint = "compute.restrictSharedVpcSubnetworks"

  list_policy {
    inherit_from_parent = true
    allow {
      values = concat(
        # Subnets whose name starts with tt-sub-<project key>
        [
          for subnet in flatten([
            data.terraform_remote_state.vpc_innov.outputs.env_vpc_subnets,
            data.terraform_remote_state.vpc_eng.outputs.env_vpc_subnets,
            data.terraform_remote_state.vpc_qa.outputs.env_vpc_subnets,
            data.terraform_remote_state.vpc_prod.outputs.env_vpc_subnets
          ]) : subnet if length(regexall(format("tt-sub-%s.*", each.key), subnet)) > 0
        ],
        # Plus any subnet matching one of the project's additional_allowed_vpc_subnets patterns
        [
          for subnet in flatten([
            data.terraform_remote_state.vpc_innov.outputs.env_vpc_subnets,
            data.terraform_remote_state.vpc_eng.outputs.env_vpc_subnets,
            data.terraform_remote_state.vpc_qa.outputs.env_vpc_subnets,
            data.terraform_remote_state.vpc_prod.outputs.env_vpc_subnets
          ]) : subnet if anytrue([
            for additional_subnet in lookup(each.value, "additional_allowed_vpc_subnets", []) :
            length(regexall(additional_subnet, subnet)) > 0
          ])
        ]
      )
    }
  }
}

Plan:

  # google_folder_organization_policy.shared_vpc_subnets["dataanalytics"] will be updated in-place
  ~ resource "google_folder_organization_policy" "shared_vpc_subnets" {
        id         = "folders/projectID/compute.restrictSharedVpcSubnetworks"
        # (5 unchanged attributes hidden)

      ~ list_policy {
            # (1 unchanged attribute hidden)

          ~ allow {
              ~ values = [
                  - "projects/ProjectA/regions/us-east4/subnetworks/SubnetA",
                    # (12 unchanged elements hidden)
                ]
                # (1 unchanged attribute hidden)
            }
        }
    }

  # google_folder_organization_policy.shared_vpc_subnets["dataservices"] will be updated in-place
  ~ resource "google_folder_organization_policy" "shared_vpc_subnets" {
        id         = "folders/283009904173/constraints/compute.restrictSharedVpcSubnetworks"
        # (5 unchanged attributes hidden)

      ~ list_policy {
            # (1 unchanged attribute hidden)

          ~ allow {
              ~ values = [
                  - "projects/ProjectA/regions/us-east4/subnetworks/subnetA",
                  - "projects/projectB/regions/us-east4/subnetworks/subnetB",
                  - "projects/projectC/regions/us-east4/subnetworks/subnetC",
                    # (8 unchanged elements hidden)
                ]
                # (1 unchanged attribute hidden)
            }
        }

        # (1 unchanged block hidden)
    }

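The "-" lines in a plan like the one above are simply the values recorded in state that the `values` expression no longer produces, so the fastest way to understand them is to evaluate that expression yourself and diff it against state. The following is an added example, not code from this issue, the google provider or Terraform: it re-implements the `concat([...], [...])` expression from the config in Python, with Terraform's `regexall()` mimicked by `re.findall()` (both take an unanchored pattern, so a match anywhere in the string counts). It also shows one consequence of that unanchored `format("tt-sub-%s.*", each.key)` pattern, namely that a project key that is a prefix of another key (assumed here: a key `data` alongside `dataanalytics`) pulls in the other project's subnets, and an anchored variant that avoids it. All subnet names, project keys and the "current state" list are constructed for illustration; `allow_values`, `plan_diff` and the `anchored` flag are this example's own names.

```python
"""Evaluate the allow-list expression from the issue's config outside Terraform.

Added example; not the provider's or Terraform's code. regexall() is mimicked
with re.findall(): both are unanchored. Python's re and Terraform's RE2 differ
in some syntax, but agree for the simple patterns used here.
"""
import re

# Constructed stand-in for flatten([...env_vpc_subnets outputs...]).
SUBNETS = [
    "projects/tt-pr-infraservices-eng/regions/us-east4/subnetworks/tt-sub-dataanalytics-eng-compute",
    "projects/tt-pr-infraservices-prod/regions/us-east4/subnetworks/tt-sub-dataanalytics-prod-compute",
    "projects/tt-pr-infraservices-eng/regions/us-east4/subnetworks/tt-sub-dataservices-eng-compute",
    "projects/tt-pr-infraservices-eng/regions/us-east4/subnetworks/tt-sub-data-eng-compute",
    "projects/tt-pr-infraservices-eng/regions/us-east4/subnetworks/tt-sub-shared-eng-db",
]

# Constructed stand-in for local.projects (only the attribute the config reads).
PROJECTS = {
    "dataanalytics": {"additional_allowed_vpc_subnets": ["tt-sub-shared-eng-db"]},
    "dataservices": {},
    "data": {},  # hypothetical key that is a prefix of the two above
}


def regexall(pattern, s):
    """Mimic Terraform's regexall(): every unanchored match of pattern in s."""
    return re.findall(pattern, s)


def allow_values(key, project, subnets, anchored=False):
    """Evaluate concat([...by prefix...], [...by extra patterns...]) for one instance.

    anchored=False reproduces format("tt-sub-%s.*", each.key) exactly as written.
    anchored=True is a hypothetical hardening: the key must be a whole name
    component (tt-sub-<key>-...), so "data" no longer matches "dataanalytics".
    """
    if anchored:
        prefix_pattern = rf"/subnetworks/tt-sub-{re.escape(key)}-"
    else:
        prefix_pattern = f"tt-sub-{key}.*"
    by_prefix = [s for s in subnets if len(regexall(prefix_pattern, s)) > 0]

    # Each additional_allowed_vpc_subnets entry is used as a regex, not a
    # literal name, so metacharacters such as "." in it widen the match.
    extra = project.get("additional_allowed_vpc_subnets", [])
    by_extra = [s for s in subnets if any(len(regexall(p, s)) > 0 for p in extra)]
    return by_prefix + by_extra


def plan_diff(desired, in_state):
    """What the plan shows for allow.values: '-' for state values the
    expression no longer yields, '+' for values not yet in state."""
    return {
        "remove": [v for v in in_state if v not in desired],
        "add": [v for v in desired if v not in in_state],
    }


if __name__ == "__main__":
    for key, project in PROJECTS.items():
        names = [v.rsplit("/", 1)[1] for v in allow_values(key, project, SUBNETS)]
        print(f"{key}: {names}")
    print("data (anchored):",
          [v.rsplit("/", 1)[1] for v in allow_values("data", PROJECTS["data"], SUBNETS, anchored=True)])

    # Constructed: values currently in state for "dataanalytics". The qa subnet
    # is absent from the remote-state output above, so the plan would remove it.
    state = [
        SUBNETS[0],
        "projects/tt-pr-infraservices-qa/regions/us-east4/subnetworks/tt-sub-dataanalytics-qa-compute",
        SUBNETS[1],
    ]
    print(plan_diff(allow_values("dataanalytics", PROJECTS["dataanalytics"], SUBNETS), state))
```

If a subnet you expect to stay shows up under "remove", check in this order: the remote-state outputs actually still contain it (the data block reads whatever the other workspace last wrote), the subnet name still matches `tt-sub-<key>...`, and no `additional_allowed_vpc_subnets` pattern was meant literally but contains regex metacharacters.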
edwardmedia commented 1 year ago

@balaji2711996 it is hard for me to repro by guessing the values for the variables. Can you provide a hardcoded config that demonstrates the issue?

balaji2711996 commented 1 year ago

Can you please let us know which variable values are required, as some can be company-specific and cannot be shared?

edwardmedia commented 1 year ago

@balaji2711996 you should redact any secrets in the config. I want a config with which I can repro the issue.

balaji2711996 commented 1 year ago

{
  "mode": "managed",
  "type": "google_folder_organization_policy",
  "name": "shared_vpc_subnets",
  "provider": "provider[\"registry.terraform.io/hashicorp/google\"]",
  "instances": [
    {
      "index_key": "dataanalytics",
      "schema_version": 0,
      "attributes": {
        "boolean_policy": [],
        "constraint": "constraints/compute.restrictSharedVpcSubnetworks",
        "etag": "CIO8o40GEKDsuEY=",
        "folder": "folders/795966318827",
        "id": "folders/795966318827/compute.restrictSharedVpcSubnetworks",
        "list_policy": [
          {
            "allow": [
              {
                "all": false,
                "values": [
                  "projects/tt-pr-infraservices-eng/regions/us-east4/subnetworks/tt-sub-dataanalytics-eng-composernodes",
                  "projects/tt-pr-infraservices-eng/regions/us-east4/subnetworks/tt-sub-dataanalytics-eng-compute",
                  "projects/tt-pr-infraservices-eng/regions/us-east4/subnetworks/tt-sub-dataanalytics-eng-loadbalancers",
                  "projects/tt-pr-infraservices-innov/regions/us-east4/subnetworks/tt-sub-dataanalytics-innov-composernodes",
                  "projects/tt-pr-infraservices-innov/regions/us-east4/subnetworks/tt-sub-dataanalytics-innov-compute",
                  "projects/tt-pr-infraservices-innov/regions/us-east4/subnetworks/tt-sub-dataanalytics-innov-loadbalancers",
                  "projects/tt-pr-infraservices-prod/regions/us-east4/subnetworks/tt-sub-dataanalytics-prod-composernodes",
                  "projects/tt-pr-infraservices-prod/regions/us-east4/subnetworks/tt-sub-dataanalytics-prod-compute",
                  "projects/tt-pr-infraservices-prod/regions/us-east4/subnetworks/tt-sub-dataanalytics-prod-loadbalancers",
                  "projects/tt-pr-infraservices-qa/regions/us-east4/subnetworks/tt-sub-dataanalytics-qa-composernodes",
                  "projects/tt-pr-infraservices-qa/regions/us-east4/subnetworks/tt-sub-dataanalytics-qa-compute",
                  "projects/tt-pr-infraservices-qa/regions/us-east4/subnetworks/tt-sub-dataanalytics-qa-loadbalancers"
                ]
              }
            ],
            "deny": [],
            "inherit_from_parent": true,
            "suggested_value": ""
          }
        ],
        "restore_policy": [],
        "timeouts": null,
        "update_time": "2021-12-02T14:53:55.147732Z",
        "version": 0
      },

edwardmedia commented 1 year ago

@balaji2711996 the output does not help much for me to understand the problem.

Do you have a config like the one below to share so I can directly apply it and see the issue? Please make sure to hardcode all variables, and detail the steps.

resource "google_folder_organization_policy" "services_policy" {
  folder     = "folders/123456789"
  constraint = "serviceuser.services"

  list_policy {
    allow {
      all = true
    }
  }
}

edwardmedia commented 1 year ago

@balaji2711996 is this still an issue?

edwardmedia commented 1 year ago

@balaji2711996 closing this assuming it is no longer an issue

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.