hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

`google_scc_notification_config` returns a 400 for invalid argument #15738

Open lognarly opened 1 year ago

lognarly commented 1 year ago

Terraform Version

Terraform Version: 1.5.4
Step #0 - "terraform init": Pulling image: hashicorp/terraform:1.5.4

Google Provider version: 4.77.0 (also tested with same result on 4.79.0)
Step #0 - "terraform init": - Installing hashicorp/google v4.77.0...

Affected Resource(s)

Terraform Configuration Files

resource "google_scc_notification_config" "public_dataset" {
  count        = var.compliance_settings["public_dataset"] == true ? 1 : 0
  config_id    = "bigquery-public-dataset"
  organization = var.google_org_number
  description  = "A dataset is configured to be open to public access."
  pubsub_topic = data.google_pubsub_topic.main.id

  streaming_config {
    filter = "category=\"PUBLIC_DATASET\" AND state=\"ACTIVE\" AND NOT mute=\"MUTED\""
  }
}

var.google_org_number is a string of my GCP org, and the pubsub is being read via a data object in a separate project.

Expected Behavior

A google_scc_notification_config resource is created.

Actual Behavior

Receiving a 400 error during apply, plan runs fine:

Step #2 - "terraform apply": Error: Error creating NotificationConfig: googleapi: Error 400: Request contains an invalid argument.

Additional Testing

I was able to use the exact same configuration via the gcloud CLI, although it gave a weird warning back:

> gcloud scc notifications create bigquery-public-dataset \
>   --organization=<ORG NUMBER>\
>   --description="A dataset is configured to be open to public access." \
>   --pubsub-topic="projects/<PROJECT>/topics/<TOPIC>" \
>   --filter="category=\"PUBLIC_DATASET\" AND state=\"ACTIVE\" AND NOT mute=\"MUTED\""
Created.
WARNING: The following filter keys were not present in any resource : category, mute, state

b/308248058

edwardmedia commented 1 year ago

@lognarly can you share the debug log for the terraform apply?

lognarly commented 1 year ago

> @lognarly can you share the debug log for the terraform apply?

This is the debug log that throws the error. We are running this through Cloud Build so the error logging is less than ideal, but this is the best I can really do:

Step #2 - "terraform apply": 2023-09-07T13:50:22.310Z [DEBUG] provider.terraform-provider-google_v4.77.0_x5:     "message": "Request contains an invalid argument.",

Step #2 - "terraform apply": 2023-09-07T13:50:22.310Z [DEBUG] provider.terraform-provider-google_v4.77.0_x5:     "status": "INVALID_ARGUMENT"

Step #2 - "terraform apply": 2023-09-07T13:50:22.311Z [ERROR] provider.terraform-provider-google_v4.77.0_x5: Response contains error diagnostic: @caller=github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/diag/diagnostics.go:55 tf_proto_version=5.3 tf_req_id=3b14b40d-d673-9045-4d9a-aedbb2b3b327 tf_resource_type=google_scc_notification_config tf_provider_addr=registry.terraform.io/hashicorp/google tf_rpc=ApplyResourceChange @module=sdk.proto diagnostic_detail= diagnostic_severity=ERROR diagnostic_summary="Error creating NotificationConfig: googleapi: Error 400: Request contains an invalid argument." timestamp=2023-09-07T13:50:22.308Z

Step #2 - "terraform apply": 2023-09-07T13:50:22.312Z [ERROR] vertex "module.compliance[0].google_scc_notification_config.public_dataset[0]" error: Error creating NotificationConfig: googleapi: Error 400: Request contains an invalid argument.

Step #2 - "terraform apply": Error: Error creating NotificationConfig: googleapi: Error 400: Request contains an invalid argument.

lognarly commented 12 months ago

Are there any updates on this issue? Or possibly any additional steps I can take to help figure this out?

lognarly commented 12 months ago

Looks like for some reason this is only happening in a specific GCP organization (same code works in another org). Are there some specific organization policies that could be causing a 400 with the poor error message?

shuyama1 commented 12 months ago

Thanks for the input. I'm taking a look now

lognarly commented 11 months ago

This turned out to be related to permissions on the service account deploying the configuration. Would be nice if a useful error message was spit back rather than a generic 400
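The thread ends with the root cause (the deploying service account lacked permissions) but does not show what the account needs. The configuration below is an added example, not code from the issue or from the provider: it grants the deploying service account the roles Google's Security Command Center documentation lists for creating notification configs, then declares the same notification config with explicit dependencies on those grants. Creating a NotificationConfig also has the API set the IAM policy on the Pub/Sub topic (so the SCC notification service agent can publish to it), which is why a topic-level Pub/Sub Admin grant is required in addition to the org-level role. `var.deployer_sa`, `var.pubsub_project` and `var.pubsub_topic_name` are assumed inputs; confirm the role list against the current documentation for your organization.

```hcl
# Added example (not from the issue or the provider): IAM the deploying
# service account needs before google_scc_notification_config can be created.
# var.deployer_sa, var.pubsub_project and var.pubsub_topic_name are assumed
# inputs; var.google_org_number is the org number string used in the issue.

variable "deployer_sa" {
  description = "Email of the service account Terraform (here, Cloud Build) runs as"
  type        = string
}

variable "pubsub_project" {
  description = "Project that owns the Pub/Sub topic SCC publishes findings to"
  type        = string
}

variable "pubsub_topic_name" {
  description = "Name of the Pub/Sub topic (without the projects/.../topics/ prefix)"
  type        = string
}

variable "google_org_number" {
  type = string
}

# Org-level permission to create, update and delete notification configs.
resource "google_organization_iam_member" "scc_notification_editor" {
  org_id = var.google_org_number
  role   = "roles/securitycenter.notificationConfigEditor"
  member = "serviceAccount:${var.deployer_sa}"
}

# The Create call sets the topic's IAM policy to let the SCC notification
# service agent publish, so the caller needs pubsub.topics.setIamPolicy on
# the topic; Pub/Sub Admin scoped to this single topic is the narrowest
# predefined role that carries it.
resource "google_pubsub_topic_iam_member" "scc_topic_admin" {
  project = var.pubsub_project
  topic   = var.pubsub_topic_name
  role    = "roles/pubsub.admin"
  member  = "serviceAccount:${var.deployer_sa}"
}

resource "google_scc_notification_config" "public_dataset" {
  config_id    = "bigquery-public-dataset"
  organization = var.google_org_number
  description  = "A dataset is configured to be open to public access."
  pubsub_topic = "projects/${var.pubsub_project}/topics/${var.pubsub_topic_name}"

  streaming_config {
    filter = "category=\"PUBLIC_DATASET\" AND state=\"ACTIVE\" AND NOT mute=\"MUTED\""
  }

  # Make sure the grants exist (and have had a chance to propagate) before
  # the API call that depends on them; without this the first apply can still
  # fail with the same opaque 400.
  depends_on = [
    google_organization_iam_member.scc_notification_editor,
    google_pubsub_topic_iam_member.scc_topic_admin,
  ]
}
```

To separate a permission problem from a provider bug before changing IAM, rerun the `gcloud scc notifications create` command from the issue with `--impersonate-service-account=<DEPLOYER_SA>` so it executes as the same identity Cloud Build uses rather than as your own user (this needs `roles/iam.serviceAccountTokenCreator` on that service account). If the impersonated call fails and the direct call succeeds, the 400 is an authorization failure surfaced as INVALID_ARGUMENT, not a provider defect.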