Closed watsonjm closed 9 months ago
@watsonjm would you be able to hardcode the resources and repro the issue? Please share the config and debug if you can
@edwardmedia good news, no bug here! I did a lot of work on this yesterday to troubleshoot this and get good logs for you, and it turns out the VPC perimeter was blocking the IAMPolicy.TestIamPermissions method on the pubsub API, and I assume that is why I was getting the 403 for unauthorized or not existing. I was still wondering why it wasn't showing in my Terraform plan (it runs in a pipeline only, so no easy console access to just check), so I went over what I did last week and I'm pretty sure I glossed right over it when listing pubsub topics with the gcloud CLI. Thanks for your time!
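An added check, not code from this issue or the provider: it runs over constructed Cloud Audit Log entries and separates a 403 caused by a VPC Service Controls perimeter (a policy audit log entry carrying VpcServiceControlAuditMetadata, as in the TestIamPermissions case above) from an ordinary IAM denial, which looks identical to the caller. The field names follow Cloud Audit Logging's VPC SC denial records as I understand them; the project, principal and perimeter names are placeholders.

```python
from typing import Optional

# Constructed Cloud Audit Log entries, not logs from the issue. Entry 0 mirrors the
# thread: the perimeter denies the provider's TestIamPermissions call on the Pub/Sub
# API, so the caller only sees a 403. Entry 1 is a plain IAM denial; entry 2 succeeds.
SAMPLE_ENTRIES = [
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fpolicy",
     "protoPayload": {
         "serviceName": "pubsub.googleapis.com",
         "methodName": "google.iam.v1.IAMPolicy.TestIamPermissions",
         "resourceName": "projects/example-project/topics/notifications",
         "authenticationInfo": {"principalEmail": "terraform@example-project.iam.gserviceaccount.com"},
         "status": {"code": 7, "message": "Request is prohibited by organization's policy."},
         "metadata": {"@type": "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata",
                      "violationReason": "NO_MATCHING_ACCESS_LEVEL",
                      "securityPolicyInfo": {"servicePerimeterName": "accessPolicies/123/servicePerimeters/enforced"}}}},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "pubsub.googleapis.com",
                      "methodName": "google.pubsub.v1.Publisher.CreateTopic",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "status": {"code": 7, "message": "User not authorized to perform this action."}}},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "pubsub.googleapis.com",
                      "methodName": "google.pubsub.v1.Publisher.CreateTopic",
                      "authenticationInfo": {"principalEmail": "terraform@example-project.iam.gserviceaccount.com"},
                      "status": {}}},
]
VPC_SC_METADATA_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED; clients see it as HTTP 403

def classify_denial(entry: dict) -> Optional[dict]:
    """Summarise a denied call (None if it was not denied). A perimeter block and a plain
    IAM denial both carry PERMISSION_DENIED; only the VPC SC metadata tells them apart."""
    payload = entry.get("protoPayload", {})
    if payload.get("status", {}).get("code") != PERMISSION_DENIED:
        return None
    meta = payload.get("metadata", {})
    by_perimeter = meta.get("@type") == VPC_SC_METADATA_TYPE
    return {
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "cause": "vpc_service_controls" if by_perimeter else "iam",
        "violation_reason": meta.get("violationReason") if by_perimeter else None,
        "perimeter": meta.get("securityPolicyInfo", {}).get("servicePerimeterName") if by_perimeter else None,
    }

def find_perimeter_denials(entries) -> list:
    """Return only the denials that a VPC Service Controls perimeter caused."""
    return [s for s in map(classify_denial, entries) if s and s["cause"] == "vpc_service_controls"]
```

In a real investigation the entries come from a log export or a Logging query filtered on the policy log, and the violation_reason and perimeter fields point at the perimeter rule to adjust rather than at IAM.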
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform Version
Terraform v1.6.5 on darwin_arm64
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
Terraform should attempt to update google_pubsub_topic.notifications, google_scc_notification_config.medium_plus_findings, and google_access_context_manager_service_perimeter.enforced, given the id of google_pubsub_topic.notifications has changed.
Actual Behavior
Terraform is not attempting to update google_pubsub_topic.notifications during a targeted apply to google_access_context_manager_service_perimeter.enforced. I'm running
terraform apply -var-file=./config/tfvars.tfvars -target google_access_context_manager_service_perimeter.enforced -input=false -auto-approve
to apply the perimeter before the rest of my resources. The perimeter depends on a service account from google_scc_notification_config, which depends on google_pubsub_topic. The value of google_pubsub_topic.notifications.id has changed for this run. My terraform apply wants to change google_access_context_manager_service_perimeter.enforced and google_scc_notification_config.medium_plus_findings, but NOT google_pubsub_topic.notifications, which it should due to it being a dependency. This causes the update of google_scc_notification_config.medium_plus_findings to fail, since the topic it wants to assign doesn't exist yet.
Steps to Reproduce
Apply the resources above, update the name of google_pubsub_topic.notifications, and then target a terraform apply to google_access_context_manager_service_perimeter.enforced.
Important Factoids
References
Note
I am working around this by hard-coding the value of the service account rather than pulling it from the resource, but it seems important for the GCP provider to respect resource dependencies.