hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

google_compute_security_policy very slow #18466

Open fawaf opened 2 weeks ago

fawaf commented 2 weeks ago

Terraform Version & Provider Version(s)

Terraform v1.5.7 on linux_amd64

Affected Resource(s)

google_compute_security_policy

Terraform Configuration


resource "google_compute_security_policy" "blah" {
  name        = "blahh-policy"
  description = "Security policy for"
  project     = 123456

  lifecycle {
    ignore_changes = [
      rule,
    ]
  }
}

Debug Output

https://gist.github.com/fawaf/c9fdfaa2a3a53cca043f1a036b3971b5

Expected Behavior

run to completion

Actual Behavior

hangs on pulling all rules

Steps to reproduce

  1. terraform apply

Important Factoids

this tf is run on an existing security policy that contains 2000 rules

References

No response

b/348530015

ggtisc commented 2 weeks ago

Hi @fawaf!

After some tries creating this simple resource, the result was the same: it succeeded without errors and never took more than one minute to be created. I suggest you check external factors like your OS, RAM, processor, capacity of your server, available memory and other involved applications. Also, if you are running a terraform apply that involves more than this resource, you could try to execute this resource alone.

fawaf commented 2 weeks ago

oh, forgot to mention that the security policy itself contains 2000 rules already. basically, running tf on an existing security policy causes this issue.

fawaf commented 2 weeks ago

updated ticket description to reflect that.

ggtisc commented 2 weeks ago

Well, this is definitely the issue. You could decouple your policy into different rules if you want a faster creation, or wait until it finishes.

fawaf commented 2 weeks ago

it succeeded a few times before, but then just started hanging after a few usages. we also are running into a quota issue in that project. i'll report back once we get that solved.

ggtisc commented 2 weeks ago

Yes, this is because you are overcharging the policy. For this reason it is a good practice to decouple your resources as much as possible when you work in cloud engineering. With this you ensure you have clear code that is easier to maintain and reuse (in this case, if you need to reuse some policy rules), and you avoid overcharging API calls.

In the end you could do that, but this increases the timeout.
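
What "decoupling" the rules from the policy looks like in configuration, as an added example that is not from this thread or from the provider's own code. It uses the provider's separate `google_compute_security_policy_rule` resource; the rule map, priorities, descriptions and IP ranges are constructed placeholders, and nothing here is claimed to have been tested against the 2000-rule policy in the report.

```hcl
locals {
  # Hypothetical rule set keyed by priority (constructed sample values,
  # documentation-only IP ranges).
  waf_rules = {
    "1000" = {
      action        = "deny(403)"
      description   = "constructed example: block range A"
      src_ip_ranges = ["192.0.2.0/24"]
    }
    "1001" = {
      action        = "allow"
      description   = "constructed example: allow range B"
      src_ip_ranges = ["198.51.100.0/24"]
    }
  }
}

# The policy from the report, unchanged: inline rules stay ignored here.
resource "google_compute_security_policy" "blah" {
  name        = "blahh-policy"
  description = "Security policy for"
  project     = 123456

  lifecycle {
    ignore_changes = [rule]
  }
}

# One resource instance per rule, so each rule has its own state entry
# and can be planned or applied on its own with -target.
resource "google_compute_security_policy_rule" "decoupled" {
  for_each = local.waf_rules

  project         = google_compute_security_policy.blah.project
  security_policy = google_compute_security_policy.blah.name
  priority        = tonumber(each.key)
  action          = each.value.action
  description     = each.value.description

  match {
    versioned_expr = "SRC_IPS_V1"
    config {
      src_ip_ranges = each.value.src_ip_ranges
    }
  }
}
```

Rules that already exist in the policy have to be imported into state before Terraform manages them through the separate resource; otherwise the apply tries to create rules at priorities that are already taken.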