Open mkurimeti opened 4 months ago
Hi @mkurimeti!
Could you be clearer about what you are looking to delete? Are you looking to delete the entire project, or change the project on the `resource` argument of the `google_access_context_manager_service_perimeter_resource` resource?
After creating the resources with your configuration, which is the same as this terraform registry example, nothing out of the ordinary occurred after `terraform apply` and `terraform delete`, and looking in VPC Service Controls on Google Cloud Console everything was fine, with the following message on the screen:
No VPC Service Perimeters found in current scope
The Google provider version used for this example was 5.36.0 with Terraform version 1.9.1.
Hi @ggtisc,
I am trying to delete/modify the project here (resource = "projects/987654321") but it is unable to remove the projects from the VPCSC perimeter.
In my use case I have modularised the terraform code and am passing the resource as list(objects), iterating the project_ids through the loop. When removing the project ids of the deleted project, the plan detects the changes and the destroy stage also shows the project removed, but it is still showing in the console.
As you can see in the terraform registry alerts of this resource, several adjustments must be made to the project to make use of this service, not just changing the value of the resource, such as ensuring that the `org_id` and billing project match in the provider properties.
This tells us 2 things:
The first is that in addition to having to take care of the complete configuration, the resource is linked to the project configurations, which results in the second, which is a behavior typical of Terraform. With resources like this, whose configurations are linked directly to the project, changing this value in the linked argument (in this case the `resource` argument of the `google_access_context_manager_service_perimeter_resource` service) can internally lead to a create-replace (creating a new resource and deleting the existing one, but only at the terraform state level), or to an error message as in this scenario. But since it occurs only at the terraform state level, it will not be deleted from Google Cloud.
Therefore, the alternatives are to do a `terraform delete` of the resource that you no longer need, after which it will be deleted from the terraform state and the project in Google Cloud, or the other alternative is to clean the involved resources manually from the terraform state and create a new one with a `terraform apply` in a different project with its own configurations on this same project in everything that involves it (`resource`, `service` and `provider` properties).
Hi @ggtisc,
All my configuration is wrt the alerts in the resource, and all the projects were tagged to the same billing project and under one org. And I am not using any User ADCs, I am using a ServiceAccount with all privileges.
By default for the other resources, when we configure the lifecycle it will just ignore the manual changes, and the resources which we configured through terraform we can add and delete. But here it is unable to delete the resource which is configured through terraform in the below attribute when I configured the lifecycle.
```hcl
resource = "projects/987654321"
```
Doesn't this resource support this kind of delete?
The tfvars looks like a terraform file where you are storing some variables as normal. But it isn't clear why you are mentioning that. In the shared example you aren't sharing any code that uses this file.
After some tries the result with the shared code was the same in creation and deletion: successful, without errors.
Terraform Version & Provider Version(s)
Terraform latest on GitLab CI/CD
Affected Resource(s)
```hcl
resource "google_access_context_manager_service_perimeter_resource" "service-perimeter-resource" {
  perimeter_name = google_access_context_manager_service_perimeter.service-perimeter-resource.name
  resource       = "projects/987654321"
}

resource "google_access_context_manager_service_perimeter" "service-perimeter-resource" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/restrict_all"
  title  = "restrict_all"
  status {
    restricted_services = ["storage.googleapis.com"]
  }

  # Members are managed by the separate *_perimeter_resource above, so changes to
  # the perimeter's own resource list are ignored here.
  lifecycle {
    ignore_changes = [status[0].resources]
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}
```
While updating and deleting the values from the tfvars for this argument (`resource = "projects/987654321"`), it is able to add new projects, but it is unable to delete the projects from the VPCSC perimeter when removing the projects from tfvars.
Terraform Configuration
Running the terraform pipeline on GitLab CI/CD and for the runner using the terraform latest image from the docker registry.
Debug Output
Unable to delete the project while removing it from the tfvars. In the plan output it shows that it needs to delete, and after apply it also shows the deletion as successful. But it is not removing the project from the VPCSC perimeter when I verify from the GCP Cloud console.
Expected Behavior
It needs to remove the project from the VPCSC perimeter, even when lifecycle is configured on the status block, when we delete the project from tfvars.
Actual Behavior
Unable to delete the project while removing from the tfvars.
Steps to reproduce
terraform apply
Important Factoids
No response
References
No response
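The symptom reported under Debug Output (Terraform reports a successful removal while the project stays in the perimeter) is drift between state and what VPC Service Controls actually enforces, and it is only visible by comparing the two. The following is an added example, not code from the issue or the provider: it reconciles the members declared in `terraform show -json` output (walking child modules, since the reporter's code is modularised) against the perimeter's actual `status.resources` as returned by `gcloud access-context-manager perimeters describe --format=json`. Both inputs are constructed samples; the access policy id `111` and module name `vpcsc` are assumptions.

```python
"""Detect drift between the VPC Service Controls perimeter members Terraform
believes it manages and what the perimeter actually enforces."""
import json

MEMBER_TYPE = "google_access_context_manager_service_perimeter_resource"
PERIMETER = "accessPolicies/111/servicePerimeters/restrict_all"  # assumed policy id

# Constructed sample of `terraform show -json`: one member declared at the root,
# one inside a child module (the reporter's modularised layout).
STATE_JSON = json.dumps({"format_version": "1.0", "values": {"root_module": {
    "resources": [{"address": f"{MEMBER_TYPE}.a", "type": MEMBER_TYPE,
                   "values": {"perimeter_name": PERIMETER, "resource": "projects/111111111"}}],
    "child_modules": [{"address": "module.vpcsc", "resources": [
        {"address": f'module.vpcsc.{MEMBER_TYPE}.m["p2"]', "type": MEMBER_TYPE,
         "values": {"perimeter_name": PERIMETER, "resource": "projects/222222222"}}]}]}}})

# Constructed sample of `gcloud access-context-manager perimeters describe
# restrict_all --policy=111 --format=json`: projects/987654321 was removed from
# tfvars and applied, yet the perimeter still enforces it.
PERIMETER_JSON = json.dumps({"name": PERIMETER, "status": {
    "resources": ["projects/111111111", "projects/222222222", "projects/987654321"],
    "restrictedServices": ["storage.googleapis.com"]}})


def declared_members(state_json: str) -> dict[str, set[str]]:
    """Collect declared members per perimeter, walking root and nested child modules."""
    out: dict[str, set[str]] = {}

    def walk(module: dict) -> None:
        for res in module.get("resources", []):
            if res.get("type") == MEMBER_TYPE:
                vals = res["values"]
                out.setdefault(vals["perimeter_name"], set()).add(vals["resource"])
        for child in module.get("child_modules", []):
            walk(child)

    walk(json.loads(state_json)["values"]["root_module"])
    return out


def perimeter_drift(state_json: str, perimeter_json: str) -> tuple[set[str], set[str]]:
    """Return (stale, missing). stale = enforced in GCP but no longer declared in
    Terraform (this issue's symptom); missing = declared but not yet enforced."""
    perimeter = json.loads(perimeter_json)
    actual = set(perimeter.get("status", {}).get("resources", []))
    declared = declared_members(state_json).get(perimeter["name"], set())
    return actual - declared, declared - actual
```

Feeding the real `terraform show -json` and `gcloud ... describe` output from the pipeline into `perimeter_drift` turns the console check the reporter did by hand into a post-apply gate: a non-empty stale set is exactly the condition described in this issue.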