hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

"google_access_context_manager_service_perimeter" this resource is unable to delete project while configuring lifecycle. #18626

Open mkurimeti opened 4 months ago

mkurimeti commented 4 months ago

Terraform Version & Provider Version(s)

Terraform latest on GitLab CI/CD

Affected Resource(s)

resource "google_access_context_manager_service_perimeter_resource" "service-perimeter-resource" {
  perimeter_name = google_access_context_manager_service_perimeter.service-perimeter-resource.name
  resource       = "projects/987654321"
}

resource "google_access_context_manager_service_perimeter" "service-perimeter-resource" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/restrict_all"
  title  = "restrict_all"

  status {
    restricted_services = ["storage.googleapis.com"]
  }

  lifecycle {
    ignore_changes = [status[0].resources]
  }
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}

While updating and deleting the values from the tfvars for this argument: resource = "projects/987654321"

It is able to add new projects, but it is unable to delete the projects from the VPCSC perimeter when removing the projects from tfvars.

Terraform Configuration

Running the terraform pipeline on GitLab CI/CD; the runner uses the terraform latest image from the docker registry.

Debug Output

Unable to delete the project while removing it from the tfvars. In the plan output it shows that it needs to delete, and after apply it also shows the deletion as successful. But it is not removing the project from the VPCSC perimeter when I verify from the GCP Cloud console.

Expected Behavior

It needs to remove the project from the VPCSC perimeter when we delete the project from tfvars, even though lifecycle is configured on the status block.

Actual Behavior

Unable to delete the project while removing it from the tfvars.

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

No response

ggtisc commented 4 months ago

Hi @mkurimeti!

Could you be clearer about what you are looking to delete? Are you looking to delete the entire project, or to change the project in the resource argument of the google_access_context_manager_service_perimeter_resource resource?

After creating the resources with your configuration, which is the same as this terraform registry example, nothing out of the ordinary occurred after terraform apply and terraform delete, and looking in VPC Service Controls on the Google Cloud Console everything was fine, with the following message on the screen:

No VPC Service Perimeters found in current scope

The Google provider version used for this example was 5.36.0 with Terraform version 1.9.1.

mkurimeti commented 4 months ago

Hi @ggtisc,

I am trying to delete/modify the project here (resource = "projects/987654321"), but it is unable to remove the projects from the VPCSC perimeter.

In my use case I have modularised the terraform code and am passing the resource as list(objects), iterating through the project ids in a loop. When removing the project ids of the deleted project, the plan detects the changes and the destroy stage also shows the project removed, but it is still showing in the console.
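As an added example (not code from the issue, the provider, or the registry docs), this is one way to express the pattern described above: the perimeter keeps ignore_changes on status[0].resources, and membership is one google_access_context_manager_service_perimeter_resource instance per project driven by for_each, so that dropping an entry from the variable plans a destroy of exactly that instance. The variable name, the object shape and the second project number are assumptions; the org, policy and first project number come from the configuration posted in the issue.

```hcl
# Added example, not code from the issue or the provider docs.
# Variable name, object shape and the second project number are assumptions.
variable "perimeter_projects" {
  type = list(object({
    project_number = string
  }))
  default = [
    { project_number = "987654321" },
    { project_number = "555555555" }, # constructed sample value
  ]
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}

resource "google_access_context_manager_service_perimeter" "service-perimeter-resource" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/restrict_all"
  title  = "restrict_all"

  status {
    restricted_services = ["storage.googleapis.com"]
  }

  # Membership is managed by the separate *_perimeter_resource instances
  # below, so the perimeter itself must ignore drift on status[0].resources.
  lifecycle {
    ignore_changes = [status[0].resources]
  }
}

# Key the map by project number, not by list index: removing one entry from
# the variable then plans a destroy for exactly that instance, instead of
# shifting every later entry onto a new key and replacing it.
resource "google_access_context_manager_service_perimeter_resource" "member" {
  for_each = { for p in var.perimeter_projects : p.project_number => p }

  perimeter_name = google_access_context_manager_service_perimeter.service-perimeter-resource.name
  resource       = "projects/${each.key}"
}
```

After removing an entry, `terraform plan` should list a single `google_access_context_manager_service_perimeter_resource.member["<number>"]` to be destroyed; a plan that shows other members being replaced indicates the instances are keyed by position rather than by project number.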

ggtisc commented 4 months ago

As you can see in the terraform registry alerts for this resource, several adjustments must be made to the project to make use of this service, not just changing the value of the resource, such as ensuring that the org_id and billing project match in the provider properties.

This tells us 2 things:

The first is that, in addition to having to take care of the complete configuration, the resource is linked to the project configurations. This results in the second, which is a behavior typical of Terraform: with resources like this, whose configurations are linked directly to the project, changing this value in the linked argument (in this case the resource argument of the google_access_context_manager_service_perimeter_resource service) can internally lead to a create-replace (creating a new resource and deleting the existing one, but only at the terraform state level), or to an error message as in this scenario. But since it occurs only at the terraform state level, it will not be deleted from Google Cloud.

Therefore, the alternatives are to do a terraform delete of the resource that you no longer need, after which it will be deleted from the terraform state and the project in Google Cloud; or to clean the involved resources manually from the terraform state and create a new one with a terraform apply in a different project, with its own configurations on this same project in everything that involves it (resource, service and provider properties).

mkurimeti commented 4 months ago

Hi @ggtisc ,

All my configurations are as per the alerts in the resource, and all the projects are tagged to the same billing project and under one org. And I am not using any user ADCs; I am using a ServiceAccount with all privileges.

By default, for the other resources, when we configure the lifecycle it just ignores the manual changes, and we can add and delete the resources which we configured through terraform. But here it is unable to delete the resource which is configured through terraform in the below attribute when I configure the lifecycle.

resource = "projects/987654321"

Doesn't this resource support this kind of delete?

ggtisc commented 4 months ago

The tfvars looks like a terraform file where you are storing some variables as normal. But it isn't clear why you are mentioning that. In the shared example you aren't sharing any code that uses this file.

After some tries the result with the shared code was the same in creation and deletion, successful without errors.