hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

'compute.googleapis.com' not configured via Terraform/Google Provider while using 'google_project_services' #3720

Closed ameyaptk closed 5 years ago

ameyaptk commented 5 years ago

Community Note

Terraform Version

0.12.0

Affected Resource(s)

Terraform Configuration Files

Here is the snippet from main.tf which creates a resource project and enables API services on the project.

main.tf

module "project_01" {
  source = "../../../modules/project/service-projects"

  project_name = "test"
  folder_id    = data.terraform_remote_state.folders.outputs.folder_shared_id
  host_proj_id = data.terraform_remote_state.host_projects.outputs.project_network_id
  services     = ["compute.googleapis.com", "cloudresourcemanager.googleapis.com", "cloudbilling.googleapis.com", "bigquery-json.googleapis.com"]
}

The module is defined as:

# Enable services defined by user
resource "google_project_services" "project_services" {
  project = "${google_project.project.project_id}"
  services = "${var.services}"
}

The plan created is:

 # module.project_01.google_project_services.project_services will be created
  + resource "google_project_services" "project_services" {
      + disable_on_destroy = true
      + id                 = (known after apply)
      + project            = (known after apply)
      + services           = [
          + "bigquery-json.googleapis.com",
          + "cloudbilling.googleapis.com",
          + "cloudresourcemanager.googleapis.com",
          + "compute.googleapis.com",
        ]
    }

No errors are seen while applying.

Expected Behavior

We expect the 4 APIs above to be enabled on the project.

Actual Behavior

Only 3 (all except compute.googleapis.com) are enabled.

Important Factoids

Funny thing is, if I run plan again right after the apply above, it shows the following. Note the '+' next to compute.googleapis.com. Which means it was never applied?

  # module.project_01.google_project_services.project_services will be updated in-place
  ~ resource "google_project_services" "project_services" {
        disable_on_destroy = true
        id                 = "proj-******"
        project            = "proj-******"
      ~ services           = [
            "bigquery-json.googleapis.com",
            "cloudbilling.googleapis.com",
            "cloudresourcemanager.googleapis.com",
          + "compute.googleapis.com",
        ]
    }

Chupaka commented 5 years ago

A debug log?..

ameyaptk commented 5 years ago

The log enumerates the init, plan and apply processes. svc-proj.log

Also, one thing of note is that while using google_project_services, the resource google_compute_shared_vpc_service_project is not executed. This resource is used to attach a service-project to a host-project.

main.tf -

# Attach service project to host project
resource "google_compute_shared_vpc_service_project" "new_service_project" {
  host_project = "${var.host_proj_id}"
  service_project = "${google_project.project.project_id}"
}

Planned, but not executed

  + resource "google_compute_shared_vpc_service_project" "new_service_project" {
      + host_project    = "proj-1b3843f3"
      + id              = (known after apply)
      + service_project = "proj-3996e442"
    }

rileykarson commented 5 years ago

Per the docs (https://www.terraform.io/docs/providers/google/r/google_project_services.html):

Note: This resource attempts to be the authoritative source on all enabled APIs, which often leads to conflicts when certain actions enable other APIs. If you do not need to ensure that exclusively a particular set of APIs are enabled, you should most likely use the google_project_service resource, one resource per API.

This tends to happen when a dependency isn't being enabled in the google_project_services resource. I believe that the oslogin.googleapis.com API is that dependency. Can you confirm whether the following list is stable if you apply it again?

      ~ services           = [
            "bigquery-json.googleapis.com",
            "cloudbilling.googleapis.com",
            "cloudresourcemanager.googleapis.com",
          + "compute.googleapis.com",
        ]

We'd expect to see the dependencies for compute.googleapis.com enabled in the next apply after this.

If you're only interested in enabling individual services and not managing them authoritatively, try using google_project_service instead.
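
The non-authoritative alternative suggested above, as an added example (not code from the reporter's module or from the provider project). It assumes the module's existing `google_project.project` resource and `host_proj_id` variable, uses `count` because the reported Terraform version is 0.12.0, and the resource label `enabled` is hypothetical.

```hcl
# Added example: one google_project_service per API instead of the
# authoritative google_project_services resource.
variable "services" {
  type = list(string)
  default = [
    "compute.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "cloudbilling.googleapis.com",
    "bigquery-json.googleapis.com",
  ]
}

# Each instance enables exactly one API. APIs that are enabled outside
# this list (for example dependencies switched on as a side effect of
# enabling another API) are left alone, so the plan does not try to
# disable them on the next run.
resource "google_project_service" "enabled" {
  # count is index-based: removing an entry from the middle of the list
  # shifts the later instances. On Terraform 0.12.6 or newer,
  # for_each = toset(var.services) avoids that.
  count   = length(var.services)
  project = google_project.project.project_id
  service = var.services[count.index]

  # Do not disable the API when this resource is removed from the
  # configuration; other resources in the project may still rely on it.
  disable_on_destroy = false
}

# Attach service project to host project.
resource "google_compute_shared_vpc_service_project" "new_service_project" {
  host_project    = var.host_proj_id
  service_project = google_project.project.project_id

  # Assumption (not confirmed in this thread): wait for the APIs to be
  # enabled before attempting the Shared VPC attachment.
  depends_on = [google_project_service.enabled]
}
```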

ameyaptk commented 5 years ago

> Per the docs (https://www.terraform.io/docs/providers/google/r/google_project_services.html):
>
> Note: This resource attempts to be the authoritative source on all enabled APIs, which often leads to conflicts when certain actions enable other APIs. If you do not need to ensure that exclusively a particular set of APIs are enabled, you should most likely use the google_project_service resource, one resource per API.
>
> This tends to happen when a dependency isn't being enabled in the google_project_services resource. I believe that the oslogin.googleapis.com API is that dependency. Can you confirm whether the following list is stable if you apply it again?
>
>       ~ services           = [
>             "bigquery-json.googleapis.com",
>             "cloudbilling.googleapis.com",
>             "cloudresourcemanager.googleapis.com",
>           + "compute.googleapis.com",
>         ]
>
> We'd expect to see the dependencies for compute.googleapis.com enabled in the next apply after this.
>
> If you're only interested in enabling individual services and not managing them authoritatively, try using google_project_service instead.

I was unable to re-run the plan as I got an error with the google_compute_shared_vpc_service_project resource saying that project/proj-3996e442 did not exist. I fail to understand how google_project_services should affect google_compute_shared_vpc_service_project.

rileykarson commented 5 years ago

I'm not sure! Can you isolate the resources and try again?

RoGryza commented 5 years ago

I had the same problem. Following @rileykarson's hint that it was due to dependencies being disabled, I just added all the services that terraform plan indicated would be disabled to the services list, and now it works.

rileykarson commented 5 years ago

I'm going to close this out as stale & based on @RoGryza's success. If this reoccurs, please file a new issue or bump this one.
