hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

Google beta incorrectly replaces project for policy attestor. #3729

Closed steakunderscore closed 5 years ago

steakunderscore commented 5 years ago

Terraform Version

Terraform v0.11.7 plugin.terraform-provider-google-beta_v2.7.0_x4

Affected Resource(s)

google_binary_authorization_policy.policy

Terraform Configuration Files

# Terraform 0.11 syntax, provider google-beta v2.7.0
resource "google_binary_authorization_policy" "policy" {
  project  = "the-kube-project"
  provider = "google-beta"

  # One block per pattern. A single block that repeats name_pattern keeps only
  # the last value, which is why the plan output below lists just "k8s.gcr.io/*".
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google_containers/*"
  }
  admission_whitelist_patterns {
    name_pattern = "gcr.io/google-containers/*"
  }
  admission_whitelist_patterns {
    name_pattern = "gcr.io/stackdriver-agents/*"
  }
  admission_whitelist_patterns {
    name_pattern = "k8s.gcr.io/*"
  }

  # Deny anything not matched by a cluster rule; DRYRUN only audit-logs, it never blocks.
  default_admission_rule {
    evaluation_mode  = "ALWAYS_DENY"
    enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY"
  }

  # Cluster key is "<location>.<cluster name>", e.g. europe-west2-b.kube.
  cluster_admission_rules {
    cluster          = "${var.gke_availability_zone}.${var.cluster_name}"
    evaluation_mode  = "REQUIRE_ATTESTATION"
    enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY"

    # The attestor lives in a different project from the cluster, so the
    # reference must stay fully qualified.
    require_attestations_by = [
      "projects/the-attestations-project/attestors/the-build-attestor",
    ]
  }
}

Debug Output

Terraform will perform the following actions:

  + google_binary_authorization_policy.policy
      id:                                                                    <computed>
      admission_whitelist_patterns.#:                                        "1"
      admission_whitelist_patterns.0.name_pattern:                           "k8s.gcr.io/*"
      cluster_admission_rules.#:                                             "1"
      cluster_admission_rules.3919992327.cluster:                            "europe-west2-b.kube"
      cluster_admission_rules.3919992327.enforcement_mode:                   "DRYRUN_AUDIT_LOG_ONLY"
      cluster_admission_rules.3919992327.evaluation_mode:                    "REQUIRE_ATTESTATION"
      cluster_admission_rules.3919992327.require_attestations_by.#:          "1"
      cluster_admission_rules.3919992327.require_attestations_by.2808596407: "projects/the-attestations-project/attestors/the-build-attestor"
      default_admission_rule.#:                                              "1"
      default_admission_rule.0.enforcement_mode:                             "DRYRUN_AUDIT_LOG_ONLY"
      default_admission_rule.0.evaluation_mode:                              "ALWAYS_DENY"
      project:                                                               "the-kube-project"

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

google_binary_authorization_policy.policy: Creating...
  admission_whitelist_patterns.#:                                        "" => "1"
  admission_whitelist_patterns.0.name_pattern:                           "" => "k8s.gcr.io/*"
  cluster_admission_rules.#:                                             "" => "1"
  cluster_admission_rules.3919992327.cluster:                            "" => "europe-west2-b.kube"
  cluster_admission_rules.3919992327.enforcement_mode:                   "" => "DRYRUN_AUDIT_LOG_ONLY"
  cluster_admission_rules.3919992327.evaluation_mode:                    "" => "REQUIRE_ATTESTATION"
  cluster_admission_rules.3919992327.require_attestations_by.#:          "" => "1"
  cluster_admission_rules.3919992327.require_attestations_by.2808596407: "" => "projects/the-attestations-project/attestors/the-build-attestor"
  default_admission_rule.#:                                              "" => "1"
  default_admission_rule.0.enforcement_mode:                             "" => "DRYRUN_AUDIT_LOG_ONLY"
  default_admission_rule.0.evaluation_mode:                              "" => "ALWAYS_DENY"
  project:                                                               "" => "the-kube-project"

Error: Error applying plan:

1 error(s) occurred:

* google_binary_authorization_policy.policy: 1 error(s) occurred:

* google_binary_authorization_policy.policy: Error creating Policy: googleapi: Error 404: Resource projects/the-kube-project/attestors/the-build-attestor does not exist.

Expected Behaviour

I'm running Kubernetes on GCP using Binary Authorisation with the multi-project setup. I expect to be able to write policies to the project using TF where the attestor and attestations are in a different project to the cluster.

The cluster is running on the-kube-project, while the attestors and attestations are in the-attestations-project. It looks like TF is reading the config correctly:

cluster_admission_rules.3919992327.require_attestations_by.2808596407: "projects/the-attestations-project/attestors/the-build-attestor"

But when it goes to apply the config, it seems to be looking in the wrong project for the attestor:

1 error(s) occurred:

* google_binary_authorization_policy.policy: 1 error(s) occurred:

* google_binary_authorization_policy.policy: Error creating Policy: googleapi: Error 404: Resource projects/the-kube-project/attestors/the-build-attestor does not exist.

The error message is technically correct: the referenced attestor doesn't exist. But I should not be replacing the project, so it is looking in the wrong project for the attestor.

Steps to Reproduce

Using above config

  1. terraform apply

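A pre-apply check for this kind of cross-project reference, added here as an example and not code from the provider or from the issue: it parses the flattened attribute listing that Terraform 0.11 prints in a plan (the format shown above), pulls every attestor named under require_attestations_by, confirms each one is a fully-qualified projects/<project>/attestors/<name> reference in the expected attestations project, and matches a googleapi 404 back against the plan so a project swap like the one reported is visible before anyone concludes the attestor really is missing. The sample plan and error text are constructed from this issue's output; the function names and the attestations_project parameter are assumptions of the example.

```python
"""Pre-apply sanity check for a google_binary_authorization_policy plan.

Added example, not part of terraform-provider-google. Reads the flattened
attribute listing Terraform 0.11 prints, checks attestor references, and
explains a 404 that names the wrong project.
"""
import re
from typing import Dict, List, Optional

# Fully-qualified attestor name. Project IDs are 6-30 chars of lowercase
# letters, digits and hyphens, starting with a letter.
ATTESTOR_RE = re.compile(
    r"^projects/(?P<project>[a-z][-a-z0-9]{4,28}[a-z0-9])/attestors/(?P<name>[^/]+)$"
)
# One 'key: "value"' or 'key: "" => "value"' line of Terraform 0.11 plan/apply output.
PLAN_LINE_RE = re.compile(r'^\s*(?P<key>[\w.#]+):\s+(?:"[^"]*" => )?"(?P<value>[^"]*)"\s*$')
# Keys under which the provider lists required attestors (set-hashed index at the end).
ATTESTOR_KEY_RE = re.compile(r"\.require_attestations_by\.\d+$")
# Resource path inside the googleapi 404 quoted in the issue.
NOT_FOUND_RE = re.compile(r"Resource (?P<path>projects/[^/\s]+/attestors/[^/\s]+) does not exist")

# Constructed sample: the plan and error from this issue, trimmed.
SAMPLE_PLAN = """
  + google_binary_authorization_policy.policy
      id:                                                                    <computed>
      admission_whitelist_patterns.0.name_pattern:                           "k8s.gcr.io/*"
      cluster_admission_rules.3919992327.cluster:                            "europe-west2-b.kube"
      cluster_admission_rules.3919992327.evaluation_mode:                    "REQUIRE_ATTESTATION"
      cluster_admission_rules.3919992327.require_attestations_by.#:          "1"
      cluster_admission_rules.3919992327.require_attestations_by.2808596407: "projects/the-attestations-project/attestors/the-build-attestor"
      project:                                                               "the-kube-project"
"""
SAMPLE_ERROR = ("Error creating Policy: googleapi: Error 404: Resource "
                "projects/the-kube-project/attestors/the-build-attestor does not exist.")


def parse_plan(plan_text: str) -> Dict[str, str]:
    """Return the planned (new) value of every quoted attribute in the listing."""
    attrs: Dict[str, str] = {}
    for line in plan_text.splitlines():
        m = PLAN_LINE_RE.match(line)
        if m:
            attrs[m.group("key")] = m.group("value")
    return attrs


def attestor_refs(attrs: Dict[str, str]) -> List[str]:
    """Every attestor listed under a require_attestations_by set, in key order."""
    return [v for k, v in sorted(attrs.items()) if ATTESTOR_KEY_RE.search(k)]


def check_policy(attrs: Dict[str, str], attestations_project: Optional[str] = None) -> List[str]:
    """Findings about attestor references; an empty list means the plan looks right.

    attestations_project is the project that should own every attestor (the
    multi-project setup from the issue). When given, a reference to any other
    project, including the policy's own project, is reported.
    """
    findings: List[str] = []
    policy_project = attrs.get("project", "<unknown>")
    for ref in attestor_refs(attrs):
        m = ATTESTOR_RE.match(ref)
        if not m:
            findings.append(f"not a fully-qualified attestor name: {ref!r}")
            continue
        if attestations_project and m.group("project") != attestations_project:
            findings.append(
                f"attestor {m.group('name')!r} is referenced in project {m.group('project')!r}, "
                f"expected {attestations_project!r} (policy project is {policy_project!r})"
            )
    return findings


def diagnose_not_found(attrs: Dict[str, str], error_message: str) -> Optional[str]:
    """Match a googleapi 404 against the planned references.

    Returns a description when the attestor named in the error appears in the
    plan under a different project (the symptom in this issue), else None.
    """
    m = NOT_FOUND_RE.search(error_message)
    looked_up = ATTESTOR_RE.match(m.group("path")) if m else None
    if not looked_up:
        return None
    for ref in attestor_refs(attrs):
        planned = ATTESTOR_RE.match(ref)
        if (planned and planned.group("name") == looked_up.group("name")
                and planned.group("project") != looked_up.group("project")):
            return (f"plan references {ref!r} but the API looked in project "
                    f"{looked_up.group('project')!r}: the attestor project was replaced")
    return None


if __name__ == "__main__":
    planned = parse_plan(SAMPLE_PLAN)
    for finding in check_policy(planned, attestations_project="the-attestations-project"):
        print("FINDING:", finding)
    print(diagnose_not_found(planned, SAMPLE_ERROR))
```

Run against the issue's own output, check_policy reports nothing (the plan does carry the right project) while diagnose_not_found points at the project swap, which is exactly the split the reporter describes: the config is read correctly and the substitution happens at apply time.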
rileykarson commented 5 years ago

Hey @steakunderscore! Are you able to attach debug logs?

rileykarson commented 5 years ago

https://github.com/hashicorp/terraform/issues/21498 appears to be the cause. I'll work around this in the provider in the meantime.

steakunderscore commented 5 years ago

Thanks for looking into this @rileykarson. It looks like you have been able to reproduce this, do you still want the debug logs?

rileykarson commented 5 years ago

Yeah, they shouldn't be necessary.

ghost commented 5 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!