Open pfilourenco opened 4 years ago
I can't repro the issue after trying multiple times. Do you see similar plan output? Verify that the right project IDs are shown in the plan output.
# google_compute_shared_vpc_host_project.host will be destroyed
- resource "google_compute_shared_vpc_host_project" "host" {
- id = "test-project1-274319" -> null
- project = "test-project1-274319" -> null
}
# google_compute_shared_vpc_service_project.service1 will be destroyed
- resource "google_compute_shared_vpc_service_project" "service1" {
- host_project = "test-project1-274319" -> null
- id = "test-project1-274319/zinc-authority-275122" -> null
- service_project = "zinc-authority-275122" -> null
}
Plan: 0 to add, 0 to change, 2 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
google_compute_shared_vpc_service_project.service1: Destroying... [id=test-project1-274319/zinc-authority-275122]
google_compute_shared_vpc_service_project.service1: Still destroying... [id=test-project1-274319/zinc-authority-275122, 10s elapsed]
google_compute_shared_vpc_service_project.service1: Destruction complete after 14s
google_compute_shared_vpc_host_project.host: Destroying... [id=test-project1-274319]
google_compute_shared_vpc_host_project.host: Still destroying... [id=test-project1-274319, 10s elapsed]
google_compute_shared_vpc_host_project.host: Destruction complete after 11s
Destroy complete! Resources: 2 destroyed.
# google_compute_shared_vpc_host_project.host_project will be destroyed
- resource "google_compute_shared_vpc_host_project" "host_project" {
- id = "XXX-network-projectXXX-d-1765" -> null
- project = "XXX-network-projectXXX-d-1765" -> null
}
# google_compute_shared_vpc_service_project.service_project_1 will be destroyed
- resource "google_compute_shared_vpc_service_project" "service_project_1" {
- host_project = "XXX-network-projectXXX-d-1765" -> null
- id = "XXX-network-projectXXX-d-1765/ddc-YYY" -> null
- service_project = "ddc-YYY" -> null
}
Plan: 0 to add, 0 to change, 28 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
google_compute_shared_vpc_service_project.service_project_1: Destroying... [id=XXX-network-projectXXX-d-1765/ddc-YYY]
google_compute_shared_vpc_service_project.service_project_1: Destruction complete after 2s
google_compute_shared_vpc_host_project.host_project: Destroying... [id=XXX-network-projectXXX-d-1765]
Error: Error disabling Shared VPC Host "XXX-network-projectXXX-d-1765": googleapi: Error 400: Cannot disable project as a shared VPC host because it has active service projects., badRequest
google_compute_shared_vpc_host_project.host_project: Refreshing state... [id=XXX-network-projectXXX-d-1765]
data.google_compute_zones.available: Refreshing state...
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
- destroy
Terraform will perform the following actions:
# google_compute_shared_vpc_host_project.host_project will be destroyed
- resource "google_compute_shared_vpc_host_project" "host_project" {
- id = "XXX-network-projectXXX-d-1765" -> null
- project = "XXX-network-projectXXX-d-1765" -> null
}
Plan: 0 to add, 0 to change, 1 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
google_compute_shared_vpc_host_project.host_project: Destroying... [id=XXX-network-projectXXX-d-1765]
Error: Error disabling Shared VPC Host "XXX-network-projectXXX-d-1765": googleapi: Error 400: Cannot disable project as a shared VPC host because it has active service projects., badRequest
I'm also having this issue. Terraform says it has completed destroying a service project:
module.github_runners.google_compute_shared_vpc_service_project.service: Destruction complete after 2s
But then I still see it on the GCP dashboard:
When I try to disable the shared VPC host from terraform it's failing in the same fashion as @pfilourenco.
If I try to disable the service project from GCP, it complains that I have resources that depend on it and can't disable it. So, to my understanding, it seems like terraform is ignoring the negative response received by the GCP API when disabling the service project and considering it a success instead.
Hi,
@venkykuberan @MikiLoz92
Yes, in the GCP GUI I can see the service project still attached:
I can detach it without problems via the GUI:
Then, in Terraform, I can destroy successfully.
data.google_compute_zones.available: Refreshing state...
google_compute_shared_vpc_host_project.host_project: Refreshing state... [id=XXX-network-XXX-d-1765]
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
- destroy
Terraform will perform the following actions:
# google_compute_shared_vpc_host_project.host_project will be destroyed
- resource "google_compute_shared_vpc_host_project" "host_project" {
- id = "XXX-network-XXX-d-1765" -> null
- project = "XXX-network-XXX-d-1765" -> null
}
Plan: 0 to add, 0 to change, 1 to destroy.
Do you really want to destroy all resources?
Terraform will destroy all your managed infrastructure, as shown above.
There is no undo. Only 'yes' will be accepted to confirm.
Enter a value: yes
google_compute_shared_vpc_host_project.host_project: Destroying... [id=XXX-network-XXX-d-1765]
google_compute_shared_vpc_host_project.host_project: Still destroying... [id=XXX-network-XXX-d-1765, 10s elapsed]
google_compute_shared_vpc_host_project.host_project: Destruction complete after 12s
Destroy complete! Resources: 1 destroyed.
Looks like Terraform is not detaching the service project.
BR, Pedro Lourenço
Hi, I appear to be suffering from the same issue too.
Terraform v0.12.24 / provider.google v3.20.0
I have lots of resources coming from several modules, but I think the same logic applies.
I have a host project, with a service project attached to it.
The two projects and the attachment comes from this module:
# Generate the random part of the project's id
resource "random_id" "random_project_id" {
  keepers = {
    project_id = var.general["name"]
  }
  byte_length = 3
}

# Create a regular project
resource "google_project" "gcp_project" {
  name                = var.general["name"]
  project_id          = "${var.general["name"]}-${random_id.random_project_id.hex}"
  org_id              = var.settings["org_id"]
  billing_account     = var.settings["billing_account"]
  auto_create_network = lookup(var.settings, "auto_create_network", true)
  labels              = var.labels
}

# Enable API Services on this project
resource "google_project_service" "enable_api_services" {
  for_each           = toset(var.api_services)
  project            = google_project.gcp_project.project_id
  service            = each.key
  disable_on_destroy = false
}

# Enable host project feature for the project, if it's a shared vpc host project
resource "google_compute_shared_vpc_host_project" "shared_vpc_host_project" {
  count      = var.settings["shared_vpc_project_type"] == "host" ? 1 : 0
  depends_on = [google_project_service.enable_api_services]
  project    = google_project.gcp_project.project_id
}

# Get project's default service account
data "google_compute_default_service_account" "default_sa" {
  project = google_project_service.enable_api_services["compute.googleapis.com"].project
}

# Allow service accounts to use vpc networking at project level, if project is a service project
resource "google_project_iam_binding" "network_users_project_binding" {
  count      = var.settings["shared_vpc_project_type"] == "service" ? 1 : 0
  depends_on = [google_project_service.enable_api_services]
  project    = var.settings["shared_vpc_host_project_id"]
  role       = "roles/compute.networkUser"
  members = [
    local.s_account_fmt,
    local.api_s_account_fmt,
    local.gke_s_account_fmt,
  ]
}

# Allow service accounts to use vpc networking at cluster level, if project is a service project
resource "google_project_iam_binding" "gke_host_agent_project_binding" {
  count      = var.settings["shared_vpc_project_type"] == "service" ? 1 : 0
  depends_on = [google_project_service.enable_api_services]
  project    = var.settings["shared_vpc_host_project_id"]
  role       = "roles/container.hostServiceAgentUser"
  members = [
    local.s_account_fmt,
    local.api_s_account_fmt,
    local.gke_s_account_fmt,
  ]
}

# Link service project to host project
resource "google_compute_shared_vpc_service_project" "service_project_attachment" {
  count           = var.settings["shared_vpc_project_type"] == "service" ? 1 : 0
  host_project    = var.settings["shared_vpc_host_project_id"]
  service_project = google_project.gcp_project.project_id
}
When I destroy everything, Terraform says that the attachment and the service project are destroyed:
module.service_project1.google_compute_shared_vpc_service_project.service_project_attachment[0]: Destroying... [id=tf-dev-host1-9ccb2c/tf-dev-service1-911c79]
module.service_project1.google_compute_shared_vpc_service_project.service_project_attachment[0]: Destruction complete after 1s
module.service_project1.google_project.gcp_project: Destroying... [id=projects/tf-dev-service1-911c79]
module.service_project1.google_project.gcp_project: Destruction complete after 4s
module.host_project1.google_compute_shared_vpc_host_project.shared_vpc_host_project[0]: Destroying... [id=tf-dev-host1-9ccb2c]
Error: Error disabling Shared VPC Host "tf-dev-host1-9ccb2c": googleapi: Error 400: Cannot disable project as a shared VPC host because it has active service projects., badRequest
Yet it isn't true: Terraform didn't remove the attachment between these two projects, which I can confirm both in the GCP Dashboard, as others have already said, and with the gcloud CLI:
❯ gcloud compute shared-vpc associated-projects list tf-dev-host1-9ccb2c
RESOURCE_ID RESOURCE_TYPE
tf-dev-service1-911c79 PROJECT
If I manually remove the attachment like this:
❯ gcloud compute shared-vpc associated-projects remove tf-dev-service1-911c79 --host-project tf-dev-host1-9ccb2c
Updated [https://www.googleapis.com/compute/v1/projects/tf-dev-host1-9ccb2c].
Only then can I destroy the host project normally using Terraform ...
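The manual check-and-detach above, turned into a small script, as an added example that is not part of the thread or of the provider. It uses only the gcloud subcommands quoted in the thread (`gcloud compute shared-vpc associated-projects list` and `... associated-projects remove`) plus `gcloud compute shared-vpc disable`, and parses the default table output shown above (header `RESOURCE_ID RESOURCE_TYPE`). The host project ID, the `DRY_RUN` and `HOST_PROJECT` variables, and the sample table in the comments are assumptions for illustration; run it after a `terraform destroy` that reports the attachment as destroyed, before attempting to disable the host, so that a stale attachment is detected against the API rather than against Terraform state.

```shell
#!/usr/bin/env sh
# Added example, not from the issue thread or terraform-provider-google.
# Verifies, against the Compute API via gcloud, that a Shared VPC host project
# has no attached service projects left after `terraform destroy`, and detaches
# any that remain before disabling the host.
#
# Usage:  HOST_PROJECT=tf-dev-host1-9ccb2c DRY_RUN=1 sh cleanup_shared_vpc.sh
#         (DRY_RUN=1 prints the gcloud commands instead of running them)
set -eu

# Parse the table printed by
#   gcloud compute shared-vpc associated-projects list HOST_PROJECT
# read on stdin, e.g. (constructed sample):
#   RESOURCE_ID RESOURCE_TYPE
#   tf-dev-service1-911c79 PROJECT
# and print one attached service project ID per line. The header row and any
# non-PROJECT rows are skipped.
parse_associated_projects() {
  awk 'NR > 1 && $2 == "PROJECT" { print $1 }'
}

# Exit 0 if the table on stdin lists no attached service projects, 1 otherwise.
# Useful as a gate in a destroy wrapper: only disable the host when this passes.
host_is_clean() {
  [ -z "$(parse_associated_projects)" ]
}

# From the table on stdin, emit the gcloud commands (one per line) that detach
# each listed service project from HOST and then disable the host. This is a
# pure text transformation, so it can be reviewed or checked offline.
plan_detach() {
  host="$1"
  parse_associated_projects | while IFS= read -r svc; do
    printf 'gcloud compute shared-vpc associated-projects remove %s --host-project=%s\n' \
      "$svc" "$host"
  done
  printf 'gcloud compute shared-vpc disable %s\n' "$host"
}

# Live version: query gcloud for the real attachment list, then run (or, with
# DRY_RUN=1, print) the resulting plan line by line. The planned commands only
# contain project IDs from gcloud, so plain word splitting is safe to execute.
detach_and_disable() {
  host="$1"
  gcloud compute shared-vpc associated-projects list "$host" \
    | plan_detach "$host" \
    | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
          echo "$cmd"
        else
          $cmd
        fi
      done
}

# Only act when a host project is named; sourcing the file defines the helpers.
if [ -n "${HOST_PROJECT:-}" ]; then
  detach_and_disable "$HOST_PROJECT"
fi
```

Running it with `DRY_RUN=1` first shows exactly which service projects the API still considers attached, which is the information `terraform destroy` reported incorrectly in the runs above.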
I have the exact same problem on v0.12.24.
Host project with shared vpc. Two service projects attached.
resource "google_compute_shared_vpc_service_project" "archive_shared_vpc_attachment" {
  host_project    = var.host_vpc_project
  service_project = google_project.archive.project_id
  depends_on      = [google_project_service.archive_project_services]
}
is what I am using in the service project modules.
When I run terraform destroy, I get an error message saying that there are still service projects active.
If I run terraform destroy again, it works and deletes everything.
Really annoying that I have not figured out how to work around this yet.
Edit: If I set parallelism to 1 on destroy, it works correctly.
@pfilourenco sorry for the delay in responding. We see 2 issues being mentioned here:
1) Not able to destroy/disable the host project. 2) Although terraform/provider confirms the deletion of the service project, the Console still shows the project.
Can you please attach the debug logs so we can understand what's going on?
Hello everyone,
I've been trying out different solutions to work around this problem. To me at least, it looks like there is no bug, only dependency issues.
I have a main configuration composed of several modules, and the problem goes away when I set dummy links between my shared_vpc module (the one with the google_compute_shared_vpc_service_project attachment resource) and the other modules, like this (look for the wait_modules keys):
module "shared_vpc" {
  source = "../terraform-modules/gcp_shared_vpc"
  general = {
    region = local.workspace.region
  }
  settings = {
    host_project    = module.host_project1.shared_vpc_host_project_id
    service_project = module.service_project1.project_id
    service_accounts = [
      module.service_project1.s_account_fmt,
      module.service_project1.api_s_account_fmt,
      module.service_project1.gke_s_account_fmt,
    ]
  }
}
...
module "bastion_host" {
  source = "../terraform-modules/gcp_compute_instance"
  providers = {
    google      = google
    google-beta = google-beta
  }
  general = {
    project_id   = module.service_project1.project_id
    name         = "${local.workspace.prefix}-bastion1-vm"
    region       = local.workspace.region
    zone         = local.workspace.zone
    wait_modules = [module.shared_vpc.service_project_attachment_id, module.vpc_net1_router.name]
  }
  settings = {
    # removed for clarity
  }
}
module "gke_cluster1" {
  source = "../terraform-modules/gcp_gke_cluster"
  providers = {
    google      = google
    google-beta = google-beta
  }
  general = {
    project      = module.service_project1.project_id
    name         = "${local.workspace.prefix}-gke-cluster1"
    location     = local.workspace.gke_cluster1_location
    wait_modules = [module.shared_vpc.service_project_attachment_id, module.shared_vpc.gke_host_agent_etag, module.vpc_net1_router.name]
  }
  settings = {
    # removed for clarity
  }
}
...
It's like an artificial depends_on for modules, which will hopefully be obsolete when Terraform 0.13 comes out! I hope it will help others to solve this.
I don't think there's a module dependency issue in my case. I removed a single module reference that was defining one google_compute_shared_vpc_service_project and two google_compute_subnetwork_iam_member resources.
The apply looked successful:
module.sharedvpc_access_cloud.google_compute_subnetwork_iam_member.network_user["maintainer_to_nonprod_east"]: Destroying... [id=***]
module.sharedvpc_access_cloud.google_compute_shared_vpc_service_project.project: Destroying... [id=***]
module.sharedvpc_access_cloud.google_compute_shared_vpc_service_project.project: Destruction complete after 2s
module.sharedvpc_access_cloud.google_compute_subnetwork_iam_member.network_user["maintainer_to_nonprod_central"]: Destroying... [id=***]
However, both the service project still exists and the network.user membership is still assigned. This is Terraform 0.12.24 / Google provider 3.29.0.
I'm still experiencing this issue. Any progress?
Are any users still encountering this issue? If so, do you have recent examples you can share? It has been a long time since this issue was filed and we may close it as stale. If it is still occurring, we can notify the appropriate team.
I am getting the below error while removing the service project from the host project through Terraform. I have already deleted all the dependencies which were using the host project network, but I still get the below error while applying.
Error: Error disabling Shared VPC Resource "service project": Error waiting for Disabling Shared VPC Resource: The resource 'projects/
Hi
I'm trying to disable/destroy google_compute_shared_vpc_host_project but it looks like it is giving an error:
"Error: Error disabling Shared VPC Host "my_project": googleapi: Error 400: Cannot disable project as a shared VPC host because it has active service projects., badRequest"
Before this I successfully destroyed google_compute_shared_vpc_service_project.
Any idea?
Terraform Version
Terraform v0.12.24
Affected Resource(s)
Terraform Configuration Files