terraform-google-modules / terraform-google-bastion-host

Generates a bastion host VM compatible with OS Login and IAP Tunneling that can be used to access internal VMs
https://registry.terraform.io/modules/terraform-google-modules/bastion-host/google
Apache License 2.0

Constant change of bastion's nic0 subnetwork_project value #100

Closed wapson closed 2 years ago

wapson commented 2 years ago

### TL;DR

During every `terraform plan` or `terraform apply` there is a change request regarding the `subnetwork_project` of the bastion's `network_interface`. The bastion uses the network and subnetwork from a Shared VPC in another project (the bastion is placed within the service project).

### Expected behavior

No diff or change request for the nic0 `subnetwork_project` parameter value.

### Observed behavior

During every `terraform plan` or `terraform apply` there is a change request regarding the `subnetwork_project` of the bastion's `network_interface`. The bastion uses the network and subnetwork from a Shared VPC in another project (the bastion is placed within the service project).

That's the result of every terraform command that includes a plan. After such an apply, if I retry `terraform plan` I get exactly the same diff (the apply was successful).

```text
  # module.iap_bastion.google_compute_instance_from_template.bastion_vm[0] will be updated in-place
  ~ resource "google_compute_instance_from_template" "bastion_vm" {
        id                       = "projects/example-project/zones/europe-west3-a/instances/bastion-vm"
        name                     = "bastion-vm"
        tags                     = [
            "gke-bastion",
        ]
        # (22 unchanged attributes hidden)

      ~ network_interface {
            name               = "nic0"
          ~ subnetwork_project = "example-sharedsvc" -> "example-project"
            # (5 unchanged attributes hidden)
        }

        # (4 unchanged blocks hidden)
    }
```

### Terraform Configuration

```hcl
module "iap_bastion" {
  source  = "terraform-google-modules/bastion-host/google"
  version = "4.1.0"

  project              = module.project.project_id
  zone                 = "${var.region}-a"
  image_family         = "ubuntu-2004-lts"
  image                = "ubuntu-2004-focal-v20210415"
  image_project        = "ubuntu-os-cloud"
  network              = data.google_compute_network.shared-vpc-network.self_link
  subnet               = data.google_compute_subnetwork.shared-vpc-subnetwork-bastion.self_link
  create_firewall_rule = false
  tags                 = ["gke-bastion"]

  members = [
    "group:example-group@<organization_domain>",
  ]

  service_account_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/compute.osLogin",
    "roles/container.developer",
  ]

  startup_script = var.bastion_startup_script

  depends_on = [
    module.project,
  ]
}
```

### Terraform Version

```sh
v1.0.5
```

### Additional information

No response

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.

wapson commented 2 years ago

Found out the reason for this behaviour. In a setup like that, the `host_project` parameter has to be set (to the same value as the `project` parameter) to avoid this issue.
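As an added check (not part of this issue or of the module), the following Python scanner reads `terraform show -json tfplan` output and reports the nic0 `subnetwork_project` drift shown above, which is a quick way to confirm in CI that setting `host_project` actually removed the perpetual diff. It checks every NIC of every in-place update, not only nic0; the embedded plan is constructed to mirror the diff in the issue and is not real Terraform output.

```python
import json
from typing import List, Optional, Tuple

# Constructed sample mimicking `terraform show -json` for the diff in this
# issue; the storage bucket entry is a no-op added to show the filter works.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {
            "address": "module.iap_bastion.google_compute_instance_from_template.bastion_vm[0]",
            "type": "google_compute_instance_from_template",
            "change": {
                "actions": ["update"],
                "before": {"network_interface": [
                    {"name": "nic0", "subnetwork_project": "example-sharedsvc"}]},
                "after": {"network_interface": [
                    {"name": "nic0", "subnetwork_project": "example-project"}]},
            },
        },
        {
            "address": "google_storage_bucket.logs",
            "type": "google_storage_bucket",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ],
})

Drift = Tuple[str, str, Optional[str], Optional[str]]

def find_subnetwork_project_drift(plan_json: str) -> List[Drift]:
    """Return (address, nic name, before, after) for each NIC whose
    subnetwork_project changes in a planned in-place update."""
    plan = json.loads(plan_json)
    drift: List[Drift] = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if "update" not in change.get("actions", []):
            continue  # creates, deletes and no-ops are not this symptom
        before_nics = (change.get("before") or {}).get("network_interface") or []
        after_nics = (change.get("after") or {}).get("network_interface") or []
        for b, a in zip(before_nics, after_nics):
            if b.get("subnetwork_project") != a.get("subnetwork_project"):
                drift.append((rc["address"], a.get("name") or b.get("name") or "?",
                              b.get("subnetwork_project"), a.get("subnetwork_project")))
    return drift

if __name__ == "__main__":
    for address, nic, before, after in find_subnetwork_project_drift(SAMPLE_PLAN_JSON):
        print(f"{address}: {nic} subnetwork_project {before!r} -> {after!r}")
```

A non-empty result after `terraform plan -out=tfplan && terraform show -json tfplan` means the diff is still there; an empty list is what you should see once `host_project` is set.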