terraform-google-modules / terraform-google-org-policy

Manages Google Cloud organization policies
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google
Apache License 2.0

Module org_policy_v2 does not work as expected #94

Closed sheep64 closed 1 year ago

sheep64 commented 1 year ago

TL;DR

Hello,

I have tried to create policies using the org_policy_v2 module. But it doesn't seem to work that well, I get strange error messages there. When I do terraform apply I get the following error:

│ Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. The orgpolicy.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds.

│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/764086051850",
│       "service": "orgpolicy.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]

I clicked on the link, checked the article and used this command as described: gcloud auth application-default set-quota-project my_new_project. Still the same issue. Tested on other machines as well.

Expected behavior

That we can apply the terraform changes

Observed behavior

Didn't work.

Terraform Configuration

module "gcp_org_policy" {
  source           = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  version          = "~> 5.2.0"

  policy_root      = "organization"
  policy_root_id   = 1234567890
  constraint       = "gcp.resourceLocations"
  policy_type      = "list"
  exclude_folders  = []
  exclude_projects = []

  rules = [
    {
      enforcement = null
      allow       = ["in:eu-locations"]
      deny        = []
      conditions  = []
    }
  ]
}

Terraform Version

Terraform v1.4.4

Additional information

No response

kunzese commented 1 year ago

Hi @sheep64,

I just had a look at the provider code and the libraries that it uses and I think (aka needs verification from someone who actually works on that) that, despite the error message, the project set via gcloud auth application-default set-quota-project my_new_project is not taken into account. Could you do me a favor and try the following?

provider "google" {
  alias                 = "overridden_billing_project"
  user_project_override = true
  billing_project       = "my_new_project"
}

module "gcp_org_policy" {
  providers = {
    google = google.overridden_billing_project
  }
  source           = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  version          = "~> 5.2.0"

  policy_root      = "organization"
  policy_root_id   = 1234567890
  constraint       = "gcp.resourceLocations"
  policy_type      = "list"
  exclude_folders  = []
  exclude_projects = []

  rules = [
    {
      enforcement = null
      allow       = ["in:eu-locations"]
      deny        = []
      conditions  = []
    }
  ]
}
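
A small triage helper for this class of error, as an added example that is not part of the module or of the Google provider: it parses the google.rpc.ErrorInfo detail that Terraform printed in the report above, reports which project the API charged the request to (the "consumer"), and checks whether the local Application Default Credentials file carries a quota_project_id at all. The sample detail is copied from the error in the issue; SAMPLE_DETAILS, diagnose and the other helper names are my own.

```python
"""Triage the orgpolicy 'quota project' 403 seen in this issue.

Added example (not module or provider code). It reads the ErrorInfo block
Terraform prints and the local ADC file, and turns both into findings.
"""
import json
import os
from pathlib import Path
from typing import Optional

# Constructed sample: the Details array from the issue, verbatim in shape.
SAMPLE_DETAILS = """
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "consumer": "projects/764086051850",
      "service": "orgpolicy.googleapis.com"
    },
    "reason": "SERVICE_DISABLED"
  }
]
"""

ERROR_INFO_TYPE = "type.googleapis.com/google.rpc.ErrorInfo"


def parse_error_info(details_json: str) -> dict:
    """Return reason, service and consumer project from the first ErrorInfo entry."""
    for entry in json.loads(details_json):
        if entry.get("@type") != ERROR_INFO_TYPE:
            continue
        meta = entry.get("metadata", {})
        consumer = meta.get("consumer", "")
        return {
            "reason": entry.get("reason"),
            "service": meta.get("service"),
            # "projects/123456" -> "123456"; the API reports a project number here
            "consumer_project": consumer.split("/", 1)[1] if "/" in consumer else consumer,
        }
    return {}


def default_adc_path() -> Path:
    """Where gcloud writes ADC on Linux/macOS, unless GOOGLE_APPLICATION_CREDENTIALS overrides it."""
    env = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if env:
        return Path(env)
    return Path.home() / ".config" / "gcloud" / "application_default_credentials.json"


def adc_quota_project(adc_path: Optional[str] = None) -> Optional[str]:
    """Return quota_project_id from the ADC file, or None if the file or key is absent."""
    path = Path(adc_path) if adc_path else default_adc_path()
    try:
        data = json.loads(path.read_text())
    except (OSError, ValueError):
        return None
    return data.get("quota_project_id")


def diagnose(details_json: str, expected_project: str, adc_quota: Optional[str]) -> dict:
    """Combine the API error and the local ADC state into human-readable findings.

    expected_project is the project you intended to be charged; pass the same
    form (ID or number) you expect to see in the error's consumer field.
    """
    info = parse_error_info(details_json)
    findings = []
    if info.get("reason") == "SERVICE_DISABLED":
        findings.append(
            f"{info['service']} is disabled on project {info['consumer_project']}"
        )
    if info.get("consumer_project") and info["consumer_project"] != expected_project:
        findings.append(
            "request was charged to a project other than the intended quota project; "
            "set user_project_override and billing_project on the provider"
        )
    if adc_quota is None:
        findings.append("ADC file has no quota_project_id")
    return {"error": info, "adc_quota_project": adc_quota, "findings": findings}


if __name__ == "__main__":
    # Replace "my_new_project" with the project you expect the API to charge.
    result = diagnose(SAMPLE_DETAILS, "my_new_project", adc_quota_project())
    print(json.dumps(result, indent=2))
```

The consumer in the error is a project number, while gcloud's set-quota-project takes a project ID, so the comparison only says "the charged project is not the one you named"; that mismatch, together with a SERVICE_DISABLED reason for orgpolicy.googleapis.com, is the signal that the provider never picked up the ADC quota project and that setting billing_project with user_project_override, as in the configuration above, is the right fix rather than enabling the API on whatever project appears in the error.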

sheep64 commented 1 year ago

Seems to work, just tested it. Thank you!

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.