terraform-google-modules / terraform-google-org-policy

Manages Google Cloud organization policies
https://registry.terraform.io/modules/terraform-google-modules/org-policy/google
Apache License 2.0

Module org_policy_v2 does not work as expected for constraint cloudfunctions.allowedIngressSetting #99

Closed sunilrdsouza closed 1 year ago

sunilrdsouza commented 1 year ago

TL;DR

Trying to create a policy using terraform-google-modules/org-policy/google//modules/org_policy_v2 but it fails. I have tried to apply for both "organization" and "folder", with a similar error.

### Error while applying on Organization

```
module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0]: Creating...
╷
│ Error: Error creating Policy: googleapi: Error 404: Requested entity was not found.
│
│   with module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0],
│   odules\org_policy_v2\list_constraints.tf line 20, in resource "google_org_policy_policy" "organization_policy":
│   20: resource "google_org_policy_policy" "organization_policy" {
│
╵
```

### Error while applying on Folder

```
module.org_cloudfunction_allowedingress.google_org_policy_policy.folder_policy[0]: Creating...
╷
│ Error: Error creating Policy: googleapi: Error 404: Requested entity was not found.
│
│   with module.org_cloudfunction_allowedingress.google_org_policy_policy.folder_policy[0],
│   on .terraform\modules\org_cloudfunction_allowedingress\modules\org_policy_v2\list_constraints.tf line 56, in resource "google_org_policy_policy" "folder_policy":
│   56: resource "google_org_policy_policy" "folder_policy" {
│
╵
Releasing state lock. This may take a few moments...
```

Expected behavior

Expectations:

Policy for Allowed ingress settings (Cloud Functions) Effective policy for organization "xxxxxxxxx" This is the result of merging policies in the resource hierarchy and evaluating conditions. The policy does not have a condition set because it is a computed policy across multiple resources.

Allowed: ALLOW_INTERNAL_AND_GCLB

Custom policy: The rules below have been configured for the currently-selected resource's custom policy.

- Policy enforcement: Replace parent
- Rule 1: Allowed: is:ALLOW_INTERNAL_AND_GCLB; Condition: -

Observed behavior

```
$ terraform.exe apply
Acquiring state lock. This may take a few moments...
data.google_client_config.current: Reading...
data.google_client_config.current: Read complete after 1s [id=projects//regions//zones/]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

Terraform will perform the following actions:

  module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0] will be created

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0]: Creating...
╷
│ Error: Error creating Policy: googleapi: Error 404: Requested entity was not found.
│
│   with module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0],
```

Terraform Configuration

```hcl
module "org_cloudfunction_allowedingress" {
  providers = {
    google = google.overridden_billing_project
  }

  source  = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  version = "~> 5.2.0"

  policy_root      = "organization"
  policy_root_id   = "11111111111"
  constraint       = "cloudfunctions.allowedIngressSetting"
  policy_type      = "list" # either of list or boolean
  exclude_folders  = []
  exclude_projects = []

  rules = [
    # Rule 1
    {
      enforcement = true
      allow       = ["is:ALLOW_INTERNAL_AND_GCLB"]
      deny        = []
      conditions  = []
    },
  ]
}
```

Terraform Version

```
$ terraform.exe version
Terraform v1.3.9
on windows_386
+ provider registry.terraform.io/hashicorp/google v4.53.1
+ provider registry.terraform.io/hashicorp/google-beta v4.48.0
```

Additional information

No response

kunzese commented 1 year ago

Hi @sunilrdsouza,

I think your constraint ID is just missing the s. Could you try

```hcl
constraint = "cloudfunctions.allowedIngressSettings"
```

instead of

```hcl
constraint = "cloudfunctions.allowedIngressSetting"
```
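A pre-apply check for exactly this failure mode, added here as an example and not part of the issue, the module or the provider: it pulls every `constraint = "..."` out of the HCL, compares each ID with the constraint IDs the organization actually exposes, and suggests the closest known ID so a one-letter typo is caught before `terraform apply` returns a 404. The constraint listing is a constructed sample shaped like an Org Policy v2 constraints list response (an assumption, trimmed to a few entries), and tolerating an optional `constraints/` prefix is the example's own choice, not documented module behaviour.

```python
import difflib
import json
import re

# Constructed sample shaped like an Org Policy v2 constraints listing
# (assumed shape of the organizations.constraints.list response; placeholder org id).
SAMPLE_CONSTRAINTS_JSON = json.dumps({"constraints": [
    {"name": "organizations/000000000000/constraints/cloudfunctions.allowedIngressSettings"},
    {"name": "organizations/000000000000/constraints/cloudfunctions.allowedVpcConnectorEgressSettings"},
    {"name": "organizations/000000000000/constraints/compute.vmExternalIpAccess"},
    {"name": "organizations/000000000000/constraints/iam.disableServiceAccountKeyCreation"},
]})

# Constructed HCL mirroring the issue's module call, typo included, plus one correct module.
SAMPLE_TF = '''
module "org_cloudfunction_allowedingress" {
  source      = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  constraint  = "cloudfunctions.allowedIngressSetting"
  policy_type = "list"
}
module "org_vm_external_ip" {
  constraint = "constraints/compute.vmExternalIpAccess"
}
'''

CONSTRAINT_RE = re.compile(r'^\s*constraint\s*=\s*"([^"]+)"', re.MULTILINE)


def known_constraint_ids(listing_json):
    """Reduce each 'organizations/<id>/constraints/<cid>' name to the bare <cid>."""
    return {c["name"].rsplit("/constraints/", 1)[-1]
            for c in json.loads(listing_json).get("constraints", [])}


def extract_constraints(hcl):
    """Collect constraint = "..." values; a leading 'constraints/' prefix (assumption) is dropped."""
    found = CONSTRAINT_RE.findall(hcl)
    return [c[len("constraints/"):] if c.startswith("constraints/") else c for c in found]


def check_constraints(hcl, listing_json):
    """Return {unknown_id: [closest known ids]} so a typo is caught before terraform apply."""
    known = known_constraint_ids(listing_json)
    return {cid: difflib.get_close_matches(cid, sorted(known), n=3, cutoff=0.9)
            for cid in extract_constraints(hcl) if cid not in known}


if __name__ == "__main__":
    for bad, hints in check_constraints(SAMPLE_TF, SAMPLE_CONSTRAINTS_JSON).items():
        print(f"unknown constraint {bad!r}; closest known: {hints}")
```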

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.