terraform-google-modules / terraform-google-project-factory

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs
https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
Apache License 2.0

Race condition with adding bindings to GKE robot on new project #386

Closed mattcary closed 4 years ago

mattcary commented 4 years ago

I've found a race condition when creating a new project using project-factory with the container.googleapis.com service, and adding a role binding on the associated robot service account.

My case where it reproduces reliably is a little large, but the idea is the following:

# Suffix used to build a unique project name (referenced below).
resource "random_id" "suffix" {
  byte_length = 2
}

module "project" {
  source                  = "terraform-google-modules/project-factory/google"
  version                 = "~> 7.0.0"
  random_project_id       = false
  name                    = format("mattcary-race-%s", random_id.suffix.hex)
  org_id                  = var.organization_id
  billing_account         = var.billing_account
  default_service_account = "keep"
  activate_apis           = ["compute.googleapis.com", "container.googleapis.com"]
}

# Binding on the GKE service agent; nothing here ties it to API activation,
# so it can be applied before the robot account exists.
resource "google_project_iam_member" "iam-binding" {
  project = module.project.project_id
  role    = "roles/container.developer"
  member  = "serviceAccount:service-${module.project.project_number}@container-engine-robot.iam.gserviceaccount.com"
}

If the above is done directly with google_project and google_project_service resources instead of the CFT module, then it also reproduces reliably.

Using the resources directly, I can put a depends_on in the iam-binding resource on the google_project_service resource to make it work reliably.

Is there a way to do that using the project-factory module? For bonus points, what if I am making the binding on the robot account using a module? e.g. terraform-google-modules/iam/google//modules/subnets_iam.

Thanks
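The direct-resource variant of the race described above, as an added illustration that is not part of the issue or of the project-factory module. It uses google_project, google_project_service and google_project_iam_member as the comment says, with the racy binding kept as a comment next to the version that carries an explicit depends_on. Variable names, the random_id resource and the project naming are assumptions.

```hcl
# Added example, not code from the issue. Names and variables are assumptions.
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
    }
    random = {
      source = "hashicorp/random"
    }
  }
}

variable "organization_id" {
  type = string
}

variable "billing_account" {
  type = string
}

resource "random_id" "suffix" {
  byte_length = 2
}

resource "google_project" "project" {
  name            = "race-demo-${random_id.suffix.hex}"
  project_id      = "race-demo-${random_id.suffix.hex}"
  org_id          = var.organization_id
  billing_account = var.billing_account
}

# Enabling container.googleapis.com is what provisions the GKE service agent
# (service-<project number>@container-engine-robot.iam.gserviceaccount.com).
resource "google_project_service" "container" {
  project = google_project.project.project_id
  service = "container.googleapis.com"
}

# Racy form: the only references are to google_project.project, so Terraform
# sees no edge to the service activation and may apply this binding before
# the robot account exists.
#
# resource "google_project_iam_member" "gke_robot_racy" {
#   project = google_project.project.project_id
#   role    = "roles/container.developer"
#   member  = "serviceAccount:service-${google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"
# }

# Ordered form: depends_on forces the binding to wait for API activation.
resource "google_project_iam_member" "gke_robot" {
  project = google_project.project.project_id
  role    = "roles/container.developer"
  member  = "serviceAccount:service-${google_project.project.number}@container-engine-robot.iam.gserviceaccount.com"

  depends_on = [google_project_service.container]
}
```

Terraform only orders resources along references it can see, and `google_project.project.number` is available as soon as the project exists, not when the API (and the service agent it creates) is ready; the depends_on supplies the missing edge.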

morgante commented 4 years ago

We should be able to add a depends_on dependency here: https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/modules/core_project_factory/outputs.tf#L28

This should make the project_id output dependent on service activation and apply to any IAM resources (including via the IAM module).

mattcary commented 4 years ago

Thanks!

I've made a PR; is that what you had in mind?

https://github.com/terraform-google-modules/terraform-google-project-factory/pull/387

If so I'll see if I can add a test for this case. We can move discussion to the PR as well.
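The output-level fix morgante proposes, shown on a minimal hypothetical module rather than on the project-factory's real outputs.tf: a depends_on on the project_id output makes every consumer of that output, whether a root-level resource or an IAM module, wait for service activation. This is an added example, not the project's code; resource, variable and file names are assumptions.

```hcl
# Added example, not the project-factory module's own code.
# Assumed layout: a module under ./modules/project and a root configuration
# that consumes its outputs.

# ---- modules/project/main.tf (hypothetical module) ----

variable "name" {
  type = string
}

variable "org_id" {
  type = string
}

variable "billing_account" {
  type = string
}

variable "activate_apis" {
  type = list(string)
}

resource "google_project" "main" {
  name            = var.name
  project_id      = var.name
  org_id          = var.org_id
  billing_account = var.billing_account
}

resource "google_project_service" "services" {
  for_each = toset(var.activate_apis)

  project = google_project.main.project_id
  service = each.value
}

# Without depends_on, consumers of these outputs only inherit a dependency
# on google_project.main. With it, anything that reads module.<name>.project_id
# or project_number is ordered after every API in activate_apis is enabled.
output "project_id" {
  value      = google_project.main.project_id
  depends_on = [google_project_service.services]
}

output "project_number" {
  value      = google_project.main.number
  depends_on = [google_project_service.services]
}

# ---- root main.tf ----

module "project" {
  source          = "./modules/project"
  name            = "race-demo-example"
  org_id          = var.organization_id
  billing_account = var.billing_account
  activate_apis   = ["compute.googleapis.com", "container.googleapis.com"]
}

# No depends_on needed here: the reference to the module outputs carries
# the ordering the module established above.
resource "google_project_iam_member" "gke_robot" {
  project = module.project.project_id
  role    = "roles/container.developer"
  member  = "serviceAccount:service-${module.project.project_number}@container-engine-robot.iam.gserviceaccount.com"
}
```

Putting the dependency on the output rather than on each consumer is what lets the fix cover bindings made through another module (such as the IAM module mentioned earlier): that module only ever sees the output value, and inherits its dependencies with it.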