terraform-google-modules / terraform-google-project-factory

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs
https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
Apache License 2.0

Running into "Invalid count argument" Errors with Version 10.3.2 and Terraform 0.13.6 #578

Closed elatovg closed 3 years ago

elatovg commented 3 years ago

Creating a host project with a shared VPC and then creating a service project attaching to the shared VPC produces errors. I created a sample git repository for reproducing the issue. Here is a simple way to reproduce the issue:

$ git clone https://github.com/elatovg/cft-bug-repro.git
$ cd cft-bug-repro
# generate terraform.tfvars
$ cat terraform.tfvars
org_id          = "111111111"
billing_account = "ABCDE-ABCDE-ABCDE"
environment     = "env"
$ terraform init
$ terraform plan

And then you will see the following error:

Error: Invalid count argument

  on .terraform/modules/svc_project.svc_project/modules/core_project_factory/main.tf line 106, in resource "google_compute_shared_vpc_service_project" "shared_vpc_attachment":
 106:   count           = var.enable_shared_vpc_service_project ? 1 : 0

The "count" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the count depends on.

Please let me know if I am using the module in an incorrect way.

elatovg commented 3 years ago

Tried both suggestions from https://github.com/terraform-google-modules/terraform-google-project-factory/issues/538#issuecomment-761111833, but they didn't help out.

morgante commented 3 years ago

The problem you're encountering is that the service project is dependent on your host project ID, which is a computed attribute.

Cases like this are what this submodule is for; please try switching to that: https://github.com/elatovg/cft-bug-repro/pull/1

elatovg commented 3 years ago

After switching to that submodule, I definitely get further... thanks for the help. But my terraform apply fails with the following error:

Error: googleapi: Error 400: Invalid resource usage: ''projects/cft-env-shared-base-5ddb' is not a shared VPC host project.'., invalidResourceUsage

  on .terraform/modules/svc_project.svc_project/modules/core_project_factory/main.tf line 103, in resource "google_compute_shared_vpc_service_project" "shared_vpc_attachment":
 103: resource "google_compute_shared_vpc_service_project" "shared_vpc_attachment" {

Doing another terraform apply right after the failure succeeds. The same thing happens during a terraform destroy: initially it fails with the following error:

Error: Error disabling Shared VPC Host "cft-env-shared-base-5ddb": googleapi: Error 400: Cannot disable project as a shared VPC host because it has active service projects., badRequest

But then running another terraform destroy right after the failure succeeds as well.

morgante commented 3 years ago

You need to be careful with your sequencing: https://github.com/elatovg/cft-bug-repro/pull/2

It's really important that you build your dependency tree properly in Terraform. In this case, you were not making the service project dependent on the shared VPC actually being created.

Please try this example to understand the outputs which must be fed into the service project: https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/examples/shared_vpc/main.tf
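
The sequencing point from the last reply, as an added example that is not part of this thread, the linked pull requests, or the module's own code. It uses plain Google provider resources instead of the project-factory module, and all resource names and project IDs are constructed. The attachment takes its host project from the host-enablement resource, and `count` depends only on an input known at plan time.

```hcl
variable "org_id" { type = string }
variable "billing_account" { type = string }

# A plain input is known at plan time, so it is safe to use in "count".
variable "attach_to_shared_vpc" {
  type    = bool
  default = true
}

resource "google_project" "host" {
  name            = "example-host"
  project_id      = "example-host-0001" # constructed ID
  org_id          = var.org_id
  billing_account = var.billing_account
}

resource "google_project" "service" {
  name            = "example-service"
  project_id      = "example-service-0001" # constructed ID
  org_id          = var.org_id
  billing_account = var.billing_account
}

resource "google_project_service" "host_compute" {
  project = google_project.host.project_id
  service = "compute.googleapis.com"
}

resource "google_project_service" "service_compute" {
  project = google_project.service.project_id
  service = "compute.googleapis.com"
}

# Turns the host project into a Shared VPC host.
resource "google_compute_shared_vpc_host_project" "host" {
  project    = google_project.host.project_id
  depends_on = [google_project_service.host_compute]
}

resource "google_compute_shared_vpc_service_project" "attachment" {
  count = var.attach_to_shared_vpc ? 1 : 0

  # Reading the ID from the host-enablement resource (not google_project.host)
  # creates the dependency edge: attach after enable, detach before disable.
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = google_project.service.project_id
  depends_on      = [google_project_service.service_compute]
}
```

Because Terraform destroys in reverse dependency order, the same reference also makes `terraform destroy` remove the attachment before it disables the host project.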