terraform-google-modules / terraform-google-project-factory

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs
https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
Apache License 2.0

VPC Service Control Service Account #690

Closed masterleros closed 2 years ago

masterleros commented 2 years ago

TL;DR

When the project is destroyed, if it was created with the default Service Account and attached to a VPC-SC Service Perimeter, and the perimeter uses this default Service Account in an ingress or egress rule, the destroy execution fails in a deadlock. The reason for this is that the default Service Account (google_service_account.default_service_account) is destroyed before the project is detached from the perimeter, so when the resource google_access_context_manager_service_perimeter_resource.service_perimeter_attachment is destroyed it actually submits the whole perimeter configuration in the API call, which still contains the "already" destroyed Service Account, and destroying the attachment fails. Sample output:

Error: Error when reading or editing ServicePerimeterResource: googleapi: Error 400: The email address 'sa-my-test@.iam.gserviceaccount.com' is invalid or non-existent.

Expected behavior

Resources should be destroyed in the correct sequence: 1st detach the project from the perimeter, 2nd destroy the default Service Account.

Observed behavior

It is not possible to destroy all resources, placing the execution in a deadlock.

Terraform Configuration

#--------- 1st definition to create the project and attach to perimeter
module "my_project" {
  source                             = "terraform-google-modules/project-factory/google"
  org_id                             = null
  folder_id                          = var._folder_id
  name                               = "my-test"
  random_project_id                  = true
  activate_apis                      = ["cloudbilling.googleapis.com"]
  billing_account                    = var.billing_account
  create_project_sa                  = true
  project_sa_name                    = "sa-my-test"
  vpc_service_control_attach_enabled = true
  vpc_service_control_perimeter_name = var.perimeter_name
}

#--------- 2nd definition to update the perimeter ingress policies (using the project's default SA)
module "regular_service_perimeter" {
  source              = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  policy              = var.access_policy_id
  perimeter_name      = var.perimeter_name
  description         = "Test Perimeter"
  restricted_services = ["storage.googleapis.com"]
  ingress_policies = [
    {
      from = { identities = ["serviceAccount:${var.default_project_sa}"] }
      to   = { resources = ["*"], operations = { "*" = [] } }
    }
  ]
}

Terraform Version

v1.1.3

Additional information

No response
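The ordering problem above comes down to the dependency graph: Terraform destroys a resource before the resources it depends on, so whichever resource is the dependent is removed first. The configuration below is an added illustration (not the module's own code and not the contents of PR #691) of how an explicit depends_on on the perimeter attachment forces the order the issue asks for: detach the project from the perimeter while the service account still exists, then delete the service account. The variable names and the account_id are placeholders.

```hcl
# Added example: enforce "detach from perimeter, then delete SA" on destroy.
# Not the project-factory module's code; variables below are placeholders.

variable "project_id" { type = string }      # placeholder: project hosting the SA
variable "project_number" { type = string }  # placeholder: numeric project number
variable "perimeter_name" { type = string }  # accessPolicies/{policy}/servicePerimeters/{name}

resource "google_service_account" "default_service_account" {
  account_id   = "sa-my-test" # placeholder
  display_name = "Default project service account"
  project      = var.project_id
}

resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_attachment" {
  perimeter_name = var.perimeter_name
  resource       = "projects/${var.project_number}"

  # Explicit edge attachment -> service account. On apply the SA is created first;
  # on destroy Terraform walks dependents first, so the attachment (and with it the
  # perimeter update that still references the SA in an ingress/egress rule) is
  # removed before the SA is deleted. Without this edge the two resources are
  # unrelated in the graph and may be destroyed in either order.
  depends_on = [google_service_account.default_service_account]
}
```

To confirm the edge exists before running a destroy, `terraform graph` (or `terraform plan -destroy`) should show the service account deletion scheduled after the attachment deletion; an implicit dependency (referencing an attribute of the service account from the attachment resource) would produce the same ordering without depends_on.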

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.

bharathkkb commented 2 years ago

Fixed by https://github.com/terraform-google-modules/terraform-google-project-factory/pull/691