terraform-google-modules / terraform-google-project-factory

Creates an opinionated Google Cloud project by using Shared VPC, IAM, and Google Cloud APIs
https://registry.terraform.io/modules/terraform-google-modules/project-factory/google
Apache License 2.0

shared_vpc_subnets doesn't limit the subnets which are shared with a service project #862

Closed kol-ratner closed 9 months ago

kol-ratner commented 11 months ago

TL;DR

I have a shared-vpc-host project which hosts 1 VPC per env: dev, stg, prd.

all of the subnets from the host project are getting shared with all service projects.

I only want dev subnets shared with dev service projects, so on and so forth.

Expected behavior

For the platform_dev project I would expect that only the dev subnets get shared with it.

Observed behavior

Instead I see that all subnets in the VPC host project are getting shared with the VPC service project. This happens for all of the service projects. Please look carefully at the subnet names and you will observe those with prd & stg in the name rather than just dev in the name: [Screenshot 2023-12-10 at 20 38 18]

Terraform Configuration

module "platform_dev" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 14.2"

  name              = "platform-dev"
  random_project_id = true
  org_id            = var.org_id
  folder_id         = module.platform_engineering_folder.id

  billing_account = var.billing_account
  activate_apis   = local.standard_services

  svpc_host_project_id = module.shared_vpc_host.project_id
  shared_vpc_subnets   = module.shared_vpc_dev.subnets_ids

  # bucket for tf state
  bucket_name    = "${module.platform_dev.project_name}-terraform-state-store"
  bucket_project = module.platform_dev.project_id
  bucket_pap     = "enforced"

  depends_on = [
    module.shared_vpc_host,
    module.shared_vpc_dev
  ]
}

module "shared_vpc_dev" {
  source  = "terraform-google-modules/network/google"
  version = "~> 8.0.0"

  project_id   = module.shared_vpc_host.project_id
  network_name = local.networking.shared_vpc_dev_name

  subnets = [
    {
      subnet_name               = "${local.networking.shared_vpc_dev_name}-euw4"
      subnet_ip                 = local.networking.cidr_blocks.shared_vpc_dev_euw4_cidr
      subnet_region             = "europe-west4"
      purpose                   = "PRIVATE"
      stack_type                = "IPV4_ONLY"
      subnet_private_access     = true
      subnet_flow_logs          = true
      subnet_flow_logs_sampling = "0.5"
      subnet_flow_logs_metadata = "INCLUDE_ALL_METADATA"
      subnet_flow_logs_interval = "INTERVAL_10_MIN"
    },
  ]

  secondary_ranges = {
    "${local.networking.shared_vpc_dev_name}-euw4" = [
      {
        range_name    = "${local.networking.shared_vpc_dev_name}-euw4-gke-pods"
        ip_cidr_range = local.networking.cidr_blocks.shared_vpc_dev_euw4_gke_pods_cidr
      },
      {
        range_name    = "${local.networking.shared_vpc_dev_name}-euw4-gke-svc"
        ip_cidr_range = local.networking.cidr_blocks.shared_vpc_dev_euw4_gke_svc_cidr
      }
    ]
  }

  firewall_rules = [
    # this ssh rule is required for ssh access to bastion hosts
    {
      name      = "shared-vpc-dev-allow-ssh"
      direction = "INGRESS"
      priority  = 10000

      log_config = {
        metadata = "INCLUDE_ALL_METADATA"
      }

      allow = [{
        protocol = "tcp"
        ports    = ["22"]
        }
      ]

      ranges = [
        "35.235.240.0/20",
      ]
    }
  ]
}

Terraform Version

Kols-MBP:gcp-org-mgmt kolratner$ terraform version
Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v5.5.0
+ provider registry.terraform.io/hashicorp/google-beta v5.5.0
+ provider registry.terraform.io/hashicorp/kubernetes v2.23.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.5.1
+ provider registry.terraform.io/hashicorp/time v0.9.1

Your version of Terraform is out of date! The latest version
is 1.6.5. You can update by downloading from https://www.terraform.io/downloads.html

Additional information

No response
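In GCP, a service project's service accounts can use every subnet of a Shared VPC host when roles/compute.networkUser is bound at the host-project level; sharing can only be narrowed per environment when that role is bound on the individual subnet IAM policies instead. Whether that is what is happening in this report is not established by the issue, but it is the first thing to check. The following audit script is an added example and is not part of this issue or of the project-factory module; it takes the host-project IAM policy and per-subnet IAM policies in the JSON shape returned by gcloud get-iam-policy commands (here constructed inline, with made-up service account names and subnet names modelled on the ones in the report) and, for each service-project member, reports which subnets it can actually use and whether a project-level grant is the reason.

```python
import json

NETWORK_USER = "roles/compute.networkUser"

# Constructed sample in the shape of `gcloud projects get-iam-policy HOST --format=json`.
# The member names below are made up for the example.
HOST_PROJECT_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/compute.networkUser",
     "members": ["serviceAccount:service-111@container-engine-robot.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:alice@example.com"]}
  ]
}
""")

# Constructed samples in the shape of
# `gcloud compute networks subnets get-iam-policy SUBNET --region REGION --project HOST --format=json`,
# keyed by subnet name. Only the dev subnet has a subnet-scoped grant.
SUBNET_POLICIES = {
    "shared-vpc-dev-euw4": {"bindings": [
        {"role": "roles/compute.networkUser",
         "members": ["serviceAccount:service-222@cloudservices.gserviceaccount.com"]}]},
    "shared-vpc-stg-euw4": {"bindings": []},
    "shared-vpc-prd-euw4": {"bindings": []},
}


def members_with_role(policy, role):
    """Set of members holding `role` in an IAM policy document."""
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def usable_subnets(member, host_policy, subnet_policies):
    """Return (subnets usable by `member`, scope of the grant).

    scope is "project" when the host-project policy grants networkUser (every
    subnet becomes usable), "subnet" when only subnet-level bindings apply.
    """
    if member in members_with_role(host_policy, NETWORK_USER):
        return set(subnet_policies), "project"
    granted = {
        name for name, policy in subnet_policies.items()
        if member in members_with_role(policy, NETWORK_USER)
    }
    return granted, "subnet"


def audit(expected, host_policy, subnet_policies):
    """Compare intended sharing against effective sharing.

    expected maps a member to the set of subnets it should be able to use.
    Returns a list of (member, finding, subnets) tuples; an empty list means
    every member sees exactly the subnets intended for it.
    """
    findings = []
    for member, allowed in expected.items():
        actual, scope = usable_subnets(member, host_policy, subnet_policies)
        extra = sorted(actual - allowed)
        missing = sorted(allowed - actual)
        if scope == "project":
            findings.append((member, "project-level networkUser grant exposes all subnets", extra))
        elif extra:
            findings.append((member, "subnet-level grants exceed intended set", extra))
        if missing:
            findings.append((member, "intended subnets not granted", missing))
    return findings


# Intended state: each environment's service project sees only its own subnet.
EXPECTED = {
    "serviceAccount:service-111@container-engine-robot.iam.gserviceaccount.com": {"shared-vpc-dev-euw4"},
    "serviceAccount:service-222@cloudservices.gserviceaccount.com": {"shared-vpc-dev-euw4"},
}

if __name__ == "__main__":
    for member, finding, subnets in audit(EXPECTED, HOST_PROJECT_POLICY, SUBNET_POLICIES):
        print(f"{member}: {finding}: {subnets}")
```

Against the constructed input, the first member is flagged because its grant sits on the host project, so stg and prd subnets are usable despite no subnet-level binding, while the second member passes. In a real environment the two policy documents would come from the gcloud commands named in the comments, and `gcloud compute networks subnets list-usable --project SERVICE_PROJECT` gives the service-project view to cross-check the result.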

github-actions[bot] commented 9 months ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.