terraform-google-modules / terraform-google-vpc-service-controls

Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google
Apache License 2.0

resources_dry_run doesn't have a condition to append //compute.googleapis.com to VPC IDs #116

Closed kirantejaj closed 11 months ago

kirantejaj commented 11 months ago

TL;DR

`resources_dry_run` documentation says: "(Dry-run) A list of GCP resources that are inside of the service perimeter. Currently only projects and VPC networks are allowed. If set, a dry-run policy will be set."

Even though VPC is allowed, a condition to check and add the prefix is missing. In the dynamic `spec` block every resource has `projects/` appended:

```hcl
dynamic "spec" {
  for_each = local.dry_run ? ["dry-run"] : []
  content {
    restricted_services = var.restricted_services_dry_run
    resources           = formatlist("projects/%s", var.resources_dry_run)
    # (remaining attributes of the spec block omitted in the issue)
  }
}
```

As a workaround I am adding the below in place of `resources = formatlist("projects/%s", var.resources_dry_run)`:

```hcl
resources = [
  for item in var.resources_dry_run :
  can(regex("global/networks", item)) ? format("//compute.googleapis.com/%s", item) : format("projects/%s", item)
]
```

We are getting the below error otherwise:

```
Error: Error updating ServicePerimeter "accessPolicies/xxx/servicePerimeters/xxx": googleapi: Error 400: Invalid Service Perimeter 'accessPolicies/xxx/servicePerimeters/xxx'. Invalid perimeter member: 'projects/projects/xxxx/global/networks/xxxx'. Must be of the form 'projects/[1-9][0-9]{0,18}' OR '//compute.googleapis.com/projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/global/networks/a-z?'.
```

Expected behavior

The checks are added for regular resources. Only in dry-run mode are the checks missing for VPC.

Below is the code block which takes care of adding prefixes for projects and VPCs in enforced mode.

```hcl
resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource" {
  for_each       = local.resources
  perimeter_name = google_access_context_manager_service_perimeter.regular_service_perimeter.name
  resource       = can(regex("global/networks", each.value)) ? "//compute.googleapis.com/${each.value}" : "projects/${each.value}"
}
```

Observed behavior

No response

Terraform Configuration

```hcl
module "regular_service_perimeter_1" {
  source                          = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  policy                          = var.org_policy_id
  perimeter_name                  = var.perimeter_name
  description                     = "Dry run Perimeter"
  access_levels_dry_run           = [module.access_level_members.name]
  resources_dry_run               = local.resources_list
  restricted_services             = ["bigquery.googleapis.com", "storage.googleapis.com"]
  vpc_accessible_services_dry_run = ["RESTRICTED-SERVICES"]
}
```

Terraform Version

Terraform v1.5.3
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.74.0
+ provider registry.terraform.io/hashicorp/google-beta v4.74.0

Additional information

No response
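As an added example (not the module's own code, and not part of the issue), a variable validation plus a local that applies the same mapping as the workaround above, so that a malformed member such as the double-prefixed `projects/projects/...` or a project ID passed where the API wants a project number is rejected at plan time rather than by the API at apply time. The two accepted member forms are taken from the error message quoted in the issue; the network-name pattern is assumed from the standard Compute Engine resource-name rule.

```hcl
# Added example: pre-apply check for dry-run perimeter members.
# Assumption: the caller passes bare project numbers for projects and
# "projects/<project-id>/global/networks/<name>" for VPC networks, which
# is what the module's enforced-mode path already expects.
variable "resources_dry_run" {
  description = "(Dry-run) Project numbers or VPC network paths inside the perimeter."
  type        = list(string)
  default     = []

  validation {
    # Form 1 from the API error: projects/[1-9][0-9]{0,18}  (a project NUMBER, not an ID)
    # Form 2 from the API error: //compute.googleapis.com/projects/<id>/global/networks/<name>
    # The prefixes are added by the local below, so reject inputs that already carry one.
    condition = alltrue([
      for item in var.resources_dry_run :
      can(regex("^[1-9][0-9]{0,18}$", item)) ||
      can(regex("^projects/[a-z][a-z0-9-]{4,28}[a-z0-9]/global/networks/[a-z]([-a-z0-9]*[a-z0-9])?$", item))
    ])
    error_message = "Each resources_dry_run item must be a project number or projects/<project-id>/global/networks/<network>, without a projects/ or //compute.googleapis.com/ prefix."
  }
}

locals {
  # Same branching as the workaround in the issue: VPC networks get the
  # compute service prefix, everything else gets projects/.
  dry_run_members = [
    for item in var.resources_dry_run :
    can(regex("global/networks", item)) ? "//compute.googleapis.com/${item}" : "projects/${item}"
  ]
}

# Shows the normalised list at plan time so the member strings can be
# eyeballed before terraform apply talks to Access Context Manager.
output "dry_run_members" {
  value = local.dry_run_members
}
```

Wire `local.dry_run_members` into the perimeter's `spec` `resources` attribute in place of the `formatlist("projects/%s", ...)` call; `terraform validate` then fails early on any entry the API would have rejected with the 400 shown in the issue.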