terraform-google-modules / terraform-google-vpc-service-controls

Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google
Apache License 2.0
59 stars, 67 forks

Terraform Regular Service Perimeter Failing due to Invalid Directional Policy #141

Open ankitsr92 opened 2 months ago

ankitsr92 commented 2 months ago

TL;DR

Terraform Plan shows 14 objects to create

13 objects, one for each project in the perimeter: resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource"

1 object: resource "google_access_context_manager_service_perimeter" "regular_service_perimeter" (use_explicit_dry_run_spec = false)

Then the regular service perimeter is created first and fails because the project is not in the list of projects under the service perimeter.

Expected behavior

Able to create the perimeter

Observed behavior

No response

Terraform Configuration

module "<name>" {
  source         = "terraform-google-modules/vpc-service-controls/google//modules/regular_service_perimeter"
  version        = "5.2.1"
  policy         = var.org_policy_id
  perimeter_name = "<name>_${var.env}"

  restricted_services = var.restricted_services
  # VPC Service Controls identifies protected projects by project number
  # (projects/<number>), not by project ID.
  resources           = var.env == "dev" ? local.data_platform_ids : []

  ingress_policies = var.env == "dev" ? [
    {
      "from" = {
        "sources" = {
          resources     = []
          access_levels = [module.<name>.name]
        }
        "identity_type" = "ANY_IDENTITY"
        "identities"    = []
      }
      "to" = {
        "resources"  = ["*"]
        "operations" = { "*" = { "methods" = ["*"] } }
      }
    }
  ] : []

  egress_policies = var.env == "dev" ? [
    {
      "from" = {
        "identity_type" = "ANY_IDENTITY"
        "identities"    = []
      }
      "to" = {
        "resources"  = formatlist("projects/%s", var.projects)
        "operations" = { "*" = { "methods" = ["*"] } }
      }
    }
  ] : []
}

Terraform Version

1.3.0

Additional information

No response

ankitsr92 commented 2 months ago

│ Error: Error creating ServicePerimeter: googleapi: Error 400: Invalid Directional Policies set in Perimeter 'accessPolicies//servicePerimeters/': Error in IngressTo: 'projects/' is defined in IngressTo.resources, but it is not present in ServicePerimeterConfig.resources. Only resources protected by this Service Perimeter can be put in IngressTo.resources.
│
│   with module..google_access_context_manager_service_perimeter.regular_service_perimeter,
│   on .terraform/modules//modules/regular_service_perimeter/main.tf line 21, in resource "google_access_context_manager_service_perimeter" "regular_service_perimeter":
│   21: resource "google_access_context_manager_service_perimeter" "regular_service_perimeter" {
│
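The 400 above states the invariant the Access Context Manager API enforces at perimeter creation: every entry in IngressTo.resources must be either "*" or a resource that is also listed in the perimeter's own resources. The following pre-flight check is an added example, not code from the issue or from the terraform-google-vpc-service-controls module. It replays that rule locally over the values that would be passed as `resources` and `ingress_policies`, so the mismatch surfaces before `terraform apply` rather than as a failed create. The project numbers, access level name and policies are constructed for the example; it assumes perimeter resources are given as bare project numbers that get expanded to `projects/<number>` (the form the API stores), and it additionally flags entries that are not `projects/<project_number>` at all, since the API documents project numbers, not project IDs, for this field.

```python
import re
from typing import Iterable

# Constructed sample mirroring the issue: two projects are protected by the
# perimeter and three ingress rules are proposed. All numbers are made up.
PERIMETER_RESOURCES = ["111111111111", "projects/222222222222"]
INGRESS_POLICIES = [
    {   # allowed: "*" means every resource the perimeter protects
        "from": {"sources": {"access_levels": ["accessPolicies/1/accessLevels/dev"]},
                 "identity_type": "ANY_IDENTITY"},
        "to": {"resources": ["*"], "operations": {"*": {"methods": ["*"]}}},
    },
    {   # rejected by the API: the project is not protected by this perimeter
        "from": {"identity_type": "ANY_IDENTITY"},
        "to": {"resources": ["projects/333333333333"],
               "operations": {"*": {"methods": ["*"]}}},
    },
    {   # rejected: a project ID is used where a project number is required
        "from": {"identity_type": "ANY_IDENTITY"},
        "to": {"resources": ["projects/my-data-platform-dev"],
               "operations": {"*": {"methods": ["*"]}}},
    },
]

# Resource names the API accepts in IngressTo.resources besides "*".
PROJECT_NUMBER_RE = re.compile(r"projects/\d+")


def as_perimeter_resources(projects: Iterable[str]) -> list[str]:
    """Expand bare project numbers to projects/<number>; values that already
    carry the prefix are passed through unchanged."""
    return [p if p.startswith("projects/") else f"projects/{p}" for p in projects]


def invalid_ingress_targets(perimeter_resources: Iterable[str],
                            ingress_policies: Iterable[dict]) -> list[tuple[int, str, str]]:
    """Return (policy_index, resource, reason) for every IngressTo.resources
    entry that the API would reject when the perimeter is created."""
    protected = set(as_perimeter_resources(perimeter_resources))
    problems = []
    for i, policy in enumerate(ingress_policies):
        for r in policy.get("to", {}).get("resources", []):
            if r == "*":
                continue  # wildcard is always valid: "all protected resources"
            if not PROJECT_NUMBER_RE.fullmatch(r):
                problems.append((i, r, "not of the form projects/<project_number>"))
            elif r not in protected:
                problems.append((i, r, "not present in ServicePerimeterConfig.resources"))
    return problems


if __name__ == "__main__":
    for idx, res, why in invalid_ingress_targets(PERIMETER_RESOURCES, INGRESS_POLICIES):
        print(f"ingress_policies[{idx}].to.resources: {res}: {why}")
```

Each reported entry is one the API would reject with the message quoted above; the remedy is either to add that project to the perimeter's `resources` or to target `["*"]`, as the posted configuration already does for its ingress rule.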

github-actions[bot] commented 3 days ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.