terraform-google-modules / terraform-google-vpc-service-controls

Handles opinionated VPC Service Controls and Access Context Manager configuration and deployments
https://registry.terraform.io/modules/terraform-google-modules/vpc-service-controls/google
Apache License 2.0

For Each for the resource causes problems with non-existent project_numbers #76

Closed aweberlopes closed 2 years ago

aweberlopes commented 2 years ago

TL;DR

If you deploy a project in the same code that uses this module and the project number is not created yet, I get an error saying I should use --target.

Expected behavior

tf plan accepts that the project does not exist yet and creates, depending on length, only the needed count of resources.

Observed behavior

Error: Invalid for_each argument

  on ../terraform-google-vpc-service-controls/modules/regular_service_perimeter/main.tf line 188, in resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource":
 188:   for_each       = toset(formatlist("projects/%s", var.resources))

The "for_each" value depends on resource attributes that cannot be determined
until apply, so Terraform cannot predict how many instances will be created.
To work around this, use the -target argument to first apply only the
resources that the for_each depends on.

Terraform Configuration

module "org_policy" {
  source      = "terraform-google-modules/vpc-service-controls/google"
  parent_id   =
  policy_name = "test"

}

module "test-vpc-perimeter" {
  source         = "../terraform-google-vpc-service-controls/modules/regular_service_perimeter"
  policy         = module.org_policy.policy_id
  perimeter_name = "test_perimeter"
  description    = "test 123"
  resources      = [module.project2.project_number,module.project.project_number]

}

module "project" {
  source            = "terraform-google-modules/project-factory/google"
  name              = "Test Project AWEB"
  project_id        = "test-project-aweb"
  random_project_id = true
  org_id            = null
  billing_account   = ""
  folder_id         = ""
}

module "project2" {
  source            = "terraform-google-modules/project-factory/google"
  name              = "Test Project AWEB"
  project_id        = "test-project-aweb"
  random_project_id = true
  org_id            = null
  billing_account   = ""
  folder_id         = ""
}

Terraform Version

Terraform v0.13.7
+ provider registry.terraform.io/hashicorp/google v4.6.0
+ provider registry.terraform.io/hashicorp/google-beta v4.6.0
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/hashicorp/time v0.7.2

Your version of Terraform is out of date! The latest version
is 1.1.3. You can update by downloading from https://www.terraform.io/downloads.html

Additional information

I tried to solve it via count, but the problem then is that if somebody changes the order or removes an entry in the middle of the list, that triggers recreation of resources we normally do not want to touch.

morgante commented 2 years ago

My planned workaround is going to be to provide an optional resource_keys variable, which can be used to provide deterministic keys in such scenarios.

aweberlopes commented 2 years ago

@morgante How is the progress here? The missing constraints for provider > 4.0 make this module a showstopper.

morgante commented 2 years ago

Sorry for the delay. #81 should fix this and I hope to get it out by early next week.
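
The `resource_keys` workaround described in the thread, shown as an added example (not the module's own code and not the change in #81): `for_each` iterates over a map whose keys are static strings known at plan time, while the project numbers are only map values and may stay unknown until apply. The variable `perimeter_name` and the local names `keys` and `resources_by_key` are assumptions made for illustration.

```hcl
# Added illustration, not the module's code. Names other than the resource
# type and its arguments are hypothetical.

variable "perimeter_name" {
  description = "Full perimeter name: accessPolicies/<policy>/servicePerimeters/<name>."
  type        = string
}

variable "resources" {
  description = "Project numbers to place inside the perimeter. May be unknown until apply."
  type        = list(string)
}

variable "resource_keys" {
  description = "Static keys, one per entry in resources and in the same order. Must be known at plan time."
  type        = list(string)
  default     = null
}

locals {
  # Fall back to the project numbers themselves when no keys are given.
  # That fallback only plans cleanly if the project numbers are already known.
  keys = var.resource_keys != null ? var.resource_keys : var.resources

  # Map of static key => project number. Terraform only needs the keys to be
  # known to decide how many instances exist; the values can be unknown.
  resources_by_key = { for i, k in local.keys : k => var.resources[i] }
}

resource "google_access_context_manager_service_perimeter_resource" "service_perimeter_resource" {
  for_each       = local.resources_by_key
  perimeter_name = var.perimeter_name
  resource       = "projects/${each.value}"
}

# Caller side, using the two projects from the issue (keys are literals):
#
#   resources     = [module.project2.project_number, module.project.project_number]
#   resource_keys = ["project2", "project"]
```

Because instances are addressed by key rather than by list position, removing or reordering an entry only affects the instance with that key, which avoids the recreation problem the reporter hit with `count`.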