
"google_access_context_manager_service_perimeter" this resource is unable to delete project while configuring lifecycle. #18626

Open
mkurimeti opened this issue Jul 2, 2024 · 5 comments

@mkurimeti


Terraform Version & Provider Version(s)

Terraform latest
on GitLab CI/CD

  • provider registry.terraform.io/hashicorp/google 5.36.0

Affected Resource(s)

```hcl
# Child resource that adds one project to the perimeter.
resource "google_access_context_manager_service_perimeter_resource" "service-perimeter-resource" {
  perimeter_name = google_access_context_manager_service_perimeter.service-perimeter-resource.name
  resource       = "projects/987654321"
}

# The perimeter itself. Because membership is managed by the child resource
# above, status.resources is excluded from drift detection on this resource.
resource "google_access_context_manager_service_perimeter" "service-perimeter-resource" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/restrict_all"
  title  = "restrict_all"
  status {
    restricted_services = ["storage.googleapis.com"]
  }

  lifecycle {
    ignore_changes = [status[0].resources]
  }
}

# Organization-level access policy that owns the perimeter.
resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}
```

While updating and deleting the values from the tfvars for this argument
resource = "projects/987654321"

It is able to add new projects, but it is unable to delete the projects from the VPCSC perimeter when removing the projects from tfvars.

Terraform Configuration

Running the terraform pipeline on GitLab CI/CD and for the runner using the terraform latest image from the docker registry.

Debug Output

Unable to delete the project while removing it from the tfvars. In the plan output it shows that the project needs to be deleted, and after apply as well it shows the deletion as successful. But it is not removing the project from the VPCSC perimeter when I verify from the GCP Cloud console.

Expected Behavior

It needs to remove the project from the VPCSC perimeter, even when lifecycle is configured on the status block, when we are deleting the project from tfvars.

Actual Behavior

Unable to delete the project when removing it from the tfvars.

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

No response

@mkurimeti mkurimeti added the bug label Jul 2, 2024
@github-actions github-actions bot added forward/review In review; remove label to forward service/accesscontextmanager labels Jul 2, 2024
@ggtisc ggtisc self-assigned this Jul 3, 2024
@ggtisc

ggtisc commented Jul 3, 2024

Hi @mkurimeti!

Could you be clearer about what you are looking to delete?
Are you looking to delete the entire project, or change the project in the resource argument of the google_access_context_manager_service_perimeter_resource resource?

After creating the resources with your configuration, which is the same as this terraform registry example, nothing out of the ordinary occurred after terraform apply and terraform delete, and looking in VPC Service Controls on the Google Cloud Console everything was fine, with the following message on the screen:

No VPC Service Perimeters found in current scope

The Google provider version used for this example was 5.36.0 with Terraform version 1.9.1.

@mkurimeti

Hi @ggtisc,

I am trying to delete/modify the project here (resource = "projects/987654321"), but it is unable to remove the projects from the VPCSC perimeter.

In my use case I have modularised the Terraform code, passing the resource as a list(object) and iterating the project IDs through a loop. When removing the project IDs of the deleted project, the plan detects the changes, and in the destroy stage it also shows the project as removed, but it is still showing in the console.

@ggtisc

ggtisc commented Jul 4, 2024

As you can see in the terraform registry alerts of this resource, several adjustments must be made to the project to make use of this service, not just changing the value of the resource, such as ensuring that the org_id and billing project match in the provider properties.

This tells us 2 things:

The first is that, in addition to having to take care of the complete configuration, the resource is linked to the project configuration. This results in the second, which is a behavior typical of Terraform: with resources like this, whose configuration is linked directly to the project, changing the value of the linked argument (in this case the resource argument of the google_access_context_manager_service_perimeter_resource resource) can internally lead to a create-replace (creating a new resource and deleting the existing one, but only at the terraform state level), or to an error message as in this scenario. But since it occurs only at the terraform state level, it will not be deleted from Google Cloud.

Therefore, the alternatives are to do a terraform delete of the resource that you no longer need, after which it will be deleted from the terraform state and from the project in Google Cloud, or, as the other alternative, to clean the involved resources manually from the terraform state and create a new one with a terraform apply in a different project, with its own configuration on this same project in everything that involves it (resource, service and provider properties).

@mkurimeti

Hi @ggtisc ,

All my configuration is with respect to the alerts in the resource, and all the projects were tagged to the same billing project and under one org. And I am not using any User ADCs; I am using a ServiceAccount with all privileges.

By default for the other resources, when we configure the lifecycle it will just ignore the manual changes, and for the resources which we configured through terraform we can add and delete the resources. But here it is unable to delete the resource which is configured through terraform in the below attribute when I have configured the lifecycle.

resource = "projects/987654321"

Doesn't this resource support this kind of delete?
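The reporter describes a modularised version of the issue configuration that iterates over a list of projects; the configuration below is an added example written for this page, not code from the issue or from the provider, and the organization ID, policy title, perimeter name and project numbers are placeholders. It shows the same perimeter/child-resource split with membership driven by a variable, keyed on the project number, so that removing one entry from the variable destroys exactly one google_access_context_manager_service_perimeter_resource, and it keeps the ignore_changes on status[0].resources that the child resource requires so the two resources do not fight over the membership list:

```hcl
# Added example (not from the issue). All identifiers are placeholders.

# Projects to place inside the perimeter, by project number (not project ID).
variable "perimeter_project_numbers" {
  type    = set(string)
  default = ["987654321", "987654322"]
}

resource "google_access_context_manager_access_policy" "access-policy" {
  parent = "organizations/123456789"
  title  = "my policy"
}

resource "google_access_context_manager_service_perimeter" "service-perimeter-resource" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.access-policy.name}/servicePerimeters/restrict_all"
  title  = "restrict_all"

  status {
    restricted_services = ["storage.googleapis.com"]
  }

  # Membership is owned by the child resources below, so the perimeter must
  # not reconcile status.resources itself; otherwise each apply would remove
  # the projects the child resources added (or re-add ones they removed).
  lifecycle {
    ignore_changes = [status[0].resources]
  }
}

# One child resource per project, keyed on the project number. Dropping
# "987654322" from the variable destroys only that instance, which is the API
# call that removes the project from the perimeter. A count-based list would
# instead shift indices and destroy/recreate neighbouring entries.
resource "google_access_context_manager_service_perimeter_resource" "member" {
  for_each = var.perimeter_project_numbers

  perimeter_name = google_access_context_manager_service_perimeter.service-perimeter-resource.name
  resource       = "projects/${each.value}"
}
```

After removing a project number from the variable and applying, the check is against the live perimeter rather than the plan output: `gcloud access-context-manager perimeters describe restrict_all --policy=<access policy number>` and inspect `status.resources`; a project that Terraform reports as destroyed but that still appears there is exactly the drift the issue describes, and because a perimeter member that is silently left in place keeps its data-exfiltration protections while one silently missing does not, the inverse case (a project expected inside the perimeter but absent) is the one to alert on.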

@ggtisc

ggtisc commented Jul 6, 2024

The tfvars looks like a terraform file where you are storing some variables as normal. But it isn't clear why you are mentioning that; in the shared example you aren't sharing any code that uses this file.

After some tries, the result with the shared code was the same in creation and deletion: successful, without errors.
