terraform-provider-google: Receiving inaccurate "conditionNotMet" error when attempting to deploy subnetwork with constraints/compute.requireVpcFlowLogs configured
Terraform Version
Terraform v1.1.7 on windows_amd64
- provider registry.terraform.io/hashicorp/google v4.13.0
- provider registry.terraform.io/hashicorp/google-beta v4.13.0
Affected Resource(s)
google_compute_subnetwork
Terraform Configuration Files
```hcl
resource "google_compute_network" "network" {
  name                            = "test-vpc"
  auto_create_subnetworks         = false
  routing_mode                    = "GLOBAL"
  project                         = "project_id"
  description                     = "test-vpc"
  delete_default_routes_on_create = true
  mtu                             = 0
}

resource "google_compute_subnetwork" "subnetwork" {
  name          = "test-subnet-01"
  ip_cidr_range = "10.100.100.0/24"
  region        = "us-central1"
  network       = "test-vpc"
  project       = "<project_id>"

  # VPC flow logs: 10-minute aggregation, 100% sampling, all metadata
  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = "1.0"
    metadata             = "INCLUDE_ALL_METADATA"
  }

  depends_on = [google_compute_network.network]
}
```
Debug Output
https://gist.github.com/andrew-rxt/e1df0d8b4f0b3c71bf842442483ee29c
Expected Behavior
The subnet should have been created with VPC flow logs enabled with a sampling rate of 100%.
Actual Behavior
Error: Error creating Subnetwork: googleapi: Error 412: Constraint constraints/compute.requireVpcFlowLogs violated for projects/baxgcp-sbx-gurusas-prj-2659. To allow the specified configuration for subnetwork projects/<project_id>/regions/us-central1/subnetworks/test-subnet-01, the org policy must be disabled. See https://cloud.google.com/vpc/docs/org-policy-flow-logs for more information., conditionNotMet
Steps to Reproduce
Enable constraints/compute.requireVpcFlowLogs
- Go to organization policies
- Edit the constraint
- Choose “Customize”
- Choose “Replace”
- Create custom rule
- Set to “Allow”
- Set policy value to “COMPREHENSIVE”
- Save the policy
- Apply the terraform code above
Important Factoids
No, nothing special
References
- #0000
- b/229896069
About this issue
- State: open
- Created 2 years ago
- Reactions: 11
- Comments: 15 (5 by maintainers)
@mgarber-ops I do not have a “production ready” Pull Request. I have a dirty fix in my fork (see https://github.com/DmZ/terraform-provider-google/commit/8689d8f1512ba75f4f8994cf0ff408dcc25b8ae1) - works for me, but see the explanation below.

So the problem is that the policy check verifies both parameters - `enableFlowLogs` and `filter_expr`. `enableFlowLogs` must be present with value `true` and `filter_expr` MUST BE ABSENT (thus it will include ALL traffic by default). My dirty fix just removes `filter_expr` from the API call if its value is the default (not redefined by the user). The current code for the resource has this parameter as a mandatory field with a default value, and Terraform will update the subnetwork on each run, because the Google API will not return `filter_expr` on refresh but the code will add the default value (this does not influence anything in my case, but `terraform plan` will always show that the subnetwork will be updated).

So the real fix should add the `enableFlowLogs` parameter and make `filter_expr` an optional one (without default value) - then everything should be good. (Also the real fix should have updated tests, if any.)
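To make the mechanism described in the comment above concrete, here is an added Go example that is not part of the issue, the provider, or the linked fork. It models the subnetwork `logConfig` body that gets sent to the API and the two conditions the comment attributes to the COMPREHENSIVE policy (flow logs enabled, filter expression absent), then shows that sending the provider's default filter is rejected while dropping it is accepted. The default filter value `"true"`, the JSON field names, and the policy check itself are assumptions modelled on the comment's description, not Google's implementation.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// LogConfig models the subnetwork logConfig body sent to the Compute API.
// FilterExpr uses omitempty so an unset filter is truly absent from the JSON,
// which is the condition the comment above says the org policy requires.
type LogConfig struct {
	Enable     bool   `json:"enable"`
	FilterExpr string `json:"filterExpr,omitempty"`
}

// defaultFilterExpr is the provider-side default for filter_expr
// (assumption for this example: the string "true").
const defaultFilterExpr = "true"

// BuildLogConfig mirrors the "dirty fix" from the comment: the filter is only
// put into the request when it differs from the default.
func BuildLogConfig(enable bool, filterExpr string) LogConfig {
	lc := LogConfig{Enable: enable}
	if filterExpr != defaultFilterExpr {
		lc.FilterExpr = filterExpr
	}
	return lc
}

// CheckComprehensivePolicy is a local model of the constraint check as the
// comment describes it: enable must be true and filterExpr must be absent.
// It is an assumption for illustration, not Google's policy engine.
func CheckComprehensivePolicy(body []byte) error {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return err
	}
	var enable bool
	if v, ok := raw["enable"]; !ok || json.Unmarshal(v, &enable) != nil || !enable {
		return errors.New("conditionNotMet: enable must be true")
	}
	if _, present := raw["filterExpr"]; present {
		return errors.New("conditionNotMet: filterExpr must be absent")
	}
	return nil
}

// Submit serialises the body and runs the policy model. It returns the error
// text, or "" when the request would be accepted, so both paths can be compared.
func Submit(lc LogConfig) string {
	body, err := json.Marshal(lc)
	if err != nil {
		return err.Error()
	}
	if err := CheckComprehensivePolicy(body); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	// Current provider behaviour: the default filter is always sent -> rejected.
	always := LogConfig{Enable: true, FilterExpr: defaultFilterExpr}
	fmt.Println("default filter sent:   ", Submit(always))

	// Patched behaviour: the default filter is dropped -> accepted.
	fixed := BuildLogConfig(true, defaultFilterExpr)
	fmt.Println("default filter dropped:", Submit(fixed))
}
```

The interesting detail is that "absent" and "empty" are different things to a JSON consumer: without `omitempty` an empty `FilterExpr` would still be serialised as `"filterExpr":""` and fail the second check, which is why the fix has to leave the field out of the request rather than blank it.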