GoogleCloudPlatform/cloud-foundation-fabric

Problem with peered_domains in PSA config

apichick opened this issue · 1 comments

There is a problem with the peered domains for PSA in this line

_psa_peered_domains = flatten([

dns_suffix attribute in google_service_networking_peered_dns_domain requires the dns suffix to end with a ".". If we pass the trailing "." when setting the peered_domains in the psa_configs variable then the name for the DNS peering results in a string ending in "-" which is not a valid name making terraform fail with the following error.

  # module.shared_vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-backend-myorg-com-"] will be created
  + resource "google_service_networking_peered_dns_domain" "name" {
      + dns_suffix = "backend.myorg.com."
      + id         = (known after apply)
      + name       = "servicenetworking-googleapis-com-backend-myorg-com-"
      + network    = "vpc"
      + parent     = (known after apply)
      + project    = "g-prj-cd-sb-af-h-03"
      + service    = "servicenetworking.googleapis.com"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.shared_vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-backend-myorg-com-"]: Creating...
module.shared_vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-backend-myorg-com-"]: Still creating... [10s elapsed]
╷
│ Error: Error waiting for Create Service Networking Peered DNS Domain: Error code 3, message: 
│ 
│   with module.shared_vpc.google_service_networking_peered_dns_domain.name["servicenetworking-googleapis-com-backend-myorg-com-"],
│   on .terraform/modules/shared_vpc/modules/net-vpc/psa.tf line 83, in resource "google_service_networking_peered_dns_domain" "name":
│   83: resource "google_service_networking_peered_dns_domain" "name" {

If we don't pass the "." the name of google_service_networking_peered_dns_domain is OK but the dns_suffix isn't, so it does not work either. We would need to either:

  • Agree on passing the "." in the peered_domains attribute and add a trimsuffix to remove the trailing "-" for the peering name, or,
  • Agree on not passing the "." in peered_domains and add the trailing "." to the DNS suffix.

Both options are valid. Let me know which one you prefer and I'll change it.
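As an added illustration (not the module's own code or either of the proposed patches), the following Terraform fragment shows how the two options can be combined: the domain is normalized to always carry the trailing "." for dns_suffix, and the peering name is derived from it with trimsuffix so it never ends in "-". The variable shape, the project_id and network_name variables, and the sample domains are assumptions made for this example.

```hcl
variable "psa_configs" {
  # Simplified shape assumed for this example; the module's real variable has more attributes.
  type = list(object({
    peered_domains = list(string)
  }))
  # Constructed sample values: one domain written with the trailing ".", one without.
  default = [{ peered_domains = ["backend.myorg.com.", "frontend.myorg.com"] }]
}

variable "project_id" {
  type    = string
  default = "my-project" # placeholder
}

variable "network_name" {
  type    = string
  default = "vpc" # placeholder
}

locals {
  # Normalize once: strip a trailing "." if present, then append exactly one, so the
  # dns_suffix is valid however the caller wrote the domain.
  _psa_peered_domains = flatten([
    for config in var.psa_configs : [
      for domain in config.peered_domains : "${trimsuffix(domain, ".")}."
    ]
  ])
  # Map key is the name fragment: "backend.myorg.com." -> replace -> "backend-myorg-com-"
  # -> trimsuffix -> "backend-myorg-com". Map value keeps the dotted dns_suffix.
  psa_peered_domains = {
    for domain in local._psa_peered_domains :
    trimsuffix(replace(domain, ".", "-"), "-") => domain
  }
}

resource "google_service_networking_peered_dns_domain" "name" {
  for_each   = local.psa_peered_domains
  project    = var.project_id
  network    = var.network_name
  name       = "servicenetworking-googleapis-com-${each.key}"
  dns_suffix = each.value
  service    = "servicenetworking.googleapis.com"
}

output "psa_peered_domains" {
  # Inspect the derived name -> dns_suffix mapping with `terraform plan` before applying.
  value = local.psa_peered_domains
}
```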

@apichick this was fixed with #2246, right?