terraform-google-modules/cloud-foundation-training

03-networking IAM binding delay causes the initial network creation failure

gangchen03 opened this issue · 4 comments

To reproduce:
Start a clean run for Lab 03 (cleaned up Lab 02):
https://github.com/terraform-google-modules/cloud-foundation-training/tree/master/03-Networking

terraform apply plan.out

It failed with this message:

Error: Error creating Network: googleapi: Error 403: Required 'compute.networks.create' permission for 'projects/xxx-xxx/global/networks/lab03-vpc', forbidden

  on .terraform/modules/network/modules/vpc/main.tf line 20, in resource "google_compute_network" "network":
  20: resource "google_compute_network" "network" {

After waiting a couple of minutes, re-running terraform apply successfully created the network.
I suspect that the first error is due to the IAM binding delay, given that the IAM and networking configuration are under the same module.

Please clarify.

I was able to reproduce it, and it looks like asserting a dependency like

module "project_iam_bindings" {
  source   = "terraform-google-modules/iam/google//modules/projects_iam"
  projects = [var.project_id]
  ...
}
module "network" {
  source     = "terraform-google-modules/network/google"
  version    = "~> 2.5.0"
  project_id = module.project_iam_bindings.projects[0]
  ...
}

does not seem to work. I believe this is because we output values from the helper, and the helper is just local data manipulation. Hence TF is able to resolve them without waiting for any IAM computed values. Apart from the tf13 module depends_on, I believe we can have the output depend on the etag to prevent this? @morgante any thoughts?

Actually, just using ADC instead of an SA key would temporarily fix this, as ADC will have the necessary permissions from here. This would also help with another issue where the SA permissions are destroyed with each destroy at the end of each lab.

@bharathkkb Seems like a simple fix on the module. Just add depends_on = [google_project_iam_binding.project_iam_authoritative, google_project_iam_member.project_iam_additive] to the outputs and the problem should be solved (no need for Terraform 0.13). Am I missing something?
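As an added illustration of the two comments above (not code from the lab or from the terraform-google-modules project), here is a minimal helper module whose output carries depends_on to its IAM resources, plus a root module that routes the project ID through that output so the VPC waits for the bindings. The module path `./modules/iam-helper`, the variable names, the role list and the `terraform_sa_email` variable are assumptions made for this example.

```hcl
# --- modules/iam-helper/main.tf (example module, names are assumptions) ---
variable "project_id" {
  type = string
}

variable "service_account_email" {
  type = string
}

variable "roles" {
  type    = list(string)
  default = ["roles/compute.networkAdmin"]
}

# One additive binding per role for the Terraform service account.
resource "google_project_iam_member" "project_iam_additive" {
  for_each = toset(var.roles)

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${var.service_account_email}"
}

# Without depends_on this output is just a copy of an input variable, so
# Terraform resolves it at plan time and callers get no ordering edge to the
# IAM resources. With depends_on, anything that consumes
# module.iam_helper.project_id is scheduled only after the bindings are applied.
output "project_id" {
  value      = var.project_id
  depends_on = [google_project_iam_member.project_iam_additive]
}

# --- root main.tf (example, not the lab's own configuration) ---
variable "project_id" {
  type = string
}

variable "terraform_sa_email" {
  type = string
}

module "iam_helper" {
  source                = "./modules/iam-helper"
  project_id            = var.project_id
  service_account_email = var.terraform_sa_email
  roles                 = ["roles/compute.networkAdmin"]
}

module "network" {
  source  = "terraform-google-modules/network/google"
  version = "~> 2.5.0"

  # Referencing the helper's output instead of var.project_id directly is
  # what carries the dependency edge to the google_compute_network resource.
  project_id   = module.iam_helper.project_id
  network_name = "lab03-vpc"
  subnets      = []
}
```

Two caveats worth keeping in mind: the consumer must reference the helper's output, since passing `var.project_id` straight into the network module bypasses the edge entirely; and depends_on only orders Terraform's own API calls, so it guarantees the binding call has returned, not that the new permission is already visible to the Compute API. If a 403 still appears right after the binding, that is IAM propagation lag rather than a missing graph edge, and a short delay or a retry of the apply is the remaining remedy.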

Cool, yeah, that was my thinking with adding the output depends_on. I will do a PR.