terraform-google-modules/terraform-google-bastion-host

bastion server can't modify host network in another project

intotecho opened this issue · 1 comment

### TL;DR

I am in a service project, creating a google-bastion-host. The Shared VPC network is in a host project, managed by another terraform stage.

I get the error "Cross project referencing is not allowed for this resource". The bastion host is created except for the firewall rules in the plan below.

### Expected behavior

Remaining plan to be applied:

```text
# module.gis_project.module.gis-bastion-vm.module.iap_tunneling.google_compute_firewall.allow_from_iap_to_instances[0] will be created
  + resource "google_compute_firewall" "allow_from_iap_to_instances" {
      + creation_timestamp      = (known after apply)
      + destination_ranges      = (known after apply)
      + direction               = (known after apply)
      + enable_logging          = (known after apply)
      + id                      = (known after apply)
      + name                    = "allow-ssh-from-iap-to-tunnel"
      + network                 = "https://www.googleapis.com/compute/v1/projects/network-prj/global/networks/my-nw-uat"
      + priority                = 1000
      + project                 = "service-prj"
      + self_link               = (known after apply)
      + source_ranges           = [
          + "35.235.240.0/20",
        ]
      + target_service_accounts = [
          + "bastion-uat@service-prj.iam.gserviceaccount.com",
        ]

      + allow {
          + ports    = [
              + "22",
            ]
          + protocol = "tcp"
        }
    }
```

### Observed behavior

```text
│ Error: Error creating Firewall: googleapi: Error 400: Invalid value for field 'resource.network': 'projects/my-network-prj/global/networks/my-nw-uat'. Cross project referencing is not allowed for this resource., invalid
│
│   with module.my_project.module.my-bastion-vm.module.iap_tunneling.google_compute_firewall.allow_from_iap_to_instances[0],
│   on .terraform\modules\my_project.gis-bastion-vm\modules\iap-tunneling\main.tf line 17, in resource "google_compute_firewall" "allow_from_iap_to_instances":
│   17: resource "google_compute_firewall" "allow_from_iap_to_instances" {
```

### Terraform Configuration

```hcl
module "gis-bastion-vm" {
  source               = "terraform-google-modules/bastion-host/google"
  project              = local.project_id
  zone                 = local.zone
  name                 = "bastion-${local.environment}"
  machine_type         = "e2-micro"
  network              = local.host_network_selflink
  subnet               = local.subnet_selflink
  service_account_name = "bastion-${local.environment}"
  service_account_roles_supplemental = [
    "roles/iam.serviceAccountUser"
  ]
  scopes = [
    "cloud-platform"
  ]
}
```


### Terraform Version

```sh
Terraform v1.2.3
on windows_amd64
+ provider registry.terraform.io/hashicorp/google v4.20.0
+ provider registry.terraform.io/hashicorp/google-beta v4.20.0
+ provider registry.terraform.io/hashicorp/local v2.2.3
+ provider registry.terraform.io/hashicorp/random v3.3.2
+ provider registry.terraform.io/hashicorp/template v2.2.0
```

### Additional information

No response
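The error above is the Compute API refusing a `google_compute_firewall` whose `project` (the service project) differs from the project that owns the Shared VPC network: firewall rules are attached to the network, so they have to be created in the host project. The configuration below is an added example, not code from the issue or from the bastion-host module. It keeps the bastion VM in the service project and creates the same IAP rule the module planned, but in the host project. It assumes the module version in use exposes a `create_firewall_rule` input to suppress the module's own rule (check the module's `variables.tf`; if it does not, the module's rule will still fail and a different approach is needed), and it assumes the identity running Terraform holds a role on the host project that allows firewall creation (for example `roles/compute.securityAdmin`). Project IDs, zone and subnet are placeholders taken from the redacted values in the issue.

```hcl
# Added example (not the module's code). Placeholders: project IDs, zone, subnet.
locals {
  host_project_id    = "network-prj" # owns the Shared VPC network
  service_project_id = "service-prj" # owns the bastion VM and its service account
  environment        = "uat"

  host_network_selflink = "https://www.googleapis.com/compute/v1/projects/network-prj/global/networks/my-nw-uat"
  subnet_selflink       = "https://www.googleapis.com/compute/v1/projects/network-prj/regions/europe-west1/subnetworks/my-subnet-uat"
  zone                  = "europe-west1-b"
}

module "gis-bastion-vm" {
  source               = "terraform-google-modules/bastion-host/google"
  project              = local.service_project_id
  zone                 = local.zone
  name                 = "bastion-${local.environment}"
  machine_type         = "e2-micro"
  network              = local.host_network_selflink
  subnet               = local.subnet_selflink
  service_account_name = "bastion-${local.environment}"

  # ASSUMPTION: input exists in the module version you use. It stops the module
  # from creating the IAP rule in the service project, which the API rejects
  # with "Cross project referencing is not allowed" on a Shared VPC network.
  create_firewall_rule = false

  service_account_roles_supplemental = ["roles/iam.serviceAccountUser"]
  scopes                             = ["cloud-platform"]
}

# The IAP rule from the module's plan, recreated in the project that owns the
# network. Only `project` changes; name, range, target and ports match the plan.
resource "google_compute_firewall" "allow_from_iap_to_bastion" {
  project   = local.host_project_id
  name      = "allow-ssh-from-iap-to-tunnel"
  network   = local.host_network_selflink
  direction = "INGRESS"
  priority  = 1000

  # 35.235.240.0/20 is Google's published source range for IAP TCP forwarding;
  # keeping it as the only source means no direct SSH from the internet.
  source_ranges = ["35.235.240.0/20"]

  # Scope the rule to the bastion's service account rather than the whole network.
  target_service_accounts = [
    "bastion-${local.environment}@${local.service_project_id}.iam.gserviceaccount.com",
  ]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # Log hits so IAP-originated SSH to the bastion shows up in Cloud Logging.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Because the rule now lives in the host project, `terraform plan` in the service project stage will show `project = "network-prj"` for it, and the host-project network administrators own its lifecycle along with the rest of the Shared VPC firewall policy.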

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.