Module org_policy_v2 does not work as expected for constraint cloudfunctions.allowedIngressSetting
sunilrdsouza opened this issue · 2 comments
### TL;DR
Trying to create a policy using terraform-google-modules/org-policy/google//modules/org_policy_v2, but it fails.
I have tried to apply for both "organization" and "folder", with a similar error for each.
### Error while applying on Organization
```
module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0]: Creating...
╷
│ Error: Error creating Policy: googleapi: Error 404: Requested entity was not found.
│
│   with module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0],
│   odules\org_policy_v2\list_constraints.tf line 20, in resource "google_org_policy_policy" "organization_policy":
│   20: resource "google_org_policy_policy" "organization_policy" {
│
╵
```
### Error while applying on Folder
```
module.org_cloudfunction_allowedingress.google_org_policy_policy.folder_policy[0]: Creating...
╷
│ Error: Error creating Policy: googleapi: Error 404: Requested entity was not found.
│
│   with module.org_cloudfunction_allowedingress.google_org_policy_policy.folder_policy[0],
│   on .terraform\modules\org_cloudfunction_allowedingress\modules\org_policy_v2\list_constraints.tf line 56, in resource "google_org_policy_policy" "folder_policy":
│   56: resource "google_org_policy_policy" "folder_policy" {
│
╵
Releasing state lock. This may take a few moments...
```
### Expected behavior
Expectations:
```
Policy for Allowed ingress settings (Cloud Functions)

Effective policy for organization "xxxxxxxxx"
This is the result of merging policies in the resource hierarchy and evaluating conditions. The policy does not have a condition set because it is a computed policy across multiple resources.
Allowed: ALLOW_INTERNAL_AND_GCLB

Custom policy
The rules below have been configured for the currently-selected resource's custom policy.
Policy enforcement: Replace parent
Rule 1
  Allowed   : is:ALLOW_INTERNAL_AND_GCLB
  Condition -
```
### Observed behavior
```
$ terraform.exe apply
Acquiring state lock. This may take a few moments...
data.google_client_config.current: Reading...
data.google_client_config.current: Read complete after 1s [id=projects//regions//zones/]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0] will be created
  + resource "google_org_policy_policy" "organization_policy" {
      + id     = (known after apply)
      + name   = "organizations/69664836181/policies/cloudfunctions.allowedIngressSetting"
      + parent = "organizations/69664836181"

      + spec {
          + etag        = (known after apply)
          + update_time = (known after apply)

          + rules {
              + values {
                  + allowed_values = [
                      + "is:ALLOW_INTERNAL_AND_GCLB",
                    ]
                }
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + project = "project-rocky"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0]: Creating...
╷
│ Error: Error creating Policy: googleapi: Error 404: Requested entity was not found.
│
│   with module.org_cloudfunction_allowedingress.google_org_policy_policy.organization_policy[0],
```
### Terraform Configuration
```hcl
module "org_cloudfunction_allowedingress" {
  providers = {
    google = google.overridden_billing_project
  }
  source  = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  version = "~> 5.2.0"

  policy_root    = "organization"
  policy_root_id = "11111111111"
  constraint     = "cloudfunctions.allowedIngressSetting"
  policy_type    = "list" # either of list or boolean

  exclude_folders  = []
  exclude_projects = []

  rules = [
    # Rule 1
    {
      enforcement = true
      allow       = ["is:ALLOW_INTERNAL_AND_GCLB"]
      deny        = []
      conditions  = []
    },
  ]
}
```
### Terraform Version
```
$ terraform.exe version
Terraform v1.3.9
on windows_386
+ provider registry.terraform.io/hashicorp/google v4.53.1
+ provider registry.terraform.io/hashicorp/google-beta v4.48.0
```
### Additional information
No response
Hi @sunilrdsouza,
I think your constraint id is just missing the s. Could you try
```hcl
constraint = "cloudfunctions.allowedIngressSettings"
```
instead of
```hcl
constraint = "cloudfunctions.allowedIngressSetting"
```
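A constraint id that does not exist surfaces only as an opaque `404: Requested entity was not found` at apply time, after the plan has already been approved. The following preflight check turns that into a plan-time finding: it pulls `constraint` and `policy_type` out of every `org_policy_v2` module block in a Terraform file and compares them against the constraints the organization actually exposes, suggesting the closest known id when there is a near miss and flagging a list/boolean mismatch. This is an added example written for this page, not code from the issue or from the terraform-google-modules project. The constraints payload is a constructed sample whose shape is assumed to follow the Org Policy v2 `constraints.list` response (`name` ending in `/constraints/<id>`, with a `listConstraint` or `booleanConstraint` field); the module text is a trimmed copy of the configuration above with a placeholder organization id.

```python
import difflib
import json
import re

# Constructed sample: shaped like an Org Policy v2 constraints.list response
# (assumption about the API shape); the entries are made up for this example
# and are not a captured API response.
SAMPLE_CONSTRAINTS_JSON = json.dumps({
    "constraints": [
        {"name": "organizations/000000000000/constraints/cloudfunctions.allowedIngressSettings",
         "listConstraint": {"supportsIn": True}},
        {"name": "organizations/000000000000/constraints/cloudfunctions.allowedVpcConnectorEgressSettings",
         "listConstraint": {"supportsIn": True}},
        {"name": "organizations/000000000000/constraints/compute.skipDefaultNetworkCreation",
         "booleanConstraint": {}},
    ]
})

# Trimmed copy of the module block from the issue, with a placeholder org id.
SAMPLE_MODULE_HCL = '''
module "org_cloudfunction_allowedingress" {
  source         = "terraform-google-modules/org-policy/google//modules/org_policy_v2"
  policy_root    = "organization"
  policy_root_id = "000000000000"
  constraint     = "cloudfunctions.allowedIngressSetting"
  policy_type    = "list" # either of list or boolean
}
'''

# A module block runs from `module "<name>" {` to the first `}` at column 0,
# which assumes terraform-fmt style indentation of nested blocks.
_MODULE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
_ATTR = re.compile(r'^\s*(constraint|policy_type)\s*=\s*"([^"]*)"', re.M)


def load_constraint_kinds(constraints_json):
    """Map short constraint id -> 'list' or 'boolean' from a constraints.list payload."""
    kinds = {}
    for c in json.loads(constraints_json).get("constraints", []):
        short = c["name"].rsplit("/constraints/", 1)[-1]
        kinds[short] = "boolean" if "booleanConstraint" in c else "list"
    return kinds


def extract_policy_attrs(hcl_text):
    """Return {module_name: {"constraint": ..., "policy_type": ...}} for blocks that set a constraint."""
    result = {}
    for name, body in _MODULE.findall(hcl_text):
        attrs = dict(_ATTR.findall(body))
        if "constraint" in attrs:
            result[name] = attrs
    return result


def check_module(attrs, kinds):
    """Return a list of findings for one module; an empty list means no problem was detected."""
    findings = []
    constraint = attrs["constraint"]
    if constraint.startswith("constraints/"):
        constraint = constraint[len("constraints/"):]
    if constraint not in kinds:
        # Near-miss suggestion catches typos such as a missing trailing "s".
        hint = difflib.get_close_matches(constraint, kinds, n=1, cutoff=0.8)
        msg = f"unknown constraint {constraint!r}"
        if hint:
            msg += f"; did you mean {hint[0]!r}?"
        findings.append(msg)
        return findings
    expected = kinds[constraint]
    declared = attrs.get("policy_type", "list")  # module default assumed to be "list"
    if declared != expected:
        findings.append(f"policy_type is {declared!r} but {constraint!r} is a {expected} constraint")
    return findings


def preflight(hcl_text, constraints_json):
    """Check every org_policy_v2 module in hcl_text; returns {module_name: [findings]}."""
    kinds = load_constraint_kinds(constraints_json)
    return {name: check_module(attrs, kinds) for name, attrs in extract_policy_attrs(hcl_text).items()}


if __name__ == "__main__":
    for module, findings in preflight(SAMPLE_MODULE_HCL, SAMPLE_CONSTRAINTS_JSON).items():
        print(module, "OK" if not findings else findings)
```

Run against the sample, the check reports the posted `cloudfunctions.allowedIngressSetting` as unknown and suggests `cloudfunctions.allowedIngressSettings`; with the corrected id it reports nothing. In a real pipeline the constraints payload would come from the organization's own constraint listing and the check would run before `terraform apply`, so a bad id never reaches the API call that produces the 404.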
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days