terraform-google-modules/terraform-google-project-factory

Can't import existing project to project factory module

noamisr opened this issue · 7 comments

TL;DR

I started using the submodule "terraform-google-modules/project-factory/google//modules/svpc_service_project" to create new GCP projects in my VPC network.

And when I try to import existing projects into the module's resources, the operation fails.

Using the command:

terraform import module.gcp_service_project.module.project-factory.google_project.main existing_project_id

Expected behavior

Be able to import the base object of the google_project fundamental resource of the module.

Observed behavior

The command fails:

│ Error: Invalid for_each argument
│ 
│   on .terraform/modules/existing_service_project/modules/shared_vpc_access/main.tf line 77, in resource "google_project_iam_member" "service_shared_vpc_user":
│   77:   for_each = (length(var.shared_vpc_subnets) == 0) && var.enable_shared_vpc_service_project && var.grant_network_role ? toset(local.active_apis) : []
│     ├────────────────
│     │ local.active_apis will be known only after apply
│     │ var.enable_shared_vpc_service_project is true
│     │ var.grant_network_role is true
│     │ var.shared_vpc_subnets is empty list of string
│ 
│ The "for_each" set includes values derived from resource attributes that cannot be determined until apply, and so Terraform cannot determine the
│ full set of keys that will identify the instances of this resource.
│ 
│ When working with unknown values in for_each, it's better to use a map value where the keys are defined statically in your configuration and
│ where only the values contain apply-time results.
│ 
│ Alternatively, you could use the -target planning option to first apply only the resources that the for_each value depends on, and then apply a
│ second time to fully converge.
╵

╷
│ Error: Invalid count argument
│ 
│   on .terraform/modules/existing_service_project/modules/shared_vpc_access/main.tf line 88, in resource "google_project_iam_member" "composer_host_agent":
│   88:   count   = local.composer_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only the resources that the count depends on.
╵

╷
│ Error: Invalid count argument
│ 
│   on .terraform/modules/existing_service_project/modules/shared_vpc_access/main.tf line 99, in resource "google_project_iam_member" "gke_host_agent":
│   99:   count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only the resources that the count depends on.
╵

╷
│ Error: Invalid count argument
│ 
│   on .terraform/modules/existing_service_project/modules/shared_vpc_access/main.tf line 111, in resource "google_project_iam_member" "gke_security_admin":
│  111:   count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_services_security_admin_role ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be
│ created. To work around this, use the -target argument to first apply only the resources that the count depends on.
╵

Terraform Configuration

module "gcp_service_project" {
  source  = "terraform-google-modules/project-factory/google//modules/svpc_service_project"
  version = "~> 14.1"

  # Placeholder: ID of the project that already exists in GCP
  name              = "<existing-project-id>"
  random_project_id = false
  org_id            = var.gcp_organization_id
  billing_account   = var.gcp_billing_account_id
  shared_vpc        = local.host_project_id

  activate_apis = [
    "compute.googleapis.com",
    "container.googleapis.com",
    "dataproc.googleapis.com",
    "dataflow.googleapis.com",
    "dns.googleapis.com"
  ]
}

Terraform Version

Terraform v1.3.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v4.51.0
+ provider registry.terraform.io/hashicorp/google-beta v4.52.0
+ provider registry.terraform.io/hashicorp/null v3.2.1
+ provider registry.terraform.io/hashicorp/random v3.4.3
+ provider registry.terraform.io/hashicorp/tfe v0.41.0
+ provider registry.terraform.io/hashicorp/time v0.9.1

Additional information

No response

Same here

+1

╷
│ Error: Invalid count argument
│
│   on <snip>/modules/shared_vpc_access/main.tf line 88, in resource "google_project_iam_member" "composer_host_agent":
│   88:   count   = local.composer_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? 1 : 0
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that
│ the count depends on.
╵

╷
│ Error: Invalid count argument
│
│   on <snip>/modules/shared_vpc_access/main.tf line 99, in resource "google_project_iam_member" "gke_host_agent":
│   99:   count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? 1 : 0
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that
│ the count depends on.
╵

╷
│ Error: Invalid count argument
│
│   on <snip>/modules/shared_vpc_access/main.tf line 111, in resource "google_project_iam_member" "gke_security_admin":
│  111:   count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_services_security_admin_role ? 1 : 0
│
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that
│ the count depends on.
╵
icy95 commented

Same here. What I did was just import my project into a google_project resource like:

resource "google_project" "my_project" {
  name       = "My Project"
  project_id = "your-project-id"
  org_id     = "1234567"
}

And move the state to the module like:
terraform state mv google_project.my_project module.project-factory.module.project-factory.google_project.main

This worked for me, I hope it works for you too.

@icy95 thanks a lot. A small note: for this to work, FIRST import and move the state, and add the module only after that.
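The import-then-move order described in the two comments above, scripted as an added example (not code from the issue or from the project-factory module). The function name `import_into_module`, the `TMP_ADDR` default and the backup file name are assumptions made for illustration; it expects to run while only the standalone `google_project` block is in the configuration.

```shell
#!/bin/sh
# Added example: import an existing project into a root-level google_project
# resource, then move it to the module's address, in the order the thread gives.
set -eu

# Temporary root-level resource that receives the import (hypothetical default,
# matching the resource name used in the comment above).
TMP_ADDR="${TMP_ADDR:-google_project.my_project}"

# import_into_module PROJECT_ID MODULE_ADDR
#   MODULE_ADDR is the final address inside the module, for example
#   module.gcp_service_project.module.project-factory.google_project.main
import_into_module() {
  project_id="$1"
  module_addr="$2"

  # Refuse to run if the target address is already tracked in state.
  if terraform state list | grep -Fxq "$module_addr"; then
    echo "already in state: $module_addr" >&2
    return 1
  fi

  # Keep a copy of the current state so the move can be undone by hand.
  terraform state pull > "state-backup-${project_id}.json"

  # 1. Import while the module block is NOT yet in the configuration.
  terraform import "$TMP_ADDR" "$project_id"

  # 2. Move the imported object to the address the module will use.
  terraform state mv "$TMP_ADDR" "$module_addr"

  # 3. Confirm the object now sits at the module address.
  terraform state list | grep -Fxq "$module_addr"
}

# Stand-alone use: ./import.sh PROJECT_ID MODULE_ADDR
if [ "$#" -eq 2 ]; then
  import_into_module "$1" "$2"
fi
```

After it succeeds, delete the standalone resource block, add the module block, and run `terraform plan` to check that the project is not scheduled for re-creation.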

cread commented

If you have a shared VPC in play you have to import that too before adding the module.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

The error does not appear if, at the time of importing the project, the activate_apis array is empty. After the import, the APIs to be activated are assigned, and that's it.