
Dry run difficulties with service perimeters and dynamic projects #10642

Closed
DanHyland opened this issue Nov 26, 2021 · 5 comments


DanHyland commented Nov 26, 2021


Terraform Version

Terraform version 0.12.31

Google provider version 3.90.1

Affected Resource(s)

google_access_context_manager_service_perimeter

google_access_context_manager_service_perimeter_resource (indirectly)

Terraform Configuration Files

resource "google_access_context_manager_service_perimeter" "perimeter" {
  parent = "accessPolicies/${local.access_policy_id}"
  name   = "accessPolicies/${local.access_policy_id}/servicePerimeters/${local.perimeter_name}"
  title  = local.perimeter_name

  spec {
    restricted_services = [
      for service in [
        "bigquery",
      ] :
      format("%s.googleapis.com", service)
    ]
    access_levels = [
      "accessPolicies/${local.access_policy_id}/accessLevels/cloudfunctions"
    ]
    resources = [
      "projects/123456789012",
      "projects/234567890123",
      "projects/345678901234",
    ]
  }

  use_explicit_dry_run_spec = true

  status {
    restricted_services = [
      for service in [
        "bigquery",
      ] :
      format("%s.googleapis.com", service)
    ]
    access_levels = [
      "accessPolicies/${local.access_policy_id}/accessLevels/cloudfunctions"
    ]
  }
  lifecycle {
    ignore_changes = [status[0].resources]
  }
}

Expected Behavior

Spec block (dry run) should act similarly to the status block in that we should be able to ignore resources (projects), as they can be managed outside of access_context_manager_service_perimeter resources with access_context_manager_service_perimeter_resource, as noted in the official documentation:

Note:
If this resource is used alongside a google_access_context_manager_service_perimeter resource, the service perimeter resource must have a lifecycle block with ignore_changes = [status[0].resources] so they don't fight over which resources should be in the policy.

Given the above, we should be able to set ignore_changes = [status[0].resources, spec[0].resources]

Actual Behavior

If a project is created outside google_access_context_manager_service_perimeter.perimeter and not added in this spec block, it will bomb out the apply and you will be unable to apply a dry run configuration. For example, we have hundreds of projects managed dynamically with google_access_context_manager_service_perimeter_resource per project.

google_access_context_manager_service_perimeter.perimeter: Modifying... [id=accessPolicies/123456789012/servicePerimeters/perimeter]
Error: Error updating ServicePerimeter "accessPolicies/123456789012/servicePerimeters/perimeter": googleapi: Error 400: Project 'projects/123456789012' is in Service Perimeter Bridge(s) 'bridge', but no regular Service Perimeter. Each project in a Service Perimeter Bridge must be in a regular Service Perimeter.

Steps to Reproduce

  1. Set up a dry-run configuration for a service perimeter which does not include all projects in that perimeter
  2. Attempt a terraform apply

References

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter_resource

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/access_context_manager_service_perimeter

  • #0000

b/301066068
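Added example, not from the issue or the provider documentation: the reporter's perimeter rewritten with the ignore_changes set proposed above, so that project membership in both the enforced status and the dry-run spec is left to separate per-project resources. The access policy id, perimeter name and project list are placeholder values.

```hcl
# Assumed placeholder values; substitute your own access policy and projects.
locals {
  access_policy_id = "123456789012"
  perimeter_name   = "perimeter"
  # Projects attached dynamically, each by its own perimeter_resource below.
  dynamic_projects = ["projects/234567890123", "projects/345678901234"]
}

resource "google_access_context_manager_service_perimeter" "perimeter" {
  parent = "accessPolicies/${local.access_policy_id}"
  name   = "accessPolicies/${local.access_policy_id}/servicePerimeters/${local.perimeter_name}"
  title  = local.perimeter_name

  use_explicit_dry_run_spec = true

  # Dry-run configuration: same services and access levels as the enforced
  # status, but no resources list here; membership is ignored below.
  spec {
    restricted_services = ["bigquery.googleapis.com"]
    access_levels       = ["accessPolicies/${local.access_policy_id}/accessLevels/cloudfunctions"]
  }

  # Enforced configuration.
  status {
    restricted_services = ["bigquery.googleapis.com"]
    access_levels       = ["accessPolicies/${local.access_policy_id}/accessLevels/cloudfunctions"]
  }

  lifecycle {
    # Ignore project membership in both the enforced and the dry-run config
    # so this resource does not fight with the per-project resources.
    ignore_changes = [status[0].resources, spec[0].resources]
  }
}

# One membership resource per dynamically managed project. Per the maintainer
# comment in this thread, this resource manages enforced (status) membership
# only; dry-run membership is not covered by it.
resource "google_access_context_manager_service_perimeter_resource" "project" {
  for_each       = toset(local.dynamic_projects)
  perimeter_name = google_access_context_manager_service_perimeter.perimeter.name
  resource       = each.value
}
```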

@DanHyland DanHyland added the bug label Nov 26, 2021
@github-actions github-actions bot added service/accesscontextmanager forward/review In review; remove label to forward labels Aug 17, 2023
@edwardmedia edwardmedia removed the forward/review In review; remove label to forward label Sep 18, 2023
@Charlesleonius

Hi @DanHyland or anyone else interested in this issue. As far as I can tell adding the spec to the lifecycle ignore block does prevent conflicts between resources managed outside the perimeter for dry-run. Currently access_context_manager_service_perimeter_resource does not support dry-run resources however we are planning to add a dry-run version to address #11780. Would that solve your issue?

@Charlesleonius

@edwardmedia Can we close this out? Should be addressed by GoogleCloudPlatform/magic-modules#10145

@Charlesleonius

@rileykarson @melinath Can we close this out?

@melinath
Collaborator

closing as addressed by GoogleCloudPlatform/magic-modules#10145 - thanks!


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 28, 2024