
Binary Authorization resources get applied in wrong project #18678

Open
lacunoc opened this issue Jul 9, 2024 · 0 comments

lacunoc commented Jul 9, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.8.4
on darwin_arm64

  • provider registry.terraform.io/cyrilgdn/postgresql v1.21.0
  • provider registry.terraform.io/datadog/datadog v3.40.0
  • provider registry.terraform.io/gitlabhq/gitlab v17.1.0
  • provider registry.terraform.io/hashicorp/archive v2.4.0
  • provider registry.terraform.io/hashicorp/consul v2.20.0
  • provider registry.terraform.io/hashicorp/google v5.37.0
  • provider registry.terraform.io/hashicorp/google-beta v5.37.0
  • provider registry.terraform.io/hashicorp/http v3.4.3
  • provider registry.terraform.io/hashicorp/random v3.6.2
  • provider registry.terraform.io/hashicorp/tls v4.0.5

Affected Resource(s)

google_binary_authorization_policy
google_container_analysis_note
google_binary_authorization_attestor

Terraform Configuration

resource "google_binary_authorization_policy" "policy" {
  default_admission_rule {
    evaluation_mode         = "REQUIRE_ATTESTATION"
    enforcement_mode        = "DRYRUN_AUDIT_LOG_ONLY"
    require_attestations_by = [for attestor in google_binary_authorization_attestor.attestor : attestor.name]
  }

  global_policy_evaluation_mode = "ENABLE"
}

resource "google_container_analysis_note" "note" {
  for_each = local.binaryauth_attestors
  name     = each.value
  attestation_authority {
    hint {
      human_readable_name = "${each.value} Container Analysis Note"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  for_each = local.binaryauth_attestors
  name     = each.value
  attestation_authority_note {
    note_reference = google_container_analysis_note.note[each.value].name
    public_keys {
      id = data.consul_key_prefix.self.subkeys["kms/kms-binaryauth/${each.value}/id"]
      pkix_public_key {
        public_key_pem      = data.consul_key_prefix.self.subkeys["kms/kms-binaryauth/${each.value}/public_key.pem"]
        signature_algorithm = data.consul_key_prefix.self.subkeys["kms/kms-binaryauth/${each.value}/public_key.algorithm"]
      }
    }
  }
}

Debug Output

No response

Expected Behavior

Terraform resources should be applied in the project with id 9876, for which the google provider was configured.

Actual Behavior

While the plan looks correct, the apply fails, as the project where Terraform tries to apply the resources is not the correct one (id 9876) but 1234.

# Output got slightly changed to redact sensitive data

google_container_analysis_note.note["A"]: Creating...
google_container_analysis_note.note["B"]: Creating...
google_container_analysis_note.note["C"]: Creating...
╷
│ Error: Error creating Note: googleapi: Error 403: Container Analysis API has not been used in project 1234 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/containeranalysis.googleapis.com/overview?project=1234 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.Help",
│     "links": [
│       {
│         "description": "Google developers console API activation",
│         "url": "https://console.developers.google.com/apis/api/containeranalysis.googleapis.com/overview?project=1234"
│       }
│     ]
│   },
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/1234",
│       "service": "containeranalysis.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]
│ 
│   with google_container_analysis_note.note["A"],
│   on gke.tf line 229, in resource "google_container_analysis_note" "note":
│  229: resource "google_container_analysis_note" "note" {
│ 
╵
╷
│ Error: Error creating Note: googleapi: Error 403: Container Analysis API has not been used in project 1234 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/containeranalysis.googleapis.com/overview?project=1234 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.Help",
│     "links": [
│       {
│         "description": "Google developers console API activation",
│         "url": "https://console.developers.google.com/apis/api/containeranalysis.googleapis.com/overview?project=1234"
│       }
│     ]
│   },
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/1234",
│       "service": "containeranalysis.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]
│ 
│   with google_container_analysis_note.note["B"],
│   on gke.tf line 229, in resource "google_container_analysis_note" "note":
│  229: resource "google_container_analysis_note" "note" {
│ 
╵
╷
│ Error: Error creating Note: googleapi: Error 403: Container Analysis API has not been used in project 1234 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/containeranalysis.googleapis.com/overview?project=1234 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.Help",
│     "links": [
│       {
│         "description": "Google developers console API activation",
│         "url": "https://console.developers.google.com/apis/api/containeranalysis.googleapis.com/overview?project=1234"
│       }
│     ]
│   },
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/1234",
│       "service": "containeranalysis.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]
│ 
│   with google_container_analysis_note.note["C"],
│   on gke.tf line 229, in resource "google_container_analysis_note" "note":
│  229: resource "google_container_analysis_note" "note" {
│ 
╵

Creating the above-mentioned resources manually via the UI and adding import blocks to the Terraform code also leads to the same error:

import {
  for_each = local.binaryauth_attestors
  id       = "projects/${var.gcp_project_id}/notes/${each.value}"
  to       = google_container_analysis_note.note[each.value]
}

import {
  for_each = local.binaryauth_attestors
  id       = "projects/${var.gcp_project_id}/attestors/${each.value}"
  to       = google_binary_authorization_attestor.attestor[each.value]
}

import {
  id = "projects/${var.gcp_project_id}"
  to = google_binary_authorization_policy.policy
}

Steps to reproduce

  1. terraform apply

Important Factoids

The service account used in the Terraform pipeline is located in project 1234 (our control project), but its rights are inherited into project 9876 (our application project).
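The `consumer` field in the `google.rpc.ErrorInfo` above names the project the API call was counted against (1234, the service account's home project), not the project the provider was configured for. The following is an added example, not the reporter's configuration: it assumes that mismatch is the cause and shows how to pin the quota project and the resource project explicitly (`var.gcp_project_id` and `local.binaryauth_attestors` are taken from the issue; the provider settings `user_project_override` and `billing_project` are the google provider's own arguments).

```hcl
# Added example, not the reporter's configuration. Assumption: the 403 names
# project 1234 because the API call's quota (consumer) project defaults to the
# project that owns the service account; var.gcp_project_id is the application
# project (9876 in the report) and local.binaryauth_attestors is as on the page.

provider "google" {
  project = var.gcp_project_id

  # Route quota and billing for API calls to the application project instead of
  # the service account's home project. The caller needs
  # serviceusage.services.use on var.gcp_project_id for this to work.
  user_project_override = true
  billing_project       = var.gcp_project_id
}

# Pin `project` explicitly on every Binary Authorization resource rather than
# relying on the provider default, so `terraform plan` shows where each lands.
resource "google_container_analysis_note" "note" {
  for_each = local.binaryauth_attestors
  project  = var.gcp_project_id
  name     = each.value
  attestation_authority {
    hint {
      human_readable_name = "${each.value} Container Analysis Note"
    }
  }
}

resource "google_binary_authorization_attestor" "attestor" {
  for_each = local.binaryauth_attestors
  project  = var.gcp_project_id
  name     = each.value
  attestation_authority_note {
    note_reference = google_container_analysis_note.note[each.value].name
    public_keys {
      id = data.consul_key_prefix.self.subkeys["kms/kms-binaryauth/${each.value}/id"]
      pkix_public_key {
        public_key_pem      = data.consul_key_prefix.self.subkeys["kms/kms-binaryauth/${each.value}/public_key.pem"]
        signature_algorithm = data.consul_key_prefix.self.subkeys["kms/kms-binaryauth/${each.value}/public_key.algorithm"]
      }
    }
  }
}
```

The same `project = var.gcp_project_id` pin applies to `google_binary_authorization_policy`; after the change, the `consumer` in any remaining error should name 9876, which confirms whether the quota project was the variable at play.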

References

No response

b/352822945
b/352823299

lacunoc added the bug label Jul 9, 2024
ggtisc self-assigned this Jul 12, 2024
trodge removed the forward/review (In review; remove label to forward) label Jul 12, 2024