Terraform-provider-google: Deploy GKE with a shared VPC in other GCP project

Created on 24 May 2018  ·  5 Comments  ·  Source: hashicorp/terraform-provider-google

Hi there,
I'm trying to deploy a google_container_cluster with a VPC shared from another GCP project. I can deploy manually in the console using a network like this: projects/<project with VPC shared>/global/networks/<VPC Shared network>, but with Terraform I receive this error:
google_container_cluster.primary: googleapi: Error 400: must use a network belonging to project.

I think we need something for the option "useIpAliases": true in the ip_allocation_policy block, because in the REST JSON it is something like

"ipAllocationPolicy": {
  "useIpAliases": true,
  "clusterSecondaryRangeName": "containers",
  "servicesSecondaryRangeName": "services"
}

Terraform Version

Terraform version: 0.11.7

Affected Resource(s)

  • google_container_cluster

Terraform Configuration Files

This is the block ip_allocation_policy that I'm using now

  ip_allocation_policy {
    cluster_secondary_range_name = "${var.cluster_secondary_name}"
    services_secondary_range_name = "${var.cluster_service_name}"
  }

Actual Behavior

{
  "error": {
    "code": 400,
    "message": "must use a network belonging to project \"MY PROJECT\".",
    "errors": [
      {
        "message": "must use a network belonging to project \"MY PROJECT\".",
        "domain": "global",
        "reason": "badRequest"
      }
    ],
    "status": "INVALID_ARGUMENT"
  }
}

Steps to Reproduce

  1. terraform apply

Label: bug

All 5 comments

Hey @javiercri, sorry to hear this isn't working for you! Would you mind posting a full config for the resource, as well as plan output and debug logs? That would help me figure out why it isn't working.

In the meantime, feel free to check out how I set up shared vpc with gke in this test: https://github.com/terraform-providers/terraform-provider-google/blob/master/google/resource_container_cluster_test.go#L2129

resource "google_container_cluster" "primary" {
  name               = "${var.name}"
  description        = "${var.description}"
  zone               = "${var.zone}"
  initial_node_count = 1
  network = "${var.network}"
  subnetwork = "${var.subnetwork}"

  ip_allocation_policy {
    cluster_secondary_range_name = "${var.cluster_secondary_name}"
    services_secondary_range_name = "${var.cluster_service_name}"
  }
}

Here is my main for the cluster. I checked your example and I checked all the permissions for my projects, and all are OK.
I followed the instructions here and I can deploy my cluster:
https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-shared-vpc#summary_of_roles_granted_on_subnets, but not with Terraform. I can't deploy with a network that is not in my project.
I use my network and subnetwork variables exactly like the example:

--network projects/[HOST_PROJECT_ID]/global/networks/shared-net \
--subnetwork projects/[HOST_PROJECT_ID]/regions/us-central1/subnetworks/tier-1

Do you have a config for this variable "--enable-ip-alias", or is it automatic?

It's automatic when ip_allocation_policy is set.
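For reference, here is a complete shared VPC plus GKE configuration of the kind the thread is working towards. It is an added example, not code from the issue or from the provider's test suite, and it assumes Terraform 0.12+ (HCL2) and a current google provider rather than the 1.x provider the reporter was using; project IDs, resource names and CIDR ranges are placeholders. It also carries the part the reporter had to do by hand, namely the subnet-scoped IAM grants the linked GKE doc requires, so that the host project exposes only the one subnet and not the whole network.

```hcl
# Added example: shared VPC host project + GKE cluster in a service project.
# Assumes Terraform 0.12+ and a recent google provider. All IDs are placeholders.

variable "host_project" {
  default = "host-project-id"     # placeholder
}

variable "service_project" {
  default = "service-project-id"  # placeholder
}

provider "google" {
  region = "us-central1"
}

# Mark the host and attach the service project to it.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project
}

resource "google_compute_shared_vpc_service_project" "svc" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project
}

# Host-side network and subnet; the two secondary ranges are what
# ip_allocation_policy refers to by name.
resource "google_compute_network" "shared" {
  project                 = var.host_project
  name                    = "shared-net"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "tier1" {
  project       = var.host_project
  name          = "tier-1"
  region        = "us-central1"
  network       = google_compute_network.shared.self_link
  ip_cidr_range = "10.0.4.0/22"

  secondary_ip_range {
    range_name    = "containers"   # pod range
    ip_cidr_range = "10.4.0.0/14"
  }
  secondary_ip_range {
    range_name    = "services"     # ClusterIP range
    ip_cidr_range = "10.0.32.0/20"
  }
}

# The service project's Google-managed service accounts are addressed by project number.
data "google_project" "service" {
  project_id = var.service_project
}

locals {
  gke_sa  = "serviceAccount:service-${data.google_project.service.number}@container-engine-robot.iam.gserviceaccount.com"
  apis_sa = "serviceAccount:${data.google_project.service.number}@cloudservices.gserviceaccount.com"
}

# Least privilege: roles/compute.networkUser on this subnet only, not on the host project.
resource "google_compute_subnetwork_iam_member" "gke_sa" {
  project    = var.host_project
  region     = google_compute_subnetwork.tier1.region
  subnetwork = google_compute_subnetwork.tier1.name
  role       = "roles/compute.networkUser"
  member     = local.gke_sa
}

resource "google_compute_subnetwork_iam_member" "apis_sa" {
  project    = var.host_project
  region     = google_compute_subnetwork.tier1.region
  subnetwork = google_compute_subnetwork.tier1.name
  role       = "roles/compute.networkUser"
  member     = local.apis_sa
}

# The GKE service agent additionally needs this project-level role on the host.
resource "google_project_iam_member" "host_service_agent" {
  project = var.host_project
  role    = "roles/container.hostServiceAgentUser"
  member  = local.gke_sa
}

resource "google_container_cluster" "primary" {
  project            = var.service_project
  name               = "shared-vpc-cluster"
  location           = "us-central1-a"
  initial_node_count = 1

  # Full resource paths into the host project, the same form as the gcloud example.
  network    = google_compute_network.shared.self_link
  subnetwork = google_compute_subnetwork.tier1.self_link

  # Setting this block is what enables alias IP ("useIpAliases": true); the range
  # names must match the secondary ranges declared on the host subnet above.
  ip_allocation_policy {
    cluster_secondary_range_name  = "containers"
    services_secondary_range_name = "services"
  }

  # Cluster creation fails with a permission error if these bindings are not in place yet.
  depends_on = [
    google_compute_shared_vpc_service_project.svc,
    google_compute_subnetwork_iam_member.gke_sa,
    google_compute_subnetwork_iam_member.apis_sa,
    google_project_iam_member.host_service_agent,
  ]
}
```

After apply, `gcloud container clusters describe shared-vpc-cluster --zone us-central1-a --project service-project-id --format='value(network,subnetwork,ipAllocationPolicy.useIpAliases)'` should show the host project's network and subnet paths and `True`. If the cluster still reports "must use a network belonging to project", the provider is too old to pass a cross-project network path through (the thread's fix landed in provider 1.13); if it reports a permission error on the subnet, the IAM bindings above have not propagated yet or the service project number is wrong.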

https://github.com/terraform-providers/terraform-provider-google/commit/974c3f7646ae2d54a7d5f06cfcd8868ca2fcde65
I saw your commit from yesterday and downloaded version 1.13 (yesterday I was using 1.12).
Fixed with the new provider version v1.13.
Thank you so much :)

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!
