Terraform-provider-google: google_project throws an error if org policy skipDefaultNetworkCreation is enforced

Created on 7 May 2019 · 18Comments · Source: hashicorp/terraform-provider-google

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Terraform Version

Terraform v0.11.13
+ provider.google v2.5.1
+ provider.random v2.1.2

Affected Resource(s)

google_project

Terraform Configuration Files

resource "random_integer" "random" {
  max = 2000
  min = 1000
}
variable "credentials" {
  default = "credentials.json"
}

provider "google" {
  version     = "~> 2.2"
  credentials = "${file("${var.credentials}")}"
}

resource "google_project" "main" {
  name = "myproject"
  project_id = "myproject-${random_integer.random.id}"
  folder_id = "<set your folder>"
  auto_create_network = false
  billing_account = "<Set your billing account?"
}

Debug Output

Panic Output

Expected Behavior

Project without default network should be created.

Actual Behavior

Project is created with the following error

1 error(s) occurred:

* google_project.main: 1 error(s) occurred:
* google_project.main: Error deleting default network in project myproject-1285: Error deleting network: googleapi: Error 404: The resource 'projects/myproject-1285/global/networks/default' was not found, notFound

Steps to Reproduce

terraform apply

Important Factoids

Very important!
In order to reproduce this issue you need to do:

Set organization policy constraints/compute.skipDefaultNetworkCreation to Enforced either on org level or on the folder level
Set auto_create_network = false

References

#0000

bug

Source

marko7460

Most helpful comment

I just ran into this as well. Removing auto_create_network or setting it to true does in fact work in this situation. I just think this should be handled by the google_project resource so that when auto_create_network is false, instead of trying to delete a default network that doesn't exist, simply consider it success that the default network does in fact not exist.

bbrouwer on 23 May 2019

👍2

All 18 comments

The error is happening because the network is always created when a project is created, but if auto_create_network is false it will go back and delete that network. This is somewhat explained in the docs but the name is a bit misleading. IIRC the reason that field name was chosen was to stay consistent with the UI.

If you omit that field I believe the project creation should succeed. If it does I'll update the documentation to reflect that.

chrisst on 8 May 2019

bbrouwer on 23 May 2019

👍2

So it sounds to me like what's happening here is:

The organization policy is forcing the network to not be created at all
The code for auto_create_network never considered that the network may not exist, because at the time written, the organization policy didn't exist, so there would never be a situation where you'd create a project and find it without the default network. So it tries to delete a network that doesn't exist, and throws an error.

I've opened GoogleCloudPlatform/magic-modules#2117 to resolve this by catching the error and ignoring it. If I've misunderstood the situation, I'm happy to try a different solution, I'll just need more details. :)

paddycarver on 31 Jul 2019

That's exactly what was happening.

marko7460 on 31 Jul 2019

This has been merged and should be fixed in the next release.

paddycarver on 12 Aug 2019

@paddycarver I'm still seeing this error occur with v2.13.0:

Terraform version:

[root@ddf76968e6b8 setup]# terraform version
Terraform v0.12.6
+ provider.google v2.13.0
+ provider.google-beta v2.13.0
+ provider.null v2.1.2
+ provider.random v2.1.2

Error:

Error: Error deleting default network in project ci-network-b0ad: Error deleting network: googleapi: Error 404: The resource 'projects/ci-network-b0ad/global/networks/default' was not found, notFound

morgante on 20 Aug 2019

👍1

I'll take a look!

paddycarver on 20 Aug 2019

👍1

I´m having a similar issue

Terraform v0.12.6

provider.google v2.13.0

Error: Error deleting default network in project tf-billing08: Error waiting for Deleting Network: error while retrieving operation: Get https://www.googleapis.com/compute/v1/projects/tf-billing08/global/operations/operation-1566914277192-59119a8e2b16e-5837383f-f7835950?alt=json&prettyPrint=false: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

The link says:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}

Do I missing something, like a dependence on provider resource to create a projet?

rafaeldasilva on 27 Aug 2019

@chrisst I just hit this and wound up with the project created in Google but marked as tainted in the terraform state.

When I planned again it wanted to destroy/recreate the project. I let it proceed and it failed:

module.REDACTED.google_project.project: Destroying... [id=REDACTEDID]
module.REDACTED.google_project.project: Destruction complete after 5s
module.REDACTED.google_project.project: Creating...

Error: error creating project REDACTEDID (REDACTEDNAME): googleapi: Error 409: Requested entity already exists, alreadyExists. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission

This is a showstopper. Is there any alternative to creating projects outside of terraform and importing them?

eriksw on 10 Jan 2020

@eriksw have you tried removing auto_create_network from your config for the google_project resource?

chrisst on 10 Jan 2020

@chrisst Leaving it unset allows project creation via terraform to succeed.

It's worrying to see that "auto_create_network": true is persisted in the state, however, given that the network definitely does not exist.

eriksw on 10 Jan 2020

@eriksw we will leave this bug open until you don't have to use "auto_create_network": true or omit it from your config as a work around.

chrisst on 13 Jan 2020

👍1

Drive-by: I'm not convinced all the errors around this are the same issue, but I think some of them would be fixed by using errwrap.Wrapf at https://github.com/terraform-providers/terraform-provider-google/blob/master/google/resource_google_project.go#L459 so that we can later parse it as a googleapi.error and see whether it's a 404

danawillow on 14 Jan 2020

@danawillow @chrisst @paddycarver Is there an ETA for fixing this? It's very confusing behavior and also represents a regression from previous fixes.

morgante on 5 Feb 2020

Sorry for the delay, looks like this fell through the cracks again.
@danawillow your guess was correct and I've added a PR for this scenario.

@all Once this is merged this issue will auto close again, but let me know if there is a scenario I haven't caught yet and I'll reopen.

chrisst on 6 Feb 2020

@chrisst Did this make it into the 3.8.0 release, or do we need to wait for the next one?

morgante on 18 Feb 2020

Looks like it missed the 3.8.0 release, but it did make it into the 3.9.0 release. It got missed in the changelog generation, adding it back in via https://github.com/terraform-providers/terraform-provider-google/pull/5707

chrisst on 18 Feb 2020

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!