google_project throws an error if org policy skipDefaultNetworkCreation is enforced

[marko7460]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment
• If an issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to "hashibot", a community member has claimed the issue already.

Terraform Version

Terraform v0.11.13
+ provider.google v2.5.1
+ provider.random v2.1.2

Affected Resource(s)

• google_project

Terraform Configuration Files

resource "random_integer" "random" {
  max = 2000
  min = 1000
}
variable "credentials" {
  default = "credentials.json"
}

provider "google" {
  version     = "~> 2.2"
  credentials = "${file("${var.credentials}")}"
}

resource "google_project" "main" {
  name = "myproject"
  project_id = "myproject-${random_integer.random.id}"
  folder_id = "<set your folder>"
  auto_create_network = false
  billing_account = "<Set your billing account?"
}

Debug Output

Panic Output

Expected Behavior

Project without default network should be created.

Actual Behavior

Project is created with the following error

1 error(s) occurred:

* google_project.main: 1 error(s) occurred:
* google_project.main: Error deleting default network in project myproject-1285: Error deleting network: googleapi: Error 404: The resource 'projects/myproject-1285/global/networks/default' was not found, notFound

Steps to Reproduce

1. terraform apply

Important Factoids

Very important!
In order to reproduce this issue you need to do:

1. Set organization policy constraints/compute.skipDefaultNetworkCreation to Enforced either on org level or on the folder level
2. Set auto_create_network = false

References

• #0000

[chrisst]

The error is happening because the network is always created when a project is created, but if auto_create_network is false it will go back and delete that network. This is somewhat explained in the docs but the name is a bit misleading. IIRC the reason that field name was chosen was to stay consistent with the UI.

If you omit that field I believe the project creation should succeed. If it does I'll update the documentation to reflect that.

[bbrouwer]

I just ran into this as well. Removing auto_create_network or setting it to true does in fact work in this situation. I just think this should be handled by the google_project resource so that when auto_create_network is false, instead of trying to delete a default network that doesn't exist, simply consider it success that the default network does in fact not exist.

[paddycarver]

So it sounds to me like what's happening here is:

• The organization policy is forcing the network to not be created at all
• The code for auto_create_network never considered that the network may not exist, because at the time written, the organization policy didn't exist, so there would never be a situation where you'd create a project and find it without the default network. So it tries to delete a network that doesn't exist, and throws an error.

I've opened GoogleCloudPlatform/magic-modules#2117 to resolve this by catching the error and ignoring it. If I've misunderstood the situation, I'm happy to try a different solution, I'll just need more details. :)

[marko7460]

That's exactly what was happening.

[paddycarver]

This has been merged and should be fixed in the next release.

[morgante]

@paddycarver I'm still seeing this error occur with v2.13.0:

Terraform version:

[root@ddf76968e6b8 setup]# terraform version
Terraform v0.12.6
+ provider.google v2.13.0
+ provider.google-beta v2.13.0
+ provider.null v2.1.2
+ provider.random v2.1.2

Error:

Error: Error deleting default network in project ci-network-b0ad: Error deleting network: googleapi: Error 404: The resource 'projects/ci-network-b0ad/global/networks/default' was not found, notFound

[paddycarver]

I'll take a look!

[rafaeldasilva]

I´m having a similar issue

Terraform v0.12.6

• provider.google v2.13.0

Error: Error deleting default network in project tf-billing08: Error waiting for Deleting Network: error while retrieving operation: Get https://www.googleapis.com/compute/v1/projects/tf-billing08/global/operations/operation-1566914277192-59119a8e2b16e-5837383f-f7835950?alt=json&prettyPrint=false: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

The link says:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}

Do I missing something, like a dependence on provider resource to create a projet?

[eriksw]

@chrisst I just hit this and wound up with the project created in Google but marked as tainted in the terraform state.

When I planned again it wanted to destroy/recreate the project. I let it proceed and it failed:

module.REDACTED.google_project.project: Destroying... [id=REDACTEDID]
module.REDACTED.google_project.project: Destruction complete after 5s
module.REDACTED.google_project.project: Creating...

Error: error creating project REDACTEDID (REDACTEDNAME): googleapi: Error 409: Requested entity already exists, alreadyExists. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission

This is a showstopper. Is there any alternative to creating projects outside of terraform and importing them?

[chrisst]

@eriksw have you tried removing auto_create_network from your config for the google_project resource?

[eriksw]

@chrisst Leaving it unset allows project creation via terraform to succeed.

It's worrying to see that "auto_create_network": true is persisted in the state, however, given that the network definitely does not exist.

[chrisst]

@eriksw we will leave this bug open until you don't have to use "auto_create_network": true or omit it from your config as a work around.

[danawillow]

Drive-by: I'm not convinced all the errors around this are the same issue, but I think some of them would be fixed by using errwrap.Wrapf at https://github.com/terraform-providers/terraform-provider-google/blob/master/google/resource_google_project.go#L459 so that we can later parse it as a googleapi.error and see whether it's a 404

[morgante]

@danawillow @chrisst @paddycarver Is there an ETA for fixing this? It's very confusing behavior and also represents a regression from previous fixes.

[chrisst]

Sorry for the delay, looks like this fell through the cracks again.
@danawillow your guess was correct and I've added a PR for this scenario.

@ALL Once this is merged this issue will auto close again, but let me know if there is a scenario I haven't caught yet and I'll reopen.

[morgante]

@chrisst Did this make it into the 3.8.0 release, or do we need to wait for the next one?

[chrisst]

Looks like it missed the 3.8.0 release, but it did make it into the 3.9.0 release. It got missed in the changelog generation, adding it back in via #5707

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!