Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CONSUMER_INVALID error from plan of already created google_compute_organization_security_policy #20671

Open
jamesphillpotts-fr opened this issue Dec 12, 2024 · 1 comment

Comments

@jamesphillpotts-fr
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.8
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v6.4.0
  • provider registry.terraform.io/hashicorp/google-beta v6.4.0
    (also tested with v6.12.0 of the provider)

Affected Resource(s)

google_compute_organization_security_policy

Terraform Configuration

terraform {
  required_version = "~> 1.9.6"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 6.4.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 6.4.0"
    }
  }
}

resource "google_compute_organization_security_policy" "block_ports" {
  provider     = google-beta
  display_name = "blocks"
  description  = "Deny inbound and outbound traffic across the organization"
  parent       = "organizations/${var.org_id}"
}

resource "google_compute_organization_security_policy_association" "association" {
  provider      = google-beta
  name          = var.org_name
  attachment_id = "organizations/${var.org_id}"
  policy_id     = google_compute_organization_security_policy.block_ports.id
}

locals {
  global_ports = {
    "rdp_tcp_ingress"  = { name = "RDP", protocol = "tcp", direction = "INGRESS", port = 3389 }
  }
}

resource "google_compute_organization_security_policy_rule" "block_ports" {
  provider  = google-beta
  for_each  = local.global_ports
  policy_id = google_compute_organization_security_policy.block_ports.id
  action    = "deny"
  direction = each.value.direction
  priority  = 1000 + index(keys(local.global_ports), each.key)

  match {
    config {
      src_ip_ranges  = each.value.direction == "INGRESS" ? ["0.0.0.0/0"] : null
      dest_ip_ranges = each.value.direction == "EGRESS" ? ["0.0.0.0/0"] : null
      layer4_config {
        ip_protocol = each.value.protocol
        ports       = [each.value.port]
      }
    }
  }
  description = "Block ${each.value.name} ${each.value.protocol} ${lower(each.value.direction)} on port ${each.value.port}"
  depends_on  = [google_compute_organization_security_policy_association.association]
}

Debug Output

https://gist.github.com/jamesphillpotts-fr/06ddfeb0241d8c9529d0c821252d1255
(stripped of large amounts of private information to just the bits that mention the request with the error)

Expected Behavior

With no changes since previous apply, expect no errors or changes with new plan

Actual Behavior

The following error:

Error: Error when reading or editing ComputeOrganizationSecurityPolicy "locations/global/securityPolicies/123456789": googleapi: Error 400: Project 'securityPolicies/123456789' not found or deleted.

Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developers console",
        "url": "https://console.developers.google.com"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadatas": {
      "consumer": "unknown",
      "service": "compute.googleapis.com"
    },
    "reason": "CONSUMER_INVALID"
  }
]
, badRequest

  with google_compute_organization_security_policy.block_ports,
  on orgsecuritypolicy.tf line 1, in resource "google_compute_organization_security_policy" "block_ports":
   1: resource "google_compute_organization_security_policy" "block_ports" {

Steps to reproduce

  1. Already previously created the resources using terraform apply
  2. Using existing state, terraform plan

Important Factoids

Also raised as GCP Support Ticket 55674129 per TAM as this appears to perhaps have been caused by a REST API path processing issue.

References

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_organization_security_policy
https://cloud.google.com/compute/docs/reference/rest/beta/organizationSecurityPolicies/get

@shuyama1
Copy link
Collaborator

Hi @jamesphillpotts-fr, we noticed similar errors in our integration tests between 12/08 and 12/11, which appeared to be related to an API issue that should now be resolved. Could you confirm if you're still encountering this issue today? Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants