crossplane-contrib / provider-upjet-gcp Goto Github PK

In the configuration of a PubSub Subscription , it seems to be that user cannot point out "never expire" in the expiration configuration at subscription level:

It would be great if I could set ttl "" to configure that the subscription never expires as other IaC tools.

External name configuration of 4 resources in the datalossprevention group:

• google_data_loss_prevention_deidentify_template
• google_data_loss_prevention_inspect_template
• google_data_loss_prevention_job_trigger
• google_data_loss_prevention_stored_info_type

External name configuration of 1 resources in the dataplex group:

• google_dataplex_lake

External name configuration of 10 resources in the dataproc group:

• google_dataproc_autoscaling_policy
• google_dataproc_cluster
• google_dataproc_cluster_iam_binding
• google_dataproc_cluster_iam_member
• google_dataproc_cluster_iam_policy
• google_dataproc_job
• google_dataproc_job_iam_binding
• google_dataproc_job_iam_member
• google_dataproc_job_iam_policy
• google_dataproc_workflow_template

External name configuration of 1 resources in the datastore group:

• google_datastore_index

External name configuration of 1 resources in the deploymentmanager group:

• google_deployment_manager_deployment

External name configuration of 4 resources in the dialogflow group:

• google_dialogflow_agent
• google_dialogflow_entity_type
• google_dialogflow_fulfillment
• google_dialogflow_intent

What resource do you need?

Provider Name: GCP
Terraform Resource Name: google_organization_iam_policy

What is your use case?

See this https://github.com/upbound/official-providers/pull/504#issuecomment-1222297858. google_organization_iam_policy should be configured separately given the organisation level access required to test it.

External name configuration of 2 resources in the appengine group:

• google_app_engine_service_split_traffic
• google_app_engine_standard_app_version

External name configuration of 1 resources in the assuredworkloads group:

• google_assured_workloads_workload

External name configuration of 15 resources in the bigquery group:

• google_bigquery_connection
• google_bigquery_data_transfer_config
• google_bigquery_dataset
• google_bigquery_dataset_access
• google_bigquery_dataset_iam_binding
• google_bigquery_dataset_iam_member
• google_bigquery_dataset_iam_policy
• google_bigquery_job
• google_bigquery_reservation
• google_bigquery_reservation_assignment
• google_bigquery_routine
• google_bigquery_table
• google_bigquery_table_iam_binding
• google_bigquery_table_iam_member
• google_bigquery_table_iam_policy

External name configuration of 10 resources in the bigtable group:

• google_bigtable_app_profile
• google_bigtable_gc_policy
• google_bigtable_instance
• google_bigtable_instance_iam_binding
• google_bigtable_instance_iam_member
• google_bigtable_instance_iam_policy
• google_bigtable_table
• google_bigtable_table_iam_binding
• google_bigtable_table_iam_member
• google_bigtable_table_iam_policy

External name configuration of 2 resources in the billing group:

• google_billing_account_iam_binding
• google_billing_account_iam_member

What happened?

Given a passwordSecretRef referencing a non existing secret
When User reconciles
It silently sets an empty password without reflecting any error in the CRD status nor in the provider logs

Sample provider log:

1.6715338598788996e+09    DEBUG    provider-gcp    External resource is up to date    {"controller": "managed/sql.gcp.upbound.io/v1beta1, kind=user", "request": "/kuttl-medium-mysql-instance-w6qpx-pr9tl", "uid": "af071a1a-82f4-427d-a337-64fcd44cdcdb", "version": "103110491", "external-name": "app", "requeue-after": 1671534459.878897}

Sample User CR status:

  NAME                                                              READY   SYNCED   EXTERNAL-NAME   AGE
  user.sql.gcp.upbound.io/kuttl-medium-mysql-instance-w6qpx-pr9tl   True    True     app             22h

  status:
  atProvider:
  id: app/%/kuttl-medium-mysql-instance-w6qpx-zv8tz
  conditions:
  - lastTransitionTime: "2022-12-19T12:08:52Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2022-12-19T12:07:32Z"
    reason: ReconcileSuccess
    status: "True"
    type: Synced
  - lastTransitionTime: "2022-12-19T12:08:04Z"
    reason: Finished
    status: "True"
    type: AsyncOperation
  - lastTransitionTime: "2022-12-19T12:08:04Z"
    reason: Success
    status: "True"
    type: LastAsyncOperation

How can we reproduce it?

Set an invalid passwordSecretRef pointing to a non existant secret

https://github.com/upbound/provider-gcp/blob/e0252bbec3e86726f82df44ffb91df9c6fcb7076/examples/sql/user.yaml#L10-L15

What environment did it happen in?

• Universal Crossplane Version: image: crossplane/crossplane:v1.10.1
• Provider Version: v0.20.0

What problem are you facing?

The Cluster's network and subnetwork selector does not work with a hub and spoke architecture.

How could Official GCP Provider help solve your problem?

Use the self-link within the network and subnetwork selector to target the correct project.

What problem are you facing?

The current Terraform provider is outdated.

How could Official GCP Provider help solve your problem?

Upgrade to the latest Terraform provider for GCP to enable access to more resources and bug fixes

Moving 1 resource to v1beta1 version

• google_assured_workloads_workload

What happened?

Getting an obscure permissions error where the issue is that the resource with the same name already exists.

How can we reproduce it?

Create a storage bucket with the name that already exists (storage buckets names are global, so it might exist in another project). Easy way to check it is to try and create a bucket manually with the name that is already taken, GCP will warn that the name is taken.
Crossplane gives an obscure error about permissions (which is incorrect).

Change the bucket name to a unique value and all works as expected.

What environment did it happen in?

• Crossplane Version: v1.8.0-rc.0.72.gdd23304b

• Provider Name: provider-gcp

• Provider Version: xpkg.upbound.io/upbound/provider-gcp:v0.5.0

• Cloud provider or hardware configuration
  

• Kubernetes version (use kubectl version)

kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.2", GitCommit:"f66044f4361b9f1f96f0053dd46cb7dce5e990a8", GitTreeState:"clean", BuildDate:"2022-06-15T14:22:29Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.4", GitCommit:"e6c093d87ea4cbb530a7b2ae91e54c0842d8308a", GitTreeState:"clean", BuildDate:"2022-03-06T21:32:53Z", GoVersion:"go1.17.7", Compiler:"gc", Platform:"linux/amd64"}

• Kubernetes distribution (e.g. Tectonic, GKE, OpenShift)
  KIND
• OS (e.g. from /etc/os-release)
  
• Kernel (e.g. uname -a)

Linux pop-os 5.18.10-76051810-generic #202207071639~1657252310~22.04~7d5e891 SMP PREEMPT_DYNAMIC Fri J x86_64 x86_64 x86_64 GNU/Linux

We allocated a :

apiVersion: sql.gcp.upbound.io/v1beta1
kind: DatabaseInstance
metadata:
  name: mydb
spec:
  deletionPolicy: "Delete"
  forProvider:
    deletionProtection: false
    databaseVersion: POSTGRES_13
    region: us-central1
    settings:
      - ipConfiguration:
          - privateNetwork: projects/.../mynetworkvpc
            requireSsl: true
        tier: db-custom-1-3840
        databaseFlags:
          - name: max_connections
            value: "500"
  writeConnectionSecretToRef:
    name: myrootcreds
    namespace: mynamespace

verified that it populated the secret with some certs and secrets.
then, when we gave it to :

apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: mynewdbinstance
spec:
  sslMode: disable
  credentials:
    source: PostgreSQLConnectionSecret
    connectionSecretRef:
      namespace: mynamespace
      name: myrootcreds

and then tried to create a database schema using the provider-sql with:

apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Database
metadata:
  name: mydb
spec:
  providerConfigRef:
    name: mynewdbinstance
  forProvider: {}

it fails with

status:
  conditions:
    - lastTransitionTime: '2022-11-19T00:23:33Z'
      message: >-
        observe failed: cannot select database: pq: Could not detect default
        username. Please provide one explicitly
      reason: ReconcileError
      status: 'False'
      type: Synced

if you look at the secret it does not contain the password field.

How can we reproduce it?

What environment did it happen in?

Crossplane version: 1.10.1
provider-sql version: crossplane/provider-sql:v0.5.0
upbound gcp version: xpkg.upbound.io/upbound/provider-gcp:v0.18.0

also tried this with provider-sql version: crossplane/provider-sql:v0.6.0 to no avail

What happened?

I rewrote one of my compositions to use the official GCP provider. Everything seems to be working except connectionDetails.

apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: google-postgresql-official
  labels:
    provider: google-official
    db: postgresql
spec:
  ...
  resources:
  - name: sql
    base:
      apiVersion: sql.gcp.upbound.io/v1beta1
      kind: DatabaseInstance
      spec:
        ...
    connectionDetails:
    - type: FromValue
      name: username
      value: postgres
    - fromConnectionSecretKey: password
    - fromConnectionSecretKey: publicIP
      name: endpoint
    - type: FromValue
      name: port
      value: "5432"

The full source code is in https://github.com/vfarcic/devops-toolkit-crossplane/blob/master/packages/sql/gcp-official.yaml#L171.

The secret does not contain any of the fields specified in connectionDetails. One of the other hand, almost identical Composition based on the "other" GCP provider works (https://github.com/vfarcic/devops-toolkit-crossplane/blob/master/packages/sql/gcp.yaml#L171).

How can we reproduce it?

Full instructions how to reproduce it are in https://github.com/vfarcic/devops-toolkit-crossplane/blob/master/packages/sql/gcp.md.

After the DB instance is created, check the fields in the secret my-db located in the Namespace infra.

What problem are you facing?

Provider Name: provider-gcp
Provider Version: development

https://github.com/upbound/official-providers/blob/cba2980241265105e38d027b79b7486a69abb31b/provider-gcp/examples-generated/storage/bucketobject.yaml#L13

GCP BucketObject resource contains two fields that represent the actual data to upload into a Bucket:

• content: String value uploaded as-is. This works as expected
• source: A reference to a file path, whose contents are uploaded. This is currently not supported

The source field is currently generated as a string. https://github.com/upbound/official-providers/blob/cba2980241265105e38d027b79b7486a69abb31b/provider-gcp/package/crds/storage.gcp.upbound.io_bucketobjects.yaml#L236-L240 However, this value cannot contain an actual file path, as it would be relative to the Terraform workspace in the provider environment. Marking the field as sensitive: true will generate a sourceSecretRef, however, this will also not work, since the provider implementation only accepts a file path and not actual file content encoded into a Secret.

How could Official Providers help solve your problem?

Allow the source field to reference a Secret with encoded file content and make a file path available to the underlying Terraform provide, which will have that file path set in the source field in main.tf.json. To support an example like below:

apiVersion: storage.gcp.upbound.io/v1beta1
kind: BucketObject
metadata:
  labels:
    testing.upbound.io/example-name: bucket-object
  name: bucket-object
spec:
  forProvider:
    bucketSelector: 
      matchLabels:
        testing.upbound.io/example-name: bucket-object
    name: bucket-object
    sourceSecretRef:
      name: bucket-object
      namespace: upbound-system
      key: upbound.txt
    contentType: text/plain

---

apiVersion: storage.gcp.upbound.io/v1beta1
kind: Bucket
metadata:
  labels:
    testing.upbound.io/example-name: bucket-object
  name: bucket-object-34234
spec:
  forProvider:
    location: US
    storageClass: MULTI_REGIONAL
    
---

apiVersion: v1
kind: Secret
metadata:
  labels:
    testing.upbound.io/example-name: bucket-object
  name: bucket-object
  namespace: upbound-system
data:
  upbound.txt: VlhCaWIzVnVaQW89Cg==

What happened?

When updating a Cluster, I observed the following error:

  Warning  CannotObserveExternalResource  49s (x309 over 5h6m)  managed/container.gcp.upbound.io/v1beta1, kind=cluster  cannot run plan: plan failed: 1 error occurred:
           * node_version can only be specified if remove_default_node_pool is not true

This is from https://github.com/hashicorp/terraform-provider-google/blob/89affbee97e69004aeb7d09b535a43bbed2590bb/google/resource_container_cluster.go#L4818, and makes sense given that specifying a node version when you don't want the default node pool to exist would be ineffectual. However, I don't believe that we manually set the node version, but rather that it was late initialized despite us using removeDefaultNodePool: true. Manually removing the node version appeared to be ineffectual as it continued to be re-added.

How can we reproduce it?

I believe just creating a Cluster with removeDefaultNodePool: true could do the trick, but the specific case that we saw it in was updating an existing cluster to enable workload identity.

What environment did it happen in?

• Universal Crossplane Version: v1.10.1-up.1
• Provider Version: v0.20.0

What resource do you need?

Terraform Resource Name: google_container_node_pool

Field: node_config.guest_accelerator.gpu_sharing_strategy

Note that the only docs I could find are on google_container_cluster, not google_container_node_pool.
Hopefully that's just a documentation discrepancy and under the hood both node_config objects have the same schema, but I'm not sure.
Although for our use case it's more useful on google_container_node_pool we could find a workaround if it were only available on google_container_cluster.

What is your use case?

We want to have Crossplane manage a node pool with GPU-sharing strategy.
We are managing our GPU node pools outside of crossplane in order to have this feature. Without it we would significantly increase our cloud costs.

What problem are you facing?

We will have contractors coming on board to increase coverage. Currently, we configure & test the resources but configuration requires some knowledge of Upjet and Crossplane that may be hard to get them used to, i.e. we may end up spending same amount of effort reviewing their configuration vs configuring on our own.

How could Official Providers help solve your problem?

Let's configure the remaining resources (312 CRDs) without testing and leave only the testing part to them. The exact set of API groups this issue targets will be listed below.

• accessapproval
  • google_folder_access_approval_settings
  • google_organization_access_approval_settings
  • google_project_access_approval_settings
• accesscontextmanager
  • google_access_context_manager_access_level
  • google_access_context_manager_access_level_condition
  • google_access_context_manager_access_policy
  • google_access_context_manager_access_policy_iam_binding
  • google_access_context_manager_access_policy_iam_member
  • google_access_context_manager_access_policy_iam_policy
  • google_access_context_manager_gcp_user_access_binding
  • google_access_context_manager_service_perimeter
  • google_access_context_manager_service_perimeter_resource
• activedirectory
  • google_active_directory_domain
  • google_active_directory_domain_trust
• apigee
  • google_apigee_endpoint_attachment
  • google_apigee_envgroup
  • google_apigee_envgroup_attachment
  • google_apigee_environment
  • google_apigee_environment_iam_binding
  • google_apigee_environment_iam_member
  • google_apigee_environment_iam_policy
  • google_apigee_instance
  • google_apigee_instance_attachment
  • google_apigee_organization
• apikeys
  • google_apikeys_key
• appengine
  • google_app_engine_application_url_dispatch_rules
  • google_app_engine_domain_mapping
  • google_app_engine_firewall_rule
  • google_app_engine_flexible_app_version
  • google_app_engine_service_network_settings
  • google_app_engine_service_split_traffic
  • google_app_engine_standard_app_version
• assuredworkloads
  • google_assured_workloads_workload
• bigquery
  • google_bigquery_connection
  • google_bigquery_data_transfer_config
  • google_bigquery_dataset
  • google_bigquery_dataset_access
  • google_bigquery_dataset_iam_binding
  • google_bigquery_dataset_iam_member
  • google_bigquery_dataset_iam_policy
  • google_bigquery_job
  • google_bigquery_reservation
  • google_bigquery_reservation_assignment
  • google_bigquery_routine
  • google_bigquery_table
  • google_bigquery_table_iam_binding
  • google_bigquery_table_iam_member
  • google_bigquery_table_iam_policy
• bigtable
  • google_bigtable_app_profile
  • google_bigtable_gc_policy
  • google_bigtable_instance
  • google_bigtable_instance_iam_binding
  • google_bigtable_instance_iam_member
  • google_bigtable_instance_iam_policy
  • google_bigtable_table
  • google_bigtable_table_iam_binding
  • google_bigtable_table_iam_member
  • google_bigtable_table_iam_policy
• billing
  • google_billing_account_iam_binding
  • google_billing_account_iam_member
  • google_billing_account_iam_policy
  • google_billing_budget
• binaryauthorization
  • google_binary_authorization_attestor
  • google_binary_authorization_attestor_iam_binding
  • google_binary_authorization_attestor_iam_member
  • google_binary_authorization_attestor_iam_policy
  • google_binary_authorization_policy
• certificatemanager
  • google_certificate_manager_certificate
  • google_certificate_manager_dns_authorization
• cloudasset
  • google_cloud_asset_folder_feed
  • google_cloud_asset_organization_feed
  • google_cloud_asset_project_feed
• cloudbuild
  • google_cloudbuild_trigger
  • google_cloudbuild_worker_pool
• clouddeploy
  • google_clouddeploy_delivery_pipeline
  • google_clouddeploy_target
• cloudidentity
  • google_cloud_identity_group
  • google_cloud_identity_group_membership
• cloudiot
  • google_cloudiot_device
  • google_cloudiot_registry
• cloudplatform
  • google_billing_subaccount
  • google_folder_iam_audit_config
  • google_folder_iam_binding
  • google_folder_iam_member
  • google_folder_iam_policy
  • google_folder_organization_policy
  • google_organization_iam_policy
  • google_organization_policy
  • google_project_iam_custom_role
  • google_project_organization_policy
• compute
  • google_compute_backend_service_signed_url_key
  • google_compute_router_peer
  • google_compute_security_policy
  • google_compute_service_attachment
  • google_compute_shared_vpc_host_project
  • google_compute_shared_vpc_service_project
  • google_compute_snapshot
  • google_compute_ssl_policy
  • google_compute_subnetwork_iam_binding
  • google_compute_subnetwork_iam_member
  • google_compute_subnetwork_iam_policy
  • google_compute_target_grpc_proxy
  • google_compute_target_http_proxy
  • google_compute_target_https_proxy
  • google_compute_target_instance
  • google_compute_target_tcp_proxy
  • google_compute_url_map
  • google_compute_vpn_gateway
  • google_compute_vpn_tunnel
• container
  • google_container_registry
• containeranalysis
  • google_container_analysis_note
  • google_container_analysis_occurrence
• containeraws
  • google_container_aws_cluster
  • google_container_aws_node_pool
• containerazure
  • google_container_azure_client
  • google_container_azure_cluster
  • google_container_azure_node_pool
• datacatalog
  • google_data_catalog_entry
  • google_data_catalog_entry_group
  • google_data_catalog_entry_group_iam_binding
  • google_data_catalog_entry_group_iam_member
  • google_data_catalog_entry_group_iam_policy
  • google_data_catalog_tag
  • google_data_catalog_tag_template
  • google_data_catalog_tag_template_iam_binding
  • google_data_catalog_tag_template_iam_member
  • google_data_catalog_tag_template_iam_policy
• dataflow
  • google_dataflow_job
• datafusion
  • google_data_fusion_instance
• datalossprevention
  • google_data_loss_prevention_deidentify_template
  • google_data_loss_prevention_inspect_template
  • google_data_loss_prevention_job_trigger
  • google_data_loss_prevention_stored_info_type
• dataproc
  • google_dataproc_autoscaling_policy
  • google_dataproc_cluster
  • google_dataproc_cluster_iam_binding
  • google_dataproc_cluster_iam_member
  • google_dataproc_cluster_iam_policy
  • google_dataproc_job
  • google_dataproc_job_iam_binding
  • google_dataproc_job_iam_member
  • google_dataproc_job_iam_policy
  • google_dataproc_workflow_template
• datastore
  • google_datastore_index
• deploymentmanager
  • google_deployment_manager_deployment
• dialogflow
  • google_dialogflow_agent
  • google_dialogflow_entity_type
  • google_dialogflow_fulfillment
  • google_dialogflow_intent
• dialogflowcx
  • google_dialogflow_cx_agent
  • google_dialogflow_cx_entity_type
  • google_dialogflow_cx_environment
  • google_dialogflow_cx_flow
  • google_dialogflow_cx_intent
  • google_dialogflow_cx_page
  • google_dialogflow_cx_version
• endpoints
  • google_endpoints_service
  • google_endpoints_service_consumers_iam_binding
  • google_endpoints_service_consumers_iam_member
  • google_endpoints_service_consumers_iam_policy
  • google_endpoints_service_iam_binding
  • google_endpoints_service_iam_member
  • google_endpoints_service_iam_policy
• essentialcontacts
  • google_essential_contacts_contact
• eventarc
  • google_eventarc_trigger
• filestore
  • google_filestore_instance
• firebaserules
  • google_firebaserules_release
  • google_firebaserules_ruleset
• firestore
  • google_firestore_document
  • google_firestore_index
• gameservices
  • google_game_services_game_server_cluster
  • google_game_services_game_server_config
  • google_game_services_game_server_deployment
  • google_game_services_game_server_deployment_rollout
  • google_game_services_realm
• gkehub
  • google_gke_hub_membership
• healthcare
  • google_healthcare_consent_store
  • google_healthcare_consent_store_iam_binding
  • google_healthcare_consent_store_iam_member
  • google_healthcare_consent_store_iam_policy
  • google_healthcare_dataset
  • google_healthcare_dataset_iam_binding
  • google_healthcare_dataset_iam_member
  • google_healthcare_dataset_iam_policy
  • google_healthcare_dicom_store
  • google_healthcare_dicom_store_iam_binding
  • google_healthcare_dicom_store_iam_member
  • google_healthcare_dicom_store_iam_policy
  • google_healthcare_fhir_store
  • google_healthcare_fhir_store_iam_binding
  • google_healthcare_fhir_store_iam_member
  • google_healthcare_fhir_store_iam_policy
  • google_healthcare_hl7_v2_store
  • google_healthcare_hl7_v2_store_iam_binding
  • google_healthcare_hl7_v2_store_iam_member
  • google_healthcare_hl7_v2_store_iam_policy
• iap
  • google_iap_app_engine_service_iam_binding
  • google_iap_app_engine_service_iam_member
  • google_iap_app_engine_service_iam_policy
  • google_iap_app_engine_version_iam_binding
  • google_iap_app_engine_version_iam_member
  • google_iap_app_engine_version_iam_policy
  • google_iap_brand
  • google_iap_client
  • google_iap_tunnel_iam_binding
  • google_iap_tunnel_iam_member
  • google_iap_tunnel_iam_policy
  • google_iap_tunnel_instance_iam_binding
  • google_iap_tunnel_instance_iam_member
  • google_iap_tunnel_instance_iam_policy
  • google_iap_web_backend_service_iam_binding
  • google_iap_web_backend_service_iam_policy
  • google_iap_web_iam_binding
  • google_iap_web_iam_policy
  • google_iap_web_type_app_engine_iam_binding
  • google_iap_web_type_app_engine_iam_policy
  • google_iap_web_type_compute_iam_binding
  • google_iap_web_type_compute_iam_policy
• logging
  • google_logging_billing_account_bucket_config
  • google_logging_billing_account_exclusion
  • google_logging_billing_account_sink
  • google_logging_folder_bucket_config
  • google_logging_folder_exclusion
  • google_logging_folder_sink
  • google_logging_log_view
  • google_logging_metric
  • google_logging_organization_bucket_config
  • google_logging_organization_exclusion
  • google_logging_organization_sink
  • google_logging_project_bucket_config
  • google_logging_project_exclusion
  • google_logging_project_sink
• memcache
  • google_memcache_instance
• mlengine
  • google_ml_engine_model
• monitoring
  • google_monitoring_custom_service
  • google_monitoring_dashboard
  • google_monitoring_group
  • google_monitoring_metric_descriptor
  • google_monitoring_slo
• networkconnectivity
  • google_network_connectivity_hub
  • google_network_connectivity_spoke
• networkmanagement
  • google_network_management_connectivity_test
• networkservices
  • google_network_services_edge_cache_keyset
  • google_network_services_edge_cache_origin
  • google_network_services_edge_cache_service
• notebooks
  • google_notebooks_environment
  • google_notebooks_instance
  • google_notebooks_instance_iam_binding
  • google_notebooks_instance_iam_member
  • google_notebooks_instance_iam_policy
  • google_notebooks_location
  • google_notebooks_runtime
  • google_notebooks_runtime_iam_binding
  • google_notebooks_runtime_iam_member
  • google_notebooks_runtime_iam_policy
• orgpolicy
  • google_org_policy_policy
• osconfig
  • google_os_config_os_policy_assignment
  • google_os_config_patch_deployment
• oslogin
  • google_os_login_ssh_public_key
• privateca
  • google_privateca_ca_pool
  • google_privateca_ca_pool_iam_binding
  • google_privateca_ca_pool_iam_member
  • google_privateca_ca_pool_iam_policy
  • google_privateca_certificate
  • google_privateca_certificate_authority
  • google_privateca_certificate_template
  • google_privateca_certificate_template_iam_binding
  • google_privateca_certificate_template_iam_member
  • google_privateca_certificate_template_iam_policy
• recaptcha
  • google_recaptcha_enterprise_key
• resourcemanager
  • google_resource_manager_lien
• scc
  • google_scc_notification_config
  • google_scc_source
• secretmanager
  • google_secret_manager_secret_iam_binding
  • google_secret_manager_secret_iam_member
  • google_secret_manager_secret_iam_policy
• sourcerepo
  • google_sourcerepo_repository
  • google_sourcerepo_repository_iam_binding
  • google_sourcerepo_repository_iam_member
  • google_sourcerepo_repository_iam_policy
• spanner
  • google_spanner_database
  • google_spanner_database_iam_binding
  • google_spanner_database_iam_member
  • google_spanner_database_iam_policy
  • google_spanner_instance
  • google_spanner_instance_iam_binding
  • google_spanner_instance_iam_member
  • google_spanner_instance_iam_policy
• storage
  • google_storage_bucket_acl
  • google_storage_bucket_iam_binding
  • google_storage_bucket_iam_member
  • google_storage_bucket_iam_policy
  • google_storage_default_object_access_control
  • google_storage_default_object_acl
  • google_storage_hmac_key
  • google_storage_notification
  • google_storage_object_access_control
  • google_storage_object_acl
• storagetransfer
  • google_storage_transfer_job
• tags
  • google_tags_tag_binding
  • google_tags_tag_key
  • google_tags_tag_key_iam_binding
  • google_tags_tag_key_iam_member
  • google_tags_tag_key_iam_policy
  • google_tags_tag_value
  • google_tags_tag_value_iam_binding
  • google_tags_tag_value_iam_member
  • google_tags_tag_value_iam_policy
• tpu
  • google_tpu_node
• vertexai
  • google_vertex_ai_dataset
• vpcaccess
  • google_vpc_access_connector
• workflows
  • google_workflows_workflow
• iam_workload_identity
  • google_iam_workload_identity_pool
  • google_iam_workload_identity_pool_provider

What resource do you need?

Terraform Resource Name: cluster.container.gcp
Field: autoscaling_profile

The autoscaling_profile field is not available in the Cluster resource.
See terraform documentation for details.

A previous attempt to add this field to the community provider: crossplane-contrib/provider-gcp#478

Relates to private issue: https://github.com/upbound/official-providers/issues/824

What resource do you need?

Terraform Resource Name: storage_hmac_key

What is your use case?

Lack of storage_hmac_key prevents any client usage of GCS buckets as AWS S3 buckets.

storage_hmac_key is required for GCS bucket to be used by clients through the AWS S3 API instead of GCS API.

See the following related documentation:
https://cloud.google.com/storage/docs/aws-simple-migration
https://cloud.google.com/storage/docs/authentication/hmackeys
https://cloud.google.com/storage/docs/authentication/managing-hmackeys#terraform

This resource was present in https://doc.crds.dev/github.com/crossplane-contrib/provider-jet-gcp/storage.gcp.jet.crossplane.io/HMACKey/[email protected]

/CC

External name configuration of 14 resources in the cloudplatform group:

• google_organization_iam_custom_role
• google_organization_iam_member
• google_organization_iam_policy
• google_organization_policy
• google_project_default_service_accounts
• google_project_iam_audit_config
• google_project_iam_binding
• google_project_iam_custom_role
• google_project_iam_policy
• google_project_organization_policy
• google_project_service
• google_project_usage_export_bucket
• google_service_account_iam_binding
• google_service_networking_peered_dns_domain

External name configuration of 5 resources in the cloudrun group:

• google_cloud_run_domain_mapping
• google_cloud_run_service
• google_cloud_run_service_iam_binding
• google_cloud_run_service_iam_member
• google_cloud_run_service_iam_policy

External name configuration of 1 resources in the cloudscheduler group:

• google_cloud_scheduler_job

External name configuration of 1 resources in the cloudtasks group:

• google_cloud_tasks_queue

External name configuration of 1 resources in the composer group:

• google_composer_environment

External name configuration of 5 resources in the compute group:

• google_compute_attached_disk
• google_compute_autoscaler
• google_compute_backend_bucket
• google_compute_backend_bucket_signed_url_key
• google_compute_backend_service

Hello,

I have the following error:
observe failed: cannot run refresh: refresh failed: Missing required argument: The argument "enable_components" is required, but no definition was found.

This is due to the loggingConfig which is an array containing enableComponents.
When loggingService is none, loggingConfig can be ignored but I believe the api (or the terraform representation) returns something like

loggingConfig: [{
    enableComponents: []
}]

And if I'm not mistaken, crossplane requires a non-empty value for a property when it's the only one in the object. Meaning, the content returned by the api is not valid (only loggingConfig: [] would be valid).

It happened on GKE, Crossplane 1.10.1, GCP provider 0.19.0.
And:

apiVersion: container.gcp.upbound.io/v1beta1
kind: Cluster
spec:
  forProvider:
    project: test-error
    location: us-central1-a
    initialNodeCount: 1
    networkingMode: VPC_NATIVE
    networkRef:
      name: base
    subnetworkRef:
      name: cluster-subnet
    loggingService: none
    loggingConfig: []             # with and without this line
    releaseChannel:
      - channel: RAPID
    removeDefaultNodePool: true
    addonsConfig:
      - httpLoadBalancing:
          - disabled: false
    privateClusterConfig:
      - enablePrivateNodes: true
        enablePrivateEndpoint: false
        masterIpv4CidrBlock: 172.16.0.16/28
    ipAllocationPolicy:
      - clusterIpv4CidrBlock: 5.0.0.0/16
        servicesIpv4CidrBlock: 5.1.0.0/16
    defaultSnatStatus:
      - disabled: true
    masterAuthorizedNetworksConfig:
      - cidrBlocks:
          - cidrBlock: 0.0.0.0/0
            displayName: World

Pending resolution of #14 we are collecting questionable resources here:

External name configuration of 9 resources in the iap group:

• google_iap_tunnel_instance_iam_policy
• google_iap_web_backend_service_iam_binding
• google_iap_web_backend_service_iam_policy
• google_iap_web_iam_binding
• google_iap_web_iam_policy
• google_iap_web_type_app_engine_iam_binding
• google_iap_web_type_app_engine_iam_policy
• google_iap_web_type_compute_iam_binding
• google_iap_web_type_compute_iam_policy
• google_healthcare_hl7_v2_store_iam_binding
• google_healthcare_hl7_v2_store_iam_policy

(Extracted from upbound/official-providers#281)

External name configuration of 2 resources in the storage group:

• google_storage_bucket_iam_binding
• google_storage_bucket_iam_policy

(Extracted from upbound/official-providers#444)

External name configuration of 2 resources in the secretmanager group:

• google_secret_manager_secret_iam_binding
• google_secret_manager_secret_iam_policy

External name configuration of 2 resources in the sourcerepo group:

• google_sourcerepo_repository_iam_binding
• google_sourcerepo_repository_iam_policy

External name configuration of 4 resources in the spanner group:

• google_spanner_database_iam_binding
• google_spanner_database_iam_policy
• google_spanner_instance_iam_binding
• google_spanner_instance_iam_policy

(Extracted from upbound/official-providers#284)

External name configuration of 2 resources in the notebooks group:

• google_notebooks_runtime_iam_binding
• google_notebooks_runtime_iam_policy

External name configuration of 1 resources in the orgpolicy group:

• google_org_policy_policy

External name configuration of 4 resources in the privateca group:

• google_privateca_ca_pool_iam_binding
• google_privateca_ca_pool_iam_policy
• google_privateca_certificate_template_iam_binding
• google_privateca_certificate_template_iam_policy

(Extracted from upbound/official-providers#283)

External name configuration of 1 resources in the notebooks group:

• google_notebooks_instance_iam_binding

(Extracted from #17)

External name configuration of resources in the compute group:

• google_compute_subnetwork_iam_binding
• google_compute_subnetwork_iam_policy

(Extracted from #18)

External name configuration of resources in the iap group:

• google_iap_tunnel_iam_binding
• google_iap_app_engine_service_iam_binding
• google_iap_app_engine_service_iam_policy
• google_iap_app_engine_version_iam_binding
• google_iap_app_engine_version_iam_policy
• google_iap_tunnel_iam_policy
• google_iap_tunnel_instance_iam_binding

External name configuration of resources in the healthcare group:

• google_healthcare_consent_store_iam_policy
• google_healthcare_dataset_iam_binding
• google_healthcare_dataset_iam_policy
• google_healthcare_dicom_store_iam_binding
• google_healthcare_dicom_store_iam_policy
• google_healthcare_fhir_store_iam_binding
• google_healthcare_fhir_store_iam_policy

What happened?

Trying to use upbound/provider-gcp provider on openshift 4.10 where the k8s api plugin the OwnerReferencesPermissionEnforcement is turned on by default,, the MR never reconciles and displays the following error message

   message: 'connect failed: cannot get terraform setup: cannot track ProviderConfig usage: 
   cannot apply ProviderConfigUsage: cannot create object: providerconfigusages.gcp.upbound.io
      "ad06b191-1412-432b-bc6a-435f43de0228" is forbidden: cannot set blockOwnerDeletion
      if an ownerReference refers to a resource you can''t set finalizers on: , <nil>'
    reason: ReconcileError

This seems quite similar to crossplane/crossplane#3443

How can we reproduce it?

Turn on the OwnerReferencesPermissionEnforcement plugin (see https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement) in the k8s cluster running upbound/provider-gcp provider integration tests

What environment did it happen in?

• Opensource Crossplane Version: image: crossplane/crossplane:v1.10.1
• Provider Version: xpkg.upbound.io/upbound/provider-gcp:v0.20.0
• Openshift version 1.10

 kubectl version 
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.9", GitCommit:"c1de2d70269039fe55efb98e737d9a29f9155246", GitTreeState:"clean", BuildDate:"2022-07-13T14:26:51Z", GoVersion:"go1.17.11", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5+012e945", GitCommit:"3c28e7a79b58e78b4c1dc1ab7e5f6c6c2d3aedd3", GitTreeState:"clean", BuildDate:"2022-07-13T08:38:41Z", GoVersion:"go1.17.12", Compiler:"gc", Platform:"linux/amd64"}

We found this problem while moving from crossplane jet gcp provider to upbound gcp provider:

old:

apiVersion: compute.gcp.jet.crossplane.io/v1alpha1
kind: SSLCertificate
metadata:
  name: my-ssl-cert-2
spec:
  forProvider:
    name: my-ssl-cert-2
    certificateSecretRef:
      name: tls-wildcard-crt
      key: tls.crt
      namespace: mynamespace
    privateKeySecretRef:
      name: tls-wildcard-crt
      key: tls.key
      namespace: mynamespace

new:

apiVersion: compute.gcp.upbound.io/v1beta1
kind: SSLCertificate
metadata:
  name: my-ssl-cert-2
  annotations:
    crossplane.io/external-name: my-ssl-cert-2
spec:
  forProvider:
    #name: my-ssl-cert-2
    certificateSecretRef:
      name: tls-wildcard-crt
      key: tls.crt
      namespace: mynamespace
    privateKeySecretRef:
      name: tls-wildcard-crt
      key: tls.key
      namespace: mynamespace

What happened?

We are expecting that the ssl certificate does not recreate and the status data would just populate given that the
crossplane.io/external-name: my-ssl-cert-2 was specified in the annotations of the new version.

How can we reproduce it?

yaml included

What environment did it happen in?

• Universal Crossplane Version:
  not using uxp

• Provider Version:
  old:

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-jet-gcp
spec:
  package: crossplane/provider-jet-gcp:v0.2.0-preview

new:

apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-upbound-gcp
spec:
  package: xpkg.upbound.io/upbound/provider-gcp:v0.18.0

What happened?

I attempted to create a Project using v0.9.0 version of Project.cloudplatform.gcp.upbound.io/v1beta1. I received the following error:

1.662006147674133e+09 DEBUG events Warning {"object": {"kind":"Project","name":"aaron-platform-test-87654","uid":"c150507c-f0e9-44f7-bc07-ca5921bd7096","apiVersion":"cloudplatform.gcp.upbound.io/v1beta1","resourceVersion":"29423"}, "reason": "CannotObserveExternalResource", "message": "cannot run refresh: refresh failed: the user does not have permission to access Project "aaron-platform-test-87654" or it may not exist: "}

Importing existing projects works fine.

How can we reproduce it?

Add a unique hash to the following:

apiVersion: cloudplatform.gcp.upbound.io/v1beta1
kind: Project
metadata:
  name: aaron-platform-test-<HASH>
spec:
  deletionPolicy: Orphan
  forProvider:
    folderId: '761317604662'
    labels:
      owner: squad-platform
      service: testing
    projectId: aaron-platform-test-<HASH>
    skipDelete: true

What environment did it happen in?

• Crossplane Version: 1.9.0
• Provider Name: provider-gcp
• Provider Version: v0.9.0

What problem are you facing?

I would like to create an internal loadbalancer in a SharedVPC environment. As part of this work I have to create a RegionTargetHTTPProxy, which has to select a RegionURLMap. When I select it with the matchLabel selector, the provider replaces the RegionURLMap field with the resource ID, which is pointing to a different project where it's actually located. From this reason I get an error message that the RegionTargetHTTPProxy cannot be created, because it cannot find the selected resources.

This issue could be fixed by using the selflink instead of the resource id in the matchlabel selector.

How could Official GCP Provider help solve your problem?

The above mentioned issue could be solved by editing the resource configurator for the google_compute_forwarding_rule in the following way:

	p.AddResourceConfigurator("google_compute_region_target_http_proxy", func(r *config.Resource) {
		config.MarkAsRequired(r.TerraformResource, "region")

		r.References["url_map"] = config.Reference{
			Type:      "RegionURLMap",
			Extractor: common.PathSelfLinkExtractor,
		}

	})

What happened?

https://marketplace.upbound.io/providers/upbound/provider-gcp/v0.17.0/resources/secretmanager.gcp.upbound.io/SecretVersion/v1beta1

When secretVersion attempts to create, I receive this error:

Conditions:
    Last Transition Time:  2022-11-09T20:23:19Z
    Reason:                ReconcileSuccess
    Status:                True
    Type:                  Synced
    Last Transition Time:  2022-11-09T20:23:19Z
    Reason:                Creating
    Status:                False
    Type:                  Ready
    Last Transition Time:  2022-11-09T20:23:57Z
    Reason:                Finished
    Status:                True
    Type:                  AsyncOperation
    Last Transition Time:  2022-11-09T20:23:20Z
    Message:               apply failed: Error creating SecretVersion: googleapi: got HTTP response code 404 with body: <!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 404 (Not Found)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>404.</b> <ins>That’s an error.</ins>
  <p>The requested URL <code>/v1/test:addVersion?alt=json</code> was not found on this server.  <ins>That’s all we know.</ins>
: 
    Reason:  ApplyFailure
    Status:  False
    Type:    LastAsyncOperation

How can we reproduce it?

Try doing what I did above.

---
apiVersion: v1
kind: Secret
metadata:
  annotations:
    meta.upbound.io/example-id: secretmanager/v1beta1/secretversion
  labels:
    testing.upbound.io/example-name: test
  name: test
  namespace: default
type: Opaque
stringData:
  secret: "test"
---
apiVersion: secretmanager.gcp.upbound.io/v1beta1
kind: SecretVersion
metadata:
  annotations:
    meta.upbound.io/example-id: secretmanager/v1beta1/secretversion
  labels:
    testing.upbound.io/example-name: test
  name: test
spec:
  forProvider:
    secretDataSecretRef:
      key: secret
      name: test
      namespace: default
    secretSelector:
      matchLabels:
        testing.upbound.io/example-name: test
---
apiVersion: secretmanager.gcp.upbound.io/v1beta1
kind: Secret
metadata:
  annotations:
    meta.upbound.io/example-id: secretmanager/v1beta1/secretversion
  labels:
    testing.upbound.io/example-name: test
  name: test
spec:
  forProvider:
    labels:
      environment: dev
    replication:
      - automatic: true

What environment did it happen in?

UXP v1.10.1-up.1
provider-gcp v0.17.0
K8a v1.25.0

As suggested into

https://github.com/upbound/upjet/blob/main/docs/add-new-resource-short.md mentions

There are cases where the resource requires user to take an action that is not possible with a Crossplane provider or automated testing tool. In such cases, we should leave the actions to be taken as annotation on the resource like the following:
annotations:
upjet.upbound.io/manual-intervention: "User needs to upload a authorization script and give its path in spec.forProvider.filePath"

An issue in the official-providers repo explaining the situation should be opened preferably with the example manifests (and any resource configuration) already tried.

What happened?

The CloudSql User can not be deleted unless the DatabaseInstance was deleted first:

https://github.com/upbound/provider-gcp/blob/090f08482cf66c04771bbcf4d983c4138e97d234/examples/sql/user.yaml#L4-L5

status:
  atProvider:
    id: default//kuttl-medium-mysql-instance-w6qpx-zv8tz
  conditions:
  - lastTransitionTime: "2022-12-16T16:27:20Z"
    message: 'observe failed: cannot run plan: plan failed: Instance cannot be destroyed:
      Resource google_sql_user.kuttl-medium-mysql-instance-w6qpx-pr9tl has lifecycle.prevent_destroy
      set, but the plan calls for this resource to be destroyed. To avoid this error
      and continue with the plan, either disable lifecycle.prevent_destroy or reduce
      the scope of the plan using the -target flag.'
    reason: ReconcileError
    status: "False"
    type: Synced
  - lastTransitionTime: "2022-12-16T16:25:34Z"
    reason: Available
    status: "True"
    type: Ready
  - lastTransitionTime: "2022-12-16T16:24:47Z"
    reason: Finished
    status: "True"
    type: AsyncOperation
  - lastTransitionTime: "2022-12-16T16:24:47Z"
    reason: Success
    status: "True"
    type: LastAsyncOperation

How can we reproduce it?

https://github.com/upbound/platform-ref-gcp/blob/ecd7de576e9da710360e17952b2c3cfd1be851c9/package/database/postgres/composition.yaml#L37-L52

Workaround

Imperative workaround:

https://github.com/upbound/platform-ref-gcp/blob/ecd7de576e9da710360e17952b2c3cfd1be851c9/examples/testhooks/delete-sql-user.sh#L4-L7

Delete the sql user before deleting the database not to orphan the user object
Use explicit ordering of the sql resources to avoid database stuck
Note(turkenh): This is a workaround for the infamous dependency problem during deletion.
${KUBECTL} delete user.sql.gcp.upbound.io --all

Declarative workaround:

• a Kyverno Policy could enforce a specific deletion order for the MRs,

@bobh66 is preparing a write up for this, see https://crossplane.slack.com/archives/CEG3T90A1/p1671041047666789?thread_ts=1671039517.972969&cid=CEG3T90A1

• crossplane/crossplane#3393

What environment did it happen in?

• Universal Crossplane Version:
• Provider Version:

Moving 3 resources to v1beta1 version

• google_app_engine_domain_mapping
• google_app_engine_flexible_app_version
• google_app_engine_service_split_traffic

google_app_engine_domain_mapping - The resource requires a verified domain.

google_app_engine_flexible_app_version - returns an error:

 Message:               apply failed: Error creating FlexibleAppVersion: googleapi: Error 404: <eye3 title='/CloudGaia.GenerateAccessToken, NOT_FOUND'/> APPLICATION_ERROR;google.iam.credentials.v1/CloudGaia.GenerateAccessToken;Account disabled: 57634375066;AppErrorCode=5;StartTimeMs=1677241408857;unknown;Deadline(sec)=5.0;ResFormat=uncompressed;ServerTimeSec=0.011431517;LogBytes=-1;FailFast;EffSecLevel=privacy_and_integrity;ReqFormat=uncompressed;ReqID=aadd8d4552d84583;GlobalID=0;Server=[2002:a17:903:2cb::]:9887: 

google_app_engine_service_split_traffic - Need clarify configuration: returns several errors, one of them

Error creating ServiceSplitTraffic: googleapi: Error 409: Cannot operate on apps/official-provider-testing/services/liveapp/versions/apps/official-provider-testing/services/liveapp/versions/liveapp-v1 because an operation is already in progress for apps/official-provider-testing/services/liveapp/versions/apps/official-provider-testing/services/liveapp/versions/liveapp-v1 by c85518c3-d54c-4a4d-8186-97cbab0e5239.

servicesplittraffic.txt

What problem are you facing?

The user/password for SQL DatabaseInstance is configured by a standalone resource of User.sql

Currently, it does not populate any connection secret.

How could Official GCP Provider help solve your problem?

Configure sensitive fields population down to connection secret to being reused within the Compositions.

A good example of such Composition can be found upbound/platform-ref-gcp#39 where we have GCP-based Database abstraction implementation.

Moving 4 resources to v1beta1 version

• google_billing_account_iam_binding
• google_billing_account_iam_policy
• google_billing_budget
• google_billing_account_iam_member

What problem are you facing?

Provider Name: provider-gcp
Provider Version:

Moved from https://github.com/upbound/official-providers/issues/446

• google_kms_crypto_key_iam_policy
• google_kms_crypto_key_iam_binding
• google_kms_key_ring_iam_policy
• google_kms_key_ring_iam_binding

The above resources are a powerful mechanism and similarly to iam roles it can lead to cluster-wide outage (see example: https://upboundio.slack.com/archives/C013YNJ423Y/p1659622122579009).

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_crypto_key_iam

Three different resources help you manage your IAM policy for KMS crypto key. Each of these resources serves a different use case:

google_kms_crypto_key_iam_policy: Authoritative. Sets the IAM policy for the crypto key and replaces any existing policy already attached.
google_kms_crypto_key_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the crypto key are preserved.
google_kms_crypto_key_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the crypto key are preserved.

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_kms_key_ring_iam

Three different resources help you manage your IAM policy for KMS key ring. Each of these resources serves a different use case:

google_kms_key_ring_iam_policy: Authoritative. Sets the IAM policy for the key ring and replaces any existing policy already attached.
google_kms_key_ring_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the key ring are preserved.
google_kms_key_ring_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the key ring are preserved.

More details and discussion about the dangers of using those resources can be found here: #14

How could Official Providers help solve your problem?

The suggestion is not to implement those, but use google_kms_crypto_key_iam_member and google_kms_key_ring_iam_member exclusively. Similar decision has been made in the platform team regarding the usage of other iam resources.

What problem are you facing?

I often run into this issue:

 Events:                                                                                                                                                                                                                                                                                                                                                                  
   Type     Reason                         Age                From                                                               Message                                                                                                                                                                                                                                  
   ----     ------                         ----               ----                                                               -------                                                                                                                                                                                                                                  
   Warning  CannotObserveExternalResource  18s (x7 over 74s)  managed/cloudplatform.gcp.upbound.io/v1beta1, kind=serviceaccount  cannot run refresh: refresh failed: "account_id" ("jonnys-subscription-ngpq4-bf2ws") doesn't match regexp "^[a-z](?:[-a-z0-9]{4,28}[a-z0-9])$":

For ServiceAccount resources. Their names can only be so short. But the name is auto generated and 12 characters of the 28 are wasted by random ids.

How could Official GCP Provider help solve your problem?

I would love to be able to overwrite the account_id of a service account.

What resource do you need?

Terraform Resource Name:

• cloud_run_v2_service
• cloud_run_v2_job

What is your use case?

Deploy cloud-run services and jobs.

What problem are you facing?

Following resources from https://github.com/upbound/official-providers/issues/284 could not be tested due to lack of project/org level permissions for testing.

All of the untested resources require org level permissions to actually create the resources.

External name configuration of 1 resources in the recaptcha group:

• google_recaptcha_enterprise_key
  requires additional permissions on the project level
  • resourcemanager.projects.get
  • serviceusage.services.get

External name configuration of 1 resources in the resourcemanager group:

• google_resource_manager_lien
  requires additional permissions on the project level
  • resourcemanager.projects.updateLiens

External name configuration of 2 resources in the scc group:

• google_scc_notification_config
• google_scc_source

Both resources require additional permissions on org level and org must be enrolled in the security command center program

• Organization Admin roles/resourcemanager.organizationAdmin
• Security Center Admin roles/securitycenter.admin
• Security Admin roles/iam.securityAdmin
• Create Service Accounts roles/iam.serviceAccountCreator

How could Official Providers help solve your problem?

Provide a way to safely test resources requiring project/org level resources

Moving 2 resources to v1beta1 version

• google_binary_authorization_attestor
• google_binary_authorization_policy

kind: SSLPolicy
metadata:
  name: my-ssl-policy-main
spec:
  providerConfigRef:
    name: default
  forProvider:
    project: PROJECT_ID_X
    profile: MODERN
    minTlsVersion: "TLS_1_2" 

was in jet gcp but is not in upbound provider gcp... would appreciate if you can bring that over!

What problem are you facing?

The ManagedZone does not allow you to select the correct network when using cross-project binding .

• https://cloud.google.com/dns/docs/zones/cross-project-binding
• https://cloud.google.com/dns/docs/zones/zones-overview#cross-project_binding

How could Official GCP Provider help solve your problem?

Use the self_url instead of the resource id to select the network. This will make it possible to reference networks in a different project using a shared vpc.

What problem are you facing?

Provider Name: provider-gcp
Provider Version: all...

This issue grew out of a discussion in #squad-control-planes. Google has multiple apis which can be used to configure IAM for a resource. These APIs come in three varieties:

• *_iam_binding
• *_iam_policy
• *_iam_member

The behavior of these API calls make them incompatible with one another. Terraform calls this out in a collection of standard Notes which appear on all IAM resource pages:

Note:
google_project_iam_policy cannot be used in conjunction with google_project_iam_binding, google_project_iam_member, or google_project_iam_audit_config or they will fight over what your policy should be.

Note:
google_project_iam_binding resources can be used in conjunction with google_project_iam_member resources only if they do not grant privilege to the same role.

Note:
The underlying API method projects.setIamPolicy has a lot of constraints which are documented here. In addition to these constraints, IAM Conditions cannot be used with Basic Roles such as Owner. Violating these constraints will result in the API returning 400 error code so please review these if you encounter errors with this resource.

Lastly, terraform offers this warning:

Be careful!
You can accidentally lock yourself out of your project using this resource. Deleting a google_project_iam_policy removes access from anyone without organization-level access to the project. Proceed with caution. It's not recommended to use google_project_iam_policy with your provider project to avoid locking yourself out, and it should generally only be used with projects fully managed by Terraform. If you do use this resource, it is recommended to import the policy before applying the change.

If two users were to implement their permissions using different resources -- say one uses a *_iam_member and another uses a *_iam_policy, those resources would "fight" over the ultimate permissions available in the account. It is also possible, with google_project_iam_policy and google_organization_iam_policy to catastrophically leave an account or organization with zero permissions configured (to wipe out all IAM data).

How could Official Providers help solve your problem?

Given that Crossplane Managed Resources are meant to be deployed and reconciled individually, only *_iam_member behaves as a Managed Resource. We should drop support for the other two apis.

External name configuration of 8 resources in the healthcare group:

• google_healthcare_dicom_store
• google_healthcare_fhir_store
• google_healthcare_hl7_v2_store
• google_healthcare_consent_store_iam_member
• google_healthcare_dataset_iam_member
• google_healthcare_dicom_store_iam_member
• google_healthcare_fhir_store_iam_member
• google_healthcare_hl7_v2_store_iam_member

External name configuration of 5 resources in the iap group:

• google_iap_brand
• google_iap_client
• google_iap_app_engine_service_iam_member
• google_iap_app_engine_version_iam_member
• google_iap_tunnel_iam_member

List:

• google_dns_record_set https://github.com/upbound/official-providers/issues/445
• google_kms_crypto_key https://github.com/upbound/official-providers/issues/446
• google_kms_key_ring https://github.com/upbound/official-providers/issues/446
• google_pubsub_topic https://github.com/upbound/official-providers/issues/394
• google_pubsub_subscription
• google_container_registry https://github.com/upbound/official-providers/issues/447
• google_service_networking_connection https://github.com/upbound/official-providers/issues/448
• google_project_iam_member #20
• google_service_account_iam_member #20
• google_service_account_iam_policy #20
• google_compute_network_peering https://github.com/upbound/official-providers/issues/276
• google_secret_manager_secret https://github.com/upbound/official-providers/issues/284
• google_secret_manager_secret_version https://github.com/upbound/official-providers/issues/284

Milestone: https://github.com/upbound/official-providers/milestone/7

Moving 10 resources to v1beta1 version

• google_bigtable_app_profile
• google_bigtable_gc_policy
• google_bigtable_instance
• google_bigtable_instance_iam_binding
• google_bigtable_instance_iam_member
• google_bigtable_instance_iam_policy
• google_bigtable_table
• google_bigtable_table_iam_binding
• google_bigtable_table_iam_member
• google_bigtable_table_iam_policy

What problem are you facing?

Currently in a GCP environment that restricts the creation of service account keys.

How could Official GCP Provider help solve your problem?

Would like to have the ability to use temporary access tokens that can be generated via a CronJob for provider authentication.

What resource do you need?

google_artifact_registry_repository
google_artifact_registry_repository_iam_member

Terraform Resource Name:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/artifact_registry_repository
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/artifact_registry_repository_iam

What is your use case?

Adding user to enable read access to repository

External name configuration of 3 resources in the accessapproval group

• google_folder_access_approval_settings
• google_organization_access_approval_settings
• google_project_access_approval_settings

External name configuration of 9 resources in the accesscontextmanager group:

• google_access_context_manager_access_level
• google_access_context_manager_access_level_condition
• google_access_context_manager_access_policy
• google_access_context_manager_access_policy_iam_binding
• google_access_context_manager_access_policy_iam_member
• google_access_context_manager_access_policy_iam_policy
• google_access_context_manager_gcp_user_access_binding
• google_access_context_manager_service_perimeter
• google_access_context_manager_service_perimeter_resource

External name configuration of 2 resources in the activedirectory group:

• google_active_directory_domain
• google_active_directory_domain_trust

External name configuration of 10 resources in the apigee group:

• google_apigee_endpoint_attachment
• google_apigee_envgroup
• google_apigee_envgroup_attachment
• google_apigee_environment
• google_apigee_environment_iam_binding
• google_apigee_environment_iam_member
• google_apigee_environment_iam_policy
• google_apigee_instance
• google_apigee_instance_attachment
• google_apigee_organization

External name configuration of 1 resources in the apikeys group:

• google_apikeys_key

What problem are you facing?

I would like to create an internal loadbalancer in a SharedVPC environment. As part of this work I have to create a ForwardingRule, which has to select an Address, a Network, a SubNetwork and a TargetProxy. When I select these resources with the matchLabel selector, the provider replaces the Address, Network, SubNetwork, Target fields with the resource ID, which is pointing to a different project where they actually located. From this reason I get an error message that the ForwardingRule cannot be created, because it cannot find the selected resources.

This issue could be fixed by using the selflink instead of the resource id in the matchlabel selector.

How could Official GCP Provider help solve your problem?

The above mentioned issue could be solved by editing the resource configurator for the google_compute_forwarding_rule in the following way:

	p.AddResourceConfigurator("google_compute_forwarding_rule", func(r *config.Resource) {
		// Note(donovanmuller): See https://github.com/upbound/upjet/issues/95
		// BackendService is also a valid reference Type
		r.References["backend_service"] = config.Reference{
			Type:      "RegionBackendService",
			Extractor: common.PathSelfLinkExtractor,
		}
		r.References["ip_address"] = config.Reference{
			Type:      "Address",
			Extractor: common.PathSelfLinkExtractor,
		}
		r.References["network"] = config.Reference{
			Type:      "Network",
			Extractor: common.PathSelfLinkExtractor,
		}
		r.References["subnetwork"] = config.Reference{
			Type:      "Subnetwork",
			Extractor: common.PathSelfLinkExtractor,
		}
		r.References["target"] = config.Reference{
			Type:      "RegionTargetHTTPProxy",
			Extractor: common.PathSelfLinkExtractor,
		}
		config.MarkAsRequired(r.TerraformResource, "region")
	})

External name configuration of 1 resources in the billing group:

• google_billing_budget

External name configuration of 5 resources in the binaryauthorization group:

• google_binary_authorization_attestor
• google_binary_authorization_attestor_iam_binding
• google_binary_authorization_attestor_iam_member
• google_binary_authorization_attestor_iam_policy
• google_binary_authorization_policy

External name configuration of 2 resources in the certificate group:

• google_certificate_manager_certificate
• google_certificate_manager_dns_authorization

External name configuration of 3 resources in the cloudasset group:

• google_cloud_asset_folder_feed
• google_cloud_asset_organization_feed
• google_cloud_asset_project_feed

External name configuration of 2 resources in the cloudbuild group:

• google_cloudbuild_trigger
• google_cloudbuild_worker_pool

External name configuration of 2 resources in the clouddeploy group:

• google_clouddeploy_delivery_pipeline
• google_clouddeploy_target

External name configuration of 4 resources in the cloudfunctions group:

• google_cloudfunctions_function
• google_cloudfunctions_function_iam_binding
• google_cloudfunctions_function_iam_member
• google_cloudfunctions_function_iam_policy

External name configuration of 2 resources in the cloudidentity group:

• google_cloud_identity_group
• google_cloud_identity_group_membership

External name configuration of 2 resources in the cloudiot group:

• google_cloudiot_device
• google_cloudiot_registry

External name configuration of 7 resources in the cloudplatform group:

• google_billing_subaccount
• google_folder_iam_audit_config
• google_folder_iam_binding
• google_folder_iam_member
• google_folder_iam_policy
• google_folder_organization_policy
• google_organization_iam_audit_config

Moving 2 resources in the compute group:

• google_compute_shared_vpc_host_project
• google_compute_shared_vpc_service_project

Note: These two resources have commented-out configurations in the respective config/external_name.go.

Please also see:
#69 (comment)

External name configuration of 13 resources in the logging group:

• google_logging_billing_account_exclusion
• google_logging_billing_account_sink
• google_logging_folder_bucket_config
• google_logging_folder_exclusion
• google_logging_folder_sink
• google_logging_log_view
• google_logging_metric
• google_logging_organization_bucket_config
• google_logging_organization_exclusion
• google_logging_organization_sink
• google_logging_project_bucket_config
• google_logging_project_exclusion
• google_logging_project_sink

External name configuration of 1 resources in the memcache group:

• google_memcache_instance

External name configuration of 1 resources in the mlengine group:

• google_ml_engine_model

External name configuration of 5 resources in the monitoring group:

• google_monitoring_custom_service
• google_monitoring_dashboard
• google_monitoring_group
• google_monitoring_metric_descriptor
• google_monitoring_slo

External name configuration of 2 resources in the network group:

• google_network_connectivity_hub
• google_network_connectivity_spoke

External name configuration of 1 resources in the networkmanagement group:

• google_network_management_connectivity_test

External name configuration of 3 resources in the networkservices group:

• google_network_services_edge_cache_keyset
• google_network_services_edge_cache_origin
• google_network_services_edge_cache_service

External name configuration of 5 resources in the notebooks group:

• google_notebooks_instance_iam_binding
• google_notebooks_instance_iam_policy
• google_notebooks_location
• google_notebooks_runtime_iam_binding
• google_notebooks_runtime_iam_policy

What resource do you need?

Terraform Resource Name:

• google_iam_workload_identity_pool
• google_iam_workload_identity_pool_provider

What is your use case?

I want to use configure GitHub Action auth to access GCP (GKE cluster). To do so, I need 2 things:

• Add a new GCP service account (available in Upbound GCP provider).
• Add a new GCP workload identity pool and provider (missing in Upbound GCP provider).

Related docs:

• GCP: Manage workload identity pools and providers
• GitHub: OpenID Connect

Note: The 2 requested resources are not mentioned in #13

What problem are you facing?

I would like to create an internal loadbalancer in a SharedVPC environment. As part of this work I have to create as Address resource, which has to select a SubNetwork. When I select it with the matchLabel selector, the provider replaces the SubNetwork field with the resource ID, which is pointing to a different project where it's actually located. From this reason I get an error message that the Address cannot be created, because it cannot find the selected SubNetwork.

This issue could be fixed by using the selflink instead of the resource id in the matchlabel selector.

How could Official GCP Provider help solve your problem?

The above mentioned issue could be solved by editing the resource configurator for the google_compute_address in the following way:

	p.AddResourceConfigurator("google_compute_address", func(r *config.Resource) {
		r.References["network"] = config.Reference{
			Type:      "Network",
			Extractor: common.PathSelfLinkExtractor,
		}
		r.References["subnetwork"] = config.Reference{
			Type:      "Subnetwork",
			Extractor: common.PathSelfLinkExtractor,
		}
		config.MarkAsRequired(r.TerraformResource, "region")
	})

What happened?

created a vm with : https://marketplace.upbound.io/providers/upbound/provider-gcp/v0.20.0/resources/compute.gcp.upbound.io/Instance/v1beta

using :

apiVersion: compute.gcp.upbound.io/v1beta1
kind: Instance
metadata:
  name: CLOWN_NAME_X
spec:
  forProvider:
    bootDisk:
      - initializeParams:
          #- image: debian-cloud/debian-11
          - image: GCP_IMAGE_ID_X
    machineType: f1-micro
    networkInterface:
      - subnetwork: VPC_REGIONAL_SUBNET_X
        #for public ip address include the following section XD
        #accessConfig:
        #  - networkTier: PREMIUM
    zone: FIRST_ZONE_X
    tags:
      - pfpt-clowns
    metadata:
      enable-oslogin: "true"
    project: PROJECT_ID_X

expecting the status field to have all of the ip information but it does not show any:

  status:
    atProvider:
      bootDisk:
      - diskEncryptionKeySha256: ""
      cpuPlatform: Intel Broadwell
      currentStatus: RUNNING
      id: projects/mynetwork/zones/europe-west3-a/instances/clown4-private
      instanceId: "123"
      labelFingerprint: ----
      metadataFingerprint: -----
      networkInterface:
      - ipv6AccessType: ""
        name: nic0
      selfLink: https://www.googleapis.com/compute/v1/----
      tagsFingerprint: ----
    conditions:
    - lastTransitionTime: "2022-12-08T23:03:04Z"
      reason: Available
      status: "True"
      type: Ready
    - lastTransitionTime: "2022-12-08T23:02:44Z"
      reason: ReconcileSuccess
      status: "True"
      type: Synced
    - lastTransitionTime: "2022-12-08T23:03:00Z"
      reason: Finished
      status: "True"
      type: AsyncOperation
    - lastTransitionTime: "2022-12-08T23:03:00Z"
      reason: Success
      status: "True"
      type: LastAsyncOperation

using gcloud describe shows the ip info
i really dont want to lug in another provider to read it... seems overkill and complex..

How can we reproduce it?

straight forward apply something similar to above.

What environment did it happen in?

• Universal Crossplane Version: 1.10.1
• Provider Version: xpkg.upbound.io/upbound/provider-gcp:v0.18.0