terraform-google-modules / terraform-google-network

Sets up a new VPC network on Google Cloud

Home Page: https://registry.terraform.io/modules/terraform-google-modules/network/google

License: Apache License 2.0

Makefile 1.68% HCL 62.31% Python 6.53% Go 29.47%
cft-terraform networking

terraform-google-network's Issues

Failing Cloud Build

It looks like the Cloud Build config is failing in the prepare stage. See this error:

Error: Error deleting default network in project ci-network-54f9: Error waiting for Deleting Network: The network resource 'projects/ci-network-54f9/global/networks/default' is already being used by 'projects/ci-network-54f9/global/firewalls/default-allow-rdp'


  on .terraform/modules/project/terraform-google-modules-terraform-google-project-factory-f93d3cd/modules/core_project_factory/main.tf line 126, in resource "google_project" "main":
 126: resource "google_project" "main" {

subnets_secondary_ranges

I don't know if I am doing the right thing... I try, but I cannot get values from the output subnets_secondary_ranges:

subnets = [
  {
    subnet_name   = "${var.project_id}-subnet-0"
    subnet_ip     = "10.0.0.0/20"
    subnet_region = "${var.region}"
  },
]
secondary_ranges = {
  "${var.project_id}-subnet-0" = [
    {
      range_name    = "${var.project_id}-subnet-0-services"
      ip_cidr_range = "172.16.0.0/20"
    },
    {
      range_name    = "${var.project_id}-subnet-0-pods"
      ip_cidr_range = "172.16.16.0/20"
    },
  ]
}

to fulfil the terraform-google-kubernetes-engine inputs ip_range_services and ip_range_pods:

ip_range_services = "${module.vpc.subnets_secondary_ranges}"
ip_range_pods = "${module.vpc.subnets_secondary_ranges[0]}"

Error: Error refreshing state: 2 errors occurred:
* module.gke.var.ip_range_pods: variable ip_range_pods in module gke should be type string, got list
* module.gke.var.ip_range_services: variable ip_range_services in module gke should be type string, got list

Add `next_hop_ilb`

Add next_hop_ilb for google_compute_route (beta). This will come after support for the beta provider has been added (#68).

locals block does not work

The multiple vpc example in the examples folder breaks at the locals block. This is the error message output:

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.

Error: Reserved block type name in module block

on main.tf line 9, in module "gcp-multiple-vpc":
9: locals {

The block type name "locals" is reserved for use by Terraform in a future
version.

Changing network/subnet properties does not update deployment

Steps to reproduce:

module "vpc-network" {
  source       = "github.com/terraform-google-modules/terraform-google-network"
  project_id   = "${module.vpc-host.project_id}"
  network_name = "tf-training-network"

  subnets = [
    {
      subnet_name   = "gke-prod"
      subnet_ip     = "10.0.0.0/17"
      subnet_region = "us-east1"
    },
    {
      subnet_name   = "gke-dev"
      subnet_ip     = "10.1.0.0/17"
      subnet_region = "us-east1"
    }
  ]

  secondary_ranges = {
    gke-prod = []
    gke-dev = []
  }
}

Add subnet_flow_logs = true to one of the subnets and you get no new changes when running terraform apply. The same goes for other additional flags passed to any subnet.

Update: This is the same when adding shared_vpc_host = true (meaning we can't currently convert a vpc to a shared vpc)

Beta provider support

Do we intend to have this module expose beta options as a separate module similar to how the GKE module provides this by using templating?

In my use case, next hop ILB for routes is currently in the beta provider and I would like to see it exposed in this module.

That being said there is a workaround (declare beta route resource outside this module), so it's not a blocker but more of a nice to have.

Using fabric-net-svpc-access module breaks GKE

If you use the fabric-net-svpc-access module to associate a project to a host vpc project, and you set host_service_agent_role to true, the kubernetes service agent in the service project is NOT granted the roles/container.hostServiceAgentUser role.

I'm assuming that it gets created correctly, by default, when simply setting shared_vpc_enabled and shared_vpc in the project_factory module, since I have a project created that way, and the [email protected] for that project does have that role on the host project.

In the project where I specify no shared_vpc_enabled, but then explicitly use the fabric-net-svpc-access module to associate the host project with the service project, only the explicitly listed host_service_agent_users are granted that role.

It looks to me like the default kubernetes service agent account (service-[PROJECT_NUMBER]@container-engine-robot.iam.gserviceaccount.com) should automatically be added to that list, or the docs should at least specify how to construct that account identifier manually in order to ensure it is included.

The error message resulting from the missing role points users to this page, which really isn't entirely accurate - https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted

In this case, the problem is not resolved by disabling and re-enabling the kubernetes api, nor was it caused by deleting the service account.

And while I have you, if service accounts are going to have the project NUMBER in them, can we please also have the project number visible in the resource manager in the console? It is obnoxious to have to click through to the settings on each project, which loads a completely new page, just to see each project's number. Simply figuring out which projects' service accounts had the role and why took far too long, because I had no easy way to correlate the list of accounts with the list of projects visible in resource manager. I had to check each one. Project number keeps cropping up in various contexts, and it continues to be a PITA whenever it does because it isn't readily visible in the UI. Why not use project_id instead of project num, or else make project num just as visible as the project id is?

Network 2.0

For the Network 2.0 version, we'd like to make a few architecture changes.

Specifically:

  1. Moving subnet creation into a dedicated subnets submodule.
  2. Moving route creation (and default route deletion) into a routes submodule.
  3. Move vpc creation into a dedicated vpc submodule.
  4. Changing the root module into a composition module which still accepts the same (optional) inputs and passes them through to the submodules.

If you want to do everything in 1 module call, you will continue to be able to do so (through the root module). If you want to split things out, you can invoke the root module to only create the VPC then directly invoke submodules yourself for the other features.

This should future-proof the architecture and make issues like #100 simpler to deal with.

local-exec is not picking up GOOGLE_APPLICATION_CREDENTIALS

For my environment, there is a terraform-specific service account with the right set of permissions to modify the infrastructure. So I generate a secrets.json key for the service account and use this key as below to execute terraform:

GOOGLE_APPLICATION_CREDENTIALS=secrets.json TF_VAR_xxxx=yyy TF_VAR_zzz=aaa terraform apply --input=false

This works just fine; terraform executes while impersonating the desired service account.
Except for delete-default-gateway-routes.sh.
This script executes as a local-exec and is not using the GOOGLE_APPLICATION_CREDENTIALS environment variable that was set. The script executes as the account set up by gcloud auth application-default login.
This results in undesired and inconsistent behaviour IMO.
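Terraform's Google provider and the gcloud CLI resolve credentials independently: the provider reads GOOGLE_APPLICATION_CREDENTIALS, whereas gcloud uses its own configured account and ignores that variable, so a local-exec script that calls gcloud (which is what the route-deletion script is assumed here to do) runs as whoever last authenticated gcloud on that machine. The preflight below is an added example, not code from the module or from the reporter. It checks that the key file really is a service-account key, extracts its client_email so the identity can be logged, and prints the variables a wrapper should export so that provider and gcloud agree: CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE (the same variable the Cloud Build configuration later on this page uses), CLOUDSDK_CORE_ACCOUNT, and an isolated CLOUDSDK_CONFIG directory so the run does not overwrite the operator's own gcloud login. That gcloud honours those variables is taken from gcloud's documented property/env-var handling, not from this page; the key-file parsing uses grep and sed only, so the check runs without jq or gcloud installed.

```shell
#!/bin/sh
# Added example (not part of terraform-google-network): make Terraform and any
# gcloud-based local-exec script run as the same service account.
#
# Assumptions (not stated on the page): gcloud honours
# CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE for its own calls, CLOUDSDK_CORE_ACCOUNT
# as the active account and CLOUDSDK_CONFIG as an isolated config directory.

# key_email FILE: print the client_email of a service-account key, or fail.
key_email() {
  f="$1"
  [ -r "$f" ] || { echo "key file not readable: $f" >&2; return 1; }
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$f" \
    || { echo "not a service_account key: $f" >&2; return 1; }
  sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1
}

# tf_identity_env FILE [CONFIG_DIR]: print the variables a wrapper should
# export before running terraform so provider, gcloud and local-exec agree.
tf_identity_env() {
  f="$1"; cfg="${2:-$(pwd)/.gcloud-tf}"
  email=$(key_email "$f") || return 1
  [ -n "$email" ] || { echo "client_email missing in $f" >&2; return 1; }
  printf 'GOOGLE_APPLICATION_CREDENTIALS=%s\n' "$f"
  printf 'CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=%s\n' "$f"
  printf 'CLOUDSDK_CORE_ACCOUNT=%s\n' "$email"
  printf 'CLOUDSDK_CONFIG=%s\n' "$cfg"
}

# Usage (not executed here):
#   eval "$(tf_identity_env ./secrets.json | sed 's/^/export /')"
#   terraform apply -input=false
```

Exporting the printed assignments before `terraform apply` gives the provider and every gcloud call made from a local-exec the same identity, and the separate per-run CLOUDSDK_CONFIG keeps the operator's interactive gcloud login untouched.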

Terraform plan shows that dependent resources are going to be changes (all the time)

As written in https://www.terraform.io/docs/configuration/data-sources.html#data-resource-dependencies, adding a depends_on to a data declaration postpones reading the data value to the apply phase of terraform.
In release 1.4.1 the same issue was fixed for subnets (#92) but introduced for the network itself.
https://github.com/terraform-google-modules/terraform-google-network/blob/v1.4.1/main.tf#L29-L33

Issue adding routes with release 2.0 branch and provider 3.0

Error: "next_hop_vpn_tunnel": only one of `next_hop_gateway,next_hop_instance,next_hop_ip,next_hop_vpn_tunnel` can be specified, but `next_hop_gateway,next_hop_instance,next_hop_ip,next_hop_vpn_tunnel` were specified.

  on .terraform/modules/vpc/main.tf line 83, in resource "google_compute_route" "route":
  83: resource "google_compute_route" "route" {

I get this error if I specify a route to create. This is due to the code here:

https://github.com/terraform-google-modules/terraform-google-network/blob/release/2.0/main.tf#L91

firewall module seems to not function at all

The simplest possible config seems to result in an error:

module "net-firewall" {   
  source                  = "terraform-google-modules/network/google//modules/fabric-net-firewall"
  project_id              = data.terraform_remote_state.vpc.outputs.project_id
  network                 = data.terraform_remote_state.vpc.outputs.network_name
  admin_ranges            = local.admin_ranges
  admin_ranges_enabled    = true
  internal_ranges_enabled = true
  internal_ranges         = local.all_ranges
  ssh_source_ranges       = ["0.0.0.0/0"]
}

It always errors out because of a conflict between having both allow and deny dynamic blocks when setting up custom_rules, even when there are NO custom_rules.

[terragrunt] 2019/10/27 11:09:47 Running command: terraform apply

Error: "deny": conflicts with allow

  on .terraform/modules/net-firewall/terraform-google-modules-terraform-google-network-7810346/modules/fabric-net-firewall/main.tf line 112, in resource "google_compute_firewall" "custom":
 112: resource "google_compute_firewall" "custom" {



Error: "allow": conflicts with deny

  on .terraform/modules/net-firewall/terraform-google-modules-terraform-google-network-7810346/modules/fabric-net-firewall/main.tf line 112, in resource "google_compute_firewall" "custom":
 112: resource "google_compute_firewall" "custom" {


[terragrunt] 2019/10/27 11:09:50 Hit multiple errors:
exit status 1

Inter module dependency issues with Project Factory

I use the Google Network module with Project Factory; when I try to destroy all resources I receive the following errors.

.............................
module.host_project01.google_project_service.project_services: Destruction complete after 14s
module.host-project01-network.google_compute_subnetwork.subnetwork.0: Still destroying... (ID: europe-west2/subnet-01, 30s elapsed)
module.host-project01-network.google_compute_subnetwork.subnetwork.1: Still destroying... (ID: europe-west2/subnet-02, 30s elapsed)
module.host-project01-network.google_compute_subnetwork.subnetwork.2: Still destroying... (ID: europe-west2/subnet-03, 30s elapsed)
module.host-project01-network.google_compute_subnetwork.subnetwork.3: Still destroying... (ID: europe-west2/subnet-04, 30s elapsed)
Error: Error applying plan:

4 error(s) occurred:

* module.host-project01-network.google_compute_subnetwork.subnetwork[1] (destroy): 1 error(s) occurred:
* google_compute_subnetwork.subnetwork.1: Error waiting for Deleting Subnetwork: googleapi: Error 403: Access Not Configured. Compute Engine API has not been used in project 3324343423423423 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=3324343423423423 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured
* module.host-project01-network.google_compute_subnetwork.subnetwork[2] (destroy): 1 error(s) occurred:
* google_compute_subnetwork.subnetwork.2: Error waiting for Deleting Subnetwork: googleapi: Error 403: Access Not Configured. Compute Engine API has not been used in project 3324343423423423 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=3324343423423423 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured
* module.host-project01-network.google_compute_subnetwork.subnetwork[3] (destroy): 1 error(s) occurred:

After the "module.host_project01.google_project_service.project_services" resource is destroyed, I receive this error.

My templates contain the following resources:

module "host-project01-network" {
  source          = "/modules/google-network"
  project_id      = "${module.host_project01.project_id}"
  network_name    = "host-vpc-network"
  routing_mode    = "REGIONAL"
  shared_vpc_host = "true"

  subnets = [
    {......................


module "host_project01" {
  source            = "/modules/project-factory"
  random_project_id = "true"
  name              = "host-project-01"
  org_id            = "${var.organization_id}"
  billing_account   = "${var.billing_account}"
  activate_apis     = ["compute.googleapis.com"]
  credentials_path  = "${local.credentials_file_path}"
}

I expect the project_id = "${module.host_project01.project_id}" line to create an implicit dependency between the network and project factory modules, so that Terraform destroys resources in an order that respects the dependencies, but it seems that doesn't work.

Creating a network with no secondary ranges fails

The output expects at least one subnet to have a secondary range.

Config:

module "network2" {
  source       = "../../modules/network"
  project_id   = "${data.terraform_remote_state.projects.net-host-project-id}"
  network_name = "sandbox-vpc2"
  shared_vpc_host = "true"

  subnets = [
    {
      subnet_name           = "sandbox-compute"
      subnet_ip             = "10.18.0.0/20"
      subnet_region         = "us-central1"
      subnet_private_access = false
    },
  ]

  secondary_ranges = {
    sandbox-compute = []
  }
}

Error:

Error: Error running plan: 1 error(s) occurred:

* module.network2.output.subnets_secondary_ranges: Resource 'google_compute_subnetwork.subnetwork' does not have attribute 'secondary_ip_range' for variable 'google_compute_subnetwork.subnetwork.*.secondary_ip_range'

cannot create subnets separately from network itself

Because the team(s) that have permission to modify networks in my architecture may differ from the team(s) that can perform other work, I really prefer to be able to declare subnets separately from declaring the network itself and making the project a VPC host project.

Declaring the network and host project alone is easy enough - just set var.subnets to []

However, it would be nice to be able to use this module to declare the subnets and routes, rather than copying those 2 resources into a module of their own. I don't see any obvious reason not to make those first 2 resources in main.tf optional, based on variables passed in, but before I put in the work of making a PR, it'd be nice to know if that change will be accepted; I don't know if that's an operating model Google is interested in supporting.

The subnet and route resources really only use the network name, so it's very low-impact change to make, since that is already a variable. We just need to indicate whether we should create a network and then refer to that resource when creating subnets and routes or just use the passed-in network name (in my case, the passed-in name would be populated by remote_state that retrieves the network_name that got assigned when the network itself was created).

Renaming a secondary range returns CIDR conflict with self

Renaming a secondary ip range returns an error that the CIDR address range is conflicting.

module.test-vpc-module.google_compute_subnetwork.subnetwork[0]: Modifying... (ID: us-west1/subnet-01)
  secondary_ip_range.0.range_name: "subnet-01-secondary-01" => "subnet-01-secondary-pods"

Error: Error applying plan:

1 error(s) occurred:

* module.test-vpc-module.google_compute_subnetwork.subnetwork[0]: 1 error(s) occurred:

* google_compute_subnetwork.subnetwork.0: Error updating Subnetwork "us-west1/subnet-01": googleapi: Error 400: Invalid value for field 'resource.secondaryIpRanges[0].ipCidrRange': '192.168.64.0/24'. Invalid IPCidrRange: 192.168.64.0/24 conflicts with existing subnetwork 'subnet-01' in region 'us-west1'., invalid
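The plan excerpt above changes only range_name while the CIDR stays 192.168.64.0/24, and the API rejects the update because the same CIDR is still held by the old entry of the same subnet: on the API side a rename is the removal of one secondary range and the addition of another with an identical CIDR, sent in a single update. The function below is an added example, not module or reporter code. It compares the secondary ranges before and after a change and reports exactly those same-CIDR renames so they can be dealt with before `terraform apply`; the usual way is two applies, the first removing the old range (which requires that nothing still uses it) and the second adding it under the new name, but that sequencing and the one-range-per-line input format are assumptions of this example, not something the page states.

```shell
#!/bin/sh
# Added example (not part of terraform-google-network): find secondary ranges
# that are renamed but keep their CIDR, which the Compute API rejects as a
# self-conflict when done in one update. Input files (an assumed format) hold
# one range per line: "<subnet> <range_name> <ip_cidr_range>".

# secondary_range_renames BEFORE AFTER
# Prints "subnet cidr old_name -> new_name" for each rename; returns 1 if any.
secondary_range_renames() {
  awk '
    FILENAME == ARGV[2] { second = 1 }     # now reading the AFTER file
    NF != 3 || $1 ~ /^#/ { next }          # skip blank, comment, malformed lines
    !second { name[$1 SUBSEP $3] = $2; next }   # BEFORE: (subnet, cidr) -> name
    ($1 SUBSEP $3) in name && name[$1 SUBSEP $3] != $2 {
      printf "%s %s %s -> %s\n", $1, $3, name[$1 SUBSEP $3], $2
      found = 1
    }
    END { exit found ? 1 : 0 }
  ' "$1" "$2"
}

# Usage (not executed here): export the current and intended range lists in
# the format above, then run the check in CI and stop if it returns 1.
#   secondary_range_renames ranges.before ranges.after
```

Ranges that get both a new name and a new CIDR are not reported, since the API sees those as an ordinary remove-and-add with no overlap; only a CIDR that survives under a different name inside the same subnet triggers the self-conflict shown in the error.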

Terraform Import of default network requires recreation on next apply

After importing the default network, the next terraform apply requires destruction then recreation due to the following variables changing.

resource "google_compute_network" "network" {
      ~ auto_create_subnetworks         = true -> false # forces replacement
       ...
      - description                     = "Default network for the project" -> null # forces replacement
      ...

I would like to add these to the variables.tf so that they can be set in a user module.

var.subnets count inconsistent with data.google_compute_subnetwork.created_subnets

Steps to reproduce

  1. terraform apply
  2. terraform destroy or change the number of items in var.subnets
  3. terraform apply again. This time it will fail

Error

The error will be something like this:

Error: Error in function call

  on .terraform/modules/vpc/terraform-google-modules-terraform-google-network-7810346/main.tf line 57, in data "google_compute_subnetwork" "created_subnets":
  57:   region     = element(google_compute_subnetwork.subnetwork.*.region, count.index)
    |----------------
    | count.index is 0
    | google_compute_subnetwork.subnetwork is empty tuple

Call to function "element" failed: cannot use element function with an empty
list.

Related issues

#99 Cannot create VPC with only one subnet

Required providers are not configured

Hello, in the main.tf file there seems to be a deprecated option in the subnetwork config called "enable_flow_logs". It seems to have been replaced by log_config.

When I try to execute a terraform plan using this module, it returns this message:

Error: "enable_flow_logs": [REMOVED] This field is being removed in favor of log_config. If log_config is present, flow logs are enabled. Please remove this field

If possible, could you remove this field from the main.tf file?

Thanks in advance.

Best regards.

Create a new release?

There are several changes since the current release 0.4.0, and for newcomers like me trying to follow the documentation and examples it's a lot of unnecessary troubleshooting.

If there are no blocking bugs, would it be an idea to create a new release?

Create complex routing examples for next_hop_ilb and proxy-only networks

I've covered beta provider features for subnet and route in this PR:
#124

It introduces two new submodules, routes-beta and subnetworks-beta, plus an example and tests that simply check that values are passed to the target resources and used by GCP.

What we are missing here are two complex examples showing how the relevant fields actually work, and tests covering them:

  • for subnet.purpose and subnet.role (proxy-only networks) we need to set up internal HTTP(S) load balancing and check whether IPs are assigned from the proxy-only network. We might also want to check active/backup subnets. More info: https://cloud.google.com/load-balancing/docs/l7-internal/proxy-only-subnets
  • for route.next_hop_ilb we need an example with an internal forwarding rule actually targeting something

Create Consolidated output

In #73 the topic of outputs came up (#73 (comment)). A feature to consolidate the outputs (subnets_names, subnets_ips, subnets_regions, subnets_private_access, subnets_flow_logs, subnets_secondary_ranges) into a map indexed by subnet name was proposed.

I'm creating this issue to track that conversation and the work.

I propose that a new output be created without removing the old outputs, so as not to introduce a breaking change to this module.

Cloud Build pipeline : delete-default-gateway-routes.sh: not found

I am running terraform init, plan, apply, destroy for every release of an in-house module using GCP Cloud Build, as you can see from the cloudbuild.yaml file below.
This was working fine until I started running into the issue below, where the default gateway deletion script is not found when running terraform apply. This only happens when running on Cloud Build; I cannot reproduce the problem on my local machine.

Any idea ?

/bin/sh: .terraform/modules/xpn/terraform-google-modules-terraform-google-network-e273b5e/scripts/delete-default-gateway-routes.sh: not found

steps:
  # download service account key 
  - name: gcr.io/cloud-builders/gsutil
    args: ['cp', 'gs://XXXXXXXXXX/secrets.json', 'secrets.json']
  # setup test environment
  - name: bash
    args: ["bash", "-c", "mv backend.tf.test backend.tf"]
  # init test environment
  - name: hashicorp/terraform:light
    args: ["init"]
    env:
      - "GOOGLE_APPLICATION_CREDENTIALS=secrets.json"
  # plan test environment
  - name: hashicorp/terraform:light
    args: ["plan", "-input=false", "-var-file=variables.test.tfvars", "-refresh=true", "-out=tf-modules-environment.test.tfplan"]
    env:
      - "GOOGLE_APPLICATION_CREDENTIALS=secrets.json"
      - "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=secrets.json"
  # apply test environment
  - name: hashicorp/terraform:light
    args: ["apply", "-auto-approve", "tf-modules-environment.test.tfplan"]
    env:
      - "GOOGLE_APPLICATION_CREDENTIALS=secrets.json"
      - "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=secrets.json"
  - name: hashicorp/terraform:light
    args: ["destroy",  "-auto-approve", "-var-file=variables.test.tfvars"]
    env:
      - "GOOGLE_APPLICATION_CREDENTIALS=secrets.json"
      - "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=secrets.json"

Error: Error running command '.terraform/modules/xpn/terraform-google-modules-terraform-google-network-e273b5e/scripts/delete-default-gateway-routes.sh xpn-terratest-04 terratest-xpn': exit status 127. Output: /bin/sh: .terraform/modules/xpn/terraform-google-modules-terraform-google-network-e273b5e/scripts/delete-default-gateway-routes.sh: not found
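Exit status 127 together with `/bin/sh: <path>: not found` for a file that does exist is the message BusyBox sh prints when the interpreter named on the script's shebang line cannot be found. hashicorp/terraform:light is an Alpine-based image without bash, so a script that starts with `#!/usr/bin/env bash` fails exactly this way there while working on a workstation that has bash; that the module's script uses a bash shebang is an assumption of this explanation, not something the report states. The functions below are an added example, not code from the module or the reporter: run the check as a build step before `terraform apply` to fail early with a message that names the missing interpreter.

```shell
#!/bin/sh
# Added example (not part of terraform-google-network): explain an
# "exit status 127 ... not found" for a script that exists by checking that
# the interpreter on its shebang line is present in this environment.
# Assumption: the module script uses a bash shebang; Alpine images such as
# hashicorp/terraform:light do not ship bash.

# shebang_interpreter FILE: print the interpreter the kernel would exec.
# "#!/usr/bin/env bash" resolves to "bash" (looked up on PATH),
# "#!/bin/bash" resolves to "/bin/bash", no shebang resolves to /bin/sh.
shebang_interpreter() {
  first=$(head -n 1 "$1") || return 1
  case "$first" in
    '#!'*) ;;
    *) echo "/bin/sh"; return 0 ;;
  esac
  rest=$(printf '%s\n' "$first" | cut -c3-)
  set -- $rest                           # split the shebang on whitespace
  if [ "$1" = "/usr/bin/env" ]; then
    echo "$2"
  else
    echo "$1"
  fi
}

# check_script FILE: return 0 when FILE is executable and its interpreter can
# be found; otherwise print the reason and return the code sh itself would use
# (126 not executable, 127 not found).
check_script() {
  f="$1"
  [ -f "$f" ] || { echo "$f: no such file" >&2; return 127; }
  [ -x "$f" ] || { echo "$f: not executable (mode bit lost in checkout?)" >&2; return 126; }
  interp=$(shebang_interpreter "$f") || return 1
  case "$interp" in
    /*) [ -x "$interp" ] ;;
    *)  command -v "$interp" >/dev/null 2>&1 ;;
  esac || {
    echo "$f: interpreter '$interp' not found; install it in the image or run 'sh $f'" >&2
    return 127
  }
  return 0
}

# Usage (not executed here), as an extra Cloud Build step after terraform init:
#   check_script .terraform/modules/xpn/*/scripts/delete-default-gateway-routes.sh
```

Distinguishing 126 from 127 matters in CI: a lost execute bit after checkout gives "Permission denied", while a missing interpreter gives the "not found" seen in the report even though the path is correct.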


Cannot create VPC with only one subnet

The VPC module fails when trying to create a VPC with a single Subnet

called via

module "vpc" {
    source  = "terraform-google-modules/network/google"
    version = "~> 1.4.0"

    project_id   = var.project
    network_name = var.network_name
    routing_mode = "GLOBAL"

    subnets = var.vpc_subnets
}

while variables.tf is set up as so:

variable "vpc_subnets" {
  type        = list(map(string))
  default     = [{
      subnet_name = "primary"
      subnet_ip  = "10.99.0.0/24"
      subnet_region = "us-central1"
    },{
      subnet_name = "secondary"
      subnet_ip  = "10.99.1.0/24"
      subnet_region = "us-central1"
    },
  ]
  description = "Name for the subnets"
}

the error being produced is


  on .terraform/modules/vpc/terraform-google-modules-terraform-google-network-7810346/main.tf line 56, in data "google_compute_subnetwork" "created_subnets":
  56:   name       = element(google_compute_subnetwork.subnetwork.*.name, count.index)
    |----------------
    | count.index is 0
    | google_compute_subnetwork.subnetwork is empty tuple

Call to function "element" failed: cannot use element function with an empty
list.


Error: Error in function call

  on .terraform/modules/vpc/terraform-google-modules-terraform-google-network-7810346/main.tf line 57, in data "google_compute_subnetwork" "created_subnets":
  57:   region     = element(google_compute_subnetwork.subnetwork.*.region, count.index)
    |----------------
    | count.index is 0
    | google_compute_subnetwork.subnetwork is empty tuple

Call to function "element" failed: cannot use element function with an empty
list.

Create a new release?

Hello,

Could a new release be cut to include the most recent changes? (Description field) I'm tracking the GitHub master in my source declaration and would prefer to track a tag or version on the registry.

Thanks!

Upgrading from version 1.1.0 to 2.0.0 causes the network and subnetwork to be recreated.

terraform -version
Terraform v0.12.19

  • provider.external v1.2.0
  • provider.google v3.5.0
  • provider.google-beta v3.5.0
  • provider.null v2.1.2

module "vpc" {
  source       = "terraform-google-modules/network/google"
  version      = "2.0.2"  # used to be 1.1.0
  project_id   = var.data_pipline_project_id
  network_name = local.network_name

  subnets = [
    {
      subnet_name           = local.composer_subnet
      subnet_ip             = var.composer_subnet_range
      subnet_region         = var.composer_region
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
  ]

  secondary_ranges = {
    "${local.composer_subnet}" = [
      {
        range_name    = var.composer_secondary_subnet_services_name
        ip_cidr_range = var.composer_secondary_subnet_services_cidr_range
      },
      {
        range_name    = var.composer_secondary_subnet_pods_name
        ip_cidr_range = var.composer_secondary_subnet_pods_cidr_range
      },
    ]
  }
}

causes a recreation of the network and the subnetwork, which causes recreation of the Composer cluster in that subnetwork, which is undesirable.

  # module.hsq-dev.module.composer_network.module.vpc.google_compute_network.network will be destroyed
  - resource "google_compute_network" "network" {
      - auto_create_subnetworks         = false -> null
      - delete_default_routes_on_create = false -> null
      - id                              = "hsq-dev-composer-network" -> null
      - name                            = "hsq-dev-composer-network" -> null
      - project                         = "hsq-dev-pipeline-c573" -> null
      - routing_mode                    = "GLOBAL" -> null
      - self_link                       = "https://www.googleapis.com/compute/v1/projects/hsq-dev-pipeline-c573/global/networks/hsq-dev-composer-network" -> null

      - timeouts {}
    }

  # module.hsq-dev.module.composer_network.module.vpc.google_compute_subnetwork.subnetwork[0] will be destroyed
  - resource "google_compute_subnetwork" "subnetwork" {
      - creation_timestamp       = "2019-08-02T10:45:02.363-07:00" -> null
      - enable_flow_logs         = true -> null
      - fingerprint              = "jNJueFxmo_A=" -> null
      - gateway_address          = "172.16.0.1" -> null
      - id                       = "us-central1/composer-subnet" -> null
      - ip_cidr_range            = "172.16.0.0/19" -> null
      - name                     = "composer-subnet" -> null
      - network                  = "https://www.googleapis.com/compute/v1/projects/hsq-dev-pipeline-c573/global/networks/hsq-dev-composer-network" -> null
      - private_ip_google_access = true -> null
      - project                  = "hsq-dev-pipeline-c573" -> null
      - region                   = "us-central1" -> null
      - secondary_ip_range       = [
          - {
              - ip_cidr_range = "172.16.32.0/21"
              - range_name    = "services"
            },
          - {
              - ip_cidr_range = "172.16.40.0/21"
              - range_name    = "pods"
            },
        ] -> null
      - self_link                = "https://www.googleapis.com/compute/v1/projects/hsq-dev-pipeline-c573/regions/us-central1/subnetworks/composer-subnet" -> null

      - log_config {
          - aggregation_interval = "INTERVAL_5_SEC" -> null
          - flow_sampling        = 0.5 -> null
          - metadata             = "INCLUDE_ALL_METADATA" -> null
        }

      - timeouts {}
    }

  # module.hsq-dev.module.composer_network.module.vpc.module.subnets.google_compute_subnetwork.subnetwork["us-central1/composer-subnet"] will be created
  + resource "google_compute_subnetwork" "subnetwork" {
      + creation_timestamp       = (known after apply)
      + enable_flow_logs         = (known after apply)
      + fingerprint              = (known after apply)
      + gateway_address          = (known after apply)
      + id                       = (known after apply)
      + ip_cidr_range            = "172.16.0.0/19"
      + name                     = "composer-subnet"
      + network                  = "hsq-dev-composer-network"
      + private_ip_google_access = true
      + project                  = "hsq-dev-pipeline-c573"
      + region                   = "us-central1"
      + secondary_ip_range       = [
          + {
              + ip_cidr_range = "172.16.32.0/21"
              + range_name    = "services"
            },
          + {
              + ip_cidr_range = "172.16.40.0/21"
              + range_name    = "pods"
            },
        ]
      + self_link                = (known after apply)

      + log_config {
          + aggregation_interval = "INTERVAL_5_SEC"
          + flow_sampling        = 0.5
          + metadata             = "INCLUDE_ALL_METADATA"
        }
    }

  # module.hsq-dev.module.composer_network.module.vpc.module.vpc.google_compute_network.network will be created
  + resource "google_compute_network" "network" {
      + auto_create_subnetworks         = false
      + delete_default_routes_on_create = false
      + gateway_ipv4                    = (known after apply)
      + id                              = (known after apply)
      + ipv4_range                      = (known after apply)
      + name                            = "hsq-dev-composer-network"
      + project                         = "hsq-dev-pipeline-c573"
      + routing_mode                    = "GLOBAL"
      + self_link                       = (known after apply)
    }

Is there any way to make the upgrade not have the recreation effect on the network and the subnetwork?

Update fabric svpc readme

Current readme says source is terraform-google-modules/terraform-google-network/google//modules/fabric-net-svpc-access which did not work for me.
terraform-google-modules/network/google//modules/fabric-net-svpc-access is what worked.

Example on main page doesn't work

The example code on the main page should work for new users with no modification. It throws these errors if you try to use it as-is:

Error: "log_config.0.metadata": one of `log_config.0.aggregation_interval,log_config.0.flow_sampling,log_config.0.metadata` must be specified

  on .terraform/modules/vpc/terraform-google-modules-terraform-google-network-3e28d88/modules/subnets/main.tf line 28, in resource "google_compute_subnetwork" "subnetwork":
  28: resource "google_compute_subnetwork" "subnetwork" {

Error: "log_config.0.aggregation_interval": one of `log_config.0.aggregation_interval,log_config.0.flow_sampling,log_config.0.metadata` must be specified

  on .terraform/modules/vpc/terraform-google-modules-terraform-google-network-3e28d88/modules/subnets/main.tf line 28, in resource "google_compute_subnetwork" "subnetwork":
  28: resource "google_compute_subnetwork" "subnetwork" {

Error: "log_config.0.flow_sampling": one of `log_config.0.aggregation_interval,log_config.0.flow_sampling,log_config.0.metadata` must be specified

  on .terraform/modules/vpc/terraform-google-modules-terraform-google-network-3e28d88/modules/subnets/main.tf line 28, in resource "google_compute_subnetwork" "subnetwork":
  28: resource "google_compute_subnetwork" "subnetwork" {

Bump terraform-provider-google to 3.1.0

Hi People,
I was wondering if there's a possibility to bump the terraform-provider-google version to the latest 3.1.0, since quite a few bugs are fixed in it. The version is pinned to 2.19.0 and this is preventing me from using the network module in the same state. The only options I have for now are to use another state, fork, or drop or bump it via a PR.
If you agree with bumping the version I can also open a PR against the module with it.
Thanks!

Error: "enable_flow_logs": [REMOVED]

Error: "enable_flow_logs": [REMOVED] This field is being removed in favor of log_config. If log_config is present, flow logs are enabled. Please remove this field

The error message pretty much sums it up. Maybe pass a log_config map to the module? I tried to solve it, but didn't manage to pass an object inside the subnet list.

next_hop_internet should be able to handle a boolean

The variable next_hop_internet should be able to handle a boolean value similar to the variables:
shared_vpc_host
subnet_private_access
subnet_flow_logs

The below config throws an error because next_hop_internet requires "true":

routes = [
  {
    name              = "egress-internet"
    description       = "route through IGW to access internet"
    destination_range = "0.0.0.0/0"
    tags              = "egress-inet"
    next_hop_internet = true
  }
]

Upgrade from version 1.4.3 to 2.0.1 forces re-creation of network

I have a pretty simple network configuration. When trying to upgrade from version 1.4.3 to 2.0.1, terraform claims that it needs to delete and re-create the network and all its subnetworks (even if there's no other configuration change).

I would expect updating the module version would not result in a complete network destruction and re-creation.

Here's the network configuration:

module "vpc" {
  source  = "terraform-google-modules/network/google"
  version = "~> 1.4.0"
  # version = "~> 2.0.1"

  project_id   = data.terraform_remote_state.project.outputs.project_id
  network_name = "lulu-vpc"

  subnets = [
    {
      subnet_name   = var.subnet_gke_name
      subnet_ip     = var.subnet_gke_cidr
      subnet_region = var.region
    },
    {
      subnet_name   = var.subnet_vms_name
      subnet_ip     = var.subnet_vms_cidr
      subnet_region = var.region
    },
  ]

  secondary_ranges = {
    subnet-gke = [
      {
        range_name    = var.subnet_gke_services_name
        ip_cidr_range = var.subnet_gke_services_cidr
      },
      {
        range_name    = var.subnet_gke_pods_name
        ip_cidr_range = var.subnet_gke_pods_cidr
      },
    ]
  }
}

This is a snippet from the resulting plan:

  # module.vpc.module.vpc.google_compute_network.network will be destroyed
  - resource "google_compute_network" "network" {
      - auto_create_subnetworks         = false -> null
      - delete_default_routes_on_create = false -> null
      - id                              = "lulu-vpc" -> null
      - name                            = "lulu-vpc" -> null
      - project                         = "lulu-production-001" -> null
      - routing_mode                    = "GLOBAL" -> null
      - self_link                       = "https://www.googleapis.com/compute/v1/projects/lulu-production-001/global/networks/lulu-vpc" -> null

      - timeouts {}
    }

  # module.vpc.google_compute_network.network[0] will be created
  + resource "google_compute_network" "network" {
      + auto_create_subnetworks         = false
      + delete_default_routes_on_create = false
      + gateway_ipv4                    = (known after apply)
      + id                              = (known after apply)
      + name                            = "lulu-vpc"
      + project                         = "lulu-production-001"
      + routing_mode                    = "GLOBAL"
      + self_link                       = (known after apply)

The only difference I see is the removal of the empty timeout configuration.

enable_flow_logs on subnets is deprecated in favor of log_config.

module "vpc" {
  source       = "terraform-google-modules/network/google"
  version      = "1.5.0"
  project_id   = var.project_id
  network_name = local.datalab_network
  routing_mode = "REGIONAL"

  subnets = [
    {
      subnet_name           = local.datalab_subnet
      subnet_ip             = local.subnet_ip
      subnet_region         = var.region
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
  ]

  secondary_ranges = {
    "${local.datalab_subnet}" = []
  }
}

Produces a warning:

Warning: "enable_flow_logs": [DEPRECATED] This field is being removed in favor of log_config. If log_config is present, flow logs are enabled.

  on .terraform/modules/hsq-dev.datalab_network.vpc/terraform-google-modules-terraform-google-network-8368373/main.tf line 51, in resource "google_compute_subnetwork" "subnetwork":
  51: resource "google_compute_subnetwork" "subnetwork" {

Output variable subnets_secondary_ranges cannot be used in dependent modules.

A new bug is introduced into this module due to the introduction of the following code:
#81

As written in https://www.terraform.io/docs/configuration/data-sources.html#data-resource-dependencies, adding a depends_on to a data declaration postpones the evaluation of the data value to the apply phase of terraform.
The created_subnets value is being used in the output of the module for outputting the subnets_secondary_ranges.
We are using the secondary ranges in other modules, as they depend on these ranges (a kubernetes cluster uses secondary ranges for its pods and containers).
Running a terraform plan & apply will now always cause a replacement of the kubernetes cluster, as terraform is not able to find the diff of the state during the plan phase.

To fix this issue we need to get rid of the depends_on in the data block. Perhaps this PR already fixes the issue, but just for 2.x:
#73

Could a patch be created for a 1.4.1 or similar bugfix release?

Error: Error in function call - google_compute_subnetwork.subnetwork is empty tuple

main.tf content:

module "vpc" {
  source  = "terraform-google-modules/network/google"
  version = "v1.2.0"

  project_id   = var.projectid
  network_name = var.clusterid_network
  routing_mode = "GLOBAL"

  subnets = [
    {
      subnet_name   = var.clusterid_subnet
      subnet_ip     = var.clusterid_subnet_cidr
      subnet_region = var.region
    }
  ]
}

After running terraform plan/apply, following error shows up:

Error: Error in function call

  on .terraform/modules/vpc/terraform-google-modules-terraform-google-network-7b0ee13/main.tf line 56, in data "google_compute_subnetwork" "created_subnets":
  56:   name    = element(google_compute_subnetwork.subnetwork.*.name, count.index)
    |----------------
    | count.index is 0
    | google_compute_subnetwork.subnetwork is empty tuple

Call to function "element" failed: cannot use element function with an empty
list.

Updating any subnet in a list causes subsequent subnets to be re-created

Expected behavior

When a subnet is modified in source, only one resource is modified in the plan/apply.

Actual behavior

When a subnet in the list of var.subnets is updated or deleted, it forces recreation of all subsequent subnets in the list.

Example

If I were to update the subnet_ip for subnet-01 it would force re-creation of subnet-02 as well.

module "vpc" {
  source  = "terraform-google-modules/network/google"
  version = "~> 1.0.0"

  ...

  subnets = [
    {
      subnet_name   = "subnet-01"
      subnet_ip     = "10.10.10.0/24"
      subnet_region = "us-west1"
    },
    {
      subnet_name           = "subnet-02"
      subnet_ip             = "10.10.20.0/24"
      subnet_region         = "us-west1"
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
      description           = "This subnet has a description"
    },
  ]
  ...
}
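Both the "Upgrade from version 1.4.3 to 2.0.1 forces re-creation of network" report above and the count index-shift report in this issue show the same plan signature: Terraform destroys an object at one address and creates an object with the same name, project and region at another. The script below, an added example that is not part of the module or of any issue comment, reads the JSON form of a plan (`terraform show -json tfplan`), pairs such destroy/create entries by identity and prints the `terraform state mv` commands that re-home the state entry instead. It flags the index-shift case separately, because there the target address still holds another instance the plan is about to delete, so a plain mv would collide. The identity-key table and the two sample plans are constructed for this example (modelled on the plan output quoted in the issues; the project id in the second sample is hypothetical).

```python
"""Pair the destroy/create entries of a Terraform JSON plan that describe the
same cloud object and print the `terraform state mv` commands that avoid the
destroy. Produce the input with:
    terraform plan -out tfplan && terraform show -json tfplan > plan.json
"""
import json
import sys

# Attributes that identify one real object whatever its Terraform address.
# Types not listed fall back to ("project", "name"). This table is this
# script's assumption; the module defines nothing of the kind.
IDENTITY_KEYS = {
    "google_compute_network": ("project", "name"),
    "google_compute_subnetwork": ("project", "region", "name"),
}


def identity(resource_type, attrs):
    """(type, identifying values) for one side of a planned change."""
    keys = IDENTITY_KEYS.get(resource_type, ("project", "name"))
    return resource_type, tuple(attrs.get(k) for k in keys)


def plan_state_moves(plan):
    """Return (moves, blocked).

    moves:   [(old_address, new_address)] safe to hand to `terraform state mv`.
    blocked: [(old_address, new_address, occupant)] where the target address
             still holds a different object that the plan also destroys, which
             is what a count index shift looks like; a plain mv would collide.
    """
    destroyed = {}  # address -> identity Terraform would delete there
    created = {}    # address -> identity Terraform would create there
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if "delete" in change["actions"]:
            destroyed[rc["address"]] = identity(rc["type"], change["before"])
        if "create" in change["actions"]:
            created[rc["address"]] = identity(rc["type"], change["after"])

    created_at = {}
    for address, ident in created.items():
        created_at.setdefault(ident, []).append(address)

    moves, blocked = [], []
    for old_address, ident in destroyed.items():
        targets = [a for a in created_at.get(ident, []) if a != old_address]
        if not targets:
            continue  # real deletion, or in-place replacement of the same object
        if len(targets) > 1:
            raise ValueError(f"{ident} is created at several addresses: {targets}")
        new_address = targets[0]
        if new_address in destroyed:
            blocked.append((old_address, new_address, destroyed[new_address]))
        else:
            moves.append((old_address, new_address))
    return moves, blocked


def mv_commands(moves):
    """Shell lines to run, then re-plan and expect no changes for these objects."""
    return [f"terraform state mv '{old}' '{new}'" for old, new in moves]


# Constructed sample 1 (modelled on the 1.4.3 -> 2.0.1 plan): only the address
# differs, so the destroy/create pair is avoidable.
NET = {"name": "lulu-vpc", "project": "lulu-production-001", "routing_mode": "GLOBAL"}
UPGRADE_PLAN = {"resource_changes": [
    {"address": "module.vpc.module.vpc.google_compute_network.network",
     "type": "google_compute_network",
     "change": {"actions": ["delete"], "before": NET, "after": None}},
    {"address": "module.vpc.google_compute_network.network[0]",
     "type": "google_compute_network",
     "change": {"actions": ["create"], "before": None, "after": NET}},
]}

# Constructed sample 2: subnet-01 removed from a count-indexed list, so
# subnet-02 slides from index 1 to index 0 (hypothetical project id).
SUB1 = {"name": "subnet-01", "region": "us-west1", "project": "example-project"}
SUB2 = {"name": "subnet-02", "region": "us-west1", "project": "example-project"}
INDEX_SHIFT_PLAN = {"resource_changes": [
    {"address": "module.vpc.google_compute_subnetwork.subnetwork[0]",
     "type": "google_compute_subnetwork",
     "change": {"actions": ["delete", "create"], "before": SUB1, "after": SUB2}},
    {"address": "module.vpc.google_compute_subnetwork.subnetwork[1]",
     "type": "google_compute_subnetwork",
     "change": {"actions": ["delete"], "before": SUB2, "after": None}},
]}


if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else "plan.json") as fh:
        moves, blocked = plan_state_moves(json.load(fh))
    print("\n".join(mv_commands(moves)))
    for old, new, occupant in blocked:
        print(f"# {old} -> {new} blocked: {new} still holds {occupant[1]}")
```

Take a copy of the state (`terraform state pull > pre-move.tfstate`) before running the printed commands, then plan again: the moved objects should show no changes. If a replace is still planned, the before and after attributes differ for a reason other than the address and a state move cannot help. For the count index-shift case the script only reports the collision; the durable fix is to address subnet instances by a stable key (a for_each over subnet names) rather than by list position, so removing one entry no longer renumbers the rest.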

using net-shared-vpc-access with tf 0.12.6 errors out with "Invalid value for "inputMap" parameter: lookup() requires a map as the first argument."

Using this module with the following config:

module "net-shared-vpc-access" {
  source = "terraform-google-modules/network/google//modules/fabric-net-svpc-access"

  host_project_id     = data.terraform_remote_state.vpchost.outputs.project_id
  service_project_num = 1
  service_project_ids = [data.terraform_remote_state.vpcservice1.outputs.project_id]

  host_subnets = [
    data.terraform_remote_state.vpchost.outputs.east_subnetwork_id,
    data.terraform_remote_state.vpchost.outputs.west_subnetwork_id,
  ]
  host_subnet_regions = ["us-east1", "us-west1"]
  host_subnet_users = [
    "serviceAccount:${data.terraform_remote_state.vpcservice1.outputs.default_account}",
    "serviceAccount:${data.terraform_remote_state.vpcservice1.outputs.default_account}",
  ]
}

produces the error:

Error: Invalid function argument

on .terraform/modules/net-shared-vpc-access/terraform-google-modules-terraform-google-network-2ada6f9/modules/fabric-net-svpc-access/main.tf line 30, in resource "google_compute_subnetwork_iam_binding" "subnets":
30: members = compact(split(",", lookup(var.host_subnet_users,
31:
|----------------
| var.host_subnet_users is tuple with 2 elements

Invalid value for "inputMap" parameter: lookup() requires a map as the first
argument.

Can't create secondary networks with interpolated names

terraform --version
Terraform v0.11.13
+ provider.google v2.8.0
+ provider.google-beta v2.8.0
+ provider.google-beta-janus (unversioned)
+ provider.null v2.1.2

The code below produces an error:

module "vpc" {
  source       = "terraform-google-modules/network/google"
  project_id   = "${var.data_pipline_project_id}"
  network_name = "${var.data_pipline_project_id}-composer-network"

  subnets = [
    {
      subnet_name           = "${local.dataflow_subnet}"
      subnet_ip             = "10.10.64.0/18"
      subnet_region         = "us-west1"
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
    {
      subnet_name           = "${local.composer_subnet}"
      subnet_ip             = "${var.composer_subnet_ranges}"
      subnet_region         = "${var.composer_region}"
      subnet_private_access = "true"
      subnet_flow_logs      = "true"
    },
  ]

  secondary_ranges = {
    "${local.dataflow_subnet}" = []
    "${local.composer_subnet}" = [
      {
        range_name    = "${var.composer_secondary_subnet_services_name}"
        ip_cidr_range = "${var.composer_secondary_subnet_services_cidr_range}"
      },
      {
        range_name    = "${var.composer_secondary_subnet_pods_name}"
        ip_cidr_range = "${var.composer_secondary_subnet_pods_cidr_range}"
      },
    ]
  }
}

"module.composer_network.module.vpc.google_compute_subnetwork.subnetwork: secondary_ip_range: should be a list"

Enable Flow Logs deprecated

Hi,
Not sure if this has been caught with another issue (I had a look but couldn't find anything - apologies if my search was lacking...)
The enable_flow_logs setting in Terraform has been deprecated in favour of log_config and therefore when using this module, you get a warning.
If this hasn't been captured yet, I'd be happy to help with updating this. 👍
Thanks
