Reputation: 727
Terraform: Cross project referencing not allowed
I'm seeing something strange with google_compute_firewall, the compute instance is in a shared subnet.
I assume a firewall rule needs to be associated to the network which that subnet belongs to. But we can't add the firewall rule to that network because:
google_compute_firewall.intacct-firewall: Error creating Firewall: googleapi: Error 400: Invalid value for field 'resource.network': 'projects/it-production-186816/global/networks/production'. Cross project referencing is not allowed for this resource., invalid
Unable to find anything documented for firewall rules on shared networks. Are we to add the firewall to the local VPC and not the shared VPC?
The compute image has this network configuration:
network_interface {
subnetwork = "${var.subnetwork}"
subnetwork_project = "${var.vpc_parent}"
access_config = {
nat_ip = "${google_compute_address.dokku.address}"
}
}
So although the compute instance is in project-1, the network it's using is in project-2
EDIT:
My main.tf:
# Backend config
terraform {
backend "gcs" {
bucket = "intacct-staging-remote-backend"
project = "fr-intacct-staging"
credentials = "./creds/serviceaccount.json"
}
}
#
# Provider config
provider "google" {
region = "${var.gcp_region}"
project = "${var.gcp_project}"
credentials = "${file("./creds/serviceaccount.json")}"
}
#
# Static IP Address for the app
resource "google_compute_address" "dokku" {
name = "fr-intacct-staging-ip"
address_type = "EXTERNAL"
}
#
# Compute Instance Config
resource "google_compute_instance" "dokku" {
project = "${var.gcp_project}"
name = "dokku-host1"
machine_type = "${var.comp_type}"
zone = "${var.gcp_zone}"
allow_stopping_for_update = "true"
tags = ["intacct"]
# Install Dokku
metadata_startup_script = <<SCRIPT
sudo yum install -y wget
wget https://raw.githubusercontent.com/dokku/dokku/v0.14.5/bootstrap.sh
sudo DOKKU_TAG=${var.dokku_version} bash bootstrap.sh
sudo dokku apps:create fr-intacct-staging
sudo echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sudo systemctl restart network
setenforce 0
SCRIPT
boot_disk {
initialize_params {
image = "${var.compute_image}"
}
}
network_interface {
subnetwork = "${var.subnetwork}"
subnetwork_project = "${var.vpc_parent}"
access_config = {
nat_ip = "${google_compute_address.dokku.address}"
}
}
}
#
# Firewall rule for app access
resource "google_compute_firewall" "intacct-firewall" {
name = "intacct-firewall"
network = "projects/it-production-186816/global/networks/production"
allow {
protocol = "tcp"
ports = [ "80" ]
}
source_ranges = [ "0.0.0.0/0" ]
target_tags = [ "intacct" ]
}
It seems wrong to be using another provider config for the other project to add a firewall rule.
If it is that way, then so be it... but since the service account in use has permission on the other project, it seems wrong that we'd have to use another provider for the other project?
Upvotes: 4
Views: 7407
Answers (3)
Reputation: 1896
Just listing another scenario where this issue Cross project referencing is not allowed for this resource. can occur !!
say you configure your cloud shell variables to use tf_project_123 and in your providers.tf you mention your project as tf_project_321. Then this issue occurs.
In my case, I was using google cloud shell from tf_project_321 project & I used tf_project_123 in my providers file. All I had to do was update my gcloud project details (shell command - gcloud config set project tf_project_123)
When providing details to terraform tool, just ensure the providers project details, permissions and shell vars are in sync.
Upvotes: 0
Reputation: 727
The correct answer was to create another local module for creating the firewall rule in the host project.
Upvotes: 0
Reputation: 2421
There is no issue with the error, you should execute your terraform in the project where the network is declared.
If it's project-2 (as you are in a multiple project env), you should execute your terraform on project-2 and not declare your terraform to use project-1 to do configuration in another project. That's exactly what the error is telling you :)
UPDATE
Let's be even more precise.
So you could declare another provider, it's what I would prefer to do as I would know precisely where the code is executed and the project, but you could also try to specify the project inside the resource like you did on the compute instance, for the firewall rule:
resource "google_compute_firewall" "intacct-firewall" {
project = "projcet-2"
name = "intacct-firewall"
network = "projects/it-production-186816/global/networks/production"
allow {
protocol = "tcp"
ports = [ "80" ]
}
source_ranges = [ "0.0.0.0/0" ]
target_tags = [ "intacct" ]
}
There is a catch to doing this, the service account you are using should have rights to do thing in both projects.
Upvotes: 3
Related Questions
- Terraform is using wrong google project
- Plan Error: Cloud Resource Manager API has not been used
- Terraform/GCP Error: project: required field is not set
- importing gcp resource into terraform fails even if the resource exists
- Terraform 1.2.0: Referencing resources and object mapping
- Unable to create google project with Terraform
- how to refer GCP resources in terraform?
- Terraform set GCP name tag Incorrect attribute value type error
- Error invalid instance URLs: resource "google_compute_instance_group" "t-compute-instance-group"
- terraform 'condition' error in google_project_iam_binding