Upgrade from v8.1 -> v9.2 with shared VPC & GKE enabled #530

Closed
Zamyatin opened this issue Jan 11, 2021 · 2 comments
Comments

Zamyatin commented Jan 11, 2021

Hello all - wondering if I could get some understanding here. According to the upgrade guide there have been some changes in the way the project-factory manages the IAM permissions around the service-{project-number}@container-engine-robot.iam.gserviceaccount.com service account to enable node attachment to the shared VPC subnet.

Per the docs, I should see a delete/recreate cycle happen on those service accounts, with a resource named module.example.module.service-project.module.shared_vpc_access.google_compute_subnetwork_iam_member.gke_shared_vpc_subnets, assuming I have:

  • container.googleapis.com already enabled - (it is)
  • a host VPC project ID submitted to the module - (done)
  • a list(string) of subnet FQIDs - (done)

I am seeing the deletion of the IAM permissions on the subnets:

  • module.project.module.project-factory.google_compute_subnetwork_iam_member.gke_shared_vpc_subnets
  • module.project.module.project-factory.google_project_iam_member.gke_host_agent[0]

I am not seeing the recreation of those resources. I'm parsing through the code for v9.2 of the Project factory and I don't see any reference to a resource called gke_shared_vpc_subnets (excepting an old migrate.py file, probably from back in the v3-v4 days).

Also odd: while I do see a gke_host_agent resource, that resource is not triggering recreation during a terraform plan. I can confirm that I do have module.project.module.project-factory.module.project_services.google_project_service.project_services["container.googleapis.com"] in Terraform state, which should trigger the creation of this role.

So, I have a couple questions:

  1. Is there some Terraform at-plan vs at-apply issue happening here where active_apis is not calculated (in particular, during a terraform plan)? I get the sense that the setintersection() function may not be getting calculated for some reason, but I can't discern what would cause it not to.
  2. Where is this gke_shared_vpc_subnets resource? I do not see it in code on v9.x? I'm not sure how that would get created, unless there's some call to an external module that I'm missing here?
  3. Are these docs correct? The fact that I don't see gke_shared_vpc_subnets suggests to me they may not be.

Thanks for any help you can provide,
-Raj

FWIW Here's my pretty standard config:

module "project" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 9.2"

  name            = var.name
  org_id          = var.org_id
  billing_account = var.billing_account
  folder_id       = var.parent_folder

  default_service_account    = var.default_service_account
  lien                       = var.protect_with_lien
  disable_dependent_services = var.disable_dependent_services
  auto_create_network        = var.auto_create_network
  skip_gcloud_download       = true

  shared_vpc         = var.shared_vpc_host_project_id
  shared_vpc_subnets = var.shared_vpc_subnets

  activate_apis = distinct(concat(local.core_app_apis, var.additional_apis))

  labels = var.labels
}
@bharathkkb (Member) commented:

Hi @Zamyatin
I believe what is happening here is that in the 9.x release we moved the SVPC role bindings feature to a separate shared_vpc submodule. For context, see #445. Unfortunately this was not super clear in the upgrade guide. So you would have to use

  source  = "terraform-google-modules/project-factory/google//modules/shared_vpc"
  version = "9.2.0"

Due to community feedback we have added it back in the 10.0 release to the main module (#446).

@Zamyatin (Author) commented:

Ohhhhh... I see. So basically the use of the project factory is now:

  • If you have a project to create with a shared VPC, then we're effectively calling the sub-module (which in turn calls the core_project_factory module).
  • If you have a project that does not use a Shared VPC, then you just call the core project-factory module as I have above.

I imagine some of the module-level control-flow features (count, for_each, etc coming from Terraform v0.13+) will become very useful in upcoming versions of the project-factory, exactly for this type of thing?

Thank you so much for the guidance. I've been banging my head against this one for a few days now. :)
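
As an added example (not code from this issue and not from the project-factory repository), here is how the two wirings described in the last two comments look side by side in HCL. It assumes the shared_vpc submodule at 9.2.0 accepts the same inputs as the root-module block posted in the issue (the answer changes only the source), reuses the variable names from that block, and adds a hypothetical validation on the subnet list that is not part of the module (alltrue() needs Terraform 0.14 or newer):

```hcl
# Added example, not from the issue or the project-factory module.
# Assumption: the shared_vpc submodule at 9.2.0 takes the same inputs as the
# root module block in the issue; variable names are the ones from that block.

# Hypothetical input declaration with a format check on the subnet FQIDs.
# Subnet self-link IDs have the shape projects/<host>/regions/<region>/subnetworks/<name>;
# a malformed entry would otherwise surface only as an IAM-binding failure at apply.
variable "shared_vpc_subnets" {
  description = "Fully qualified subnet IDs in the Shared VPC host project"
  type        = list(string)
  default     = []

  validation {
    condition = alltrue([
      for s in var.shared_vpc_subnets :
      can(regex("^projects/[^/]+/regions/[^/]+/subnetworks/[^/]+$", s))
    ])
    error_message = "Each entry must look like projects/<host-project>/regions/<region>/subnetworks/<name>."
  }
}

# Service project attached to a Shared VPC host: call the shared_vpc submodule.
# In 9.x this submodule (not the root module) wraps core_project_factory and
# creates the per-subnet IAM bindings for the GKE service agent.
module "project" {
  source  = "terraform-google-modules/project-factory/google//modules/shared_vpc"
  version = "9.2.0"

  name            = var.name
  org_id          = var.org_id
  billing_account = var.billing_account
  folder_id       = var.parent_folder

  default_service_account    = var.default_service_account
  lien                       = var.protect_with_lien
  disable_dependent_services = var.disable_dependent_services
  auto_create_network        = var.auto_create_network
  skip_gcloud_download       = true

  # Host project ID plus the subnets this project may attach nodes to.
  shared_vpc         = var.shared_vpc_host_project_id
  shared_vpc_subnets = var.shared_vpc_subnets

  # container.googleapis.com has to be in this list, otherwise the GKE
  # service-agent bindings are not created.
  activate_apis = distinct(concat(local.core_app_apis, var.additional_apis))

  labels = var.labels
}

# Standalone project with no Shared VPC: the root module is sufficient and the
# shared_vpc / shared_vpc_subnets inputs are simply left out.
module "standalone_project" {
  source  = "terraform-google-modules/project-factory/google"
  version = "~> 9.2"

  name            = var.name
  org_id          = var.org_id
  billing_account = var.billing_account
  folder_id       = var.parent_folder

  default_service_account    = var.default_service_account
  lien                       = var.protect_with_lien
  disable_dependent_services = var.disable_dependent_services
  auto_create_network        = var.auto_create_network
  skip_gcloud_download       = true

  activate_apis = distinct(concat(local.core_app_apis, var.additional_apis))

  labels = var.labels
}
```

After switching the source, the resource addresses change because the module path changes, so a terraform plan should show the old module.project.module.project-factory.google_compute_subnetwork_iam_member.gke_shared_vpc_subnets bindings being destroyed and new ones created under the submodule's path; that is the delete/recreate cycle the upgrade guide refers to, and it is worth confirming in the plan output that the number of recreated bindings matches the number of subnets passed in before applying.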
