Tag binding with google_tags_location_tag_binding on compute resources requires unique identifier #14210
Comments
@rileykarson I'm curious why you tagged this with
I thought I'd commented here at the time, sorry! The API has custom behaviour for this reference, and we would have expected it to just require a project id and resource name based on https://google.aip.dev/122#full-resource-names and https://google.aip.dev/cloud/2510#google-apis
When you say "The API" you are referring to the CRM tags API, correct? I recently experienced significant pain trying to tag a compute disk (not even using Terraform, just exploring options with gcloud). I'm not sure if you have visibility to see my support case or not as a Google employee, but the support rep and I eventually got to the bottom of it: I was trying to use the disk name as the final element of the Full Resource Name and the CRM tags API requires the disk ID, which is not documented anywhere and is the opposite of the naming expected by the asset IAM Policy Analyzer. It was incredibly confusing and infuriating when I tried to tag a disk, was met with permission denied, and when passing the exact same Full Resource Name and permission to the policy analyzer, it said I had the permission. Sorry for the rant, just an ongoing frustration with GCP's inability to get all services on board with one way to refer to objects.
Yup, the CRM Tags API. https://google.aip.dev/122#fields-representing-another-resource is clear: "When a field represents another resource, the field should be of type string and accept the resource name of the other resource." (and since this can reference an arbitrary resource, https://google.aip.dev/122#full-resource-names means it should be a full resource name)
Yeah, lack of consistency is a frustration I share.
Here is my ugly workaround to tag disks (it might not work as-is as I extracted these resources from 2 modules)

google_tags_location_tag_binding.binding will not be created
#### THIS IS MY main.tf FILE ####
resource "google_tags_location_tag_binding" "binding" {
#### I AM GETTING BELOW ERROR ####
Error: Error creating LocationTagBinding: googleapi: Error 400: Request contains an invalid argument.

me too
Community Note
Description
In order to use the resource google_tags_location_tag_binding with compute resources (instance, disks, snapshots, etc.), the binding needs to be done to the project number and the resource unique identifier (int64) and not the name.
E.g. that works!
At the moment only the google_compute_instance resource outputs the unique identifier via the instance_id field.
These improvements can be done in 2 options:
- Output the unique identifier on taggable compute and data resources:
  - google_compute_disk
  - google_compute_snapshot
  - google_compute_image
- Modify google_tags_location_tag_binding to fetch project number and compute resource unique identifier from compute API before tag binding. This would match the gcloud resource-manager tags bindings create
New or Affected Resource(s)
google_tags_location_tag_binding
References
b/305278289
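
The configuration below is an added example, not part of the original issue or the provider's own code. It shows the name-based parent that this issue reports as not working beside the form built from the project number and `instance_id`. The resource labels, zone, machine type, image and both variables are assumptions made for illustration.

```hcl
# Added example; labels, zone, image and variables are assumptions.
variable "project_id" {
  type = string
}

variable "tag_value_id" {
  type        = string
  description = "Existing tag value, in the form tagValues/<numeric id>"
}

# Resolves the project number, which the binding parent needs instead of the project ID.
data "google_project" "this" {
  project_id = var.project_id
}

resource "google_compute_instance" "vm" {
  project      = var.project_id
  name         = "example-vm"
  machine_type = "e2-micro"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    network = "default"
  }
}

locals {
  # Form this issue reports as not working: project ID and instance name.
  # parent_by_name = "//compute.googleapis.com/projects/${var.project_id}/zones/${google_compute_instance.vm.zone}/instances/${google_compute_instance.vm.name}"

  # Working form: project number plus the instance's numeric unique identifier.
  parent_by_id = "//compute.googleapis.com/projects/${data.google_project.this.number}/zones/${google_compute_instance.vm.zone}/instances/${google_compute_instance.vm.instance_id}"
}

resource "google_tags_location_tag_binding" "vm" {
  parent    = local.parent_by_id
  tag_value = var.tag_value_id
  location  = google_compute_instance.vm.zone
}
```

Because tags can drive IAM conditions and firewall policy, confirm after apply that the binding is attached to the intended instance rather than assuming the parent string resolved as expected.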