
Tag binding with google_tags_location_tag_binding on compute resources requires unique identifier #14210

Open
alexbacchin-asx opened this issue Apr 5, 2023 · 7 comments

Comments


alexbacchin-asx commented Apr 5, 2023

Description

In order to use the resource google_tags_location_tag_binding with compute resources (instances, disks, snapshots, etc.), the binding needs to be done to the project number and the resource unique identifier (int64), not the name.

E.g. this works:

 resource "google_tags_location_tag_binding" "binding" {
      + id        = (known after apply)
      + location  = "australia-southeast1-c"
      + name      = (known after apply)
      + parent    = "//compute.googleapis.com/projects/27050xxxxx/zones/australia-southeast1-c/disks/379577yyyyyyyy"
      + tag_value = "tagValues/28148078zzzzzz"
    }

At the moment only the google_compute_instance resource outputs the unique identifier, via the instance_id field.

This could be done in one of 2 ways:

  1. Output the unique identifier on taggable compute and data resources:
    - google_compute_disk
    - google_compute_snapshot
    - google_compute_image

  2. Modify google_tags_location_tag_binding to fetch the project number and compute resource unique identifier from the compute API before tag binding. This would match gcloud resource-manager tags bindings create.

#### THIS DOES NOT WORK #####
 resource "google_tags_location_tag_binding" "binding" {
      + id        = (known after apply)
      + location  = "australia-southeast1-c"
      + name      = (known after apply)
      + parent    = "//compute.googleapis.com/projects/<project_id>/zones/australia-southeast1-c/disks/<disk_name>"
      + tag_value = "tagValues/28148078zzzzzz"
    }

New or Affected Resource(s)

google_tags_location_tag_binding

b/305278289

@nphilbrook
Contributor

@rileykarson I'm curious why you tagged this with upstream? The compute API returns this value, it's just not in the attributes of the Terraform resource.

@rileykarson
Collaborator

I thought I'd commented here at the time, sorry! The API has custom behaviour for this reference, and we would have expected it to just require a project id and resource name based on https://google.aip.dev/122#full-resource-names and https://google.aip.dev/cloud/2510#google-apis.

@nphilbrook
Contributor

I thought I'd commented here at the time, sorry! The API has custom behaviour for this reference, and we would have expected it to just require a project id and resource name based on https://google.aip.dev/122#full-resource-names and https://google.aip.dev/cloud/2510#google-apis

When you say "The API" you are referring to the CRM tags API, correct? I recently experienced significant pain trying to tag a compute disk (not even using Terraform, just exploring options with gcloud). I'm not sure if you have visibility to see my support case or not as a Google employee, but the support rep and I eventually got to the bottom of it: I was trying to use the disk name as the final element of the Full Resource Name, and the CRM tags API requires the disk ID, which is not documented anywhere and is the opposite of the naming expected by the asset IAM Policy Analyzer. It was incredibly confusing and infuriating when I tried to tag a disk, was met with "permission denied", and when passing the exact same Full Resource Name and permission to the policy analyzer, it said I had the permission.

Sorry for the rant, just an ongoing frustration with GCP's inability to get all services on board with one way to refer to objects.


rileykarson commented May 17, 2023

When you say "The API" you are referring to the CRM tags API, correct?

Yup, the CRM Tags API. https://google.aip.dev/122#fields-representing-another-resource is clear: "When a field represents another resource, the field should be of type string and accept the resource name of the other resource." (And since this can reference an arbitrary resource, https://google.aip.dev/122#full-resource-names means it should be a full resource name.)

Sorry for the rant, just an ongoing frustration with GCP's inability to get all services on board with one way to refer to objects.

Yeah, lack of consistency is a frustration I share.


alexbacchin-asx commented May 17, 2023

Here is my ugly workaround to tag disks (it might not work as-is, as I extracted these resources from 2 modules):

data "google_client_config" "current" {}

locals {
  # var.zone may be a bare zone name or a full self-link URL; keep only the zone name
  zone = trimprefix(var.zone, format("https://www.googleapis.com/compute/v1/projects/%s/zones/", var.project_id))
}

data "http" "request" {
  # GET the disk from the Compute API to read its numeric id (the Tags API rejects the disk name)
  url = format("https://compute.googleapis.com/compute/v1/projects/%s/zones/%s/disks/%s", var.project_id, local.zone, var.disk_name)

  request_headers = {
    Accept        = "application/json"
    Authorization = format("Bearer %s", data.google_client_config.current.access_token)
  }

  lifecycle {
    postcondition {
      condition     = contains([200, 201], self.status_code)
      error_message = "Status code invalid"
    }
  }
}

resource "google_tags_location_tag_binding" "binding" {
  # parent uses the project number (not the project id) and the disk id (not the disk name)
  parent    = "//compute.googleapis.com/projects/${var.project_number}/zones/${local.zone}/disks/${lookup(jsondecode(data.http.request.response_body), "id", "")}"
  tag_value = "tagValues/3423xxxxxx"
  # disks are zonal, so the binding location is the zone (the region is rejected)
  location  = local.zone
}

lineshthakr commented Aug 31, 2023

google_tags_location_tag_binding.binding will not be created

####THIS IS MY main.tf FILE########

resource "google_tags_location_tag_binding" "binding" {
  location  = "europe-west3"
  parent    = "projects/123450---/regions/europe-west3/instances/68814419811070000000"
  tag_value = "tagValues/2814813zzzzzzzz"
}

####### I AM GETTING BELOW ERROR##########

Error: Error creating LocationTagBinding: googleapi: Error 400: Request contains an invalid argument.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.BadRequest",
│ "fieldViolations": [
│ {
│ "description": "Must be a valid One Platform resource name of a tag compatible regional resource",
│ "field": "binding.resource"
│ },
│ {
│ "description": "Resource type not supported in location europe-west3",
│ "field": "binding.resource"
│ }
│ ]
│ }
│ ]
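A Python helper, added here as an example and not code from the provider or from anyone in this thread, that builds the tag-binding parent in the shape the thread found to work (project number plus numeric resource id) and reports why the Tags API would reject the two malformed shapes shown above: the project-id/disk-name form from the issue and the regions/.../instances form from the last comment. The compute lookup takes an injected fetch function, so the constructed SAMPLE_DISK response stands in for the Compute API and the block runs offline; all ids and the project number are made up.

```python
import re
from typing import Callable

COMPUTE_PREFIX = "//compute.googleapis.com/"
# Segments of a Compute full resource name; deliberately loose so mistakes can be reported.
SEGMENTS = re.compile(r"^projects/([^/]+)/(zones|regions)/([^/]+)/([^/]+)/([^/]+)$")
# Compute types that are only ever zonal (disks may be zonal or regional, so they are not listed).
ZONAL_ONLY = {"instances"}


def zone_name(zone: str) -> str:
    """Accepts a bare zone name or a full zone URL (as Terraform sometimes emits) and returns the name."""
    return zone.rstrip("/").rsplit("/", 1)[-1]


def build_parent(project_number: int, zone: str, kind: str, resource_id: int) -> str:
    """Canonical zonal parent: numeric project number and numeric resource id."""
    return f"{COMPUTE_PREFIX}projects/{project_number}/zones/{zone_name(zone)}/{kind}/{resource_id}"


def check_parent(parent: str) -> list[str]:
    """Lists why the Tags API would reject `parent`; an empty list means it has the working shape."""
    problems = []
    body = parent
    if parent.startswith(COMPUTE_PREFIX):
        body = parent[len(COMPUTE_PREFIX):]
    else:
        problems.append("missing //compute.googleapis.com/ prefix (a full resource name is required)")
    m = SEGMENTS.match(body)
    if not m:
        problems.append("expected projects/<number>/{zones|regions}/<location>/<type>/<id>")
        return problems
    project, scope, _location, kind, rid = m.groups()
    if not project.isdigit():
        problems.append(f"project must be the numeric project number, not {project!r}")
    if not rid.isdigit():
        problems.append(f"resource must be the numeric id, not the name {rid!r}")
    if kind in ZONAL_ONLY and scope == "regions":
        problems.append(f"{kind} are zonal: use zones/<zone>, not regions/<region>")
    return problems


def resolve_disk_parent(project_id: str, zone: str, disk_name: str,
                        project_number: int, fetch: Callable[[str], dict]) -> str:
    """Reads the disk's numeric id from the Compute API (fetch is injected) and builds the parent."""
    url = f"https://compute.googleapis.com/compute/v1/projects/{project_id}/zones/{zone_name(zone)}/disks/{disk_name}"
    return build_parent(project_number, zone, "disks", int(fetch(url)["id"]))


# Constructed stand-in for the Compute API disk response (id, project and zone are made up).
SAMPLE_DISK = {"kind": "compute#disk", "id": "379577000000000001", "name": "data-disk",
               "zone": "https://www.googleapis.com/compute/v1/projects/demo-proj/zones/australia-southeast1-c"}


def fake_fetch(url: str) -> dict:
    """Offline substitute for an authenticated GET of the disk resource."""
    assert url.endswith("/zones/australia-southeast1-c/disks/data-disk"), url
    return SAMPLE_DISK
```

In Terraform, fetch corresponds to the http data source in the workaround above, and the project number still has to come from the caller (or a Resource Manager lookup).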

@hoppefamily

me too
