Project creation with auto_create_network=false should not fail when constraints/compute.skipDefaultNetworkCreation is enforced #4990

Closed
dlinares-linux opened this issue Nov 25, 2019 · 10 comments

@dlinares-linux

Hi all,

Reporting this issue faced when I enforced an organization policy at organization level to skip the default network creation (constraints/compute.skipDefaultNetworkCreation).
Any project created with auto_create_network = false fails because it doesn't find the default network to try and delete it. As a result, the project is created on GCP, but is not imported to the tfstate.

Here is my code that fails (I apply it in 2 steps, the org policy first)

# Org policy to enforce constraints/compute.skipDefaultNetworkCreation
resource "google_organization_policy" "org_policy_compute_skip_default_network_creation" {
  org_id     = var.org_id
  constraint = "compute.skipDefaultNetworkCreation"

  boolean_policy {
    enforced = true
  } 
}

# Create a folder under my org
resource "google_folder" "my_test_folder" {
  display_name = "My test folder"
  parent       = "organizations/${var.org_id}"
}

# Creation of a project
resource "google_project" "my_test_project" {
  name                = "my-test-project"
  project_id          = "my-test-project"
  folder_id           = google_folder.my_test_folder.name
  billing_account     = var.billing_account
  auto_create_network = false
}

That code will generate the following error:

Error: Error deleting default network in project my-test-project: Error deleting network: googleapi: Error 404: The resource 'projects/my-test-project/global/networks/default' was not found, notFound

I believe this is a bug and the project creation should not fail irrespective of whether an org policy is there or not to skip the default network creation.

@nat-henderson
Contributor

Agreed - I can fix that.

@nat-henderson
Contributor

Ah, that's been fixed since 2.17.0 - please upgrade your provider and the issue should disappear.

@dlinares-linux
Author

dlinares-linux commented Nov 26, 2019

Hi @ndmckinley,
I am using the following, which is the latest for the provider:

terraform version
Terraform v0.12.13
+ provider.google v3.0.0-beta.1

Please also note that I faced a similar issue with the constraints/serviceuser.services. If that org policy is set to deny the compute.googleapis.com, then, the project creation fails because it tries to use the compute API to delete the default network and fails.

@nat-henderson nat-henderson reopened this Nov 26, 2019
@nat-henderson
Contributor

Can you link your debug logs? I don't have access to an organization I can set that constraint on, so I'll have to work from your logs.

@nat-henderson
Contributor

> Please also note that I faced a similar issue with the constraints/serviceuser.services. If that org policy is set to deny the compute.googleapis.com, then, the project creation fails because it tries to use the compute API to delete the default network and fails.

I find this part acceptable - if you have denied access to compute.googleapis.com, lots of project attributes won't work. A handful of project features are in compute. You can just get what you're looking for by not setting auto_create_network there.
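
Added example (not part of the thread and not the provider's code): a Go sketch of the two cases discussed above, where a 404 on the default network is treated as "already absent" while any other failure is still reported. The types `apiError`, `networkDeleter` and `fakeCompute` and the function `ensureNoDefaultNetwork` are hypothetical, and modelling the denied compute API as HTTP 403 is an assumption the thread does not show.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// apiError is a hypothetical stand-in for an HTTP API error with a status code.
type apiError struct {
	Code int
	Msg  string
}

func (e *apiError) Error() string { return fmt.Sprintf("Error %d: %s", e.Code, e.Msg) }

// networkDeleter is a hypothetical interface over the "delete network" call.
type networkDeleter interface {
	DeleteNetwork(project, name string) error
}

// fakeCompute returns a fixed, constructed error for every delete call.
type fakeCompute struct{ err error }

func (f fakeCompute) DeleteNetwork(project, name string) error { return f.err }

// ensureNoDefaultNetwork treats "no default network" as the goal rather than
// "the delete call succeeded". A 404 means the goal already holds (for example
// because compute.skipDefaultNetworkCreation is enforced), so it is not an error.
// Any other failure, such as a denied API, is returned to the caller.
func ensureNoDefaultNetwork(c networkDeleter, project string) (alreadyAbsent bool, err error) {
	err = c.DeleteNetwork(project, "default")
	var ae *apiError
	if errors.As(err, &ae) && ae.Code == http.StatusNotFound {
		return true, nil
	}
	if err != nil {
		return false, fmt.Errorf("deleting default network in project %s: %w", project, err)
	}
	return false, nil
}

func main() {
	// Constructed outcomes: network deleted, network never created, API denied.
	for _, e := range []error{nil, &apiError{404, "not found"}, &apiError{403, "constructed: API denied"}} {
		absent, err := ensureNoDefaultNetwork(fakeCompute{e}, "my-test-project")
		fmt.Printf("alreadyAbsent=%v err=%v\n", absent, err)
	}
}
```
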

@dlinares-linux
Author

Hi @ndmckinley,
Here is a link to a gist showing some logs (with DEBUG level): https://gist.github.com/dlinares-linux/d83fb7ea79997dc8a22b56aa2a3ff539
For this test, I have only applied the policy enforcing compute.skipDefaultNetworkCreation.
Kind regards,
David

@nat-henderson
Contributor

Hi, @dlinares-linux,

The log you've pasted includes only the top 20 and bottom 20 lines of the output - I need much more detail than that. If you're uncomfortable posting it publicly, you can email it to me at the email address on my profile, nmckinley@google.com.

@xynova

xynova commented Dec 15, 2019

We just ran with 2.20 and faced the issue too

required_providers {
  google      = "v2.20.0"
  google-beta = "v2.20.0"
}

@chrisst
Contributor

chrisst commented Jan 9, 2020

closing as this is a duplicate of #3582

@chrisst chrisst closed this as completed Jan 9, 2020
@ghost

ghost commented Feb 8, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Feb 8, 2020