google_vpc_access_connector returns http 400 #8873

Closed
MasterBroda opened this issue Apr 8, 2021 · 10 comments

MasterBroda commented Apr 8, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.14.9

Affected Resource(s)

  • google_vpc_access_connector

Terraform Configuration Files

resource "google_vpc_access_connector" "connector" {
  provider = google-beta
  project  = "<service-project>"
  name     = "dummy-connector"
  region   = "northamerica-northeast1"
  subnet {
    name       = "<subnet-name>"
    project_id = "<host-project>"
  }
}

Debug Output

2021/04/08 10:44:55 [INFO] terraform: building graph: GraphTypeApply
2021/04/08 10:44:55 [DEBUG] Resource state not found for node "google_vpc_access_connector.connector", instance google_vpc_access_connector.connector
2021/04/08 10:44:55 [DEBUG] adding implicit provider configuration provider["registry.terraform.io/hashicorp/google-beta"], implied first by google_vpc_access_connector.connector
2021/04/08 10:44:55 [DEBUG] ProviderTransformer: "google_vpc_access_connector.connector" (*terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/hashicorp/google-beta"]
2021/04/08 10:44:55 [DEBUG] ProviderTransformer: "google_vpc_access_connector.connector (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/hashicorp/google-beta"]
2021/04/08 10:44:55 [DEBUG] pruning unused provider["registry.terraform.io/hashicorp/google"]
2021/04/08 10:44:55 [DEBUG] ReferenceTransformer: "var.project_id" references: []
2021/04/08 10:44:55 [DEBUG] ReferenceTransformer: "google_vpc_access_connector.connector" references: []
2021/04/08 10:44:55 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/hashicorp/google-beta\"]" references: []
2021/04/08 10:44:55 [DEBUG] ReferenceTransformer: "google_vpc_access_connector.connector (expand)" references: []
2021/04/08 10:44:55 [DEBUG] ReferenceTransformer: "var.region" references: []
2021/04/08 10:44:55 [DEBUG] Starting graph walk: walkApply
2021-04-08T10:44:55.920-0400 [INFO]  plugin: configuring client automatic mTLS
2021-04-08T10:44:55.948-0400 [DEBUG] plugin: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/google-beta/3.63.0/darwin_amd64/terraform-provider-google-beta_v3.63.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/google-beta/3.63.0/darwin_amd64/terraform-provider-google-beta_v3.63.0_x5]
2021-04-08T10:44:55.955-0400 [DEBUG] plugin: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/google-beta/3.63.0/darwin_amd64/terraform-provider-google-beta_v3.63.0_x5 pid=29555
2021-04-08T10:44:55.956-0400 [DEBUG] plugin: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/google-beta/3.63.0/darwin_amd64/terraform-provider-google-beta_v3.63.0_x5
2021-04-08T10:44:55.980-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: configuring server automatic mTLS: timestamp=2021-04-08T10:44:55.980-0400
2021-04-08T10:44:56.022-0400 [DEBUG] plugin.terraform-provider-google-beta_v3.63.0_x5: plugin address: address=/var/folders/fd/gkc8wf5j0rj9wq53xx7wh47jsny9j3/T/plugin079933214 network=unix timestamp=2021-04-08T10:44:56.021-0400
2021-04-08T10:44:56.022-0400 [DEBUG] plugin: using plugin: version=5
2021-04-08T10:44:56.116-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:56 [INFO] Authenticating using DefaultClient...: timestamp=2021-04-08T10:44:56.116-0400
2021-04-08T10:44:56.116-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:56 [INFO]   -- Scopes: [https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/cloud-identity https://www.googleapis.com/auth/ndev.clouddns.readwrite https://www.googleapis.com/auth/devstorage.full_control https://www.googleapis.com/auth/userinfo.email]: timestamp=2021-04-08T10:44:56.116-0400
google_vpc_access_connector.connector: Creating...
2021/04/08 10:44:56 [DEBUG] EvalApply: ProviderMeta config value set
2021/04/08 10:44:56 [DEBUG] google_vpc_access_connector.connector: applying the planned Create change
2021-04-08T10:44:56.121-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:56 [DEBUG] Creating new Connector: map[string]interface {}{"machineType":"e2-micro", "maxThroughput":1000, "minThroughput":200, "subnet":map[string]interface {}{"name":"snet-function-np-app", "projectId":"pcs-nonprod-svpc"}}: timestamp=2021-04-08T10:44:56.121-0400
2021-04-08T10:44:56.121-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:56 [DEBUG] Waiting for state to become: [success]: timestamp=2021-04-08T10:44:56.121-0400
2021-04-08T10:44:56.121-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:56 [DEBUG] Retry Transport: starting RoundTrip retry loop: timestamp=2021-04-08T10:44:56.121-0400
2021-04-08T10:44:56.121-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:56 [DEBUG] Retry Transport: request attempt 0: timestamp=2021-04-08T10:44:56.121-0400
2021-04-08T10:44:56.121-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:56 [DEBUG] Google API Request Details:
---[ REQUEST ]---------------------------------------
POST /v1beta1/projects/pcs-nonprod-controlplane/locations/northamerica-northeast1/connectors?alt=json&connectorId=dummy-connector HTTP/1.1
Host: vpcaccess.googleapis.com
User-Agent: Terraform/0.14.9 (+https://www.terraform.io) Terraform-Plugin-SDK/2.4.4 terraform-provider-google-beta/dev
Content-Length: 140
Content-Type: application/json
Accept-Encoding: gzip

{
 "machineType": "e2-micro",
 "maxThroughput": 1000,
 "minThroughput": 200,
 "subnet": {
  "name": "<subnet-name>",
  "projectId": "<host-project-name>"
 }
}

-----------------------------------------------------: timestamp=2021-04-08T10:44:56.121-0400
2021-04-08T10:44:57.605-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:57 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Thu, 08 Apr 2021 14:44:57 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT"
  }
}

-----------------------------------------------------: timestamp=2021-04-08T10:44:57.605-0400
2021-04-08T10:44:57.606-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:57 [DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 400 with body: HTTP/2.0 400 Bad Request
Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Thu, 08 Apr 2021 14:44:57 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
  "error": {
    "code": 400,
    "message": "Request contains an invalid argument.",
    "status": "INVALID_ARGUMENT"
  }
}: timestamp=2021-04-08T10:44:57.605-0400
2021-04-08T10:44:57.606-0400 [INFO]  plugin.terraform-provider-google-beta_v3.63.0_x5: 2021/04/08 10:44:57 [DEBUG] Retry Transport: Returning after 1 attempts: timestamp=2021-04-08T10:44:57.605-0400
2021/04/08 10:44:57 [DEBUG] google_vpc_access_connector.connector: apply errored, but we're indicating that via the Error pointer rather than returning it: Error creating Connector: googleapi: Error 400: Request contains an invalid argument.

Error: Error creating Connector: googleapi: Error 400: Request contains an invalid argument.

  on main.tf line 25, in resource "google_vpc_access_connector" "connector":
  25: resource "google_vpc_access_connector" "connector" {


2021-04-08T10:44:57.623-0400 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-04-08T10:44:57.626-0400 [DEBUG] plugin: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/google-beta/3.63.0/darwin_amd64/terraform-provider-google-beta_v3.63.0_x5 pid=29555
2021-04-08T10:44:57.626-0400 [DEBUG] plugin: plugin exited
[terragrunt] 2021/04/08 10:44:57 Hit multiple errors:
exit status 1

Panic Output

Expected Behavior

Actual Behavior

Steps to Reproduce

  1. terraform apply

Important Factoids

I'm trying to create a vpc connector in a shared VPC setting.
I can create it using the gcloud cli but terraform fails with a 400 response.


gcloud beta compute networks vpc-access connectors create test-connector --region northamerica-northeast1 --subnet <subnet-name> --subnet-project <host-project>

References

  • #0000
@ghost ghost added bug labels Apr 8, 2021
@edwardmedia edwardmedia self-assigned this Apr 8, 2021
@edwardmedia
Contributor

edwardmedia commented Apr 11, 2021

@MasterBroda I can't repro the issue. I noticed the region you selected. Can you check if northamerica-northeast1 is valid?

resource "google_vpc_access_connector" "connector" {
  provider = google-beta
  project  = "<service-project>"
  name     = "dummy-connector"
  region   = "northamerica-northeast1" # <------ where did you get it?
  subnet {
    name       = "<subnet-name>"
    project_id = "<host-project>"
  }
}

@MasterBroda
Author

MasterBroda commented Apr 13, 2021

@edwardmedia region = "northamerica-northeast1" is the region where the subnet is located. When I don't add it, I get the following error: Error: Cannot determine region: set in this resource, or set provider-level 'region' or 'zone'.

I also pass it in the equivalent gcloud command gcloud beta compute networks vpc-access connectors create test-connector --region northamerica-northeast1 --subnet <subnet-name> --subnet-project <host-project> which runs successfully.

@ghost ghost removed the waiting-response label Apr 13, 2021
@edwardmedia
Contributor

edwardmedia commented Apr 14, 2021

@MasterBroda I was looking at the region in the URL below.
/v1beta1/projects/pcs-nonprod-controlplane/locations/northamerica-northeast1/connectors

Here is what the provider doc explains regarding region, which seems not to be the one you thought (where the subnet is located):

region - (Optional) Region where the VPC Access connector resides. If it is not provided, the provider region is used.

The error is clear and that matches what you need to do.

I am not able to repro your original error. Do you want to try a different region (i.e. us-central1) to see if that works for you? You may also try to run the example to see what happens.

@edwardmedia
Contributor

@MasterBroda is this still an issue?

@MasterBroda
Author

MasterBroda commented Apr 19, 2021

@edwardmedia sorry for the delay.
I exported GOOGLE_REGION as an env variable and applied the following resource and it worked.

resource "google_vpc_access_connector" "connector" {
  provider = google-beta
  project  = "<service-project>"
  region   = "northamerica-northeast1"
  name     = "test-con"
  subnet {
    name       = "<subnet-name>"
    project_id = "<host-project>"
  }
}

@ghost ghost removed waiting-response labels Apr 19, 2021
@MasterBroda
Author

I'm not sure why I have to export the env variable since I'm already passing the region in the code.

@edwardmedia
Contributor

edwardmedia commented Apr 19, 2021

@MasterBroda no, you don't have to export the env variable.
You have redacted major attributes so I can't tell what is wrong. My guess is it complains about the endpoint below. Are you able to verify if it exists?

/v1beta1/projects/pcs-nonprod-controlplane/locations/northamerica-northeast1/connectors

For you to debug the issue, are you able to run the example?

@MasterBroda
Author

@edwardmedia the example doesn't fully work as the networks and subnets (including the /28 subnet for the vpc connector) are created beforehand by the folder admin.

resource "google_vpc_access_connector" "connector" {
  provider = google-beta
  project  = "<service-project>"
  region   = "northamerica-northeast1"
  name     = "test-con"
  subnet {
    name       = "<subnet-name>"
    project_id = "<host-project>"
  }
}

I think I've found what might be causing the error. My module sets up the service accounts and their roles, healthcheck firewall rules, NAT router, external IP, etc., along with the vpc-connector.
There needs to be a delay in the vpc connector creation, otherwise it runs into errors.
When I ran it the second time, it got created perfectly.
I've added a depends_on so that this bit runs after the service account creation.
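
The ordering fix described in the comment above, as an added example that is not part of the original thread or the provider's documentation. It assumes the connector failed because an IAM binding for the Serverless VPC Access service agent had not yet propagated; the variable names, the `time_sleep` resource (from the `hashicorp/time` provider) and the 60s delay are illustrative assumptions.

```hcl
# Added example: variable and resource names are hypothetical.
variable "service_project" { type = string }
variable "host_project"    { type = string }
variable "subnet_name"     { type = string }

# Look up the service project's number to build the service agent address.
data "google_project" "service" {
  project_id = var.service_project
}

# Assumption: in a Shared VPC setup, the service project's Serverless VPC
# Access service agent needs network user rights in the host project.
resource "google_project_iam_member" "vpcaccess_agent_network_user" {
  project = var.host_project
  role    = "roles/compute.networkUser"
  member  = "serviceAccount:service-${data.google_project.service.number}@gcp-sa-vpcaccess.iam.gserviceaccount.com"
}

# IAM changes are eventually consistent: the binding can exist in state
# before the API honours it. Pause before anything that relies on it.
resource "time_sleep" "wait_for_iam" {
  depends_on      = [google_project_iam_member.vpcaccess_agent_network_user]
  create_duration = "60s" # illustrative value, tune for your environment
}

resource "google_vpc_access_connector" "connector" {
  provider = google-beta
  project  = var.service_project
  region   = "northamerica-northeast1"
  name     = "test-con"

  subnet {
    name       = var.subnet_name
    project_id = var.host_project
  }

  # Explicit ordering: nothing in the connector's arguments references the
  # IAM binding, so Terraform would otherwise create both in parallel.
  depends_on = [time_sleep.wait_for_iam]
}
```

A bare `depends_on` on the IAM resource only orders the API calls; the `time_sleep` step is what covers the propagation window that made the second `terraform apply` succeed.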

@ghost ghost removed the waiting-response label Apr 20, 2021
@edwardmedia
Contributor

@MasterBroda yes, when you mentioned resources got created in the 2nd run, I immediately thought it might be a time issue. With the code you provided, I can't see anything particularly wrong. I have tested multiple times and could repro the error you encountered.
Please close the issue if you have identified the cause. Or leave it open if you still have questions.

@ghost

ghost commented May 21, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators May 21, 2021