terraform-google-modules / cloud-foundation-training Goto Github PK

The examples use GCP provider v3.9.0, which doesn't appear to support IAM conditions in google_project_iam_binding. This breaks Lab 2 (IAM), and maybe some others as well.

Error: Unsupported block type

on .terraform/modules/project_iam_bindings/modules/projects_iam/main.tf line 37, in resource "google_project_iam_binding" "project_iam_authoritative":
37: dynamic "condition" {

TL;DR

While using file from the path (https://github.com/terraform-google-modules/cloud-foundation-training/tree/master/Solutions)/04-Instance-Group/main.tf.solution file .

Getting below error

│ Error: Error resolving image name 'debian-cloud/debian-9': Could not find image or family debian-cloud/debian-9
│
│ with module.instance_template.google_compute_instance_template.tpl,
│ on .terraform/modules/instance_template/modules/instance_template/main.tf line 58, in resource "google_compute_instance_template" "tpl":
│ 58: resource "google_compute_instance_template" "tpl" {

Expected behavior

Should work fine

Observed behavior

Getting below error

│ Error: Error resolving image name 'debian-cloud/debian-9': Could not find image or family debian-cloud/debian-9
│
│ with module.instance_template.google_compute_instance_template.tpl,
│ on .terraform/modules/instance_template/modules/instance_template/main.tf line 58, in resource "google_compute_instance_template" "tpl":
│ 58: resource "google_compute_instance_template" "tpl" {

Terraform Configuration

(qwiklabs-gcp-03-9a00e2ed0b4f)$ terraform init
Initializing modules...

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/google-beta from the dependency lock file
- Reusing previous version of hashicorp/google from the dependency lock file
- Reusing previous version of hashicorp/local from the dependency lock file
- Reusing previous version of hashicorp/random from the dependency lock file
- Using previously-installed hashicorp/google-beta v4.31.0
- Using previously-installed hashicorp/google v4.31.0
- Using previously-installed hashicorp/local v2.2.3
- Using previously-installed hashicorp/random v3.3.2

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Terraform Version

(qwiklabs-gcp-03-9a00e2ed0b4f)$ terraform init
Initializing modules...

Initializing the backend...

Initializing provider plugins...
- Reusing previous version of hashicorp/google-beta from the dependency lock file
- Reusing previous version of hashicorp/google from the dependency lock file
- Reusing previous version of hashicorp/local from the dependency lock file
- Reusing previous version of hashicorp/random from the dependency lock file
- Using previously-installed hashicorp/google-beta v4.31.0
- Using previously-installed hashicorp/google v4.31.0
- Using previously-installed hashicorp/local v2.2.3
- Using previously-installed hashicorp/random v3.3.2

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Additional information

from the file(main.tf.soution) after removing the line 75 and 76 ( source_image_family = "debian-9"
source_image_project = "debian-cloud").Re-initiate the terraform and re-applied the plan and it works fine.

In main.tf and iam.tf we reference the service account as
sa-cft-training@${var.project_id}.iam.gserviceaccount.com
It should be
cft-training@${var.project_id}.iam.gserviceaccount.com
without sa- as in the 00-Setup lab and subsequent labs

I stumbled upon this course while browsing through the Google Terraform modules. Here's some minor things that I discovered along the way:

• The license note at the start of every file is a bit distracting
• Instance group chapter:
  • main.tf contains the word "moduel"
  • the readme for task 1 contains a dead link (https://github.com/terraform-google-modules/terraform-google-vm/modules/instance_template)
• Load balancer chapter
  • main.tf: protcol (missing second "o")

In 00-Setup, section 4 describes downloading a service account key for Terraform. However, this is unnecessary since in Section 2, we're using gcloud auth application-default login, such that Terraform can use ADC.

(It is presumably best practice to use ADC and not use the service account key.)

I have tested the 01-Getting-Started phase without downloading the service account key, and it works fine.

When I attempt to apply the infrastructure in module 3, I get a failure due to missing compute engine api

`smieszny@penguin ~/g/c/03-Networking> terraform apply plan.out
module.network.module.vpc.google_compute_network.network: Creating...

Error: Error creating Network: googleapi: Error 403: Access Not Configured. Compute Engine API has not been used in project 1025699268247 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=1025699268247 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured

on .terraform/modules/network/terraform-google-modules-terraform-google-network-665226b/modules/vpc/main.tf line 20, in resource "google_compute_network" "network":
20: resource "google_compute_network" "network" {`

for lab 1, a participant had to enable one more service before the creation of the bucket worked:

gcloud services enable storage-api.googleapis.com

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Repository problems

These problems occurred while renovating this repository. View logs.

• WARN: getNewValue error

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): Update cft/developer-tools Docker tag to v1.21
• chore(deps): update dependency google-cloud-storage to v1.44.0
• chore(deps): update dependency wand to v0.6.13
• chore(deps): Update Terraform terraform-google-modules/project-factory/google to v15
• chore(deps): update dependency google-cloud-storage to v2
• chore(deps): update terraform terraform-google-modules/cloud-nat/google to v5
• chore(deps): update terraform terraform-google-modules/network/google to v9
• chore(deps): update terraform terraform-google-modules/vm/google to v11
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

https://github.com/morgante/terraform-codelab is used in this Qwiklab so we should move it to this repo.

On the step 5 I have

terraform init

Initializing the backend...

Error: Error inspecting states in the "gcs" backend:
querying Cloud Storage failed: storage: bucket doesn't exist

Prior to changing backends, Terraform inspects the source and destination
states to determine what kind of migration steps need to be taken, if any.
Terraform failed to load the states. The data in both the source and the
destination remain unmodified. Please resolve the above error and try again.
01-Getting-Started.zip

Error on executing terraform plan for labs 04 and 05:

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.local_file.instance_startup_script: Refreshing state...
module.instance_template.data.google_compute_image.image_family: Refreshing state...
module.managed_instance_group.data.google_compute_zones.available: Refreshing state...
module.instance_template.data.google_compute_image.image: Refreshing state...

Error: googleapi: Error 403: Required 'compute.zones.list' permission for 'projects/welham-cft', forbidden

  on .terraform/modules/managed_instance_group/modules/mig/main.tf line 31, in data "google_compute_zones" "available":
  31: data "google_compute_zones" "available" {

Fixed with change to 00-setup:

gcloud projects add-iam-policy-binding ${PROJECT_ID} --member="serviceAccount:${SERVICE_ACCOUNT}" --role="roles/compute.viewer"

Participants shouldn't necessarily need to download/use JSON service account keys in the lab. We should update instructions to guide participants to either use service account impersonation or application default credentials.

TL;DR

Update the provider requirements using required_providers for compatibility with Terraform 0.12.26+

Terraform Resources

https://www.terraform.io/language/providers/requirements#v0-12-compatible-provider-requirements

Detailed design

No response

Additional information

No response

Using pixelbook terminal
Using personal project (not training)

Happening in all modules:

exported credential per command
export GOOGLE_CLOUD_KEYFILE_JSON="$(pwd)/cft-training.json"

Received error Error: storage.NewClient() failed: dialing: google: could not find default credentials. when running terraform init

Added
credentials = "../cft-training.json" to backend.tf to fix

Wording in section 1 suggests to create a binding for a 'user' and 'group' but I believe the intent of this portion is to add a set of roles to the service account created in earlier portions.

Perhaps this could be reworded to be more clear.

Bump all modules used to support TF 0.15.x

In executing module 1, I was unable to execute terraform init with the following

smieszny@penguin ~/g/c/01-Getting-Started> terraform init

Initializing the backend...

Error: storage.NewClient() failed: dialing: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

I solved this by running

export GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_CLOUD_KEYFILE_JSON

TL;DR

Update cft/developer-tools

Terraform Resources

No response

Detailed design

No response

Additional information

No response

TO reproduce:
Start a clean run for Lab 03 (cleaned up Lab 02):
https://github.com/terraform-google-modules/cloud-foundation-training/tree/master/03-Networking

terraform apply plan.out

Failed with message:

Error: Error creating Network: googleapi: Error 403: Required 'compute.networks.create' permission for 'projects/xxx-xxx/global/networks/lab03-vpc', forbidden

  on .terraform/modules/network/modules/vpc/main.tf line 20, in resource "google_compute_network" "network":
  20: resource "google_compute_network" "network" {

After wait for couple of minutes, re-run the terraform apply successfully created the network.
I suspect that the first error is due to the IAM binding delay given IAM and Networking configuration are under the same module.

Please clarify.

Running terraform apply plan.out fails because a service is disabled:

Error: Error reading Project Service cft-training-nyc-21/cloudfunctions.googleapis.com: Batch "project/cft-training-nyc-21/services" for request "List Project Services cft-training-nyc-21" returned error: batch request and retry as single request failed - final error: Failed to list enabled services for project cft-training-nyc-21: googleapi: Error 403: Service Usage API has not been used in project 888892115941 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/serviceusage.googleapis.com/overview?project=888892115941 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured. To debug individual requests, try disabling batching: https://www.terraform.io/docs/providers/google/guides/provider_reference.html#enable_batching

Running gcloud services enable serviceusage.googleapis.com fixes the issue.

As training content grows, run throughs can become repetitive and time consuming. We should leverage regular CFT int testing to automate these. This will help us catch any errors easily before training sessions due to shifting API requirements (example cloudbuild enablement for CF) or dependency errors (#30).

We have defined solutions, my proposal is we swap each problem set's boilerplate main.tf with solution main.tf. 00 will be part of setup and 01 - 06 will be deployed in order.