GCP subnet share conditions not working correctly #152
Comments
When the variable vpc_networks is incorrectly formed, the failure happens and leaves all subnets shared. The incorrect formatting and the error observed are below.
#97 is related.
To add some more context here, these IAM resources are using a This will also happen if you pass the If we're going to continue to use the
@aaron-lane @morgante
```hcl
variable "shared_vpc_subnets" {
  description = "List of subnets fully qualified subnet IDs (ie. projects/$project_id/regions/$region/subnetworks/$subnet_id)"
  type        = "list"

  # Deliberately malformed entries: only the second one is a valid subnet ID.
  default = [
    "http://projects/base-project-196723/regions/us-east1/subnetworks/default",
    "projects/base-project-196723/regions/us-central1/subnetworks/default",
    "XXXX/base-project-196723/regions/us-central1/subnetworks/subnet-1",
  ]
}

# Flag each subnet: stripping the canonical ID (optionally prefixed with the
# compute API base URL) must leave an empty string; anything left over means
# the ID is invalid.
resource "null_resource" "invalid_subnets" {
  count = "${length(var.shared_vpc_subnets)}"

  triggers = {
    subnet = "${replace(var.shared_vpc_subnets[count.index], "/(https://www.googleapis.com/compute/v1/)?projects/[a-z0-9-]+/regions/[a-z0-9-]+/subnetworks/[a-z0-9-]+/", "") == "" ? false : true}"
  }
}

locals {
  invalid_subnets = "${null_resource.invalid_subnets.*.triggers.subnet}"
}

# Replace every invalid entry with a placeholder so the downstream IAM binding
# fails on a nonexistent subnet instead of silently widening the grant.
resource "null_resource" "valid_subnet" {
  count = "${length(var.shared_vpc_subnets)}"

  triggers = {
    subnet = "${local.invalid_subnets[count.index] ? "dummy-subnet" : var.shared_vpc_subnets[count.index]}"
  }
}

output "valid_subnets" {
  value = "${null_resource.valid_subnet.*.triggers.subnet}"
}
```

It will give the following output:
which causes a failure for the incorrect subnet item.
@kopachevsky this should indeed be solved in the Terraform configuration; If we are relying on the
@aaron-lane I agree, "dummy-subnet" is not a good way to point the user to the problem in his config. I've tried the options from the issue you mentioned above initially; for some reason it won't work for me. I even raised a Stack Overflow question: https://stackoverflow.com/questions/56042077/terraform-v0-11-xx-null-resource-not-always-works-as-assertion
…rking correctly - added regexp based subnet name validation - added relative region and subnet values extractions from source string
…rking correctly - added second subnet with https://www.googleapis.com/compute/v1 prefix to tests
…rking correctly. - fixed subnet region to available
…rking correctly - removed typos - removed meta programming from tests
…rking correctly - fixed local variables initialization from attributes
@kopachevsky As an incremental fix, please provide a PR which only automatically strips the
…rking correctly - temporary commit to check early fail if shared vpc subnet name not valid (HTTPS changed to HTTP) - revert after check
…rking correctly - revert: temporary commit to check early fail if shared vpc subnet name not valid (HTTPS changed to HTTP)
Based on the default 3 conditions:

1. shared_vpc and no subnets => no grants
2. shared_vpc and no subnets => grant to the project (all networks/subnets)
3. shared_vpc and subnets => grant to the subnets (and not to the project)

If the subnet ID gets messed up (fat finger) while attempting case 3, project factory ends up sharing the entire set of networks in the host project VPC with the service project, which is a serious security issue. Ideally it should follow step 1 and should not grant anything and error out.
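As an added example (not the project factory's own code), the following Python implements the three conditions above in a fail-closed way: it accepts the canonical subnet ID with or without the https://www.googleapis.com/compute/v1/ prefix (the prefix stripping is an assumption taken from the linked commits) and raises on a malformed ID instead of falling back to the project-wide grant.

```python
import re

# Assumption: IDs may carry the compute API prefix, which is stripped first.
API_PREFIX = "https://www.googleapis.com/compute/v1/"
# Canonical form: projects/<project>/regions/<region>/subnetworks/<subnet>
SUBNET_RE = re.compile(
    r"^projects/(?P<project>[a-z0-9-]+)/regions/(?P<region>[a-z0-9-]+)"
    r"/subnetworks/(?P<subnet>[a-z0-9-]+)$"
)


def parse_subnet_id(subnet_id):
    """Return (project, region, subnet) for a well-formed ID, else None."""
    if subnet_id.startswith(API_PREFIX):
        subnet_id = subnet_id[len(API_PREFIX):]
    m = SUBNET_RE.match(subnet_id)
    return m.group("project", "region", "subnet") if m else None


def plan_network_user_grants(shared_vpc, subnets):
    """Decide the scope of the compute.networkUser grant.

    Returns ("none", []), ("project", [host_project]) or ("subnets", [ids]).
    A malformed subnet ID raises instead of degrading to the project grant.
    """
    if not shared_vpc:
        return ("none", [])
    if not subnets:
        return ("project", [shared_vpc])
    canonical = []
    for raw in subnets:
        parts = parse_subnet_id(raw)
        if parts is None:
            raise ValueError("malformed shared VPC subnet ID: %r" % (raw,))
        canonical.append("projects/%s/regions/%s/subnetworks/%s" % parts)
    return ("subnets", canonical)


if __name__ == "__main__":
    # Constructed inputs: the three IDs from the comment above.
    sample = [
        "http://projects/base-project-196723/regions/us-east1/subnetworks/default",
        "projects/base-project-196723/regions/us-central1/subnetworks/default",
        "XXXX/base-project-196723/regions/us-central1/subnetworks/subnet-1",
    ]
    for s in sample:
        print("%-75s -> %s" % (s, parse_subnet_id(s)))
    try:
        plan_network_user_grants("base-project-196723", sample)
    except ValueError as e:
        print("refused:", e)
```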