
3-networks - terraform-validator constraint violation : "Flow logs are disabled in subnetwork"

Open plassen opened this issue 3 years ago • 4 comments

TL;DR

(Disclaimer: as I don't see any issue or note about this error around here, the problem is probably mine)

When applying the Cloud Build 'plan' trigger to the gcp-networks repo, I get validation errors for the subnet creation objects, complaining that the flow logging option is disabled, when in fact, the 'log_config' block is defined on the generated tfplan.

The manual deployment of the 'shared' section went well (step 11) because it doesn't mention applying terraform-validator to the generated tfplan. When doing so, it also complains about it :)

Expected behavior

Should produce no violations, because var.subnetworks_enable_logging is at its default value 'true'.

Observed behavior

log-a2091d83-0a40-4a3c-b444-acd7fcb392c1.txt

Terraform Configuration

details from the files in the 'env/development' subfolder:

variables.tf:
variable "subnetworks_enable_logging" {
  type        = bool
  description = "Toggle subnetworks flow logging for VPC Subnetworks."
  default     = true
}

sample from main.tf:
module "restricted_shared_vpc" {
  source                           = "../../modules/restricted_shared_vpc"
  project_id                       = local.restricted_project_id
  project_number                   = local.restricted_project_number
  environment_code                 = local.environment_code
  access_context_manager_policy_id = var.access_context_manager_policy_id
  restricted_services              = ["bigquery.googleapis.com", "storage.googleapis.com"]
  members                          = ["serviceAccount:${var.terraform_service_account}"]
  private_service_cidr             = local.restricted_private_service_cidr
  org_id                           = var.org_id
  parent_folder                    = var.parent_folder
  bgp_asn_subnet                   = local.bgp_asn_number
  default_region1                  = var.default_region1
  default_region2                  = var.default_region2
  domain                           = var.domain
  windows_activation_enabled       = var.windows_activation_enabled
  dns_enable_inbound_forwarding    = var.dns_enable_inbound_forwarding
  dns_enable_logging               = var.dns_enable_logging
  firewall_enable_logging          = var.firewall_enable_logging
  optional_fw_rules_enabled        = var.optional_fw_rules_enabled
  nat_enabled                      = var.nat_enabled
  nat_bgp_asn                      = var.nat_bgp_asn
  nat_num_addresses_region1        = var.nat_num_addresses_region1
  nat_num_addresses_region2        = var.nat_num_addresses_region2
  folder_prefix                    = var.folder_prefix
  mode                             = local.mode

  subnets = [
    {
      subnet_name           = "sb-${local.environment_code}-shared-restricted-${var.default_region1}"
      subnet_ip             = local.restricted_subnet_primary_ranges[var.default_region1]
      subnet_region         = var.default_region1
      subnet_private_access = "true"
      subnet_flow_logs      = var.subnetworks_enable_logging
      description           = "First ${local.env} subnet example."
    },
    {
      subnet_name           = "sb-${local.environment_code}-shared-restricted-${var.default_region2}"
      subnet_ip             = local.restricted_subnet_primary_ranges[var.default_region2]
      subnet_region         = var.default_region2
      subnet_private_access = "true"
      subnet_flow_logs      = var.subnetworks_enable_logging
      description           = "Second ${local.env} subnet example."
    }
  ]
  secondary_ranges = {
    "sb-${local.environment_code}-shared-restricted-${var.default_region1}" = local.restricted_subnet_secondary_ranges[var.default_region1]
  }
  allow_all_ingress_ranges = local.enable_transitivity ? local.restricted_hub_subnet_ranges : null
  allow_all_egress_ranges  = local.enable_transitivity ? local.restricted_subnet_aggregates : null
}

Terraform Version

Terraform v0.13.7
+ provider registry.terraform.io/hashicorp/google v3.90.1
+ provider registry.terraform.io/hashicorp/google-beta v3.90.1
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/hashicorp/random v3.1.0

Additional information

No response

plassen avatar Dec 22 '21 18:12 plassen

I'm getting the same error.

dhess avatar Jan 07 '22 02:01 dhess

Hey folks,

The way to enable flow logs configuration changed.

To be able to fix the problem, we should change the gcp_network_enable_flow_logs_v1.yaml from:

network := asset.resource.data
enable_flow_logs := lib.get_default(network, "enableFlowLogs", false)
enable_flow_logs == false

to

network := asset.resource.data
log_config := lib.get_default(network, "logConfig", {})
enable_flow_logs := lib.get_default(log_config, "enable", false)
enable_flow_logs == false

This fix should be made in the policy-library repo and replicated in Foundation.

amandakarina avatar Jan 14 '22 12:01 amandakarina
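To see why the old constraint fires on a subnetwork whose plan does carry a log_config block, here is an added Python model of both forms of the rule (this is illustration written for this page, not code from the policy-library or terraform-example-foundation); `get_default` stands in for the policy-library's `lib.get_default`, and the subnetwork assets are constructed samples shaped like the resource data terraform-validator hands to the Rego template.

```python
"""Model of the gcp_network_enable_flow_logs_v1 check, old form vs. fixed form.

Added illustration, not code from policy-library or terraform-example-foundation.
The asset documents below are constructed samples in the shape of the
compute Subnetwork resource data that terraform-validator evaluates.
"""


def get_default(obj, key, default):
    """Stand-in for lib.get_default: obj[key] if present, else the default."""
    return obj[key] if isinstance(obj, dict) and key in obj else default


def old_rule_violates(asset):
    """Original rule: only looks at the legacy top-level enableFlowLogs field."""
    network = asset["resource"]["data"]
    enable_flow_logs = get_default(network, "enableFlowLogs", False)
    return enable_flow_logs is False


def new_rule_violates(asset):
    """Fixed rule: reads logConfig.enable, where the plan in this issue carries it."""
    network = asset["resource"]["data"]
    log_config = get_default(network, "logConfig", {})
    enable_flow_logs = get_default(log_config, "enable", False)
    return enable_flow_logs is False


def make_subnet_asset(name, log_config=None):
    """Constructed subnetwork asset with an optional logConfig block."""
    data = {"name": name, "ipCidrRange": "10.0.0.0/24", "region": "us-central1"}
    if log_config is not None:
        data["logConfig"] = log_config
    return {
        "name": f"//compute.googleapis.com/projects/example/regions/us-central1/subnetworks/{name}",
        "asset_type": "compute.googleapis.com/Subnetwork",
        "resource": {"data": data},
    }


LOGGED = make_subnet_asset("sb-d-shared-restricted", {"enable": True})  # flow logs on via logConfig
UNLOGGED = make_subnet_asset("sb-d-no-logs", {"enable": False})          # explicitly off
BARE = make_subnet_asset("sb-d-bare")                                     # no logConfig at all


def compare_rules():
    """Return {subnet name: (old_rule_violates, new_rule_violates)} for the samples."""
    return {a["resource"]["data"]["name"]: (old_rule_violates(a), new_rule_violates(a))
            for a in (LOGGED, UNLOGGED, BARE)}


if __name__ == "__main__":
    for name, (old, new) in compare_rules().items():
        print(f"{name}: old rule violates={old}, fixed rule violates={new}")
```

The first sample is the false positive from this issue: the old rule never sees `enableFlowLogs` and reports a violation, while the fixed rule reads `logConfig.enable` and passes; both rules still flag the two subnets where logging really is off.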

@amandakarina Can you update this repo so we can close this out?

bharathkkb avatar Jan 21 '22 17:01 bharathkkb

Issue already opened in policy-repo

amandakarina avatar Jan 21 '22 19:01 amandakarina

fixed by https://github.com/terraform-google-modules/terraform-example-foundation/pull/779

bharathkkb avatar Sep 09 '22 01:09 bharathkkb