terraform-provider-google

Documentation for google_identity_platform_config quotas is not correct.

Open archimed-shaman opened this issue 1 year ago • 5 comments

Terraform Version

Terraform v1.5.7 on linux_amd64

  • provider registry.terraform.io/cyrilgdn/postgresql v1.18.0
  • provider registry.terraform.io/hashicorp/google v5.0.0
  • provider registry.terraform.io/hashicorp/random v3.5.1
  • provider registry.terraform.io/hectorj/googlesiteverification v0.4.2

Affected Resource(s)

  • google_identity_platform_config

Terraform Configuration Files

resource "google_identity_platform_config" "default" {
  project = var.gcp_project

  autodelete_anonymous_users = true

  sign_in {
    allow_duplicate_emails = true

    anonymous {
      enabled = false
    }

    email {
      enabled           = true
      password_required = true
    }
  }

  quota {
    sign_up_quota_config {
      quota          = 1000
      start_time     = ""
      # quota_duration = "7200s"
    }
  }

  authorized_domains = [
    "localhost"
  ]
}

Description

Quota description in the example and in the description is not correct.

While start_time is specified as optional, the following error occurs on the empty or absent value:

│ Error: Error updating Config "projects/project-name/config": googleapi: Error 400: INVALID_CONFIG : SignUp quota must start between now and 365 days from now.
│ 
│   with module.identity-platform.google_identity_platform_config.default,
│   on modules/identity/main.tf line 1, in resource "google_identity_platform_config" "default":
│    1: resource "google_identity_platform_config" "default" {

start_time looks to be mandatory for this section and must be a timestamp like 2023-10-07T22:38:23Z. Also, looks like quota_duration is mandatory too as it has no default value. On empty value the following error occurs:

googleapi: Error 400: INVALID_CONFIG : SignUp quota duration must be between 1 hour and 7 days.

b/304233470

archimed-shaman avatar Oct 07 '23 23:10 archimed-shaman

@archimed-shaman what do you see if you completely remove start_time?

  quota {
    sign_up_quota_config {
      quota          = 1000
      quota_duration = "7200s"
    }
  }

I do see the example contains

start_time     = ""

What do you see in its plan even if you leave start_time = "" in the config? Can you share yours?

      + quota {
          + sign_up_quota_config {
              + quota          = 1000
              + quota_duration = "7200s"
            }
        }

edwardmedia avatar Oct 08 '23 13:10 edwardmedia

If you leave off start_time completely you get the following error:

Error: Error updating Config "projects/{project_name}/config": googleapi: Error 400: INVALID_CONFIG : SignUp quota must start between now and 365 days from now.

One way to fix it when you need to have a specific quota is to use:

  quota {
    sign_up_quota_config {
      quota          = 1000
      start_time     = timeadd(timestamp(), "1m") # 1 minute in the future because by the time it executes in GCP this time will be in the past (increase depending on typical GCP execution)
      quota_duration = "7200s"
    }
  }

Otherwise remove the entire quota block to just use defaults which is 100.

While the documentation is incorrect, I believe the behavior is correct. The documentation should show that quota, start_time and quota_duration are mandatory if quota and sign_up_quota_config are used to set a custom sign up quota.

alexkirmse avatar Jan 22 '24 17:01 alexkirmse
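
An added example, not part of the thread or the provider's documentation: the two limits quoted in the API errors above, checked by Terraform itself so a bad value is rejected before the 400 from the API. The variable names signup_quota_duration and signup_quota_start are hypothetical, and plantimestamp() needs Terraform 1.5 or later.

```hcl
# Added example; variable names are hypothetical. Limits come from the API errors above.
variable "gcp_project" { type = string }

variable "signup_quota_duration" {
  type    = string
  default = "7200s"

  validation {
    # "SignUp quota duration must be between 1 hour and 7 days."
    condition = (
      can(regex("^[0-9]+s$", var.signup_quota_duration)) &&
      try(tonumber(trimsuffix(var.signup_quota_duration, "s")), 0) >= 3600 &&
      try(tonumber(trimsuffix(var.signup_quota_duration, "s")), 0) <= 604800
    )
    error_message = "The duration must be whole seconds between 3600s and 604800s."
  }
}

variable "signup_quota_start" {
  type    = string
  default = null # null: start one minute after apply, as in the comment above
}

locals {
  # timestamp() is evaluated at apply, so this default differs on every run.
  signup_quota_start = coalesce(var.signup_quota_start, timeadd(timestamp(), "1m"))
}

resource "google_identity_platform_config" "default" {
  project = var.gcp_project
  quota {
    sign_up_quota_config {
      quota          = 1000
      start_time     = local.signup_quota_start
      quota_duration = var.signup_quota_duration
    }
  }

  lifecycle {
    precondition {
      # "SignUp quota must start between now and 365 days from now." (8760h)
      condition = (
        timecmp(local.signup_quota_start, plantimestamp()) >= 0 &&
        timecmp(local.signup_quota_start, timeadd(plantimestamp(), "8760h")) <= 0
      )
      error_message = "The start time must lie between now and 365 days from now."
    }
  }
}
```

With the default start the precondition is only resolved during apply, because the value is unknown at plan time; an explicit signup_quota_start is checked during plan.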

Hi, I know it's kinda not for this, but where do we set this quota in GCP console? I can't find this anywhere; in API quotas and system limits for Identity Toolkit there's nothing related to this sign up quota. I would love to verify the setting in console but I don't see it anywhere in the UI. I only found this: https://cloud.google.com/identity-platform/quotas Is this the same for documentation? Cause documentation from Google about Identity Platform is imho very poor: https://cloud.google.com/identity-platform/docs/reference/rest/v2/Config#quotaconfig no default, no link to what we are quoting.

Is it this one: New account creation | 100 accounts/hour for each IP address?

Boardtale avatar Feb 10 '24 10:02 Boardtale

timeadd(timestamp(), "1m")

Hi @alexkirmse I am using the timestamp() function without the timeadd function, which works too.

  quota {
    sign_up_quota_config {
      quota = 1000
      start_time = timestamp()
      quota_duration = "7200s"
    }
  }

The timestamp value will be (known after apply).

  + quota {
          + sign_up_quota_config {
              + quota          = 1000
              + quota_duration = "7200s"
              + start_time     = (known after apply)
            }
        }

Michael-shihao-li avatar Feb 13 '24 19:02 Michael-shihao-li

Regarding my previous comment: I found this quota in the UI. Shame it's only a temporary duration though :( not a permanent thing.

Boardtale avatar Feb 13 '24 20:02 Boardtale