terraform-google-project-factory

Fix problem with importing caused by counts in shared_vpc_access

Open roboweaver opened this issue 2 years ago • 0 comments

TL;DR

Recently I've needed to import projects and have run into an issue because TF complains about a value not being known:

Robs-Mac-Pro:google-project-factory-adobe robweaver$ terraform import -var-file project_vars/InProgress/GCP0055/gcp0055.tfvars module.adobe_standard_project.module.project-factory.google_project.main adbe-gcp0055
data.vault_generic_secret.iam_aws_auth: Reading...
data.vault_generic_secret.iam_gcp_auth: Reading...
data.vault_generic_secret.iam_gcp_auth: Read complete after 0s [id=tlm/camp/prod/iam_api_gcp_auth]
data.vault_generic_secret.iam_aws_auth: Read complete after 0s [id=tlm/camp/prod/iam_api_aws_auth]
module.adobe_standard_project.module.project-factory.google_project.main: Importing from ID "adbe-gcp0055"...
module.adobe_standard_project.module.project-factory.google_project.main: Import prepared!
  Prepared google_project for import
module.adobe_standard_project.module.project-factory.google_project.main: Refreshing state... [id=projects/adbe-gcp0055]
╷
│ Error: Invalid count argument
│ 
│   on terraform-google-project-factory/modules/shared_vpc_access/main.tf line 88, in resource "google_project_iam_member" "composer_host_agent":
│   88:   count   = local.composer_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the count depends on.
╵

╷
│ Error: Invalid count argument
│ 
│   on terraform-google-project-factory/modules/shared_vpc_access/main.tf line 99, in resource "google_project_iam_member" "gke_host_agent":
│   99:   count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_network_role ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the count depends on.
╵

╷
│ Error: Invalid count argument
│ 
│   on terraform-google-project-factory/modules/shared_vpc_access/main.tf line 111, in resource "google_project_iam_member" "gke_security_admin":
│  111:   count   = local.gke_shared_vpc_enabled && var.enable_shared_vpc_service_project && var.grant_services_security_admin_role ? 1 : 0
│ 
│ The "count" value depends on resource attributes that cannot be determined until apply, so Terraform cannot predict how many instances will be created. To work around this, use the -target argument to first apply only the resources that the count depends on.
╵

To work around this, I end up modifying the files in modules/shared_vpc_access to have the optional members commented out (see attached Archive.zip).

With that removed I can import successfully:

Robs-Mac-Pro:google-project-factory-adobe robweaver$ terraform import -var-file project_vars/InProgress/GCP0055/gcp0055.tfvars module.adobe_standard_project.module.project-factory.google_project.main adbe-gcp0055
module.adobe_standard_project.module.project-factory.google_project.main: Importing from ID "adbe-gcp0055"...
module.adobe_standard_project.module.project-factory.google_project.main: Import prepared!
  Prepared google_project for import
module.adobe_standard_project.module.project-factory.google_project.main: Refreshing state... [id=projects/adbe-gcp0055]
data.vault_generic_secret.iam_aws_auth: Reading...
data.vault_generic_secret.iam_gcp_auth: Reading...
data.vault_generic_secret.iam_aws_auth: Read complete after 1s [id=tlm/camp/prod/iam_api_aws_auth]
data.vault_generic_secret.iam_gcp_auth: Read complete after 1s [id=tlm/camp/prod/iam_api_gcp_auth]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Terraform Resources

google_project_iam_member.composer_host_agent
google_project_iam_member.gke_host_agent
google_project_iam_member.gke_security_admin

All have counts that are not known. Maybe there is another way to code them as optional that doesn't require resources?

The google_project_iam_member.gke_host_agent is also required in the project_id output.

Detailed design

No response

Additional information

No response

roboweaver, Oct 04 '22 14:10