PROJECT: cannot make change to container annotation cnrm.cloud.google.com/folder-id

[tdigangi]

Describe the bug
When trying to change the folder number in the cnrm.cloud.google.com/folder-id annotation of the already deployed project. I receive the following message.

Step #1: Error: UPGRADE FAILED: cannot patch "ui-tst-lpi-zn-972" with kind Project: admission webhook "deny-immutable-field-updates.cnrm.cloud.google.com" denied the request: error validating container annotations: cannot make change to container annotation cnrm.cloud.google.com/folder-id

ConfigConnector Version
1.8.0

To Reproduce
Using helm install the following snippet with the initial folder number. Once deployed run an upgrade with the new folder number.

YAML snippets:

apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: "{{ $.Values.labels.business_entity }}-{{ $.Values.labels.team_id }}-{{ $.Values.labels.function }}-{{ $.Values.labels.environment }}-{{ $.Values.randNum }}"
  annotations:
     cnrm.cloud.google.com/auto-create-network: "false"
     cnrm.cloud.google.com/folder-id: "<this is changed after install>"
  labels:
    business_entity: {{ $.Values.labels.business_entity }}
spec:
  name: "{{ $.Values.labels.business_entity }}-{{ $.Values.labels.team_id }}-{{ $.Values.labels.function }}-{{ $.Values.labels.environment }}-{{ $.Values.randNum }}"
  billingAccountRef:
    external: "{{ $.Values.billingAccount }}"

[AlexBulankou]

@tdigangi , thanks for filing it. Folder-id annotation is currently immutable and moving projects into a different folder is not supported with Config Connector.
Changing this to type=enhancement. Can you please provide more details on the customer usage? (and please feel free to provide more details over email/file internal bug). Thanks!

[tdigangi]

In general folder structure can change for many reasons in a business this can occur as a migration effort to new IAM roles, org constraints, or to transition to a different folder structure(more nested folders or less). Often times a consumer may wish to keep the same project as well to alleviate potential project migration challenges.

[tedelwartowski-bestbuy]

@AlexBulankou regarding your comment about config connector not supporting moving projects to other folders; I believe this has been incorrectly stated as we are currently able to utilize config connector to move projects between folders. As you indicated, the annotation for folder-id is immutable, however if you abandon the project object, remove it and then apply it with an updated annotation, config connector will in fact correctly move the project to the new folder. Moving a projects does appear to be fully supported by config connector and the only limitation is based on the annotation currently being defined as immutable.

[jcanseco]

Hi all, it is now possible to update the folder-id annotation on a Project or Folder resource to move them across folders in KCC v1.34.0, removing the need for the workaround that @tedelwartowski-bestbuy mentioned above.

Also @tedelwartowski-bestbuy: yes you are correct! This was actually not behavior that had been known until recently and was more of a workaround that worked unintentionally. In any case, you shouldn't have to rely on such a workaround anymore to move projects across folders.

[tedelwartowski-bestbuy]

@jcanseco - thank you; we tested the updated version and it now works as expected.