
Canadian Public Sector Secure PBMM Landing Zone reference using Terraform 1.6 (for now 1.3.10) based on the PSO/TOC ready TEF V4 - Full clean organization deployment with mitigation/automation/parameterization modifications #360

Open
fmichaelobrien opened this issue Apr 7, 2024 · 22 comments
fmichaelobrien commented Apr 7, 2024

A public-sector, Terraform-based landing zone based on TEF V4 that will be V5-ready, for collaboration with GCP PSO/TOC-ready overlay changes.
Key off terraform-google-modules/terraform-example-foundation#1133
Verify as-is v4 after merging #358 - done

TEF (essentially R/O synced with the foundations security blueprint) V4 is
https://github.com/terraform-google-modules/terraform-example-foundation
Fork for automated resync is
https://github.com/CloudLandingZone/terraform-example-foundation

Architecture retrofit in progress via #389

Requirements

  • Both a Federal and Provincial government client need a terraform shadow of a default NIST-800-53/FedRAMP/ITSG-33 compliant landing zone. We have the latest V4 Terraform example below. The goal is to get a parameterized version of the TEF as a terraform analog to the kubernetes based LZ in this repo

Shadow or temporarily host/fork the work to get the TEF up for Public Sector clients, via terraform-google-modules/terraform-example-foundation#1133, until we can get PRs merged directly into the TEF.
The goal is to get everything done directly in the TEF; this repo is only temporary, for velocity, while we work out the PR process with the TEF and the modules in the GCP org
https://github.com/terraform-google-modules/
like
https://github.com/terraform-google-modules/terraform-google-project-factory

Work Items

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/wiki/Work-Items

Architecture and Artifacts

editing

Microsegmentation

There are two classifications in the LZ - restricted and base.
There are three environments - development, non-production, production.

High Level Diagram - Default

High Level Diagram - Development environment only

graph LR;
    style LZ V3 fill:#44f,stroke:#f66,stroke-width:2px,color:#fff,stroke-dasharray: 5 5
    %% mapped and documented
    bootstrap-prj-->seed-prj
    bootstrap-prj-->cicd-prj
    


mermaid - diagrams as code

Projects view


VPC view

Work items and Use Cases

Issues

PRs

Branches

  • main

Deprecates

fmichaelobrien self-assigned this Apr 7, 2024
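Added example, not code from pbmm-on-gcp-onboarding or the TEF: the issue title pins Terraform to 1.3.10 for now, and a pinned binary pulled from releases.hashicorp.com should be checked against the release SHA256SUMS and that file's GPG signature before it is unzipped and run with organization-admin credentials. The script assumes bash, curl, gpg, unzip and sha256sum (or shasum) are installed, that HashiCorp's release signing key has already been imported into the local keyring, and that the release URL layout is https://releases.hashicorp.com/terraform/<version>/ as in the links on this page; the TF_VERSION and TF_OS_ARCH variables and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not part of pbmm-on-gcp-onboarding or the TEF): verify a pinned
# Terraform release archive against HashiCorp's SHA256SUMS before unzipping it.
# Assumed: bash, curl, gpg, unzip and sha256sum/shasum are present, and the
# HashiCorp release key is already in the local gpg keyring.
set -eu

TF_VERSION="${TF_VERSION:-1.3.10}"
TF_OS_ARCH="${TF_OS_ARCH:-linux_amd64}"
TF_BASE_URL="https://releases.hashicorp.com/terraform/${TF_VERSION}"

# Print the SHA-256 hex digest of a file using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a file's digest with the entry for its basename in a SHA256SUMS file
# ("<hex>  <filename>" per line). Returns 0 on match, 1 on mismatch or when
# the file is not listed at all (an unlisted file must never be trusted).
verify_against_sums() {
  local file="$1" sums="$2" expected actual
  expected=$(awk -v n="$(basename "$file")" '$2 == n {print $1}' "$sums")
  if [ -z "$expected" ]; then
    echo "no entry for $(basename "$file") in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$expected" = "$actual" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: expected $expected got $actual" >&2
  return 1
}

# Download the archive, the SHA256SUMS file and its detached signature, check
# the signature with the imported HashiCorp key, then check the archive.
# Needs network access, so it only runs when the script is invoked with "fetch".
fetch_and_verify_terraform() {
  local zip="terraform_${TF_VERSION}_${TF_OS_ARCH}.zip"
  local sums="terraform_${TF_VERSION}_SHA256SUMS"
  curl -fsSLO "${TF_BASE_URL}/${zip}"
  curl -fsSLO "${TF_BASE_URL}/${sums}"
  curl -fsSLO "${TF_BASE_URL}/${sums}.sig"
  # Import the key from https://www.hashicorp.com/security beforehand and
  # compare its fingerprint with the one published there.
  gpg --verify "${sums}.sig" "${sums}"
  verify_against_sums "$zip" "$sums"
  unzip -o "$zip" terraform
  ./terraform --version
}

if [ "${1:-}" = "fetch" ]; then
  fetch_and_verify_terraform
fi
```

Run it as `bash verify-terraform.sh fetch` in a scratch directory instead of the bare wget/unzip in the deployment log. `verify_against_sums` is a pure function, so a Cloud Build step can reuse it on a cached archive without re-downloading. Note that `gpg --verify` only proves the SHA256SUMS file was signed by a key in your keyring; the trust decision is the fingerprint comparison against HashiCorp's published key, which this script does not automate.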

fmichaelobrien commented Apr 7, 2024

20240407: clean org as-is deployment example - before modifications

in ol.xyz clean org with billing quota set

  • billing quota increase of 30 + 15 granted = total of 50
  • project quota increase of 30 - pending

pull latest code and branch

michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ git clone https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding.git
Cloning into 'pbmm-on-gcp-onboarding'...
remote: Enumerating objects: 6193, done.
remote: Counting objects: 100% (2380/2380), done.
remote: Compressing objects: 100% (840/840), done.
remote: Total 6193 (delta 1574), reused 2183 (delta 1510), pack-reused 3813
Receiving objects: 100% (6193/6193), 31.76 MiB | 36.62 MiB/s, done.
Resolving deltas: 100% (3768/3768), done.
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cd pbmm-on-gcp-onboarding/
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding (tef-olxyz)$ cd 0-bootstrap/
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ 

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ git checkout gh360-day0-deploy-example
Branch 'gh360-day0-deploy-example' set up to track remote branch 'gh360-day0-deploy-example' from 'origin'.
Switched to a new branch 'gh360-day0-deploy-example'

super admin roles set


bootstrap project services enabled

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ gcloud services list | grep NAME
NAME: accesscontextmanager.googleapis.com
NAME: analyticshub.googleapis.com
NAME: appengine.googleapis.com
NAME: artifactregistry.googleapis.com
NAME: assuredworkloads.googleapis.com
NAME: bigquery.googleapis.com
NAME: bigqueryconnection.googleapis.com
NAME: bigquerydatapolicy.googleapis.com
NAME: bigquerymigration.googleapis.com
NAME: bigqueryreservation.googleapis.com
NAME: bigquerystorage.googleapis.com
NAME: billingbudgets.googleapis.com
NAME: cloudapis.googleapis.com
NAME: cloudasset.googleapis.com
NAME: cloudbilling.googleapis.com
NAME: cloudbuild.googleapis.com
NAME: cloudidentity.googleapis.com
NAME: cloudkms.googleapis.com
NAME: cloudresourcemanager.googleapis.com
NAME: cloudtrace.googleapis.com
NAME: containerregistry.googleapis.com
NAME: dataform.googleapis.com
NAME: dataplex.googleapis.com
NAME: datastore.googleapis.com
NAME: essentialcontacts.googleapis.com
NAME: iam.googleapis.com
NAME: iamcredentials.googleapis.com
NAME: logging.googleapis.com
NAME: monitoring.googleapis.com
NAME: pubsub.googleapis.com
NAME: securitycenter.googleapis.com
NAME: securitycentermanagement.googleapis.com
NAME: servicemanagement.googleapis.com
NAME: servicenetworking.googleapis.com
NAME: serviceusage.googleapis.com
NAME: sql-component.googleapis.com
NAME: storage-api.googleapis.com
NAME: storage-component.googleapis.com
NAME: storage.googleapis.com

20240409:1020

copy tfvars before modifying for group creation

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/0-bootstrap/README.md#deploying-with-cloud-build

Missing tfvars files because of .gitignore filter - fixed in https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/pull/366/files for #365

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ git mv terraform.example.tfvars terraform.tfvars

replace
get org via https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/gh766-script/solutions/setup.sh#L101

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ BOOT_PROJECT_ID=tef-olxyz
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ORG_ID=$(gcloud projects get-ancestors $BOOT_PROJECT_ID --format='get(id)' | tail -1)
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ BILLING_FORMAT="--format=value(billingAccountName)"
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ BILLING_ID=$(gcloud billing projects describe $BOOT_PROJECT_ID $BILLING_FORMAT | sed 's/.*\///')
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')



terraform.tfvars

org_id = "10...5" # format "000000000000"
billing_account = "01...C8" # format "000000-000000-000000"
// For enabling the automatic groups creation, uncomment the
// variables and update the values with the group names
groups = {
  create_required_groups = false # Change to true to create the required_groups
  create_optional_groups = false # Change to true to create the optional_groups
  billing_project        = "tef-olxyz"  # Fill to create required or optional groups
  required_groups = {
    group_org_admins           = "gcp-organization-admins@o..yz" # example "gcp-organization-admins@example.com"
    group_billing_admins       = "gcp-billing-admins@o..yz" # example "gcp-billing-admins@example.com"
    billing_data_users         = "gcp-billing-data@o..yz" # example "gcp-billing-data@example.com"
    audit_data_users           = "gcp-audit-data@o..yz" # example "gcp-audit-data@example.com"
    monitoring_workspace_users = "gcp-monitoring-workspace@o..yz" # example "gcp-monitoring-workspace@example.com"
  }
   optional_groups = {
     gcp_security_reviewer      = "gcp_security_reviewer_local_test@o..yz" #"gcp_security_reviewer_local_test@example.com"
     gcp_network_viewer         = "gcp_network_viewer_local_test@o..yz" #"gcp_network_viewer_local_test@example.com"
     gcp_scc_admin              = "gcp_scc_admin_local_test@o..yz" #"gcp_scc_admin_local_test@example.com"
     gcp_global_secrets_admin   = "gcp_global_secrets_admin_local_test@o..yz" #"gcp_global_secrets_admin_local_test@example.com"
     gcp_kms_admin              = "gcp_kms_admin_local_test@o..yz" #"gcp_kms_admin_local_test@example.com"
   }
}

# 20240409 leave for now until we fix regionalization for northamerica-northeast1/2
default_region = "us-central1"

# Optional - for an organization with existing projects or for development/validation.
# Uncomment this variable to place all the example foundation resources under
# the provided folder instead of the root organization.
# The variable value is the numeric folder ID
# The folder must already exist.
parent_folder = "7..7"

with fix #367

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ../scripts/validate-requirements.sh -o $ORG_ID -b $BILLING_ID -u $EMAIL
Validating required utility tools...
Validating Terraform installation...
Validating Google Cloud SDK installation...
Validating Git installation...
  git default branch must be configured as main.
  See the instructions at https://github.com/terraform-google-modules/terraform-example-foundation/blob/master/docs/TROUBLESHOOTING.md#default-branch-setting .
Validating local gcloud configuration...
Validating roles assignment for current end user credential...
Validating 0-bootstrap configuration...
.......................................
Validation failed!
Errors found:
  git default branch must be configured as main.

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ../scripts/validate-requirements.sh -o $ORG_ID -b $BILLING_ID -u $EMAIL
Validating required utility tools...
Validating Terraform installation...
Validating Google Cloud SDK installation...
Validating Git installation...
Validating local gcloud configuration...
Validating roles assignment for current end user credential...
Validating 0-bootstrap configuration...
.......................................
Validation successful!
No errors found.

prereq - automated group creation

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/0-bootstrap/README.md#prerequisites
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/0-bootstrap/README.md#optional---automatic-creation-of-google-cloud-identity-groups

already set
NAME: cloudidentity.googleapis.com

already set on super admin
Service Usage Admin

terraform init - do 1.3 downgrade first

We will eventually need a later, pbr-friendly 1.6 version
to avoid TF state file errors during the 1-org transition from 1.7 to 1.3 - terraform-google-modules/terraform-example-foundation#1151
https://releases.hashicorp.com/terraform/
Current version is 1.8.0 in RC, in gcloud we are running 1.7.5

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ terraform --version
Terraform v1.7.5
on linux_amd64

Installing local terraform 1.3.10

https://releases.hashicorp.com/terraform/1.3.10/
https://releases.hashicorp.com/terraform/1.3.10/terraform_1.3.10_linux_amd64.zip

wget https://releases.hashicorp.com/terraform/1.3.10/terraform_1.3.10_linux_amd64.zip
--2024-04-09 15:34:34--  https://releases.hashicorp.com/terraform/1.3.10/terraform_1.3.10_linux_amd64.zip
Resolving releases.hashicorp.com (releases.hashicorp.com)... 18.239.225.114, 18.239.225.27, 18.239.225.39, ...
Connecting to releases.hashicorp.com (releases.hashicorp.com)|18.239.225.114|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19989918 (19M) [application/zip]
Saving to: ‘terraform_1.3.10_linux_amd64.zip’

terraform_1.3.10_linux_amd64.zip               100%[=================================================================================================>]  19.06M  80.1MB/s    in 0.2s    

2024-04-09 15:34:35 (80.1 MB/s) - ‘terraform_1.3.10_linux_amd64.zip’ saved [19989918/19989918]


michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ unzip terraform_1.3.10_linux_amd64.zip 
Archive:  terraform_1.3.10_linux_amd64.zip
  inflating: terraform               

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform --version
Terraform v1.3.10
on linux_amd64

Terraform init

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform init
Initializing modules...
Downloading registry.terraform.io/terraform-google-modules/gcloud/google 3.4.0 for bootstrap_csr_repo...
- bootstrap_csr_repo in .terraform/modules/bootstrap_csr_repo
- bootstrap_projects_remove_editor in modules/parent-iam-remove-role
Downloading registry.terraform.io/terraform-google-modules/gcloud/google 3.4.0 for build_terraform_image...
- build_terraform_image in .terraform/modules/build_terraform_image
- cicd_project_iam_member in modules/parent-iam-member
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for gcp_projects_state_bucket...
- gcp_projects_state_bucket in .terraform/modules/gcp_projects_state_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/group/google 0.6.1 for optional_group...
- optional_group in .terraform/modules/optional_group
- org_iam_member in modules/parent-iam-member
- parent_iam_member in modules/parent-iam-member
Downloading registry.terraform.io/terraform-google-modules/group/google 0.6.1 for required_group...
- required_group in .terraform/modules/required_group
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.1.0 for seed_bootstrap...
- seed_bootstrap in .terraform/modules/seed_bootstrap
Downloading registry.terraform.io/terraform-google-modules/org-policy/google 5.3.0 for seed_bootstrap.enable_cross_project_service_account_usage...
- seed_bootstrap.enable_cross_project_service_account_usage in .terraform/modules/seed_bootstrap.enable_cross_project_service_account_usage
Downloading registry.terraform.io/terraform-google-modules/kms/google 2.3.0 for seed_bootstrap.kms...
- seed_bootstrap.kms in .terraform/modules/seed_bootstrap.kms
Downloading registry.terraform.io/terraform-google-modules/project-factory/google 14.5.0 for seed_bootstrap.seed_project...
- seed_bootstrap.seed_project in .terraform/modules/seed_bootstrap.seed_project
- seed_bootstrap.seed_project.budget in .terraform/modules/seed_bootstrap.seed_project/modules/budget
- seed_bootstrap.seed_project.essential_contacts in .terraform/modules/seed_bootstrap.seed_project/modules/essential_contacts
- seed_bootstrap.seed_project.gsuite_group in .terraform/modules/seed_bootstrap.seed_project/modules/gsuite_group
- seed_bootstrap.seed_project.project-factory in .terraform/modules/seed_bootstrap.seed_project/modules/core_project_factory
- seed_bootstrap.seed_project.project-factory.project_services in .terraform/modules/seed_bootstrap.seed_project/modules/project_services
- seed_bootstrap.seed_project.quotas in .terraform/modules/seed_bootstrap.seed_project/modules/quota_manager
- seed_bootstrap.seed_project.shared_vpc_access in .terraform/modules/seed_bootstrap.seed_project/modules/shared_vpc_access
- seed_project_iam_member in modules/parent-iam-member
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.1.0 for tf_cloud_builder...
- tf_cloud_builder in .terraform/modules/tf_cloud_builder/modules/tf_cloudbuild_builder
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_cloud_builder.bucket...
- tf_cloud_builder.bucket in .terraform/modules/tf_cloud_builder.bucket/modules/simple_bucket
- tf_private_pool in modules/cb-private-pool
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for tf_private_pool.firewall_rules...
- tf_private_pool.firewall_rules in .terraform/modules/tf_private_pool.firewall_rules/modules/firewall-rules
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for tf_private_pool.peered_network...
- tf_private_pool.peered_network in .terraform/modules/tf_private_pool.peered_network
- tf_private_pool.peered_network.firewall_rules in .terraform/modules/tf_private_pool.peered_network/modules/firewall-rules
- tf_private_pool.peered_network.routes in .terraform/modules/tf_private_pool.peered_network/modules/routes
- tf_private_pool.peered_network.subnets in .terraform/modules/tf_private_pool.peered_network/modules/subnets
- tf_private_pool.peered_network.vpc in .terraform/modules/tf_private_pool.peered_network/modules/vpc
Downloading registry.terraform.io/terraform-google-modules/vpn/google 4.0.0 for tf_private_pool.vpn_ha_cb_to_onprem...
- tf_private_pool.vpn_ha_cb_to_onprem in .terraform/modules/tf_private_pool.vpn_ha_cb_to_onprem/modules/vpn_ha
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.1.0 for tf_source...
- tf_source in .terraform/modules/tf_source/modules/tf_cloudbuild_source
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_source.cloudbuild_bucket...
- tf_source.cloudbuild_bucket in .terraform/modules/tf_source.cloudbuild_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/project-factory/google 14.5.0 for tf_source.cloudbuild_project...
- tf_source.cloudbuild_project in .terraform/modules/tf_source.cloudbuild_project
- tf_source.cloudbuild_project.budget in .terraform/modules/tf_source.cloudbuild_project/modules/budget
- tf_source.cloudbuild_project.essential_contacts in .terraform/modules/tf_source.cloudbuild_project/modules/essential_contacts
- tf_source.cloudbuild_project.gsuite_group in .terraform/modules/tf_source.cloudbuild_project/modules/gsuite_group
- tf_source.cloudbuild_project.project-factory in .terraform/modules/tf_source.cloudbuild_project/modules/core_project_factory
- tf_source.cloudbuild_project.project-factory.project_services in .terraform/modules/tf_source.cloudbuild_project/modules/project_services
- tf_source.cloudbuild_project.quotas in .terraform/modules/tf_source.cloudbuild_project/modules/quota_manager
- tf_source.cloudbuild_project.shared_vpc_access in .terraform/modules/tf_source.cloudbuild_project/modules/shared_vpc_access
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.1.0 for tf_workspace...
- tf_workspace in .terraform/modules/tf_workspace/modules/tf_cloudbuild_workspace
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_workspace.artifacts_bucket...
- tf_workspace.artifacts_bucket in .terraform/modules/tf_workspace.artifacts_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_workspace.log_bucket...
- tf_workspace.log_bucket in .terraform/modules/tf_workspace.log_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_workspace.state_bucket...
- tf_workspace.state_bucket in .terraform/modules/tf_workspace.state_bucket/modules/simple_bucket

Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/null versions matching ">= 2.1.0"...
- Finding hashicorp/external versions matching ">= 2.2.2"...
- Finding hashicorp/google versions matching ">= 3.33.0, >= 3.43.0, >= 3.50.0, >= 3.53.0, >= 3.64.0, >= 3.67.0, >= 3.77.0, >= 3.83.0, >= 4.17.0, >= 4.25.0, >= 4.28.0, != 4.31.0, >= 4.46.0, >= 4.64.0, >= 5.7.0, < 6.0.0"...
- Finding hashicorp/random versions matching ">= 2.1.0, >= 2.2.0, >= 3.1.0, ~> 3.4"...
- Finding hashicorp/time versions matching ">= 0.5.0"...
- Finding hashicorp/google-beta versions matching ">= 3.43.0, >= 3.50.0, >= 3.64.0, >= 3.67.0, >= 3.77.0, >= 4.11.0, >= 4.17.0, >= 4.28.0, != 4.31.0, >= 4.64.0, >= 5.7.0, < 6.0.0"...
- Installing hashicorp/external v2.3.3...
- Installed hashicorp/external v2.3.3 (signed by HashiCorp)
- Installing hashicorp/google v5.24.0...
- Installed hashicorp/google v5.24.0 (signed by HashiCorp)
- Installing hashicorp/random v3.6.0...
- Installed hashicorp/random v3.6.0 (signed by HashiCorp)
- Installing hashicorp/time v0.11.1...
- Installed hashicorp/time v0.11.1 (signed by HashiCorp)
- Installing hashicorp/google-beta v5.24.0...
- Installed hashicorp/google-beta v5.24.0 (signed by HashiCorp)
- Installing hashicorp/null v3.2.2...
- Installed hashicorp/null v3.2.2 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

terraform plan

1137

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform plan -input=false -out bootstrap.tfplan
  + seed_project_id                                   = (known after apply)

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Saved the plan to: bootstrap.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "bootstrap.tfplan"

terraform vet - skip - need a local shell

terraform apply

1140
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform apply bootstrap.tfplan

module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/billing.user"]: Creating...
module.seed_bootstrap.google_folder_iam_member.tmp_project_creator[0]: Creating...
╷
│ Error: Error creating folder 'fldr-bootstrap' in 'folders/736660879367': googleapi: Error 401: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "metadata": {
│       "method": "google.cloud.resourcemanager.v3.Folders.CreateFolder",
│       "service": "cloudresourcemanager.googleapis.com"
│     },
│     "reason": "ACCESS_TOKEN_EXPIRED"
│   }
│ ]
│ 
│ More details:
│ Reason: authError, Message: Invalid Credentials

relogin - rerun plan
  + gcs_bucket_tfstate                                = "bkt-prj-b-seed-tfstate-7120"
  + networks_step_terraform_service_account_email     = (known after apply)
  + organization_step_terraform_service_account_email = (known after apply)
  + projects_gcs_bucket_tfstate                       = "bkt-prj-b-seed-8919-gcp-projects-tfstate"
  + projects_step_terraform_service_account_email     = (known after apply)
  + seed_project_id                                   = "prj-b-seed-8919"

────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Saved the plan to: bootstrap.tfplan

To perform exactly these actions, run the following command to apply:

terraform apply

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform apply bootstrap.tfplan

module.seed_bootstrap.google_organization_iam_binding.billing_creator: Creating...
module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/resourcemanager.organizationAdmin"]: Creating...
module.seed_bootstrap.google_folder_iam_member.org_admin_service_account_user[0]: Creating...
module.seed_bootstrap.google_organization_iam_member.org_billing_admin: Creating...
module.seed_bootstrap.google_folder_iam_member.org_admin_serviceusage_consumer[0]: Creating...
module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/billing.user"]: Creating...
module.seed_bootstrap.google_folder_iam_member.tmp_project_creator[0]: Creating...
google_folder.bootstrap: Creating...
google_folder.bootstrap: Still creating... [10s elapsed]
google_folder.bootstrap: Creation complete after 11s [id=folders/173484768969]
╷
│ Error: Error applying IAM policy for folder "folders/736660879367": Error setting IAM policy for folder "folders/736660879367": googleapi: Error 400: Group gcp-organization-admins@obrienlabs.xyz does not exist., badRequest
│ 
│   with module.seed_bootstrap.google_folder_iam_member.tmp_project_creator[0],
│   on .terraform/modules/seed_bootstrap/main.tf line 47, in resource "google_folder_iam_member" "tmp_project_creator":
│   47: resource "google_folder_iam_member" "tmp_project_creator" {
│ 
╵
╷
│ Error: Error applying IAM policy for organization "1064386348915": Error setting IAM policy for organization "1064386348915": googleapi: Error 400: Group gcp-billing-admins@obrienlabs.xyz does not exist., badRequest
│ 
│   with module.seed_bootstrap.google_organization_iam_binding.billing_creator,
│   on .terraform/modules/seed_bootstrap/main.tf line 156, in resource "google_organization_iam_binding" "billing_creator":
│  156: resource "google_organization_iam_binding" "billing_creator" {
│ 
╵
╷
│ Error: Error applying IAM policy for organization "1064386348915": Error setting IAM policy for organization "1064386348915": googleapi: Error 400: Group gcp-organization-admins@obrienlabs.xyz does not exist., badRequest
│ 
│   with module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/resourcemanager.organizationAdmin"],
│   on .terraform/modules/seed_bootstrap/main.tf line 184, in resource "google_organization_iam_member" "org_admins_group":
│  184: resource "google_organization_iam_member" "org_admins_group" {
│ 
╵
╷
│ Error: Error applying IAM policy for organization "1064386348915": Error setting IAM policy for organization "1064386348915": googleapi: Error 400: Group gcp-organization-admins@obrienlabs.xyz does not exist., badRequest
│ 
│   with module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/billing.user"],
│   on .terraform/modules/seed_bootstrap/main.tf line 184, in resource "google_organization_iam_member" "org_admins_group":
│  184: resource "google_organization_iam_member" "org_admins_group" {
│ 
╵
╷
│ Error: Error applying IAM policy for organization "1064386348915": Error setting IAM policy for organization "1064386348915": googleapi: Error 400: Group gcp-billing-admins@obrienlabs.xyz does not exist., badRequest
│ 
│   with module.seed_bootstrap.google_organization_iam_member.org_billing_admin,
│   on .terraform/modules/seed_bootstrap/main.tf line 196, in resource "google_organization_iam_member" "org_billing_admin":
│  196: resource "google_organization_iam_member" "org_billing_admin" {
│ 
╵
╷
│ Error: Error applying IAM policy for folder "folders/736660879367": Error setting IAM policy for folder "folders/736660879367": googleapi: Error 400: Group gcp-organization-admins@obrienlabs.xyz does not exist., badRequest
│ 
│   with module.seed_bootstrap.google_folder_iam_member.org_admin_service_account_user[0],
│   on .terraform/modules/seed_bootstrap/main.tf line 259, in resource "google_folder_iam_member" "org_admin_service_account_user":
│  259: resource "google_folder_iam_member" "org_admin_service_account_user" {
│ 
╵
╷
│ Error: Error applying IAM policy for folder "folders/736660879367": Error setting IAM policy for folder "folders/736660879367": googleapi: Error 400: Group gcp-organization-admins@obrienlabs.xyz does not exist., badRequest
│ 
│   with module.seed_bootstrap.google_folder_iam_member.org_admin_serviceusage_consumer[0],
│   on .terraform/modules/seed_bootstrap/main.tf line 267, in resource "google_folder_iam_member" "org_admin_serviceusage_consumer":
│  267: resource "google_folder_iam_member" "org_admin_serviceusage_consumer" {

group creation needs flags set

groups are not created - forgot to flip the flags to true

  create_required_groups = true # Change to true to create the required_groups
  create_optional_groups = true # Change to true to create the optional_groups

terraform init, plan, apply

1145

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform apply bootstrap.tfplan
module.seed_bootstrap.google_organization_iam_binding.billing_creator: Creating...
module.seed_bootstrap.google_organization_iam_member.org_billing_admin: Creating...
module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/billing.user"]: Creating...
module.seed_bootstrap.google_folder_iam_member.tmp_project_creator[0]: Creating...
module.seed_bootstrap.google_folder_iam_member.org_admin_service_account_user[0]: Creating...
module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/resourcemanager.organizationAdmin"]: Creating...
module.seed_bootstrap.google_folder_iam_member.org_admin_serviceusage_consumer[0]: Creating...
module.required_group["group_org_admins"].google_cloud_identity_group.group: Creating...
module.required_group["audit_data_users"].google_cloud_identity_group.group: Creating...
module.optional_group["gcp_global_secrets_admin"].google_cloud_identity_group.group: Creating...
module.required_group["billing_data_users"].google_cloud_identity_group.group: Creating...
module.optional_group["gcp_kms_admin"].google_cloud_identity_group.group: Creating...
module.required_group["monitoring_workspace_users"].google_cloud_identity_group.group: Creating...
module.seed_bootstrap.google_folder_iam_member.org_admin_service_account_user[0]: Creation complete after 5s [id=folders/736660879367/roles/iam.serviceAccountUser/group:gcp-organization-admins@obrienlabs.xyz]
module.optional_group["gcp_network_viewer"].google_cloud_identity_group.group: Creating...

module.optional_group["gcp_security_reviewer"].google_cloud_identity_group.group: Creation complete after 8s [id=groups/00lnxbz93t65t5i]
╷
│ Error: Error applying IAM policy for folder "folders/736660879367": Error setting IAM policy for folder "folders/736660879367": googleapi: Error 400: Group gcp-organization-admins@obrienlabs.xyz does not exist., badRequest
│ 
│   with module.seed_bootstrap.google_folder_iam_member.tmp_project_creator[0],
│   on .terraform/modules/seed_bootstrap/main.tf line 47, in resource "google_folder_iam_member" "tmp_project_creator":
│   47: resource "google_folder_iam_member" "tmp_project_creator" {
│ 


group and groups exist - checking eventually consistent timing

terraform plan/apply 4 - after wait state

1151

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform apply bootstrap.tfplan
module.seed_bootstrap.google_organization_iam_binding.billing_creator: Creating...
module.seed_bootstrap.google_folder_iam_member.tmp_project_creator[0]: Creating...
module.seed_bootstrap.google_organization_iam_member.org_billing_admin: Creating...
module.seed_bootstrap.google_folder_iam_member.tmp_project_creator[0]: Creation complete after 5s [id=folders/736660879367/roles/resourcemanager.projectCreator/group:gcp-organization-admins@obrienlabs.xyz]
module.seed_bootstrap.google_organization_iam_binding.billing_creator: Creation complete after 5s [id=1064386348915/roles/billing.creator]
module.seed_bootstrap.module.seed_project.module.project-factory.google_project.main: Creating...
module.seed_bootstrap.google_organization_iam_member.org_billing_admin: Creation complete after 9s [id=1064386348915/roles/billing.admin/group:gcp-billing-admins@obrienlabs.xyz]


module.seed_bootstrap.module.seed_project.module.project-factory.google_project.main: Creation complete after 3m24s [id=projects/prj-b-seed-8919]
module.seed_bootstrap.module.seed_project.module.project-factory.google_resource_manager_lien.lien[0]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["compute.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["assuredworkloads.googleapis.com"]: Creating...


module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["storage-api.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["securitycenter.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["pubsub.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.google_resource_manager_lien.lien[0]: Creation complete after 1s [id=p437626936473-l42f64df3-a0f1-4de5-b8bc-39d20274d516]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["essentialcontacts.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["compute.googleapis.com"]: Creation complete after 3s [id=prj-b-seed-8919/compute.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbilling.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["assuredworkloads.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["storage-api.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["pubsub.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["securitycenter.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["essentialcontacts.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbilling.googleapis.com"]: Still creating... [10s elapsed]

module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["assuredworkloads.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["storage-api.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["securitycenter.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["pubsub.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["essentialcontacts.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["storage-api.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/storage-api.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/iam.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["assuredworkloads.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/assuredworkloads.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/cloudkms.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["pubsub.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/pubsub.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["serviceusage.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["essentialcontacts.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/essentialcontacts.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Creation complete after 22s [id=prj-b-seed-8919/cloudresourcemanager.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["accesscontextmanager.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["admin.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["securitycenter.googleapis.com"]: Creation complete after 22s [id=prj-b-seed-8919/securitycenter.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creation complete after 22s [id=prj-b-seed-8919/logging.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["monitoring.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["appengine.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["servicenetworking.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbilling.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbilling.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/cloudbilling.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["iamcredentials.googleapis.com"]: Creation complete after 3s [id=prj-b-seed-8919/iamcredentials.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["serviceusage.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["admin.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["accesscontextmanager.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["monitoring.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["appengine.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["servicenetworking.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Still creating... [10s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["admin.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["accesscontextmanager.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["monitoring.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["appengine.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["servicenetworking.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Still creating... [20s elapsed]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/cloudbuild.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["appengine.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/appengine.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/billingbudgets.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["admin.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/admin.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["serviceusage.googleapis.com"]: Creation complete after 22s [id=prj-b-seed-8919/serviceusage.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["servicenetworking.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/servicenetworking.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/bigquery.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["accesscontextmanager.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/accesscontextmanager.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["monitoring.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/monitoring.googleapis.com]
module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Still creating... [20s elapsed]

module.seed_bootstrap.module.seed_project.module.project-factory.module.project_services.google_project_service.project_services["cloudasset.googleapis.com"]: Creation complete after 21s [id=prj-b-seed-8919/cloudasset.googleapis.com]
module.seed_bootstrap.data.google_storage_project_service_account.gcs_account: Reading...
module.seed_bootstrap.module.seed_project.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creating...
google_service_account.terraform-env-sa["proj"]: Creating...
google_service_account.terraform-env-sa["org"]: Creating...
google_service_account.terraform-env-sa["net"]: Creating...
google_service_account.terraform-env-sa["bootstrap"]: Creating...
module.seed_bootstrap.module.kms[0].google_kms_key_ring.key_ring: Creating...
google_service_account.terraform-env-sa["env"]: Creating...
module.seed_bootstrap.module.enable_cross_project_service_account_usage.google_project_organization_policy.project_policy_boolean[0]: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creation complete after 0s [id=projects/prj-b-seed-8919]
module.seed_bootstrap.module.kms[0].google_kms_key_ring.key_ring: Creation complete after 1s [id=projects/prj-b-seed-8919/locations/us-central1/keyRings/prj-keyring]
module.seed_bootstrap.module.kms[0].google_kms_crypto_key.key[0]: Creating...
module.seed_bootstrap.module.kms[0].google_kms_crypto_key.key[0]: Creation complete after 0s [id=projects/prj-b-seed-8919/locations/us-central1/keyRings/prj-keyring/cryptoKeys/prj-key]
module.seed_bootstrap.data.google_storage_project_service_account.gcs_account: Read complete after 1s [id=service-437626936473@gs-project-accounts.iam.gserviceaccount.com]
module.seed_bootstrap.module.kms[0].google_kms_crypto_key_iam_binding.decrypters[0]: Creating...
module.seed_bootstrap.module.kms[0].google_kms_crypto_key_iam_binding.encrypters[0]: Creating...
google_service_account.terraform-env-sa["net"]: Creation complete after 1s [id=projects/prj-b-seed-8919/serviceAccounts/sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.seed_bootstrap.module.enable_cross_project_service_account_usage.google_project_organization_policy.project_policy_boolean[0]: Creation complete after 1s [id=prj-b-seed-8919:constraints/iam.disableCrossProjectServiceAccountUsage]
google_service_account.terraform-env-sa["bootstrap"]: Creation complete after 1s [id=projects/prj-b-seed-8919/serviceAccounts/sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
google_service_account.terraform-env-sa["proj"]: Creation complete after 2s [id=projects/prj-b-seed-8919/serviceAccounts/sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
google_service_account.terraform-env-sa["org"]: Creation complete after 2s [id=projects/prj-b-seed-8919/serviceAccounts/sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
google_billing_account_iam_member.billing_account_sink: Creating...
google_service_account.terraform-env-sa["env"]: Creation complete after 5s [id=projects/prj-b-seed-8919/serviceAccounts/sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
google_billing_account_iam_member.tf_billing_user["org"]: Creating...
google_billing_account_iam_member.tf_billing_user["env"]: Creating...
google_billing_account_iam_member.tf_billing_user["bootstrap"]: Creating...
module.seed_bootstrap.google_folder_iam_binding.project_creator[0]: Creating...
google_billing_account_iam_member.tf_billing_user["net"]: Creating...
google_billing_account_iam_member.tf_billing_user["proj"]: Creating...
module.seed_project_iam_member["net"].google_project_iam_member.project_parent_iam["roles/storage.objectAdmin"]: Creating...
google_billing_account_iam_member.billing_account_sink: Creation complete after 4s [id=01BCCE-4EC0EE-DC58C8/roles/logging.configWriter/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.seed_project_iam_member["proj"].google_project_iam_member.project_parent_iam["roles/storage.objectAdmin"]: Creating...
module.seed_bootstrap.module.kms[0].google_kms_crypto_key_iam_binding.decrypters[0]: Creation complete after 8s [id=projects/prj-b-seed-8919/locations/us-central1/keyRings/prj-keyring/cryptoKeys/prj-key/roles/cloudkms.cryptoKeyDecrypter]
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/iam.serviceAccountAdmin"]: Creating...
module.seed_bootstrap.module.kms[0].google_kms_crypto_key_iam_binding.encrypters[0]: Creation complete after 8s [id=projects/prj-b-seed-8919/locations/us-central1/keyRings/prj-keyring/cryptoKeys/prj-key/roles/cloudkms.cryptoKeyEncrypter]
module.seed_project_iam_member["org"].google_project_iam_member.project_parent_iam["roles/storage.objectAdmin"]: Creating...
module.seed_bootstrap.google_folder_iam_binding.project_creator[0]: Creation complete after 5s [id=folders/736660879367/roles/resourcemanager.projectCreator]
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/cloudkms.admin"]: Creating...

google_billing_account_iam_member.tf_billing_user["org"]: Still creating... [10s elapsed]
google_billing_account_iam_member.tf_billing_user["env"]: Still creating... [10s elapsed]
google_billing_account_iam_member.tf_billing_user["bootstrap"]: Still creating... [10s elapsed]
google_billing_account_iam_member.tf_billing_user["net"]: Still creating... [10s elapsed]
google_billing_account_iam_member.tf_billing_user["proj"]: Still creating... [10s elapsed]
module.seed_project_iam_member["net"].google_project_iam_member.project_parent_iam["roles/storage.objectAdmin"]: Still creating... [10s elapsed]
module.seed_project_iam_member["proj"].google_project_iam_member.project_parent_iam["roles/storage.objectAdmin"]: Creation complete after 10s [id=prj-b-seed-8919/roles/storage.objectAdmin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/storage.admin"]: Creating...
module.seed_project_iam_member["net"].google_project_iam_member.project_parent_iam["roles/storage.objectAdmin"]: Creation complete after 11s [id=prj-b-seed-8919/roles/storage.objectAdmin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/resourcemanager.projectDeleter"]: Creating...
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/cloudkms.admin"]: Creation complete after 7s [id=prj-b-seed-8919/roles/cloudkms.admin/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.seed_project_iam_member["env"].google_project_iam_member.project_parent_iam["roles/storage.objectAdmin"]: Creating...
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/iam.serviceAccountAdmin"]: Creation complete after 8s [id=prj-b-seed-8919/roles/iam.serviceAccountAdmin/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.securityAdmin"]: Creating...
module.seed_project_iam_member["org"].google_project_iam_member.project_parent_iam["roles/storage.objectAdmin"]: Creation complete after 8s [id=prj-b-seed-8919/roles/storage.objectAdmin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderViewer"]: Creating...
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.securityAdmin"]: Creation complete after 4s [id=folders/736660879367/roles/compute.securityAdmin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["bootstrap"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Creating...
module.seed_project_iam_member["env"].google_project_iam_member.project_parent_iam["roles/storage.objectAdmin"]: Creation complete after 7s [id=prj-b-seed-8919/roles/storage.objectAdmin/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.networkAdmin"]: Creating...
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/storage.admin"]: Creation complete after 8s [id=prj-b-seed-8919/roles/storage.admin/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/dns.admin"]: Creating...
module.seed_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/resourcemanager.projectDeleter"]: Creation complete after 8s [id=prj-b-seed-8919/roles/resourcemanager.projectDeleter/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityPolicyAdmin"]: Creating...
google_billing_account_iam_member.tf_billing_user["org"]: Still creating... [20s elapsed]
google_billing_account_iam_member.tf_billing_user["env"]: Still creating... [20s elapsed]
google_billing_account_iam_member.tf_billing_user["bootstrap"]: Still creating... [20s elapsed]
google_billing_account_iam_member.tf_billing_user["net"]: Still creating... [20s elapsed]
google_billing_account_iam_member.tf_billing_user["proj"]: Still creating... [20s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderViewer"]: Creation complete after 9s [id=folders/736660879367/roles/resourcemanager.folderViewer/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["env"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Creating...
google_billing_account_iam_member.tf_billing_user["org"]: Creation complete after 22s [id=01BCCE-4EC0EE-DC58C8/roles/billing.user/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityResourceAdmin"]: Creating...
google_billing_account_iam_member.tf_billing_user["env"]: Creation complete after 23s [id=01BCCE-4EC0EE-DC58C8/roles/billing.user/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Creating...
google_billing_account_iam_member.tf_billing_user["bootstrap"]: Creation complete after 23s [id=01BCCE-4EC0EE-DC58C8/roles/billing.user/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["org"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Creating...
google_billing_account_iam_member.tf_billing_user["net"]: Creation complete after 23s [id=01BCCE-4EC0EE-DC58C8/roles/billing.user/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.xpnAdmin"]: Creating...
google_billing_account_iam_member.tf_billing_user["proj"]: Creation complete after 23s [id=01BCCE-4EC0EE-DC58C8/roles/billing.user/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/artifactregistry.admin"]: Creating...
module.parent_iam_member["bootstrap"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [10s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.networkAdmin"]: Still creating... [10s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/dns.admin"]: Still creating... [10s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityPolicyAdmin"]: Still creating... [10s elapsed]
module.parent_iam_member["env"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [10s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityResourceAdmin"]: Still creating... [10s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [10s elapsed]
module.parent_iam_member["org"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [10s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.xpnAdmin"]: Still creating... [10s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/artifactregistry.admin"]: Still creating... [10s elapsed]
module.parent_iam_member["bootstrap"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [20s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.networkAdmin"]: Still creating... [20s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/dns.admin"]: Still creating... [20s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityPolicyAdmin"]: Still creating... [20s elapsed]
module.parent_iam_member["env"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [20s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityResourceAdmin"]: Still creating... [20s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [20s elapsed]
module.parent_iam_member["org"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [20s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.xpnAdmin"]: Still creating... [20s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/artifactregistry.admin"]: Still creating... [20s elapsed]
module.parent_iam_member["bootstrap"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [30s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.networkAdmin"]: Still creating... [30s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/dns.admin"]: Still creating... [30s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityPolicyAdmin"]: Still creating... [30s elapsed]
module.parent_iam_member["env"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [30s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityResourceAdmin"]: Still creating... [30s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [30s elapsed]
module.parent_iam_member["org"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [30s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.xpnAdmin"]: Still creating... [30s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/artifactregistry.admin"]: Still creating... [30s elapsed]

module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityPolicyAdmin"]: Still creating... [40s elapsed]
module.parent_iam_member["env"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [40s elapsed]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityResourceAdmin"]: Still creating... [40s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [40s elapsed]
module.parent_iam_member["org"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Still creating... [40s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.xpnAdmin"]: Still creating... [40s elapsed]
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/artifactregistry.admin"]: Still creating... [40s elapsed]
module.parent_iam_member["bootstrap"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Creation complete after 49s [id=folders/736660879367/roles/resourcemanager.folderAdmin/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.networkAdmin"]: Creating...
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.networkAdmin"]: Creation complete after 47s [id=folders/736660879367/roles/compute.networkAdmin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/logging.configWriter"]: Creating...
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/dns.admin"]: Creation complete after 47s [id=folders/736660879367/roles/dns.admin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creating...
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityPolicyAdmin"]: Creation complete after 47s [id=folders/736660879367/roles/compute.orgSecurityPolicyAdmin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creating...
module.parent_iam_member["env"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Creation complete after 45s [id=folders/736660879367/roles/resourcemanager.folderAdmin/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Creating...
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.orgSecurityResourceAdmin"]: Creation complete after 43s [id=folders/736660879367/roles/compute.orgSecurityResourceAdmin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Creating...
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Creation complete after 44s [id=folders/736660879367/roles/resourcemanager.folderAdmin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/essentialcontacts.admin"]: Creating...
module.parent_iam_member["org"].google_folder_iam_member.folder_parent_iam["roles/resourcemanager.folderAdmin"]: Creation complete after 44s [id=folders/736660879367/roles/resourcemanager.folderAdmin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Creating...
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/compute.xpnAdmin"]: Creation complete after 44s [id=folders/736660879367/roles/compute.xpnAdmin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Creating...
module.parent_iam_member["proj"].google_folder_iam_member.folder_parent_iam["roles/artifactregistry.admin"]: Creation complete after 44s [id=folders/736660879367/roles/artifactregistry.admin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagAdmin"]: Creating...
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/logging.configWriter"]: Creation complete after 4s [id=1064386348915/roles/logging.configWriter/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/serviceusage.serviceUsageConsumer"]: Creating...
module.parent_iam_member["net"].google_folder_iam_member.folder_parent_iam["roles/compute.networkAdmin"]: Creation complete after 6s [id=folders/736660879367/roles/compute.networkAdmin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/cloudasset.owner"]: Creating...

module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [10s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Still creating... [10s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [10s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/essentialcontacts.admin"]: Still creating... [10s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [10s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [10s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagAdmin"]: Still creating... [10s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/serviceusage.serviceUsageConsumer"]: Still creating... [10s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/cloudasset.owner"]: Still creating... [10s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [20s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [20s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Still creating... [20s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [20s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/essentialcontacts.admin"]: Still creating... [20s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [20s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [20s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagAdmin"]: Still creating... [20s elapsed]

module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/serviceusage.serviceUsageConsumer"]: Still creating... [20s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/cloudasset.owner"]: Still creating... [20s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [30s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [30s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Still creating... [30s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [30s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/essentialcontacts.admin"]: Still creating... [30s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [30s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [30s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagAdmin"]: Still creating... [30s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/serviceusage.serviceUsageConsumer"]: Still creating... [30s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/cloudasset.owner"]: Still creating... [30s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [40s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [40s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Still creating... [40s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [40s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/essentialcontacts.admin"]: Still creating... [40s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [40s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [40s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagAdmin"]: Still creating... [40s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/serviceusage.serviceUsageConsumer"]: Still creating... [40s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/cloudasset.owner"]: Still creating... [40s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creation complete after 46s [id=1064386348915/roles/browser/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Creating...
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creation complete after 46s [id=1064386348915/roles/browser/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Creating...
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Creation complete after 46s [id=1064386348915/roles/resourcemanager.tagUser/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creating...
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Creation complete after 46s [id=1064386348915/roles/accesscontextmanager.policyAdmin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creating...
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/essentialcontacts.admin"]: Creation complete after 45s [id=1064386348915/roles/essentialcontacts.admin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/compute.xpnAdmin"]: Creating...
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Creation complete after 46s [id=1064386348915/roles/resourcemanager.organizationAdmin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/assuredworkloads.admin"]: Creating...
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Creation complete after 46s [id=1064386348915/roles/accesscontextmanager.policyAdmin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Creating...
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagAdmin"]: Creation complete after 46s [id=1064386348915/roles/resourcemanager.tagAdmin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/securitycenter.sourcesEditor"]: Creating...
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/serviceusage.serviceUsageConsumer"]: Creation complete after 43s [id=1064386348915/roles/serviceusage.serviceUsageConsumer/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Creating...
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/cloudasset.owner"]: Creation complete after 42s [id=1064386348915/roles/cloudasset.owner/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creating...
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Still creating... [10s elapsed]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [10s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [10s elapsed]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [10s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/compute.xpnAdmin"]: Still creating... [10s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/assuredworkloads.admin"]: Still creating... [10s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [10s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/securitycenter.sourcesEditor"]: Still creating... [10s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [10s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [10s elapsed]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [20s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [20s elapsed]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [20s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/compute.xpnAdmin"]: Still creating... [20s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/assuredworkloads.admin"]: Still creating... [20s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [20s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/securitycenter.sourcesEditor"]: Still creating... [20s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [20s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [20s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Still creating... [30s elapsed]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [30s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [30s elapsed]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [30s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/compute.xpnAdmin"]: Still creating... [30s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/assuredworkloads.admin"]: Still creating... [30s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [30s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/securitycenter.sourcesEditor"]: Still creating... [30s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [30s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [30s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Still creating... [40s elapsed]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [40s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [40s elapsed]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [40s elapsed]
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/compute.xpnAdmin"]: Still creating... [40s elapsed]
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/assuredworkloads.admin"]: Still creating... [40s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Still creating... [40s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/securitycenter.sourcesEditor"]: Still creating... [40s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Still creating... [40s elapsed]
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/browser"]: Still creating... [40s elapsed]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.tagUser"]: Creation complete after 42s [id=1064386348915/roles/resourcemanager.tagUser/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/orgpolicy.policyAdmin"]: Creating...
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Creation complete after 42s [id=1064386348915/roles/resourcemanager.organizationAdmin/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationViewer"]: Creating...
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creation complete after 43s [id=1064386348915/roles/browser/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/securitycenter.notificationConfigEditor"]: Creating...
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creation complete after 43s [id=1064386348915/roles/browser/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Creating...
module.org_iam_member["net"].google_organization_iam_member.org_parent_iam["roles/compute.xpnAdmin"]: Creation complete after 43s [id=1064386348915/roles/compute.xpnAdmin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.org_iam_member["bootstrap"].google_organization_iam_member.org_parent_iam["roles/serviceusage.serviceUsageConsumer"]: Creating...
module.org_iam_member["env"].google_organization_iam_member.org_parent_iam["roles/assuredworkloads.admin"]: Creation complete after 42s [id=1064386348915/roles/assuredworkloads.admin/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
google_billing_account_iam_member.billing_admin_user["env"]: Creating...
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/resourcemanager.organizationAdmin"]: Creation complete after 42s [id=1064386348915/roles/resourcemanager.organizationAdmin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
google_billing_account_iam_member.billing_admin_user["org"]: Creating...
module.org_iam_member["org"].google_organization_iam_member.org_parent_iam["roles/securitycenter.sourcesEditor"]: Creation complete after 42s [id=1064386348915/roles/securitycenter.sourcesEditor/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
google_billing_account_iam_member.billing_admin_user["proj"]: Creating...
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/accesscontextmanager.policyAdmin"]: Creation complete after 43s [id=1064386348915/roles/accesscontextmanager.policyAdmin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
google_billing_account_iam_member.billing_admin_user["bootstrap"]: Creating...
module.org_iam_member["proj"].google_organization_iam_member.org_parent_iam["roles/browser"]: Creation complete after 43s [id=1064386348915/roles/browser/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
google_billing_account_iam_member.billing_admin_user["net"]: Creating...


module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [30s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [40s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [50s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [1m0s elapsed]

module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [1m10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [1m20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [1m30s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [1m40s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [1m50s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [2m0s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [2m10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [2m20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [2m30s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [2m40s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [2m50s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [3m0s elapsed]

module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [3m10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Still creating... [3m20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.google_project.main: Creation complete after 3m24s [id=projects/prj-b-cicd-82vv]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["serviceusage.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.google_service_account.default_service_account[0]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["compute.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudscheduler.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["workflows.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["appengine.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["servicenetworking.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.google_service_account.default_service_account[0]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/serviceAccounts/project-service-account@prj-b-cicd-82vv.iam.gserviceaccount.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["compute.googleapis.com"]: Creation complete after 3s [id=prj-b-cicd-82vv/compute.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Still creating... [10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Still creating... [10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudscheduler.googleapis.com"]: Still creating... [10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["appengine.googleapis.com"]: Still creating... [10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["workflows.googleapis.com"]: Still creating... [10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["serviceusage.googleapis.com"]: Still creating... [10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["servicenetworking.googleapis.com"]: Still creating... [10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Still creating... [10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Still creating... [10s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Still creating... [10s elapsed]

module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["appengine.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudscheduler.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["workflows.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["serviceusage.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["servicenetworking.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["serviceusage.googleapis.com"]: Creation complete after 21s [id=prj-b-cicd-82vv/serviceusage.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["appengine.googleapis.com"]: Creation complete after 22s [id=prj-b-cicd-82vv/appengine.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudscheduler.googleapis.com"]: Creation complete after 22s [id=prj-b-cicd-82vv/cloudscheduler.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbilling.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Creation complete after 22s [id=prj-b-cicd-82vv/cloudbuild.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["workflows.googleapis.com"]: Creation complete after 22s [id=prj-b-cicd-82vv/workflows.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Creation complete after 21s [id=prj-b-cicd-82vv/sourcerepo.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["bigquery.googleapis.com"]: Creation complete after 22s [id=prj-b-cicd-82vv/bigquery.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Creation complete after 22s [id=prj-b-cicd-82vv/iam.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["servicenetworking.googleapis.com"]: Creation complete after 22s [id=prj-b-cicd-82vv/servicenetworking.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["dns.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["storage-api.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["admin.googleapis.com"]: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Still creating... [20s elapsed]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["storage-api.googleapis.com"]: Creation complete after 2s [id=prj-b-cicd-82vv/storage-api.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creation complete after 3s [id=prj-b-cicd-82vv/logging.googleapis.com]
module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Creation complete after 22s [id=prj-b-cicd-82vv/artifactregistry.googleapis.com]


module.tf_source.module.cloudbuild_bucket.google_storage_bucket.bucket: Creating...
module.tf_source.module.cloudbuild_project.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creation complete after 0s [id=projects/prj-b-cicd-82vv]
module.tf_source.google_sourcerepo_repository.gcp_repo["gcp-networks"]: Creating...
module.tf_source.google_sourcerepo_repository.gcp_repo["gcp-environments"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/repos/gcp-environments]
module.tf_source.google_sourcerepo_repository.gcp_repo["gcp-bootstrap"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/repos/gcp-bootstrap]
module.tf_source.google_sourcerepo_repository.gcp_repo["gcp-org"]: Creating...
module.tf_source.google_sourcerepo_repository.gcp_repo["gcp-networks"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/repos/gcp-networks]
module.tf_source.google_sourcerepo_repository.gcp_repo["gcp-projects"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/repos/gcp-projects]
module.tf_source.google_sourcerepo_repository.gcp_repo["gcp-policies"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/repos/gcp-policies]
module.tf_source.module.cloudbuild_bucket.google_storage_bucket.bucket: Creation complete after 1s [id=prj-b-cicd-82vv_cloudbuild]
module.tf_source.google_storage_bucket_iam_member.cloudbuild_iam: Creating...
module.tf_source.google_sourcerepo_repository.gcp_repo["gcp-org"]: Creation complete after 0s [id=projects/prj-b-cicd-82vv/repos/gcp-org]
module.tf_source.google_sourcerepo_repository.gcp_repo["tf-cloudbuilder"]: Creation complete after 2s [id=projects/prj-b-cicd-82vv/repos/tf-cloudbuilder]
module.tf_source.google_storage_bucket_iam_member.cloudbuild_iam: Creation complete after 4s [id=b/prj-b-cicd-82vv_cloudbuild/roles/storage.admin/serviceAccount:785189507742@cloudbuild.gserviceaccount.com]
module.tf_source.google_project_iam_member.org_admins_cloudbuild_editor: Creation complete after 7s [id=prj-b-cicd-82vv/roles/cloudbuild.builds.editor/group:gcp-organization-admins@obrienlabs.xyz]
module.tf_source.google_project_iam_member.org_admins_cloudbuild_viewer: Creation complete after 7s [id=prj-b-cicd-82vv/roles/viewer/group:gcp-organization-admins@obrienlabs.xyz]
module.tf_source.google_project_iam_member.org_admins_source_repo_admin[0]: Creation complete after 7s [id=prj-b-cicd-82vv/roles/source.admin/group:gcp-organization-admins@obrienlabs.xyz]
module.bootstrap_csr_repo.null_resource.run_command[0]: Creating...
module.tf_private_pool.module.peered_network[0].module.vpc.google_compute_network.network: Creating...
google_sourcerepo_repository_iam_member.member["org"]: Creating...
module.tf_cloud_builder.google_service_account.cb_sa[0]: Creating...
module.tf_cloud_builder.google_artifact_registry_repository.tf-image-repo: Creating...
module.bootstrap_csr_repo.null_resource.run_command[0]: Provisioning with 'local-exec'...
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): Executing: ["/bin/sh" "-c" "PATH=/google-cloud-sdk/bin:$PATH\n./scripts/push-to-repo.sh prj-b-cicd-82vv tf-cloudbuilder ./Dockerfile\n"]
google_sourcerepo_repository_iam_member.member["proj"]: Creating...
module.tf_cloud_builder.google_service_account.workflow_sa[0]: Creating...
google_sourcerepo_repository_iam_member.member["env"]: Creating...
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + '[' 3 -lt 3 ']'
module.tf_cloud_builder.module.bucket.google_storage_bucket.bucket: Creating...
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + CSR_PROJECT_ID=prj-b-cicd-82vv
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + CSR_NAME=tf-cloudbuilder
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + DOCKERFILE_PATH=./Dockerfile
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): ++ mktemp -d
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + tmp_dir=/tmp/tmp.xMNfsxhn6Q
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + gcloud source repos clone tf-cloudbuilder /tmp/tmp.xMNfsxhn6Q --project prj-b-cicd-82vv
google_sourcerepo_repository_iam_member.member["net"]: Creating...
module.tf_cloud_builder.module.bucket.google_storage_bucket.bucket: Creation complete after 0s [id=bkt-prj-b-cicd-82vv-tf-cloudbuilder-build-logs]
google_sourcerepo_repository_iam_member.member["bootstrap"]: Creating...
module.tf_cloud_builder.google_service_account.cb_sa[0]: Creation complete after 0s [id=projects/prj-b-cicd-82vv/serviceAccounts/tf-cb-builder-sa@prj-b-cicd-82vv.iam.gserviceaccount.com]
module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/source.admin"]: Creating...
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): ERROR: (gcloud.source.repos.clone) UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/cloudbuild.builds.editor"]: Creating...
module.tf_cloud_builder.google_service_account.workflow_sa[0]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/serviceAccounts/terraform-runner-workflow-sa@prj-b-cicd-82vv.iam.gserviceaccount.com]
module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/iam.workloadIdentityPoolAdmin"]: Creating...
google_sourcerepo_repository_iam_member.member["org"]: Creation complete after 4s [id=projects/prj-b-cicd-82vv/repos/gcp-policies/roles/viewer/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/cloudscheduler.admin"]: Creating...



module.tf_cloud_builder.google_project_iam_member.logs_writer: Creation complete after 8s [id=prj-b-cicd-82vv/roles/logging.logWriter/serviceAccount:tf-cb-builder-sa@prj-b-cicd-82vv.iam.gserviceaccount.com]
module.tf_cloud_builder.google_cloud_scheduler_job.trigger_workflow: Creation complete after 8s [id=projects/prj-b-cicd-82vv/locations/us-central1/jobs/trigger-terraform-runner-workflow]
module.bootstrap_projects_remove_editor["seed"].google_project_iam_binding.iam_remove["roles/editor"]: Creation complete after 7s [id=prj-b-seed-8919/roles/editor]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["env"]: Still creating... [10s elapsed]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["proj"]: Still creating... [10s elapsed]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["org"]: Still creating... [10s elapsed]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["net"]: Still creating... [10s elapsed]
module.tf_private_pool.module.peered_network[0].module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-b-cbpools-us-central1"]: Still creating... [10s elapsed]
module.bootstrap_projects_remove_editor["cicd"].google_project_iam_binding.iam_remove["roles/editor"]: Creation complete after 7s [id=prj-b-cicd-82vv/roles/editor]
module.tf_private_pool.google_compute_global_address.worker_pool_range[0]: Still creating... [10s elapsed]
module.tf_private_pool.google_compute_global_address.worker_pool_range[0]: Creation complete after 11s [id=projects/prj-b-cicd-82vv/global/addresses/ga-b-cbpools-worker-pool-range]
module.tf_private_pool.google_service_networking_connection.worker_pool_conn[0]: Creating...
module.tf_private_pool.module.firewall_rules[0].google_compute_firewall.rules["fw-b-cbpools-100-i-a-all-all-all-service-networking"]: Creating...

google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["env"]: Still creating... [20s elapsed]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["proj"]: Still creating... [20s elapsed]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["org"]: Still creating... [20s elapsed]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["net"]: Still creating... [20s elapsed]
module.tf_private_pool.module.peered_network[0].module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-b-cbpools-us-central1"]: Still creating... [20s elapsed]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["env"]: Creation complete after 22s [id=projects/prj-b-cicd-82vv/locations/us-central1/repositories/tf-runners/roles/artifactregistry.reader/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["proj"]: Creation complete after 22s [id=projects/prj-b-cicd-82vv/locations/us-central1/repositories/tf-runners/roles/artifactregistry.reader/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["org"]: Creation complete after 22s [id=projects/prj-b-cicd-82vv/locations/us-central1/repositories/tf-runners/roles/artifactregistry.reader/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
google_artifact_registry_repository_iam_member.terraform_sa_artifact_registry_reader["net"]: Creation complete after 22s [id=projects/prj-b-cicd-82vv/locations/us-central1/repositories/tf-runners/roles/artifactregistry.reader/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_private_pool.module.peered_network[0].module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-b-cbpools-us-central1"]: Creation complete after 22s [id=projects/prj-b-cicd-82vv/regions/us-central1/subnetworks/sb-b-cbpools-us-central1]
module.tf_private_pool.google_service_networking_connection.worker_pool_conn[0]: Still creating... [10s elapsed]
module.tf_private_pool.module.firewall_rules[0].google_compute_firewall.rules["fw-b-cbpools-100-i-a-all-all-all-service-networking"]: Still creating... [10s elapsed]

module.tf_private_pool.module.firewall_rules[0].google_compute_firewall.rules["fw-b-cbpools-100-i-a-all-all-all-service-networking"]: Creation complete after 11s [id=projects/prj-b-cicd-82vv/global/firewalls/fw-b-cbpools-100-i-a-all-all-all-service-networking]
module.tf_private_pool.google_service_networking_connection.worker_pool_conn[0]: Still creating... [20s elapsed]
module.tf_private_pool.google_service_networking_connection.worker_pool_conn[0]: Still creating... [30s elapsed]

module.tf_private_pool.google_service_networking_connection.worker_pool_conn[0]: Still creating... [40s elapsed]
module.tf_private_pool.google_service_networking_connection.worker_pool_conn[0]: Still creating... [50s elapsed]
module.tf_private_pool.google_service_networking_connection.worker_pool_conn[0]: Still creating... [1m0s elapsed]
module.tf_private_pool.google_service_networking_connection.worker_pool_conn[0]: Creation complete after 1m2s [id=projects%2Fprj-b-cicd-82vv%2Fglobal%2Fnetworks%2Fvpc-b-cbpools:servicenetworking.googleapis.com]
module.tf_private_pool.google_compute_network_peering_routes_config.peering_routes[0]: Creating...
module.tf_private_pool.google_cloudbuild_worker_pool.private_pool: Creating...


module.tf_private_pool.google_compute_network_peering_routes_config.peering_routes[0]: Still creating... [10s elapsed]
module.tf_private_pool.google_cloudbuild_worker_pool.private_pool: Still creating... [10s elapsed]
module.tf_private_pool.google_compute_network_peering_routes_config.peering_routes[0]: Creation complete after 11s [id=projects/prj-b-cicd-82vv/global/networks/vpc-b-cbpools/networkPeerings/servicenetworking-googleapis-com]
module.tf_private_pool.google_cloudbuild_worker_pool.private_pool: Still creating... [20s elapsed]
module.tf_private_pool.google_cloudbuild_worker_pool.private_pool: Still creating... [30s elapsed]

module.tf_private_pool.google_cloudbuild_worker_pool.private_pool: Still creating... [40s elapsed]
module.tf_private_pool.google_cloudbuild_worker_pool.private_pool: Still creating... [50s elapsed]
module.tf_private_pool.google_cloudbuild_worker_pool.private_pool: Still creating... [1m0s elapsed]
module.tf_private_pool.google_cloudbuild_worker_pool.private_pool: Creation complete after 1m2s [id=projects/prj-b-cicd-82vv/locations/us-central1/workerPools/private-pool-yqvb]
module.tf_cloud_builder.google_cloudbuild_trigger.build_trigger: Creating...
module.tf_cloud_builder.google_cloudbuild_trigger.build_trigger: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/29a34ab9-e42f-4f02-9d42-614d7be613c9]
module.tf_workspace["proj"].data.google_project.cloudbuild_project[0]: Reading...
module.tf_workspace["org"].data.google_project.cloudbuild_project[0]: Reading...
module.tf_workspace["env"].data.google_project.cloudbuild_project[0]: Reading...
module.tf_workspace["bootstrap"].data.google_project.cloudbuild_project[0]: Reading...
module.tf_workspace["net"].data.google_project.cloudbuild_project[0]: Reading...
module.tf_workspace["bootstrap"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creating...
module.tf_workspace["proj"].google_project_iam_member.cb_sa_logging: Creating...
module.tf_workspace["org"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creating...
module.tf_workspace["net"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creating...
module.tf_workspace["env"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creating...
module.tf_workspace["proj"].data.google_project.cloudbuild_project[0]: Read complete after 0s [id=projects/prj-b-cicd-82vv]
module.tf_workspace["org"].data.google_project.cloudbuild_project[0]: Read complete after 0s [id=projects/prj-b-cicd-82vv]
module.tf_workspace["bootstrap"].data.google_project.cloudbuild_project[0]: Read complete after 0s [id=projects/prj-b-cicd-82vv]
module.tf_workspace["net"].data.google_project.cloudbuild_project[0]: Read complete after 0s [id=projects/prj-b-cicd-82vv]
module.tf_workspace["env"].data.google_project.cloudbuild_project[0]: Read complete after 0s [id=projects/prj-b-cicd-82vv]
module.tf_workspace["org"].google_project_iam_member.cb_sa_logging: Creating...
module.tf_workspace["env"].google_project_iam_member.cb_sa_logging: Creating...
module.tf_workspace["org"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creating...
module.tf_workspace["env"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creating...
module.tf_workspace["net"].google_project_iam_member.cb_sa_logging: Creating...
module.tf_workspace["bootstrap"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creation complete after 4s [id=projects/prj-b-seed-8919/serviceAccounts/sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com/roles/iam.serviceAccountUser/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["proj"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creating...
module.tf_workspace["env"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creation complete after 4s [id=projects/prj-b-seed-8919/serviceAccounts/sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["org"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creation complete after 4s [id=projects/prj-b-seed-8919/serviceAccounts/sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["proj"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creating...
module.tf_workspace["net"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creating...
module.tf_workspace["net"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creation complete after 4s [id=projects/prj-b-seed-8919/serviceAccounts/sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com/roles/iam.serviceAccountUser/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["bootstrap"].google_project_iam_member.cb_sa_logging: Creating...


module.tf_workspace["org"].google_storage_bucket_iam_member.artifacts_admin: Creating...
module.tf_workspace["env"].google_project_iam_member.pool_user[0]: Creation complete after 8s [id=prj-b-cicd-82vv/roles/cloudbuild.workerPoolUser/serviceAccount:785189507742@cloudbuild.gserviceaccount.com]
module.tf_workspace["proj"].google_storage_bucket_iam_member.artifacts_admin: Creating...
module.tf_workspace["env"].google_storage_bucket_iam_member.log_admin: Creation complete after 3s [id=b/bkt-prj-b-cicd-82vv-gcp-environments-build-logs/roles/storage.admin/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["proj"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-projects-build-logs/roles/storage.admin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["bootstrap"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-bootstrap-build-logs/roles/storage.admin/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["bootstrap"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-bootstrap-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["env"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["net"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-networks-build-logs/roles/storage.admin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["bootstrap"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["env"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["net"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["org"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["env"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["org"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["net"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["org"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-org-build-logs/roles/storage.admin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["net"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["env"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/0f5f779e-3136-4ad4-a007-32647b7ceee0]
module.tf_workspace["bootstrap"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/fdf96156-f457-47aa-824d-dba69d6812ce]
module.tf_workspace["org"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/61fd9472-bf8e-4146-9c4e-64c3b05cacb3]
module.tf_workspace["env"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/070191ee-edba-4a6d-8382-2a41fe4463da]
module.tf_workspace["org"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/343ac1be-ff42-4c5b-9a8d-8a751ff02767]
module.tf_workspace["proj"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["bootstrap"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["net"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/b3a3f024-03f4-4164-bbcf-2b1ef2ba74f0]
module.tf_workspace["proj"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["net"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/045135b5-29a2-4066-8818-09c32890aaab]
module.tf_workspace["proj"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/3c1f05c0-0850-414d-9dee-6bd7bd3e1af2]
module.tf_workspace["proj"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/a1129dc9-c1e6-47d5-9a20-7518c82fe900]
module.tf_workspace["bootstrap"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/70966480-5d2c-4aa4-a7aa-1e0aaeb711f1]
module.tf_workspace["proj"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["org"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-org-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
╷
│ Error: local-exec provisioner error
│ 
│   with module.bootstrap_csr_repo.null_resource.run_command[0],
│   on .terraform/modules/bootstrap_csr_repo/main.tf line 232, in resource "null_resource" "run_command":
│  232:   provisioner "local-exec" {
│ 
│ Error running command 'PATH=/google-cloud-sdk/bin:$PATH
│ ./scripts/push-to-repo.sh prj-b-cicd-82vv tf-cloudbuilder ./Dockerfile
│ ': exit status 1. Output: + '[' 3 -lt 3 ']'
│ + CSR_PROJECT_ID=prj-b-cicd-82vv
│ + CSR_NAME=tf-cloudbuilder
│ + DOCKERFILE_PATH=./Dockerfile
│ ++ mktemp -d
│ + tmp_dir=/tmp/tmp.xMNfsxhn6Q
│ + gcloud source repos clone tf-cloudbuilder /tmp/tmp.xMNfsxhn6Q --project prj-b-cicd-82vv
│ ERROR: (gcloud.source.repos.clone) UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication
│ credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
│ 



1210
timed out again, relogging in

TODO
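The failure above is the bootstrap's `local-exec` provisioner running `gcloud source repos clone` with the operator's own Cloud Shell credentials after they had expired, so the apply dies partway through and leaves the `null_resource` tainted. The following is an added example, not code from this repo or from the TEF, of a pre-flight wrapper that refuses to start `terraform apply` unless gcloud can still mint a token for the expected account, and that classifies a failed apply so the operator knows whether to re-login or debug the script. `check_gcloud_session`, `run_guarded_apply`, and the account argument are assumptions for illustration; the constructed sample error only reuses the shape of the output seen above.

```shell
#!/bin/sh
# Added example (not part of the TEF or of this repo): guard a 0-bootstrap
# `terraform apply` against the expired-credential failure seen above.
# Assumptions: gcloud and terraform are on PATH when run_guarded_apply is
# called; the second argument is the operator identity expected to apply.

# Classify a captured terraform error. Prints one of:
#   auth        - gcloud credentials missing or expired (UNAUTHENTICATED)
#   provisioner - a local-exec provisioner failed for some other reason
#   other       - anything else
classify_tf_error() {
  msg="$1"
  if printf '%s\n' "$msg" | grep -q 'UNAUTHENTICATED'; then
    echo auth
  elif printf '%s\n' "$msg" | grep -q 'local-exec provisioner error'; then
    echo provisioner
  else
    echo other
  fi
}

# Return 0 only if the active gcloud account is the expected one and a
# fresh access token can still be minted for it (i.e. the session is live).
check_gcloud_session() {
  expected="$1"
  command -v gcloud >/dev/null 2>&1 || { echo "gcloud not found on PATH" >&2; return 2; }
  active=$(gcloud auth list --filter=status:ACTIVE --format='value(account)' 2>/dev/null)
  if [ "$active" != "$expected" ]; then
    echo "active gcloud account is '$active', expected '$expected'" >&2
    return 1
  fi
  if ! gcloud auth print-access-token >/dev/null 2>&1; then
    echo "cannot mint an access token; session expired, run 'gcloud auth login'" >&2
    return 1
  fi
  return 0
}

# Apply a saved plan only after the session check passes. On failure,
# classify the captured output so the next step is obvious.
run_guarded_apply() {
  plan="$1"
  expected="$2"
  check_gcloud_session "$expected" || return 1
  if out=$(terraform apply "$plan" 2>&1); then
    rc=0
  else
    rc=$?
  fi
  printf '%s\n' "$out"
  if [ "$rc" -ne 0 ]; then
    case "$(classify_tf_error "$out")" in
      auth)        echo "apply failed on expired credentials; re-login, re-plan and re-apply" >&2 ;;
      provisioner) echo "a local-exec script failed; inspect the script output above" >&2 ;;
      *)           echo "terraform apply failed (rc=$rc)" >&2 ;;
    esac
  fi
  return "$rc"
}

# Constructed sample input (shape copied from the failure above) so the
# classifier can be exercised offline without gcloud or terraform.
SAMPLE_AUTH_ERROR='Error: local-exec provisioner error
+ gcloud source repos clone tf-cloudbuilder /tmp/tmp.xMNfsxhn6Q --project prj-b-cicd-82vv
ERROR: (gcloud.source.repos.clone) UNAUTHENTICATED: Request had invalid authentication credentials.'

# Usage from the 0-bootstrap directory, e.g.:
#   run_guarded_apply bootstrap.tfplan michael@example.com
```

The session check runs before Terraform acquires the state lock, so an expired token is caught without tainting `module.bootstrap_csr_repo.null_resource.run_command[0]`; once the provisioner has failed, the re-run has to destroy and recreate that resource, which is exactly what the successful apply below shows.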

@fmichaelobrien fmichaelobrien changed the title Canadian Public Sector Landing Zone reference in Terraform based on PSO/TOC ready TEF V4 - Full clean organization deployment with mitigation/automation/parameterization modifications Canadian Public Sector Landing Zone reference using Terraform 1.6 based on the PSO/TOC ready TEF V4 - Full clean organization deployment with mitigation/automation/parameterization modifications Apr 7, 2024
@obriensystems
Collaborator

obriensystems commented Apr 9, 2024

After session refresh - terraform apply 5

module.tf_workspace["org"].google_storage_bucket_iam_member.artifacts_admin: Creating...
module.tf_workspace["env"].google_project_iam_member.pool_user[0]: Creation complete after 8s [id=prj-b-cicd-82vv/roles/cloudbuild.workerPoolUser/serviceAccount:785189507742@cloudbuild.gserviceaccount.com]
module.tf_workspace["proj"].google_storage_bucket_iam_member.artifacts_admin: Creating...
module.tf_workspace["env"].google_storage_bucket_iam_member.log_admin: Creation complete after 3s [id=b/bkt-prj-b-cicd-82vv-gcp-environments-build-logs/roles/storage.admin/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["proj"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-projects-build-logs/roles/storage.admin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["bootstrap"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-bootstrap-build-logs/roles/storage.admin/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["bootstrap"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-bootstrap-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["env"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["net"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-networks-build-logs/roles/storage.admin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["bootstrap"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["env"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["net"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["org"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["env"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["org"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["net"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["org"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-org-build-logs/roles/storage.admin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["net"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["env"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/0f5f779e-3136-4ad4-a007-32647b7ceee0]
module.tf_workspace["bootstrap"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/fdf96156-f457-47aa-824d-dba69d6812ce]
module.tf_workspace["org"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/61fd9472-bf8e-4146-9c4e-64c3b05cacb3]
module.tf_workspace["env"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/070191ee-edba-4a6d-8382-2a41fe4463da]
module.tf_workspace["org"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/343ac1be-ff42-4c5b-9a8d-8a751ff02767]
module.tf_workspace["proj"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.tf_workspace["bootstrap"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["net"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/b3a3f024-03f4-4164-bbcf-2b1ef2ba74f0]
module.tf_workspace["proj"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.tf_workspace["net"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/045135b5-29a2-4066-8818-09c32890aaab]
module.tf_workspace["proj"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/3c1f05c0-0850-414d-9dee-6bd7bd3e1af2]
module.tf_workspace["proj"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/a1129dc9-c1e6-47d5-9a20-7518c82fe900]
module.tf_workspace["bootstrap"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/70966480-5d2c-4aa4-a7aa-1e0aaeb711f1]
module.tf_workspace["proj"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com]
module.tf_workspace["org"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-org-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com]
╷
│ Error: local-exec provisioner error
│ 
│   with module.bootstrap_csr_repo.null_resource.run_command[0],
│   on .terraform/modules/bootstrap_csr_repo/main.tf line 232, in resource "null_resource" "run_command":
│  232:   provisioner "local-exec" {
│ 
│ Error running command 'PATH=/google-cloud-sdk/bin:$PATH
│ ./scripts/push-to-repo.sh prj-b-cicd-82vv tf-cloudbuilder ./Dockerfile
│ ': exit status 1. Output: + '[' 3 -lt 3 ']'
│ + CSR_PROJECT_ID=prj-b-cicd-82vv
│ + CSR_NAME=tf-cloudbuilder
│ + DOCKERFILE_PATH=./Dockerfile
│ ++ mktemp -d
│ + tmp_dir=/tmp/tmp.xMNfsxhn6Q
│ + gcloud source repos clone tf-cloudbuilder /tmp/tmp.xMNfsxhn6Q --project prj-b-cicd-82vv
│ ERROR: (gcloud.source.repos.clone) UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication
│ credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
│ 

terraform apply

1213

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform apply bootstrap.tfplan
Acquiring state lock. This may take a few moments...
module.bootstrap_csr_repo.null_resource.run_command[0]: Destroying... [id=7230674911796820867]
module.bootstrap_csr_repo.null_resource.run_command[0]: Destruction complete after 0s
module.bootstrap_csr_repo.null_resource.run_command[0]: Creating...
module.bootstrap_csr_repo.null_resource.run_command[0]: Provisioning with 'local-exec'...
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): Executing: ["/bin/sh" "-c" "PATH=/google-cloud-sdk/bin:$PATH\n./scripts/push-to-repo.sh prj-b-cicd-82vv tf-cloudbuilder ./Dockerfile\n"]
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + '[' 3 -lt 3 ']'
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + CSR_PROJECT_ID=prj-b-cicd-82vv
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + CSR_NAME=tf-cloudbuilder
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + DOCKERFILE_PATH=./Dockerfile
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): ++ mktemp -d
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + tmp_dir=/tmp/tmp.bWjiGVGdcp
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + gcloud source repos clone tf-cloudbuilder /tmp/tmp.bWjiGVGdcp --project prj-b-cicd-82vv
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): Cloning into '/tmp/tmp.bWjiGVGdcp'...
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): warning: You appear to have cloned an empty repository.
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): Project [prj-b-cicd-82vv] repository [tf-cloudbuilder] was cloned to [/tmp/tmp.bWjiGVGdcp].
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + cp ./Dockerfile /tmp/tmp.bWjiGVGdcp
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + pushd /tmp/tmp.bWjiGVGdcp
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): /tmp/tmp.bWjiGVGdcp ~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git config credential.helper gcloud.sh
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git config init.defaultBranch main
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git config user.email terraform-robot@example.com
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git config user.name 'TF Robot'
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git checkout main
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): error: pathspec 'main' did not match any file(s) known to git
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git checkout -b main
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): Switched to a new branch 'main'
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git add Dockerfile
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git commit -m 'Initialize tf dockerfile repo'
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): [main (root-commit) 6ccc20f] Initialize tf dockerfile repo
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec):  1 file changed, 39 insertions(+)
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec):  create mode 100644 Dockerfile
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git push origin main -f
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): remote: Waiting for private key checker: 1/1 objects left
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): To https://source.developers.google.com/p/prj-b-cicd-82vv/r/tf-cloudbuilder
module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec):  * [new branch]      main -> main
module.bootstrap_csr_repo.null_resource.run_command[0]: Creation complete after 9s [id=7949777391628366700]
time_sleep.cloud_builder: Creating...
time_sleep.cloud_builder: Still creating... [10s elapsed]
time_sleep.cloud_builder: Still creating... [20s elapsed]
time_sleep.cloud_builder: Still creating... [30s elapsed]
time_sleep.cloud_builder: Creation complete after 30s [id=2024-04-09T16:14:51Z]
module.build_terraform_image.null_resource.module_depends_on[0]: Creating...
module.build_terraform_image.null_resource.module_depends_on[0]: Creation complete after 0s [id=5076526115309788801]
module.build_terraform_image.null_resource.run_command[0]: Creating...
module.build_terraform_image.null_resource.run_destroy_command[0]: Creating...
module.build_terraform_image.null_resource.run_destroy_command[0]: Creation complete after 1s [id=1744504265272094841]
module.build_terraform_image.null_resource.run_command[0]: Provisioning with 'local-exec'...
module.build_terraform_image.null_resource.run_command[0] (local-exec): Executing: ["/bin/sh" "-c" "PATH=/google-cloud-sdk/bin:$PATH\ngcloud beta builds triggers run  29a34ab9-e42f-4f02-9d42-614d7be613c9 --branch main --region us-central1 --project prj-b-cicd-82vv\n"]
module.build_terraform_image.null_resource.run_command[0] (local-exec): metadata:
module.build_terraform_image.null_resource.run_command[0] (local-exec):   '@type': type.googleapis.com/google.devtools.cloudbuild.v1.BuildOperationMetadata
module.build_terraform_image.null_resource.run_command[0] (local-exec):   build:
module.build_terraform_image.null_resource.run_command[0] (local-exec):     artifacts:
module.build_terraform_image.null_resource.run_command[0] (local-exec):       images:
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1.3.0
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1.3
module.build_terraform_image.null_resource.run_command[0] (local-exec):     buildTriggerId: 29a34ab9-e42f-4f02-9d42-614d7be613c9
module.build_terraform_image.null_resource.run_command[0] (local-exec):     createTime: '2024-04-09T16:14:54.392322Z'
module.build_terraform_image.null_resource.run_command[0] (local-exec):     id: 511923ec-4dba-43a7-b883-df81d934543b
module.build_terraform_image.null_resource.run_command[0] (local-exec):     images:
module.build_terraform_image.null_resource.run_command[0] (local-exec):     - us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1.3.0
module.build_terraform_image.null_resource.run_command[0] (local-exec):     - us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1
module.build_terraform_image.null_resource.run_command[0] (local-exec):     - us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1.3
module.build_terraform_image.null_resource.run_command[0] (local-exec):     logUrl: https://console.cloud.google.com/cloud-build/builds;region=us-central1/511923ec-4dba-43a7-b883-df81d934543b?project=785189507742
module.build_terraform_image.null_resource.run_command[0] (local-exec):     logsBucket: gs://bkt-prj-b-cicd-82vv-tf-cloudbuilder-build-logs
module.build_terraform_image.null_resource.run_command[0] (local-exec):     name: projects/785189507742/locations/us-central1/builds/511923ec-4dba-43a7-b883-df81d934543b
module.build_terraform_image.null_resource.run_command[0] (local-exec):     options:
module.build_terraform_image.null_resource.run_command[0] (local-exec):       dynamicSubstitutions: true
module.build_terraform_image.null_resource.run_command[0] (local-exec):       logging: LEGACY
module.build_terraform_image.null_resource.run_command[0] (local-exec):       pool:
module.build_terraform_image.null_resource.run_command[0] (local-exec):         name: projects/prj-b-cicd-82vv/locations/us-central1/workerPools/private-pool-yqvb
module.build_terraform_image.null_resource.run_command[0] (local-exec):       substitutionOption: ALLOW_LOOSE
module.build_terraform_image.null_resource.run_command[0] (local-exec):     projectId: prj-b-cicd-82vv
module.build_terraform_image.null_resource.run_command[0] (local-exec):     queueTtl: 3600s
module.build_terraform_image.null_resource.run_command[0] (local-exec):     serviceAccount: projects/prj-b-cicd-82vv/serviceAccounts/tf-cb-builder-sa@prj-b-cicd-82vv.iam.gserviceaccount.com
module.build_terraform_image.null_resource.run_command[0] (local-exec):     source:
module.build_terraform_image.null_resource.run_command[0] (local-exec):       repoSource:
module.build_terraform_image.null_resource.run_command[0] (local-exec):         commitSha: 6ccc20f932ba6f63365302298980f9b1077fd164
module.build_terraform_image.null_resource.run_command[0] (local-exec):         projectId: prj-b-cicd-82vv
module.build_terraform_image.null_resource.run_command[0] (local-exec):         repoName: tf-cloudbuilder
module.build_terraform_image.null_resource.run_command[0] (local-exec):     sourceProvenance:
module.build_terraform_image.null_resource.run_command[0] (local-exec):       resolvedRepoSource:
module.build_terraform_image.null_resource.run_command[0] (local-exec):         commitSha: 6ccc20f932ba6f63365302298980f9b1077fd164
module.build_terraform_image.null_resource.run_command[0] (local-exec):         projectId: prj-b-cicd-82vv
module.build_terraform_image.null_resource.run_command[0] (local-exec):         repoName: tf-cloudbuilder
module.build_terraform_image.null_resource.run_command[0] (local-exec):     status: QUEUED
module.build_terraform_image.null_resource.run_command[0] (local-exec):     steps:
module.build_terraform_image.null_resource.run_command[0] (local-exec):     - args:
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - build
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - --tag=us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1.3.0
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - --tag=us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - --tag=us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1.3
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - --build-arg=TERRAFORM_VERSION=1.3.0
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - .
module.build_terraform_image.null_resource.run_command[0] (local-exec):       name: gcr.io/cloud-builders/docker
module.build_terraform_image.null_resource.run_command[0] (local-exec):     - args:
module.build_terraform_image.null_resource.run_command[0] (local-exec):       - version
module.build_terraform_image.null_resource.run_command[0] (local-exec):       name: us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1.3.0
module.build_terraform_image.null_resource.run_command[0] (local-exec):     substitutions:
module.build_terraform_image.null_resource.run_command[0] (local-exec):       BRANCH_NAME: main
module.build_terraform_image.null_resource.run_command[0] (local-exec):       COMMIT_SHA: 6ccc20f932ba6f63365302298980f9b1077fd164
module.build_terraform_image.null_resource.run_command[0] (local-exec):       REF_NAME: main
module.build_terraform_image.null_resource.run_command[0] (local-exec):       REPO_NAME: tf-cloudbuilder
module.build_terraform_image.null_resource.run_command[0] (local-exec):       REVISION_ID: 6ccc20f932ba6f63365302298980f9b1077fd164
module.build_terraform_image.null_resource.run_command[0] (local-exec):       SHORT_SHA: 6ccc20f
module.build_terraform_image.null_resource.run_command[0] (local-exec):       TRIGGER_BUILD_CONFIG_PATH: ''
module.build_terraform_image.null_resource.run_command[0] (local-exec):       TRIGGER_NAME: tf-cloud-builder-build
module.build_terraform_image.null_resource.run_command[0] (local-exec):       _TERRAFORM_FULL_VERSION: 1.3.0
module.build_terraform_image.null_resource.run_command[0] (local-exec):       _TERRAFORM_MAJOR_VERSION: '1'
module.build_terraform_image.null_resource.run_command[0] (local-exec):       _TERRAFORM_MINOR_VERSION: '1.3'
module.build_terraform_image.null_resource.run_command[0] (local-exec):     tags:
module.build_terraform_image.null_resource.run_command[0] (local-exec):     - trigger-29a34ab9-e42f-4f02-9d42-614d7be613c9
module.build_terraform_image.null_resource.run_command[0] (local-exec):     timeout: 1200s
module.build_terraform_image.null_resource.run_command[0] (local-exec): name: operations/build/prj-b-cicd-82vv/NTExOTIzZWMtNGRiYS00M2E3LWI4ODMtZGY4MWQ5MzQ1NDNi
module.build_terraform_image.null_resource.run_command[0]: Creation complete after 3s [id=80237499979993840]

Apply complete! Resources: 5 added, 0 changed, 1 destroyed.

Outputs:

bootstrap_step_terraform_service_account_email = "sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com"
cloud_build_peered_network_id = "projects/prj-b-cicd-82vv/global/networks/vpc-b-cbpools"
cloud_build_private_worker_pool_id = "projects/prj-b-cicd-82vv/locations/us-central1/workerPools/private-pool-yqvb"
cloud_build_worker_peered_ip_range = "192.168.0.0/24"
cloud_build_worker_range_id = "projects/prj-b-cicd-82vv/global/addresses/ga-b-cbpools-worker-pool-range"
cloud_builder_artifact_repo = "projects/prj-b-cicd-82vv/locations/us-central1/repositories/tf-runners"
cloudbuild_project_id = "prj-b-cicd-82vv"
common_config = {
  "billing_account" = "01BCCE-4EC0EE-DC58C8"
  "bootstrap_folder_name" = "folders/173484768969"
  "default_region" = "us-central1"
  "folder_prefix" = "fldr"
  "org_id" = "1064386348915"
  "parent_folder" = "736660879367"
  "parent_id" = "folders/736660879367"
  "project_prefix" = "prj"
}
csr_repos = {
  "gcp-bootstrap" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-bootstrap"
    "name" = "gcp-bootstrap"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-bootstrap"
  }
  "gcp-environments" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-environments"
    "name" = "gcp-environments"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-environments"
  }
  "gcp-networks" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-networks"
    "name" = "gcp-networks"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-networks"
  }
  "gcp-org" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-org"
    "name" = "gcp-org"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-org"
  }
  "gcp-policies" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-policies"
    "name" = "gcp-policies"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-policies"
  }
  "gcp-projects" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-projects"
    "name" = "gcp-projects"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-projects"
  }
  "tf-cloudbuilder" = {
    "id" = "projects/prj-b-cicd-82vv/repos/tf-cloudbuilder"
    "name" = "tf-cloudbuilder"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/tf-cloudbuilder"
  }
}
environment_step_terraform_service_account_email = "sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com"
gcs_bucket_cloudbuild_artifacts = {
  "bootstrap" = "bkt-prj-b-cicd-82vv-gcp-bootstrap-build-artifacts"
  "env" = "bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts"
  "net" = "bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts"
  "org" = "bkt-prj-b-cicd-82vv-gcp-org-build-artifacts"
  "proj" = "bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts"
}
gcs_bucket_cloudbuild_logs = {
  "bootstrap" = "bkt-prj-b-cicd-82vv-gcp-bootstrap-build-logs"
  "env" = "bkt-prj-b-cicd-82vv-gcp-environments-build-logs"
  "net" = "bkt-prj-b-cicd-82vv-gcp-networks-build-logs"
  "org" = "bkt-prj-b-cicd-82vv-gcp-org-build-logs"
  "proj" = "bkt-prj-b-cicd-82vv-gcp-projects-build-logs"
}
gcs_bucket_tfstate = "bkt-prj-b-seed-tfstate-7120"
networks_step_terraform_service_account_email = "sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com"
optional_groups = tomap({
  "gcp_global_secrets_admin" = "gcp_global_secrets_admin_local_test@obrienlabs.xyz"
  "gcp_kms_admin" = "gcp_kms_admin_local_test@obrienlabs.xyz"
  "gcp_network_viewer" = "gcp_network_viewer_local_test@obrienlabs.xyz"
  "gcp_scc_admin" = "gcp_scc_admin_local_test@obrienlabs.xyz"
  "gcp_security_reviewer" = "gcp_security_reviewer_local_test@obrienlabs.xyz"
})
organization_step_terraform_service_account_email = "sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com"
projects_gcs_bucket_tfstate = "bkt-prj-b-seed-8919-gcp-projects-tfstate"
projects_step_terraform_service_account_email = "sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com"
required_groups = tomap({
  "audit_data_users" = "gcp-audit-data@obrienlabs.xyz"
  "billing_data_users" = "gcp-billing-data@obrienlabs.xyz"
  "group_billing_admins" = "gcp-billing-admins@obrienlabs.xyz"
  "group_org_admins" = "gcp-organization-admins@obrienlabs.xyz"
  "monitoring_workspace_users" = "gcp-monitoring-workspace@obrienlabs.xyz"
})
seed_project_id = "prj-b-seed-8919"
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ 


(screenshot: 2024-04-09 12:15:54)

@obriensystems
Collaborator

obriensystems commented Apr 9, 2024

0-bootstrap inventory

  • project: prj-b-cicd-82vv
  • project: prj-b-seed-8919
  • 7 CSR repos under prj-b-cicd-82vv
  • 1 artifact registry tf-runners terraform 1.3 image
(four screenshots of the 0-bootstrap inventory, 2024-04-09 13:51 to 13:53)

step 8 of 0-bootstrap - service accounts

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ export network_step_sa=$(./terraform output -raw networks_step_terraform_service_account_email)
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ echo "network step service account = ${network_step_sa}"
network step service account = sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ export projects_step_sa=$(./terraform output -raw projects_step_terraform_service_account_email)
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ echo "projects step service account = ${projects_step_sa}"
projects step service account = sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ export projects_gcs_bucket_tfstate=$(./terraform output -raw projects_gcs_bucket_tfstate)
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ echo "projects gcs bucket tfstate = ${projects_gcs_bucket_tfstate}"
projects gcs bucket tfstate = bkt-prj-b-seed-8919-gcp-projects-tfstate


michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ cp backend.tf.example backend.tf
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ cd ..
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding (tef-olxyz)$ for i in `find . -name 'backend.tf'`; do sed -i'' -e "s/UPDATE_ME/${backend_bucket}/" $i; done
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding (tef-olxyz)$ for i in `find . -name 'backend.tf'`; do sed -i'' -e "s/UPDATE_PROJECTS_BACKEND/${backend_bucket_projects}/" $i; done

cd 0-bootstrap
michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ cat backend.tf

terraform {
  backend "gcs" {
    bucket = "bkt-prj-b-seed-tfstate-7120"
    prefix = "terraform/bootstrap/state"
  }
}

skip 2nd update of step 10 of 0-bootstrap
#368

11 - update backend bucket state - terraform init/plan/

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ ./terraform init
Initializing modules...

Initializing the backend...
Acquiring state lock. This may take a few moments...
Do you want to copy existing state to the new backend?
  Pre-existing state was found while migrating the previous "local" backend to the
  newly configured "gcs" backend. No existing state was found in the newly
  configured "gcs" backend. Do you want to copy this state to the new "gcs"
  backend? Enter "yes" to copy and "no" to start with an empty state.

  Enter a value: yes


Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Reusing previous version of hashicorp/random from the dependency lock file
- Reusing previous version of hashicorp/time from the dependency lock file
- Reusing previous version of hashicorp/google-beta from the dependency lock file
- Reusing previous version of hashicorp/null from the dependency lock file
- Reusing previous version of hashicorp/external from the dependency lock file
- Reusing previous version of hashicorp/google from the dependency lock file
- Using previously-installed hashicorp/random v3.6.0
- Using previously-installed hashicorp/time v0.11.1
- Using previously-installed hashicorp/google-beta v5.24.0
- Using previously-installed hashicorp/null v3.2.2
- Using previously-installed hashicorp/external v2.3.3
- Using previously-installed hashicorp/google v5.24.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

13 - clone policy repo

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ cd ../..
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ gcloud source repos clone gcp-policies --project=${cloudbuild_project_id}
Cloning into '/home/michael/tef-olxyz/github/gcp-policies'...
warning: You appear to have cloned an empty repository.
Project [prj-b-cicd-82vv] repository [gcp-policies] was cloned to [/home/michael/tef-olxyz/github/gcp-policies].

michael@cloudshell:~/tef-olxyz/github/gcp-policies (tef-olxyz)$ git checkout -b main
Switched to a new branch 'main'
michael@cloudshell:~/tef-olxyz/github/gcp-policies (tef-olxyz)$ cp -RT ../pbmm-on-gcp-onboarding/policy-library/ .
michael@cloudshell:~/tef-olxyz/github/gcp-policies (tef-olxyz)$ ls
lib  policies
michael@cloudshell:~/tef-olxyz/github/gcp-policies (tef-olxyz)$ git add .
michael@cloudshell:~/tef-olxyz/github/gcp-policies (tef-olxyz)$ git commit -m 'Initialize policy library repo'
[main (root-commit) f4f1736] Initialize policy library repo
 112 files changed, 9682 insertions(+)
 create mode 100644 lib/constraints.rego
 create mode 100644 lib/util.rego
 create mode 100644 lib/util_test.rego
 create mode 100644 policies/constraints/appengine_versions.yaml
 create mode 100644 policies/constraints/bigquery_world_readable.yaml
 create mode 100644 policies/constraints/dnssec_prevent_rsasha1_ksk.yaml
 create mode 100644 policies/constraints/dnssec_prevent_rsasha1_zsk.yaml
 create mode 100644 policies/constraints/gke_allow_only_private_cluster.yaml
 create mode 100644 policies/constraints/gke_allowed_node_sa_scope.yaml
 create mode 100644 policies/constraints/gke_container_optimized_os.yaml
 create mode 100644 policies/constraints/gke_dashboard_disable.yaml
 create mode 100644 policies/constraints/gke_disable_default_service_account.yaml
 create mode 100644 policies/constraints/gke_disable_legacy_endpoints.yaml
 create mode 100644 policies/constraints/gke_enable_alias_ip_ranges.yaml
 create mode 100644 policies/constraints/gke_legacy_abac.yaml
 create mode 100644 policies/constraints/gke_master_authorized_networks_enabled.yaml
 create mode 100644 policies/constraints/gke_node_pool_auto_repair.yaml
 create mode 100644 policies/constraints/gke_node_pool_auto_upgrade.yaml
 create mode 100644 policies/constraints/gke_restrict_client_auth_methods.yaml
 create mode 100644 policies/constraints/gke_restrict_pod_traffic.yaml
 create mode 100644 policies/constraints/iam_deny_public.yaml
 create mode 100644 policies/constraints/network_enable_flow_logs.yaml
 create mode 100644 policies/constraints/network_enable_private_google_access.yaml
 create mode 100644 policies/constraints/restrict_fw_rules_rdp_world_open.yaml
 create mode 100644 policies/constraints/restrict_fw_rules_ssh_world_open.yaml
 create mode 100644 policies/constraints/restrict_fw_rules_world_open.yaml
 create mode 100644 policies/constraints/serviceusage_allow_basic_apis.yaml
 create mode 100644 policies/constraints/sql_public_ip.yaml
 create mode 100644 policies/constraints/sql_ssl.yaml
 create mode 100644 policies/constraints/storage_bucket_policy_only.yaml
 create mode 100644 policies/constraints/storage_denylist_public.yaml
 create mode 100644 policies/templates/gcp_allowed_resource_types.yaml
 create mode 100644 policies/templates/gcp_always_violates_v1.yaml
 create mode 100644 policies/templates/gcp_app_service_versions.yaml
 create mode 100644 policies/templates/gcp_appengine_location_v1.yaml
 create mode 100644 policies/templates/gcp_bigquery_cmek_encryption_v1.yaml
 create mode 100644 policies/templates/gcp_bigquery_dataset_world_readable_v1.yaml
 create mode 100644 policies/templates/gcp_bigquery_table_retention_v1.yaml
 create mode 100644 policies/templates/gcp_bq_dataset_location_v1.yaml
 create mode 100644 policies/templates/gcp_cmek_rotation_v1.yaml
 create mode 100644 policies/templates/gcp_cmek_settings_v1.yaml
 create mode 100644 policies/templates/gcp_compute_allowed_networks.yaml
 create mode 100644 policies/templates/gcp_compute_disk_resource_policies_v1.yaml
 create mode 100644 policies/templates/gcp_compute_external_ip_address.yaml
 create mode 100644 policies/templates/gcp_compute_ip_forward.yaml
 create mode 100644 policies/templates/gcp_compute_zone_v1.yaml
 create mode 100644 policies/templates/gcp_dataproc_location_v1.yaml
 create mode 100644 policies/templates/gcp_dnssec_prevent_rsasha1_v1.yaml
 create mode 100644 policies/templates/gcp_dnssec_v1.yaml
 create mode 100644 policies/templates/gcp_enforce_labels_v1.yaml
 create mode 100644 policies/templates/gcp_enforce_naming_v1.yaml
 create mode 100644 policies/templates/gcp_gke_allowed_node_sa_v1.yaml
 create mode 100644 policies/templates/gcp_gke_cluster_location.yaml
 create mode 100644 policies/templates/gcp_gke_cluster_version_v1.yaml
 create mode 100644 policies/templates/gcp_gke_container_optimized_os.yaml
 create mode 100644 policies/templates/gcp_gke_dashboard_v1.yaml
 create mode 100644 policies/templates/gcp_gke_disable_default_service_account_v1.yaml
 create mode 100644 policies/templates/gcp_gke_disable_legacy_endpoints_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_alias_ip_ranges.yaml
 create mode 100644 policies/templates/gcp_gke_enable_private_endpoint.yaml
 create mode 100644 policies/templates/gcp_gke_enable_shielded_nodes_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_stackdriver_kubernetes_engine_monitoring_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_stackdriver_logging_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_stackdriver_monitoring_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_workload_identity_v1.yaml
 create mode 100644 policies/templates/gcp_gke_legacy_abac_v1.yaml
 create mode 100644 policies/templates/gcp_gke_master_authorized_networks_enabled_v1.yaml
 create mode 100644 policies/templates/gcp_gke_node_auto_repair_v1.yaml
 create mode 100644 policies/templates/gcp_gke_node_auto_upgrade_v1.yaml
 create mode 100644 policies/templates/gcp_gke_private_cluster_v1.yaml
 create mode 100644 policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml
 create mode 100644 policies/templates/gcp_gke_restrict_pod_traffic_v1.yaml
 create mode 100644 policies/templates/gcp_glb_external_ip_access_constraint_v1.yaml
 create mode 100644 policies/templates/gcp_iam_allow_ban_roles_v1.yaml
 create mode 100644 policies/templates/gcp_iam_allowed_bindings.yaml
 create mode 100644 policies/templates/gcp_iam_allowed_policy_member_domains.yaml
 create mode 100644 policies/templates/gcp_iam_audit_log.yaml
 create mode 100644 policies/templates/gcp_iam_custom_role_permissions_v1.yaml
 create mode 100644 policies/templates/gcp_iam_required_bindings_v1.yaml
 create mode 100644 policies/templates/gcp_iam_restrict_service_account_creation_v1.yaml
 create mode 100644 policies/templates/gcp_iam_restrict_service_account_key_age_v1.yaml
 create mode 100644 policies/templates/gcp_iam_restrict_service_account_key_type_v1.yaml
 create mode 100644 policies/templates/gcp_lb_forwarding_rules.yaml
 create mode 100644 policies/templates/gcp_network_enable_firewall_logs_v1.yaml
 create mode 100644 policies/templates/gcp_network_enable_flow_logs_v1.yaml
 create mode 100644 policies/templates/gcp_network_enable_private_google_access_v1.yaml
 create mode 100644 policies/templates/gcp_network_restrict_default_v1.yaml
 create mode 100644 policies/templates/gcp_network_routing_v1.yaml
 create mode 100644 policies/templates/gcp_resource_value_pattern_v1.yaml
 create mode 100644 policies/templates/gcp_restricted_firewall_rules_v1.yaml
 create mode 100644 policies/templates/gcp_serviceusage_allowed_services_v1.yaml
 create mode 100644 policies/templates/gcp_spanner_location_v1.yaml
 create mode 100644 policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
 create mode 100644 policies/templates/gcp_sql_backup_v1.yaml
 create mode 100644 policies/templates/gcp_sql_instance_type_v1.yaml
 create mode 100644 policies/templates/gcp_sql_location_v1.yaml
 create mode 100644 policies/templates/gcp_sql_maintenance_window_v1.yaml
 create mode 100644 policies/templates/gcp_sql_public_ip_v1.yaml
 create mode 100644 policies/templates/gcp_sql_ssl_v1.yaml
 create mode 100644 policies/templates/gcp_sql_world_readable_v1.yaml
 create mode 100644 policies/templates/gcp_storage_bucket_policy_only_v1.yaml
 create mode 100644 policies/templates/gcp_storage_bucket_retention_v1.yaml
 create mode 100644 policies/templates/gcp_storage_bucket_world_readable_v1.yaml
 create mode 100644 policies/templates/gcp_storage_cmek_encryption_v1.yaml
 create mode 100644 policies/templates/gcp_storage_location_v1.yaml
 create mode 100644 policies/templates/gcp_storage_logging_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_allowed_regions.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_ensure_access_levels_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_ensure_project_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_ensure_services_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_ip_range_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_project_perimeter.yaml
michael@cloudshell:~/tef-olxyz/github/gcp-policies (tef-olxyz)$ git push --set-upstream origin main
Enumerating objects: 118, done.
Counting objects: 100% (118/118), done.
Delta compression using up to 4 threads
Compressing objects: 100% (118/118), done.
Writing objects: 100% (118/118), 72.63 KiB | 2.69 MiB/s, done.
Total 118 (delta 87), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (87/87)
remote: Waiting for private key checker: 94/112 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-policies
 * [new branch]      main -> main
Branch 'main' set up to track remote branch 'main' from 'origin'.

michael@cloudshell:~/tef-olxyz/github/gcp-policies (tef-olxyz)$ cd ..
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ gcloud source repos clone gcp-bootstrap --project=${cloudbuild_project_id}
Cloning into '/home/michael/tef-olxyz/github/gcp-bootstrap'...
warning: You appear to have cloned an empty repository.
Project [prj-b-cicd-82vv] repository [gcp-bootstrap] was cloned to [/home/michael/tef-olxyz/github/gcp-bootstrap].
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cd gcp-bootstrap/
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$  git checkout -b plan
Switched to a new branch 'plan'
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ mkdir -p envs/shared
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$  cp -RT ../pbmm-on-gcp-onboarding/0-bootstrap/ ./envs/shared
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/cloudbuild-tf-* .
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/tf-wrapper.sh .
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ chmod 755 ./tf-wrapper.sh

michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$  git add .
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git commit -m 'Initialize bootstrap repo'
[plan (root-commit) e8bdf0f] Initialize bootstrap repo
 64 files changed, 10044 insertions(+)
 create mode 100644 cloudbuild-tf-apply.yaml
 create mode 100644 cloudbuild-tf-plan.yaml
 create mode 100644 envs/shared/.gitignore
 create mode 100644 envs/shared/.terraform.lock.hcl
 create mode 100644 envs/shared/Dockerfile
 create mode 100644 envs/shared/README-GitHub.md
 create mode 100644 envs/shared/README-GitLab.md
 create mode 100644 envs/shared/README-Jenkins.md
 create mode 100644 envs/shared/README-Terraform-Cloud.md
 create mode 100644 envs/shared/README.md
 create mode 100644 envs/shared/backend.tf
 create mode 100644 envs/shared/backend.tf.cloud.example
 create mode 100644 envs/shared/backend.tf.example
 create mode 100644 envs/shared/bootstrap.tfplan
 create mode 100644 envs/shared/cb.tf
 create mode 100644 envs/shared/files/private_key_example.png
 create mode 100644 envs/shared/github.tf.example
 create mode 100644 envs/shared/gitlab.tf.example
 create mode 100644 envs/shared/groups.tf
 create mode 100644 envs/shared/jenkins.tf.example
 create mode 100644 envs/shared/main.tf
 create mode 100644 envs/shared/modules/cb-private-pool/README.md
 create mode 100644 envs/shared/modules/cb-private-pool/main.tf
 create mode 100644 envs/shared/modules/cb-private-pool/network.tf
 create mode 100644 envs/shared/modules/cb-private-pool/outputs.tf
 create mode 100644 envs/shared/modules/cb-private-pool/variables.tf
 create mode 100644 envs/shared/modules/cb-private-pool/versions.tf
 create mode 100644 envs/shared/modules/cb-private-pool/vpn_ha.tf
 create mode 100644 envs/shared/modules/gitlab-oidc/main.tf
 create mode 100644 envs/shared/modules/gitlab-oidc/outputs.tf
 create mode 100644 envs/shared/modules/gitlab-oidc/variables.tf
 create mode 100644 envs/shared/modules/gitlab-oidc/versions.tf
 create mode 100644 envs/shared/modules/jenkins-agent/README.md
 create mode 100755 envs/shared/modules/jenkins-agent/files/jenkins_gce_startup_script.sh
 create mode 100644 envs/shared/modules/jenkins-agent/main.tf
 create mode 100644 envs/shared/modules/jenkins-agent/outputs.tf
 create mode 100644 envs/shared/modules/jenkins-agent/variables.tf
 create mode 100644 envs/shared/modules/jenkins-agent/versions.tf
 create mode 100644 envs/shared/modules/jenkins-agent/vpn_ha.tf
 create mode 100644 envs/shared/modules/parent-iam-member/main.tf
 create mode 100644 envs/shared/modules/parent-iam-member/variables.tf
 create mode 100644 envs/shared/modules/parent-iam-member/versions.tf
 create mode 100644 envs/shared/modules/parent-iam-remove-role/main.tf
 create mode 100644 envs/shared/modules/parent-iam-remove-role/variables.tf
 create mode 100644 envs/shared/modules/parent-iam-remove-role/versions.tf
 create mode 100644 envs/shared/modules/tfc-agent-gke/README.md
 create mode 100644 envs/shared/modules/tfc-agent-gke/main.tf
 create mode 100644 envs/shared/modules/tfc-agent-gke/outputs.tf
 create mode 100644 envs/shared/modules/tfc-agent-gke/variables.tf
 create mode 100644 envs/shared/modules/tfc-agent-gke/versions.tf
 create mode 100644 envs/shared/onprem.md
 create mode 100644 envs/shared/outputs.tf
 create mode 100644 envs/shared/provider.tf
 create mode 100644 envs/shared/sa.tf
 create mode 100755 envs/shared/scripts/git_create_branches_helper.sh
 create mode 100755 envs/shared/scripts/push-to-repo.sh
 create mode 100755 envs/shared/terraform
 create mode 100644 envs/shared/terraform.example.tfvars
 create mode 100644 envs/shared/terraform.tfvars
 create mode 100644 envs/shared/terraform_1.3.10_linux_amd64.zip
 create mode 100644 envs/shared/terraform_cloud.tf.example
 create mode 100644 envs/shared/variables.tf
 create mode 100644 envs/shared/versions.tf
 create mode 100755 tf-wrapper.sh
michael@cloudshell:~/tef-olxyz/github/gcp-bootstrap (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 78, done.
Counting objects: 100% (78/78), done.
Delta compression using up to 4 threads
Compressing objects: 100% (77/77), done.
Writing objects: 100% (78/78), 37.93 MiB | 5.91 MiB/s, done.
Total 78 (delta 23), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (23/23)
remote: Waiting for private key checker: 25/62 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-bootstrap
 * [new branch]      plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'.

repos
(two screenshots of the CSR repos, 2024-04-09 14:35 and 14:36)
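The gcp-policies repo pushed above holds the policy library's Rego templates and YAML constraints (restrict_fw_rules_ssh_world_open, restrict_fw_rules_rdp_world_open, restrict_fw_rules_world_open, iam_deny_public, ...). As an added example, not code from this issue or from the pbmm-on-gcp-onboarding project, the Python below is a stand-alone approximation of what those four constraints check, run over the JSON form of a Terraform plan (`terraform show -json <plan>`). The plan document inside it is constructed for the example; the real constraints are evaluated as Rego by the pipeline's policy tooling, and this does not replace that.

```python
"""Added example (not from this issue or the pbmm-on-gcp-onboarding project):
a stand-alone approximation of four policy-library constraints, applied to a
`terraform show -json` plan. SAMPLE_PLAN is constructed for the example."""
import json

WORLD_RANGES = {"0.0.0.0/0", "::/0"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
WATCHED_PORTS = {22: "ssh", 3389: "rdp"}   # restrict_fw_rules_{ssh,rdp}_world_open


def _exposed_labels(allow_blocks):
    """Labels of the watched ports that an ingress rule's allow blocks open.
    Protocol 'all', or tcp/udp with no port list, opens every port."""
    labels = set()
    for allow in allow_blocks or []:
        proto = allow.get("protocol", "")
        ports = allow.get("ports") or []
        if proto == "all" or (proto in ("tcp", "udp") and not ports):
            return set(WATCHED_PORTS.values())
        for spec in ports:                      # "22" or "3000-4000"
            lo, _, hi = str(spec).partition("-")
            lo, hi = int(lo), int(hi or lo)
            labels.update(label for port, label in WATCHED_PORTS.items()
                          if lo <= port <= hi)
    return labels


def check_plan(plan):
    """Return [(constraint_name, resource_address)] for resources the plan will
    create or update. Deletions and no-ops are skipped; they add no exposure."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if not ({"create", "update"} & set(change.get("actions", []))):
            continue
        after = change.get("after") or {}
        rtype, addr = rc["type"], rc["address"]

        # restrict_fw_rules_world_open, plus the ssh/rdp-specific variants
        if rtype == "google_compute_firewall" and after.get("direction", "INGRESS") == "INGRESS":
            if WORLD_RANGES & set(after.get("source_ranges") or []):
                findings.append(("restrict_fw_rules_world_open", addr))
                for label in sorted(_exposed_labels(after.get("allow"))):
                    findings.append((f"restrict_fw_rules_{label}_world_open", addr))

        # iam_deny_public: no allUsers / allAuthenticatedUsers in a binding or member
        if rtype.endswith(("_iam_binding", "_iam_member")):
            members = set(after.get("members") or [])
            if after.get("member"):
                members.add(after["member"])
            if PUBLIC_MEMBERS & members:
                findings.append(("iam_deny_public", addr))
    return findings


# Constructed plan: one world-open SSH rule, one internal-only rule, one public
# bucket binding, and a deletion that must be ignored.
SAMPLE_PLAN = json.loads(r"""
{"resource_changes": [
  {"address": "google_compute_firewall.allow_ssh", "type": "google_compute_firewall",
   "change": {"actions": ["create"], "after": {"direction": "INGRESS",
     "source_ranges": ["0.0.0.0/0"], "allow": [{"protocol": "tcp", "ports": ["22"]}]}}},
  {"address": "google_compute_firewall.allow_internal", "type": "google_compute_firewall",
   "change": {"actions": ["create"], "after": {"direction": "INGRESS",
     "source_ranges": ["10.0.0.0/8"], "allow": [{"protocol": "tcp", "ports": ["0-65535"]}]}}},
  {"address": "google_storage_bucket_iam_member.public", "type": "google_storage_bucket_iam_member",
   "change": {"actions": ["create"], "after": {"role": "roles/storage.objectViewer", "member": "allUsers"}}},
  {"address": "google_compute_firewall.old_rdp", "type": "google_compute_firewall",
   "change": {"actions": ["delete"], "before": {"source_ranges": ["0.0.0.0/0"]}, "after": null}}
]}
""")

if __name__ == "__main__":
    import sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for name, addr in check_plan(plan):
        print(f"{name}: {addr}")
```

To use it against a real plan from the pipeline, run `terraform show -json envs/shared/bootstrap.tfplan > plan.json` and pass `plan.json` as the argument; a non-empty result is what the plan stage should fail on.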
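The 'Initialize bootstrap repo' commit above carries envs/shared/bootstrap.tfplan, envs/shared/terraform.tfvars, the envs/shared/terraform binary (mode 100755) and envs/shared/terraform_1.3.10_linux_amd64.zip into the CSR repo. A plan file embeds the resolved variable and state values of the run, and a vendored binary sidesteps the tf-runners image the bootstrap step just built, so it is worth filtering the staged file list before each push. The check below is an added example, not part of the issue or the project; its pattern lists are assumptions (the TEF flow commits terraform.tfvars, so that file is only flagged for review, not denied).

```python
"""Added example (not from this issue or the pbmm-on-gcp-onboarding project):
flag files that should not travel to the CSR repos with the Terraform sources.
The pattern lists are assumptions; align them with the repo's own .gitignore."""
import fnmatch
import sys

# (glob on the file's basename, reason). Assumed policy, not the project's.
DENY = (
    ("*.tfplan", "plan files embed resolved variable and state values"),
    ("*.tfstate", "state holds resource attributes and secrets in clear text"),
    ("*.tfstate.backup", "state backups hold the same material as state"),
    ("terraform", "vendored terraform binary bypasses the pinned tf-runners image"),
    ("terraform_*_linux_*.zip", "vendored terraform archive"),
)
REVIEW = (
    ("terraform.tfvars", "the TEF commits tfvars; confirm it holds IDs only, no credentials"),
)


def classify(paths):
    """Split repo-relative paths into (deny, review) lists of (path, reason).
    Only the basename is matched, so envs/shared/terraform is caught wherever it sits."""
    deny, review = [], []
    for path in paths:
        base = path.rsplit("/", 1)[-1]
        for pattern, why in DENY:
            if fnmatch.fnmatchcase(base, pattern):
                deny.append((path, why))
                break
        else:
            for pattern, why in REVIEW:
                if fnmatch.fnmatchcase(base, pattern):
                    review.append((path, why))
    return deny, review


# Sample input: a subset of the paths listed in the commit above.
SAMPLE_PATHS = [
    "cloudbuild-tf-apply.yaml",
    "envs/shared/backend.tf",
    "envs/shared/bootstrap.tfplan",
    "envs/shared/main.tf",
    "envs/shared/terraform",
    "envs/shared/terraform.tfvars",
    "envs/shared/terraform_1.3.10_linux_amd64.zip",
    "tf-wrapper.sh",
]


def main():
    # Usage: git diff --cached --name-only | python3 check_staged.py
    if sys.stdin.isatty():
        paths = SAMPLE_PATHS
    else:
        paths = [line.strip() for line in sys.stdin if line.strip()]
    deny, review = classify(paths)
    for path, why in review:
        print(f"REVIEW {path}: {why}")
    for path, why in deny:
        print(f"DENY   {path}: {why}")
    return 1 if deny else 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired in as a pre-push hook (or run by hand before `git push --set-upstream origin plan`), a non-zero exit blocks the push until the denied files are removed from the index and added to .gitignore.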

@obriensystems
Collaborator

obriensystems commented Apr 9, 2024

1-org

setup default security command center

Standard pricing is free
https://cloud.google.com/security-command-center/pricing?hl=en&_gl=1*1h2n4gf*_ga*MTg1NzU4NjUzMi4xNzEwOTUyNTUz*_ga_WH2QY8WWF5*MTcxMjY4NzcwNC4xNi4xLjE3MTI2ODc4OTkuMC4wLjA.&_ga=2.92452125.-1857586532.1710952553#security-command-center-pricing

(five screenshots of the Security Command Center setup, 2024-04-09 14:37 to 14:40)

grant SCC roles/sa

securitycenter.serviceAgent
service-org-1064386348915@security-center-api.iam.gserviceaccount.com
(three screenshots of the SCC role grants, 2024-04-09 14:42 to 14:43)

moving to usage
https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/tree/main/1-org#usage

prepare for hub-and-spoke

cp terraform 1.3 while still not in docker

michael@cloudshell:~/tef-olxyz/github/pbmm-on-gcp-onboarding/0-bootstrap (tef-olxyz)$ cd ../..
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cp pbmm-on-gcp-onboarding/0-bootstrap/terraform pbmm-on-gcp-onboarding/1-org/
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ 

1-org step 1 - clone gcp-org

michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="pbmm-on-gcp-onboarding/0-bootstrap/" output -raw cloudbuild_project_id)
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ echo ${CLOUD_BUILD_PROJECT_ID}
prj-b-cicd-82vv
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ gcloud source repos clone gcp-org --project=${CLOUD_BUILD_PROJECT_ID}
Cloning into '/home/michael/tef-olxyz/github/gcp-org'...
warning: You appear to have cloned an empty repository.
Project [prj-b-cicd-82vv] repository [gcp-org] was cloned to [/home/michael/tef-olxyz/github/gcp-org].
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cd gcp-org/
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ git checkout -b plan
Switched to a new branch 'plan'
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ cp -RT ../pbmm-on-gcp-onboarding/1-org/ .
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/cloudbuild-tf-* .
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/tf-wrapper.sh .
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ chmod 755 ./tf-wrapper.sh

check SCC

michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ mv ./envs/shared/terraform.example.tfvars ./envs/shared/terraform.tfvars
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ export ORGANIZATION_ID=$(terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output -json common_config | jq '.org_id' --raw-output)
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ gcloud scc notifications describe "scc-notify" --organization=${ORGANIZATION_ID}
ERROR: (gcloud.scc.notifications.describe) NOT_FOUND: Requested entity was not found.

check ACM policy

michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}"
access_context_manager_policy_id = 

update bucket

michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ export backend_bucket=$(terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output -raw gcs_bucket_tfstate)
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ echo "remote_state_bucket = ${backend_bucket}"
remote_state_bucket = bkt-prj-b-seed-tfstate-7120
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./envs/shared/terraform.tfvars
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ if [ ! -z "${ACCESS_CONTEXT_MANAGER_ID}" ]; then sed -i'' -e "s=//create_access_context_manager_access_policy=create_access_context_manager_access_policy=" ./envs/shared/terraform.tfvars; fi

1-org step 7/8 commit/push - trigger cloud build

michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ git diff
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ git add .
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ git commit -m 'Initialize org repo'
[plan (root-commit) d21b4fd] Initialize org repo
 44 files changed, 4805 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 cloudbuild-tf-apply.yaml
 create mode 100644 cloudbuild-tf-plan.yaml
 create mode 100644 envs/shared/README.md
 create mode 100644 envs/shared/backend.tf
 create mode 100644 envs/shared/backend.tf.cloud.example
 create mode 100644 envs/shared/cai_monitoring.tf
 create mode 100644 envs/shared/essential_contacts.tf
 create mode 100644 envs/shared/folders.tf
 create mode 100644 envs/shared/iam.tf
 create mode 100644 envs/shared/log_sinks.tf
 create mode 100644 envs/shared/org_policy.tf
 create mode 100644 envs/shared/outputs.tf
 create mode 100644 envs/shared/projects.tf
 create mode 100644 envs/shared/providers.tf
 create mode 100644 envs/shared/remote.tf
 create mode 100644 envs/shared/remote.tf.cloud.example
 create mode 100644 envs/shared/scc_notification.tf
 create mode 100644 envs/shared/tags.tf
 create mode 100644 envs/shared/terraform.tfvars
 create mode 100644 envs/shared/variables.tf
 create mode 100644 envs/shared/versions.tf
 create mode 100644 modules/cai-monitoring/README.md
 create mode 100644 modules/cai-monitoring/function-source/index.js
 create mode 100644 modules/cai-monitoring/function-source/package-lock.json
 create mode 100644 modules/cai-monitoring/function-source/package.json
 create mode 100644 modules/cai-monitoring/iam.tf
 create mode 100644 modules/cai-monitoring/main.tf
 create mode 100644 modules/cai-monitoring/outputs.tf
 create mode 100644 modules/cai-monitoring/providers.tf
 create mode 100644 modules/cai-monitoring/variables.tf
 create mode 100644 modules/cai-monitoring/versions.tf
 create mode 100644 modules/centralized-logging/README.md
 create mode 100644 modules/centralized-logging/main.tf
 create mode 100644 modules/centralized-logging/outputs.tf
 create mode 100644 modules/centralized-logging/variables.tf
 create mode 100644 modules/centralized-logging/versions.tf
 create mode 100644 modules/network/main.tf
 create mode 100644 modules/network/outputs.tf
 create mode 100644 modules/network/variables.tf
 create mode 100644 modules/network/versions.tf
 create mode 100755 terraform
 create mode 100755 tf-wrapper.sh
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 53, done.
Counting objects: 100% (53/53), done.
Delta compression using up to 4 threads
Compressing objects: 100% (52/52), done.
Writing objects: 100% (53/53), 18.59 MiB | 3.53 MiB/s, done.
Total 53 (delta 10), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (10/10)
remote: Waiting for private key checker: 11/43 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-org
 * [new branch]      plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'.

check cloud build failures on the region - for bootstrap

module.tf_workspace["org"].google_cloudbuild_trigger.triggers["apply"]: Refreshing state... [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/343ac1be-ff42-4c5b-9a8d-8a751ff02767]

Error: Error when reading or editing CloudIdentityGroup "groups/00lnxbz93t65t5i": googleapi: Error 403: Error(2028): Permission denied for resource groups/00lnxbz93t65t5i (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/00lnxbz93t65t5i (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/00lnxbz93t65t5i",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.optional_group["gcp_security_reviewer"].google_cloud_identity_group.group,
  on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {


Error: Error when reading or editing CloudIdentityGroup "groups/00qsh70q0qfhim5": googleapi: Error 403: Error(2028): Permission denied for resource groups/00qsh70q0qfhim5 (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/00qsh70q0qfhim5 (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/00qsh70q0qfhim5",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.optional_group["gcp_global_secrets_admin"].google_cloud_identity_group.group,
  on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {


Error: Error when reading or editing CloudIdentityGroup "groups/01302m9230sowha": googleapi: Error 403: Error(2028): Permission denied for resource groups/01302m9230sowha (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/01302m9230sowha (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/01302m9230sowha",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.optional_group["gcp_network_viewer"].google_cloud_identity_group.group,
  on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {


Error: Error when reading or editing CloudIdentityGroup "groups/026in1rg44cfho5": googleapi: Error 403: Error(2028): Permission denied for resource groups/026in1rg44cfho5 (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/026in1rg44cfho5 (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/026in1rg44cfho5",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.optional_group["gcp_kms_admin"].google_cloud_identity_group.group,
  on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {


Error: Error when reading or editing CloudIdentityGroup "groups/00gjdgxs1x7221w": googleapi: Error 403: Error(2028): Permission denied for resource groups/00gjdgxs1x7221w (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/00gjdgxs1x7221w (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/00gjdgxs1x7221w",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.optional_group["gcp_scc_admin"].google_cloud_identity_group.group,
  on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {


Error: Error when reading or editing CloudIdentityGroup "groups/01664s551a7c2b7": googleapi: Error 403: Error(2028): Permission denied for resource groups/01664s551a7c2b7 (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/01664s551a7c2b7 (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/01664s551a7c2b7",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.required_group["audit_data_users"].google_cloud_identity_group.group,
  on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {


Error: Error when reading or editing CloudIdentityGroup "groups/035nkun24jo9ze2": googleapi: Error 403: Error(2028): Permission denied for resource groups/035nkun24jo9ze2 (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/035nkun24jo9ze2 (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/035nkun24jo9ze2",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.required_group["monitoring_workspace_users"].google_cloud_identity_group.group,
  on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {


Error: Error when reading or editing CloudIdentityGroup "groups/030j0zll0t6edxb": googleapi: Error 403: Error(2028): Permission denied for resource groups/030j0zll0t6edxb (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/030j0zll0t6edxb (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/030j0zll0t6edxb",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.required_group["group_billing_admins"].google_cloud_identity_group.group,
  on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {


Error: Error when reading or editing CloudIdentityGroup "groups/00vx12274fe8dqj": googleapi: Error 403: Error(2028): Permission denied for resource groups/00vx12274fe8dqj (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/00vx12274fe8dqj (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/00vx12274fe8dqj",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.required_group["billing_data_users"].google_cloud_identity_group.group,
  on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {


Error: Error when reading or editing CloudIdentityGroup "groups/02pta16n30qltk1": googleapi: Error 403: Error(2028): Permission denied for resource groups/02pta16n30qltk1 (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/02pta16n30qltk1 (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/02pta16n30qltk1",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.required_group["group_org_admins"].google_cloud_identity_group.group,
  on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {

step 6 not fully complete - missed manual configs like domains

https://source.cloud.google.com/prj-b-cicd-82vv/gcp-org/+/plan:envs/shared/terraform.tfvars?hl=en

domains_to_allow = ["example.com"]
essential_contacts_domains_to_allow = ["@example.com"]
billing_data_users = "gcp-billing-data-users@example.com"
audit_data_users = "gcp-security-admins@example.com"
scc_notification_name = "scc-notify"
remote_state_bucket = "bkt-prj-b-seed-tfstate-7120"
//scc_notification_filter = "state=\\\"ACTIVE\\\""
//enable_hub_and_spoke = true
//create_access_context_manager_access_policy = false
// Optional - If you are deploying Foundation Example in a parent folder
// consider using below create_unique_tag_key var because as Tag Keys are
// unique organization-wide it will add a random suffix at each tag key
//create_unique_tag_key = true

should be
domains_to_allow = ["obrienlabs.xyz"]
essential_contacts_domains_to_allow = ["@obrienlabs.xyz"]
billing_data_users = "gcp-billing-data-users@obrienlabs.xyz"
audit_data_users = "gcp-security-admins@obrienlabs.xyz"
scc_notification_name = "scc-notify"
remote_state_bucket = "bkt-prj-b-seed-tfstate-7120"
//scc_notification_filter = "state=\\\"ACTIVE\\\""
enable_hub_and_spoke = true
//create_access_context_manager_access_policy = false
// Optional - If you are deploying Foundation Example in a parent folder
// consider using below create_unique_tag_key var because as Tag Keys are
// unique organization-wide it will add a random suffix at each tag key
//create_unique_tag_key = true



michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ git diff
diff --git a/envs/shared/terraform.tfvars b/envs/shared/terraform.tfvars
index d8009f8..8879740 100644
--- a/envs/shared/terraform.tfvars
+++ b/envs/shared/terraform.tfvars
@@ -15,13 +15,13 @@
  */
 
 # Must include the domain of the organization you are deploying the foundation.
-domains_to_allow = ["example.com"]
+domains_to_allow = ["obrienlabs.xyz"]
 
-essential_contacts_domains_to_allow = ["@example.com"]
+essential_contacts_domains_to_allow = ["@obrienlabs.xyz"]
 
-billing_data_users = "gcp-billing-data-users@example.com"
+billing_data_users = "gcp-billing-data-users@obrienlabs.xyz"
 
-audit_data_users = "gcp-security-admins@example.com"
+audit_data_users = "gcp-security-admins@obrienlabs.xyz"
 
 scc_notification_name = "scc-notify"
 
@@ -29,7 +29,7 @@ remote_state_bucket = "bkt-prj-b-seed-tfstate-7120"
 
 //scc_notification_filter = "state=\\\"ACTIVE\\\""
 
-//enable_hub_and_spoke = true
+enable_hub_and_spoke = true
 
 //create_access_context_manager_access_policy = false
 
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ 

fix 0-bootstrap build first

moving to #370
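A small pre-push check for the mistake recorded in this comment (committing the `example.com` / `REMOTE_STATE_BUCKET` placeholders from `terraform.example.tfvars` to the plan branch). This is an added example, not code from pbmm-on-gcp-onboarding or the TEF; it parses only the tfvars subset used in `envs/shared/terraform.tfvars` (quoted strings, lists of quoted strings, booleans, `#`/`//` comments) and the sample inputs are the two tfvars versions pasted above plus one constructed mixed case.

```python
"""
Pre-push sanity check for a TEF 1-org envs/shared/terraform.tfvars.

Added example (not code from pbmm-on-gcp-onboarding or the TEF): it flags
placeholder values copied from terraform.example.tfvars before the Cloud
Build plan runs. The parser handles only the tfvars subset used in that
file: key = "string" | ["list"] | true/false, with # and // comment lines;
anything else is ignored.
"""
import re

PLACEHOLDER_DOMAIN = "example.com"          # value shipped in terraform.example.tfvars
PLACEHOLDER_BUCKET = "REMOTE_STATE_BUCKET"  # replaced by the sed step in 1-org usage

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)$")


def parse_tfvars(text):
    """Return {key: value}; commented-out assignments are skipped on purpose."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, rhs = m.group(1), m.group(2)
        if rhs.startswith("["):
            values[key] = re.findall(r'"([^"]*)"', rhs)   # list of quoted strings
        elif rhs.startswith('"') and rhs.endswith('"'):
            values[key] = rhs[1:-1]                        # plain string, no escapes
        elif rhs in ("true", "false"):
            values[key] = rhs == "true"
        else:
            values[key] = rhs
    return values


def check_tfvars(values):
    """Return a list of findings; an empty list means the file is consistent."""
    findings = []
    domains = values.get("domains_to_allow", [])
    if not domains:
        findings.append("domains_to_allow is missing or empty")
    if PLACEHOLDER_DOMAIN in domains:
        findings.append("domains_to_allow still contains the example.com placeholder")
    for entry in values.get("essential_contacts_domains_to_allow", []):
        if not entry.startswith("@"):
            findings.append(f"essential contacts entry {entry!r} must start with '@'")
        elif entry[1:] not in domains:
            findings.append(f"essential contacts domain {entry!r} is not in domains_to_allow")
    # The two group addresses are bound to IAM roles; a group outside the
    # allowed domains is rejected by the domain restriction this stage sets.
    for key in ("billing_data_users", "audit_data_users"):
        email = values.get(key, "")
        if "@" not in email:
            findings.append(f"{key} is missing or not an e-mail address")
        elif email.rsplit("@", 1)[1] not in domains:
            findings.append(f"{key} ({email}) is outside domains_to_allow")
    bucket = values.get("remote_state_bucket", "")
    if not bucket or bucket == PLACEHOLDER_BUCKET:
        findings.append("remote_state_bucket was not substituted")
    return findings


# Sample input: the tfvars contents pasted above in this issue, trimmed to
# the lines the checks look at (raw string so the escaped filter line
# survives as-is; it is commented out and therefore skipped).
EXAMPLE_TFVARS = r'''
domains_to_allow = ["example.com"]
essential_contacts_domains_to_allow = ["@example.com"]
billing_data_users = "gcp-billing-data-users@example.com"
audit_data_users = "gcp-security-admins@example.com"
scc_notification_name = "scc-notify"
remote_state_bucket = "bkt-prj-b-seed-tfstate-7120"
//scc_notification_filter = "state=\\\"ACTIVE\\\""
//enable_hub_and_spoke = true
//create_access_context_manager_access_policy = false
'''

# The corrected version from the "should be" block above.
FIXED_TFVARS = EXAMPLE_TFVARS.replace("example.com", "obrienlabs.xyz").replace(
    "//enable_hub_and_spoke", "enable_hub_and_spoke")

# Constructed third case: one group left on the placeholder domain.
MIXED_TFVARS = FIXED_TFVARS.replace(
    "gcp-security-admins@obrienlabs.xyz", "gcp-security-admins@example.com")


def check_text(text):
    """Parse then check a tfvars string; returns the findings list."""
    return check_tfvars(parse_tfvars(text))


if __name__ == "__main__":
    for name, text in (("example", EXAMPLE_TFVARS), ("fixed", FIXED_TFVARS),
                       ("mixed", MIXED_TFVARS)):
        print(name, check_text(text) or "OK")
```

Run it against `envs/shared/terraform.tfvars` (`check_text(open(path).read())`) before `git push`; a non-empty list is the cue that step 6 of the 1-org usage was skipped.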

@obriensystems (Collaborator) commented Apr 10, 2024

1-org continued - terraform apply with terraform 1.3 on bootstrap as well as cloud build

  • added dns/users and hub-spoke enablement to envs/shared/terraform.tfvars
  • run plan
  • ok

1-org step 9 - terraform apply via production branch

michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ git checkout -b production
Switched to a new branch 'production'
michael@cloudshell:~/tef-olxyz/github/gcp-org (tef-olxyz)$ git push origin production
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-org
 * [new branch]      production -> production

Build OK

Step #2 - "tf plan": Plan: 288 to add, 0 to change, 0 to destroy.

Step #4 - "tf apply": Apply complete! Resources: 288 added, 0 changed, 0 destroyed.
Step #4 - "tf apply": 
Step #4 - "tf apply": Outputs:
Step #4 - "tf apply": 
Step #4 - "tf apply": base_net_hub_project_id = "prj-c-base-net-hub-5y8h"
Step #4 - "tf apply": billing_sink_names = {
Step #4 - "tf apply":   "prj" = "sk-c-logging-prj-billing-wh58"
Step #4 - "tf apply":   "pub" = "sk-c-logging-pub-billing-wh58"
Step #4 - "tf apply":   "sto" = "sk-c-logging-bkt-billing-wh58"
Step #4 - "tf apply": }
Step #4 - "tf apply": cai_monitoring_artifact_registry = "ar-cai-monitoring-4241"
Step #4 - "tf apply": cai_monitoring_asset_feed = "organizations/1064386348915/feeds/fd-cai-monitoring-4241"
Step #4 - "tf apply": cai_monitoring_bucket = "bkt-cai-monitoring-4241-sources-726972909649-us-central1"
Step #4 - "tf apply": cai_monitoring_topic = "top-cai-monitoring-4241-event"
Step #4 - "tf apply": common_folder_name = "folders/96486704059"
Step #4 - "tf apply": dns_hub_project_id = "prj-c-dns-hub-6f4b"
Step #4 - "tf apply": domains_to_allow = tolist([
Step #4 - "tf apply":   "obrienlabs.xyz",
Step #4 - "tf apply": ])
Step #4 - "tf apply": interconnect_project_id = "prj-c-interconnect-s2zg"
Step #4 - "tf apply": interconnect_project_number = "671048289254"
Step #4 - "tf apply": logs_export_project_linked_dataset_name = "projects/prj-c-logging-fn0h/locations/us-central1/buckets/AggregatedLogs/links/ds_c_prj_aggregated_logs_analytics"
Step #4 - "tf apply": logs_export_project_logbucket_name = "AggregatedLogs"
Step #4 - "tf apply": logs_export_pubsub_topic = "tp-org-logs-o9q2"
Step #4 - "tf apply": logs_export_storage_bucket_name = "bkt-prj-c-logging-fn0h-org-logs-o9q2"
Step #4 - "tf apply": network_folder_name = "folders/652472417643"
Step #4 - "tf apply": org_audit_logs_project_id = "prj-c-logging-fn0h"
Step #4 - "tf apply": org_billing_logs_project_id = "prj-c-billing-logs-ve1w"
Step #4 - "tf apply": org_id = "1064386348915"
Step #4 - "tf apply": org_kms_project_id = "prj-c-kms-eeg3"
Step #4 - "tf apply": org_secrets_project_id = "prj-c-secrets-2lxo"
Step #4 - "tf apply": parent_resource_id = "736660879367"
Step #4 - "tf apply": parent_resource_type = "folder"
Step #4 - "tf apply": restricted_net_hub_project_id = "prj-c-restricted-net-hub-a8d5"
Step #4 - "tf apply": restricted_net_hub_project_number = "127928059862"
Step #4 - "tf apply": scc_notification_name = "scc-notify"
Step #4 - "tf apply": scc_notifications_project_id = "prj-c-scc-8zsj"
Step #4 - "tf apply": shared_vpc_projects = {
Step #4 - "tf apply":   "development" = {
Step #4 - "tf apply":     "base_shared_vpc_project_id" = "prj-d-shared-base-nlqs"
Step #4 - "tf apply":     "base_shared_vpc_project_number" = "101627147505"
Step #4 - "tf apply":     "restricted_shared_vpc_project_id" = "prj-d-shared-restricted-j004"
Step #4 - "tf apply":     "restricted_shared_vpc_project_number" = "1045069971921"
Step #4 - "tf apply":   }
Step #4 - "tf apply":   "non-production" = {
Step #4 - "tf apply":     "base_shared_vpc_project_id" = "prj-n-shared-base-b12y"
Step #4 - "tf apply":     "base_shared_vpc_project_number" = "607634801735"
Step #4 - "tf apply":     "restricted_shared_vpc_project_id" = "prj-n-shared-restricted-qnv6"
Step #4 - "tf apply":     "restricted_shared_vpc_project_number" = "856556999326"
Step #4 - "tf apply":   }
Step #4 - "tf apply":   "production" = {
Step #4 - "tf apply":     "base_shared_vpc_project_id" = "prj-p-shared-base-oae0"
Step #4 - "tf apply":     "base_shared_vpc_project_number" = "17819846901"
Step #4 - "tf apply":     "restricted_shared_vpc_project_id" = "prj-p-shared-restricted-2pqc"
Step #4 - "tf apply":     "restricted_shared_vpc_project_number" = "98452292868"
Step #4 - "tf apply":   }
Step #4 - "tf apply": }
Step #4 - "tf apply": tags = {
Step #4 - "tf apply":   "environment_bootstrap" = "tagValues/281484537587812"
Step #4 - "tf apply":   "environment_development" = "tagValues/281483791828482"
Step #4 - "tf apply":   "environment_non-production" = "tagValues/281484388371311"
Step #4 - "tf apply":   "environment_production" = "tagValues/281483304603502"
Step #4 - "tf apply": }
Step #4 - "tf apply": policy-library/policies  doesn't match production; skipping
Step #4 - "tf apply": policy-library/lib  doesn't match production; skipping
Step #4 - "tf apply": policy-library/.git  doesn't match production; skipping
Finished Step #4 - "tf apply"

15 more projects - total of 18 so far


@obriensystems (Collaborator) commented Apr 10, 2024

2-environments

Advisory mail first

New Advisory Notification: Sensitive actions taken in your Google Cloud organization
Dear Google Cloud customer,

You've received an important Google Cloud notification affecting your organization ob...s Google Cloud service(s).

Notification Title: Sensitive actions taken in your Google Cloud organization

2-environments step 1 - csr clone

michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="pbmm-on-gcp-onboarding/0-bootstrap/" output -raw cloudbuild_project_id)
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ echo ${CLOUD_BUILD_PROJECT_ID}
prj-b-cicd-82vv
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ gcloud source repos clone gcp-environments --project=${CLOUD_BUILD_PROJECT_ID}
Cloning into '/home/michael/tef-olxyz/github/gcp-environments'...
warning: You appear to have cloned an empty repository.
Project [prj-b-cicd-82vv] repository [gcp-environments] was cloned to [/home/michael/tef-olxyz/github/gcp-environments].
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ 

michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cd gcp-environments/
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git checkout -b plan
Switched to a new branch 'plan'
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ cp -RT ../pbmm-on-gcp-onboarding/2-environments/ .
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/cloudbuild-tf-* .
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/tf-wrapper.sh .
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ chmod 755 ./tf-wrapper.sh

2-env - do modifications to disable dev - quota reduction

2-env step 3 rename tfvars (copy back to main repo)

michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ mv terraform.example.tfvars terraform.tfvars

michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ export backend_bucket=$(terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output -raw gcs_bucket_tfstate)
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ echo "remote_state_bucket = ${backend_bucket}"
remote_state_bucket = bkt-prj-b-seed-tfstate-7120
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" terraform.tfvars
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ cat terraform.tfvars 

2-env step 5 commit for plan

michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git add .
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ cp terraform.tfvars ../pbmm-on-gcp-onboarding/2-environments/
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git commit -m 'Initialize environments repo'
[plan (root-commit) 2bd201b] Initialize environments repo
 39 files changed, 1830 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 cloudbuild-tf-apply.yaml
 create mode 100644 cloudbuild-tf-plan.yaml
 create mode 100644 envs/development/README.md
 create mode 100644 envs/development/backend.tf
 create mode 100644 envs/development/backend.tf.cloud.example
 create mode 100644 envs/development/main.tf
 create mode 100644 envs/development/outputs.tf
 create mode 120000 envs/development/terraform.tfvars
 create mode 100644 envs/development/variables.tf
 create mode 100644 envs/non-production/README.md
 create mode 100644 envs/non-production/backend.tf
 create mode 100644 envs/non-production/backend.tf.cloud.example
 create mode 100644 envs/non-production/main.tf
 create mode 100644 envs/non-production/outputs.tf
 create mode 120000 envs/non-production/terraform.tfvars
 create mode 100644 envs/non-production/variables.tf
 create mode 100644 envs/production/README.md
 create mode 100644 envs/production/backend.tf
 create mode 100644 envs/production/backend.tf.cloud.example
 create mode 100644 envs/production/main.tf
 create mode 100644 envs/production/outputs.tf
 create mode 120000 envs/production/terraform.tfvars
 create mode 100644 envs/production/variables.tf
 create mode 100644 modules/env_baseline/README.md
 create mode 100644 modules/env_baseline/assured_workload.tf
 create mode 100644 modules/env_baseline/folders.tf
 create mode 100644 modules/env_baseline/iam.tf
 create mode 100644 modules/env_baseline/kms.tf
 create mode 100644 modules/env_baseline/monitoring.tf
 create mode 100644 modules/env_baseline/outputs.tf
 create mode 100644 modules/env_baseline/remote.tf
 create mode 100644 modules/env_baseline/remote.tf.cloud.example
 create mode 100644 modules/env_baseline/secrets.tf
 create mode 100644 modules/env_baseline/variables.tf
 create mode 100644 modules/env_baseline/versions.tf
 create mode 100644 terraform.tfvars
 create mode 100755 tf-wrapper.sh
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 42, done.
Counting objects: 100% (42/42), done.
Delta compression using up to 4 threads
Compressing objects: 100% (40/40), done.
Writing objects: 100% (42/42), 19.07 KiB | 1.59 MiB/s, done.
Total 42 (delta 21), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (21/21)
remote: Waiting for private key checker: 13/34 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-environments
 * [new branch]      plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'.

2-env step 7 review plan

Step #1 - "tf plan validate all": Error: Reference to undeclared module
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all":   on outputs.tf line 19, in output "env_folder":
Step #1 - "tf plan validate all":   19:   value       = module.env.env_folder
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": No module call named "env" is declared in the root module.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Error: Reference to undeclared module
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all":   on outputs.tf line 24, in output "monitoring_project_id":
Step #1 - "tf plan validate all":   24:   value       = module.env.monitoring_project_id
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": No module call named "env" is declared in the root module.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Error: Reference to undeclared module
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all":   on outputs.tf line 29, in output "env_secrets_project_id":
Step #1 - "tf plan validate all":   29:   value       = module.env.env_secrets_project_id
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": No module call named "env" is declared in the root module.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Error: Reference to undeclared module
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all":   on outputs.tf line 34, in output "env_kms_project_id":
Step #1 - "tf plan validate all":   34:   value       = module.env.env_kms_project_id
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": No module call named "env" is declared in the root module.
Finished Step #1 - "tf plan validate all"

need to fix also outputs.tf

/*
output "env_folder" {
  description = "Environment folder created under parent."
  value       = module.env.env_folder
}

output "monitoring_project_id" {
  description = "Project for monitoring infra."
  value       = module.env.monitoring_project_id
}

output "env_secrets_project_id" {
  description = "Project for environment related secrets."
  value       = module.env.env_secrets_project_id
}

output "env_kms_project_id" {
  description = "Project for environment Cloud Key Management Service (KMS)."
  value       = module.env.env_kms_project_id
}*/

rerun

michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/2-environments/envs/development/outputs.tf envs/development/
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git add envs/development/
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git commit -m 'disable development'
[plan 1731828] disable development
 1 file changed, 2 insertions(+), 2 deletions(-)
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 9, done.
Counting objects: 100% (9/9), done.
Delta compression using up to 4 threads
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 479 bytes | 479.00 KiB/s, done.
Total 5 (delta 3), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (3/3)
remote: Waiting for private key checker: 1/1 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-environments
   2bd201b..1731828  plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'
Step #1 - "tf plan validate all": Plan: 30 to add, 0 to change, 0 to destroy.


Step #1 - "tf plan validate all": Warning: Value for undeclared variable
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": The root module does not declare a variable named
Step #1 - "tf plan validate all": "monitoring_workspace_users" but a value was found in file
Step #1 - "tf plan validate all": "terraform.tfvars". If you meant to use this value, add a "variable" block to
Step #1 - "tf plan validate all": the configuration.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": To silence these warnings, use TF_VAR_... environment variables to provide
Step #1 - "tf plan validate all": certain "global" settings to all configurations in your organization. To
Step #1 - "tf plan validate all": reduce the verbosity of these warnings, use the -compact-warnings option.
Step #1 - "tf plan validate all": *************** TERRAFORM VALIDATE ******************
Step #1 - "tf plan validate all":       At environment: envs/development 
Step #1 - "tf plan validate all":       Using policy from: /workspace/policy-library 
Step #1 - "tf plan validate all": *****************************************************
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": Validating resources...
Step #1 - "tf plan validate all": .......done.
Step #1 - "tf plan validate all": ERROR: [Terraform plan json does not contain resource_changes key]. Additional details: [terraform-validator-internal.git.corp.google.com/terraform-tools.git/cmd.Execute
Step #1 - "tf plan validate all": 	/tmpfs/src/git/terraform-tools/cmd/root.go:93
Step #1 - "tf plan validate all": main.main
Step #1 - "tf plan validate all": 	/tmpfs/src/git/terraform-tools/main.go:16
Step #1 - "tf plan validate all": runtime.main
Step #1 - "tf plan validate all": 	/usr/local/go/src/runtime/proc.go:250]
Finished Step #1 - "tf plan validate all"
ERROR
ERROR: build step 1 "us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1" failed: step exited with non-zero status: 33


also comment backend.tf
/*
terraform {
  backend "gcs" {
    bucket = "bkt-prj-b-seed-tfstate-7120"
    prefix = "terraform/environments/development"
  }
}*/

michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/2-environments/envs/development/backend.tf envs/development/
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git status
On branch plan
Your branch is up to date with 'origin/plan'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   envs/development/backend.tf

no changes added to commit (use "git add" and/or "git commit -a")
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git diff
diff --git a/envs/development/backend.tf b/envs/development/backend.tf
index 50d9623..f517fe1 100644
--- a/envs/development/backend.tf
+++ b/envs/development/backend.tf
@@ -13,10 +13,10 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
+/*
 terraform {
   backend "gcs" {
     bucket = "bkt-prj-b-seed-tfstate-7120"
     prefix = "terraform/environments/development"
   }
-}
+}*/
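Review bot: commenting out the whole `terraform { backend "gcs" { ... } }` block does not turn envs/development off; it switches that root module to Terraform's default local backend, so the plan build still runs init/plan/validate there against an empty local state (the next build below shows exactly that: `Initializing the backend...`, then `No changes. Your infrastructure matches the configuration.`, then terraform-validator failing with `Terraform plan json does not contain resource_changes key`). If development is meant to stay off for now, skip the directory in tf-wrapper.sh or drop envs/development from the branch instead of changing where its state lives; a root module with no remote backend in the CI repo also means any apply on that branch would write state into the ephemeral build workspace rather than bkt-prj-b-seed-tfstate-7120.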
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git add envs/development/
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git commit -m 'disable development - backend.tf'
[plan 3334a44] disable development - backend.tf
 1 file changed, 2 insertions(+), 2 deletions(-)
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 9, done.
Counting objects: 100% (9/9), done.
Delta compression using up to 4 threads
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 487 bytes | 487.00 KiB/s, done.
Total 5 (delta 3), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (3/3)
remote: Waiting for private key checker: 1/1 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-environments
   1731828..3334a44  plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'.

Step #1 - "tf plan validate all": Plan: 30 to add, 0 to change, 0 to destroy.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Changes to Outputs:
Step #1 - "tf plan validate all":   + env_folder             = (known after apply)
Step #1 - "tf plan validate all":   + env_kms_project_id     = (known after apply)
Step #1 - "tf plan validate all":   + env_secrets_project_id = (known after apply)
Step #1 - "tf plan validate all":   + monitoring_project_id  = (known after apply)
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Warning: Value for undeclared variable
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": The root module does not declare a variable named
Step #1 - "tf plan validate all": "monitoring_workspace_users" but a value was found in file
Step #1 - "tf plan validate all": "terraform.tfvars". If you meant to use this value, add a "variable" block to
Step #1 - "tf plan validate all": the configuration.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": To silence these warnings, use TF_VAR_... environment variables to provide
Step #1 - "tf plan validate all": certain "global" settings to all configurations in your organization. To
Step #1 - "tf plan validate all": reduce the verbosity of these warnings, use the -compact-warnings option.
Step #1 - "tf plan validate all": *************** TERRAFORM VALIDATE ******************
Step #1 - "tf plan validate all":       At environment: envs/non-production 
Step #1 - "tf plan validate all":       Using policy from: /workspace/policy-library 
Step #1 - "tf plan validate all": *****************************************************
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": Cloning into '/workspace/policy-library'...
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": warning: remote HEAD refers to nonexistent ref, unable to checkout
Step #1 - "tf plan validate all": Project [prj-b-cicd-82vv] repository [gcp-policies] was cloned to [/workspace/policy-library].
Step #1 - "tf plan validate all": /workspace/envs/non-production /workspace/envs/non-production
Step #1 - "tf plan validate all": current gcp-policies branch master
Step #1 - "tf plan validate all": Switched to a new branch 'main'
Step #1 - "tf plan validate all": branch 'main' set up to track 'origin/main'.
Step #1 - "tf plan validate all": /workspace/envs/non-production
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": Validating resources...
Step #1 - "tf plan validate all": ...............done.
Step #1 - "tf plan validate all": *************** TERRAFORM INIT *******************
Step #1 - "tf plan validate all":       At environment: envs/development 
Step #1 - "tf plan validate all": **************************************************
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Initializing the backend...
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Initializing provider plugins...
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Terraform has been successfully initialized!
Step #1 - "tf plan validate all": *************** TERRAFORM PLAN *******************
Step #1 - "tf plan validate all":       At environment: envs/development 
Step #1 - "tf plan validate all": **************************************************
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": No changes. Your infrastructure matches the configuration.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Terraform has compared your real infrastructure against your configuration
Step #1 - "tf plan validate all": and found no differences, so no changes are needed.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Warning: Value for undeclared variable
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": The root module does not declare a variable named
Step #1 - "tf plan validate all": "monitoring_workspace_users" but a value was found in file
Step #1 - "tf plan validate all": "terraform.tfvars". If you meant to use this value, add a "variable" block to
Step #1 - "tf plan validate all": the configuration.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": To silence these warnings, use TF_VAR_... environment variables to provide
Step #1 - "tf plan validate all": certain "global" settings to all configurations in your organization. To
Step #1 - "tf plan validate all": reduce the verbosity of these warnings, use the -compact-warnings option.
Step #1 - "tf plan validate all": *************** TERRAFORM VALIDATE ******************
Step #1 - "tf plan validate all":       At environment: envs/development 
Step #1 - "tf plan validate all":       Using policy from: /workspace/policy-library 
Step #1 - "tf plan validate all": *****************************************************
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": Validating resources...
Step #1 - "tf plan validate all": ........done.
Step #1 - "tf plan validate all": ERROR: [Terraform plan json does not contain resource_changes key]. Additional details: [terraform-validator-internal.git.corp.google.com/terraform-tools.git/cmd.Execute
Step #1 - "tf plan validate all": 	/tmpfs/src/git/terraform-tools/cmd/root.go:93
Step #1 - "tf plan validate all": main.main
Step #1 - "tf plan validate all": 	/tmpfs/src/git/terraform-tools/main.go:16
Step #1 - "tf plan validate all": runtime.main
Step #1 - "tf plan validate all": 	/usr/local/go/src/runtime/proc.go:250]
Finished Step #1 - "tf plan validate all"

Enable all development

michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git status
On branch plan
Your branch is up to date with 'origin/plan'.

Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git restore <file>..." to discard changes in working directory)
        modified:   envs/development/backend.tf
        modified:   envs/development/main.tf
        modified:   envs/development/outputs.tf

no changes added to commit (use "git add" and/or "git commit -a")
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git add envs/development/
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git commit -m 'enable development'
[plan f0a7937] enable development
 3 files changed, 6 insertions(+), 6 deletions(-)
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 4 threads
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 618 bytes | 618.00 KiB/s, done.
Total 7 (delta 5), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (5/5)
remote: Waiting for private key checker: 3/3 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-environments
   3334a44..f0a7937  plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'.

Step #1 - "tf plan validate all": Plan: 30 to add, 0 to change, 0 to destroy.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Changes to Outputs:
Step #1 - "tf plan validate all":   + assured_workload_resources = []
Step #1 - "tf plan validate all":   + env_folder                 = (known after apply)
Step #1 - "tf plan validate all":   + env_kms_project_id         = (known after apply)
Step #1 - "tf plan validate all":   + env_secrets_project_id     = (known after apply)
Step #1 - "tf plan validate all":   + monitoring_project_id      = (known after apply)
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Warning: Value for undeclared variable
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": The root module does not declare a variable named
Step #1 - "tf plan validate all": "monitoring_workspace_users" but a value was found in file
Step #1 - "tf plan validate all": "terraform.tfvars". If you meant to use this value, add a "variable" block to
Step #1 - "tf plan validate all": the configuration.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": To silence these warnings, use TF_VAR_... environment variables to provide
Step #1 - "tf plan validate all": certain "global" settings to all configurations in your organization. To
Step #1 - "tf plan validate all": reduce the verbosity of these warnings, use the -compact-warnings option.
Step #1 - "tf plan validate all": *************** TERRAFORM VALIDATE ******************
Step #1 - "tf plan validate all":       At environment: envs/production 
Step #1 - "tf plan validate all":       Using policy from: /workspace/policy-library 
Step #1 - "tf plan validate all": *****************************************************
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": Validating resources...
Step #1 - "tf plan validate all": ................done.
Finished Step #1 - "tf plan validate all"
PUSH
Artifacts will be uploaded to gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts using gsutil cp
cloudbuild-tf-plan.yaml: Uploading path....
Copying file://cloudbuild-tf-plan.yaml [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/  2.0 KiB]   0% Done                                    
/ [1/1 files][  2.0 KiB/  2.0 KiB] 100% Done                                    
Operation completed over 1 objects/2.0 KiB.                                      
cloudbuild-tf-plan.yaml: 1 matching files uploaded
tmp_plan/*.tfplan: Uploading path....
Copying file://tmp_plan/envs-development.tfplan [Content-Type=application/octet-stream]...
/ [0/3 files][    0.0 B/382.4 KiB]   0% Done                                    
Copying file://tmp_plan/envs-non-production.tfplan [Content-Type=application/octet-stream]...
/ [0/3 files][    0.0 B/382.4 KiB]   0% Done                                    
Copying file://tmp_plan/envs-production.tfplan [Content-Type=application/octet-stream]...
/ [0/3 files][    0.0 B/382.4 KiB]   0% Done                                    
/ [1/3 files][382.4 KiB/382.4 KiB]  99% Done                                    
/ [2/3 files][382.4 KiB/382.4 KiB]  99% Done                                    
/ [3/3 files][382.4 KiB/382.4 KiB] 100% Done                                    
Operation completed over 3 objects/382.4 KiB.                                    
tmp_plan/*.tfplan: 3 matching files uploaded
4 total artifacts uploaded to gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/terraform/cloudbuild/plan/892bb3fa-81c9-423d-86b4-30798029f80f/
Uploading manifest artifacts-892bb3fa-81c9-423d-86b4-30798029f80f.json
Artifact manifest located at gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/terraform/cloudbuild/plan/892bb3fa-81c9-423d-86b4-30798029f80f/artifacts-892bb3fa-81c9-423d-86b4-30798029f80f.json
DONE

Screenshot 2024-04-10 at 12 50 15

2-environments - 10 production - non-production

michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git checkout -b non-production
Switched to a new branch 'non-production'
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git push origin non-production
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-environments
 * [new branch]      non-production -> non-production


Step #4 - "tf apply": Apply complete! Resources: 30 added, 0 changed, 0 destroyed.
Step #4 - "tf apply": 
Step #4 - "tf apply": Outputs:
Step #4 - "tf apply": 
Step #4 - "tf apply": env_folder = "folders/358902749545"
Step #4 - "tf apply": env_kms_project_id = "prj-n-kms-bin5"
Step #4 - "tf apply": env_secrets_project_id = "prj-n-secrets-2jq5"
Step #4 - "tf apply": monitoring_project_id = "prj-n-monitoring-gnw9"
Step #4 - "tf apply": envs/development  doesn't match non-production; skipping
Step #4 - "tf apply": policy-library/policies  doesn't match non-production; skipping
Step #4 - "tf apply": policy-library/lib  doesn't match non-production; skipping
Step #4 - "tf apply": policy-library/.git  doesn't match non-production; skipping
Finished Step #4 - "tf apply"
PUSH
Artifacts will be uploaded to gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts using gsutil cp
cloudbuild-tf-apply.yaml: Uploading path....
Copying file://cloudbuild-tf-apply.yaml [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/  2.6 KiB]   0% Done                                    
/ [1/1 files][  2.6 KiB/  2.6 KiB] 100% Done                                    
Operation completed over 1 objects/2.6 KiB.                                      
cloudbuild-tf-apply.yaml: 1 matching files uploaded
tmp_plan/*.tfplan: Uploading path....
Copying file://tmp_plan/envs-non-production.tfplan [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/127.4 KiB]   0% Done                                    
/ [1/1 files][127.4 KiB/127.4 KiB] 100% Done                                    
Operation completed over 1 objects/127.4 KiB.                                    
tmp_plan/*.tfplan: 1 matching files uploaded
2 total artifacts uploaded to gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/terraform/cloudbuild/apply/ee26d5a6-c57f-4f25-87ac-f64789526f7f/
Uploading manifest artifacts-ee26d5a6-c57f-4f25-87ac-f64789526f7f.json
Artifact manifest located at gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/terraform/cloudbuild/apply/ee26d5a6-c57f-4f25-87ac-f64789526f7f/artifacts-ee26d5a6-c57f-4f25-87ac-f64789526f7f.json
DONE
Screenshot 2024-04-10 at 12 58 45

fldr-non-production up with 3 projects
Screenshot 2024-04-10 at 13 05 19

2-environments - bring up production - leave development off

michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git checkout -b production
Switched to a new branch 'production'
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git push origin production
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-environments
 * [new branch]      production -> production

2-environments - total 6 more projects - total of 24

Step #4 - "tf apply": Apply complete! Resources: 30 added, 0 changed, 0 destroyed.
Step #4 - "tf apply": 
Step #4 - "tf apply": Outputs:
Step #4 - "tf apply": 
Step #4 - "tf apply": assured_workload_id = ""
Step #4 - "tf apply": assured_workload_resources = []
Step #4 - "tf apply": env_folder = "folders/206926817949"
Step #4 - "tf apply": env_kms_project_id = "prj-p-kms-ggrt"
Step #4 - "tf apply": env_secrets_project_id = "prj-p-secrets-j2uk"
Step #4 - "tf apply": monitoring_project_id = "prj-p-monitoring-u4p2"
Step #4 - "tf apply": envs/non-production  doesn't match production; skipping
Step #4 - "tf apply": envs/development  doesn't match production; skipping
Step #4 - "tf apply": policy-library/policies  doesn't match production; skipping
Step #4 - "tf apply": policy-library/lib  doesn't match production; skipping
Step #4 - "tf apply": policy-library/.git  doesn't match production; skipping
Finished Step #4 - "tf apply"
PUSH
Artifacts will be uploaded to gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts using gsutil cp
cloudbuild-tf-apply.yaml: Uploading path....
Copying file://cloudbuild-tf-apply.yaml [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/  2.6 KiB]   0% Done                                    
/ [1/1 files][  2.6 KiB/  2.6 KiB] 100% Done                                    
Operation completed over 1 objects/2.6 KiB.                                      
cloudbuild-tf-apply.yaml: 1 matching files uploaded
tmp_plan/*.tfplan: Uploading path....
Copying file://tmp_plan/envs-production.tfplan [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/127.6 KiB]   0% Done                                    
/ [1/1 files][127.6 KiB/127.6 KiB] 100% Done                                    
Operation completed over 1 objects/127.6 KiB.                                    
tmp_plan/*.tfplan: 1 matching files uploaded
2 total artifacts uploaded to gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/terraform/cloudbuild/apply/041fd9b4-4a1f-47a6-a2f2-636dfcce4136/
Uploading manifest artifacts-041fd9b4-4a1f-47a6-a2f2-636dfcce4136.json
Artifact manifest located at gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/terraform/cloudbuild/apply/041fd9b4-4a1f-47a6-a2f2-636dfcce4136/artifacts-041fd9b4-4a1f-47a6-a2f2-636dfcce4136.json
DONE

20240410:1300
Screenshot 2024-04-10 at 13 11 12

Screenshot 2024-04-10 at 13 11 28 Screenshot 2024-04-10 at 13 19 45
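The three things the Cloud Build plan log above shows going wrong for envs/development (the gcs backend block commented out in backend.tf, `monitoring_workspace_users` set in terraform.tfvars without a matching `variable` block, and terraform-validator rejecting a plan JSON that has no `resource_changes` key) can all be caught before tf-wrapper.sh runs. The following is an added example written for this thread, not code from pbmm-on-gcp-onboarding or the TEF: a Python pre-flight check that could run as an earlier build step on each `envs/<name>` directory. The function names are mine; the sample backend.tf, variables.tf, terraform.tfvars and plan JSON are constructed inline from values visible in this issue, and the HCL handling is a small comment-aware scan, not a full HCL parser.

```python
"""Pre-flight checks for one TEF environment directory (e.g. envs/development)
before tf-wrapper.sh runs plan/validate.  Added example for this thread; not
code from pbmm-on-gcp-onboarding or the TEF.  It reports:
  1. backend.tf with no active (uncommented) gcs backend,
  2. terraform.tfvars assigning a variable that variables.tf does not declare,
  3. a plan JSON (terraform show -json) without a resource_changes key, which
     terraform-validator rejects.
"""
import json
import re

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
GCS_BACKEND = re.compile(r'backend\s+"gcs"\s*\{(?P<body>[^}]*)\}')
BUCKET = re.compile(r'bucket\s*=\s*"([^"]+)"')
VAR_DECL = re.compile(r'^\s*variable\s+"([^"]+)"', re.MULTILINE)
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_-]*)\s*=')


def strip_hcl_comments(text: str) -> str:
    """Remove /* */ blocks, then # and // line comments that sit outside strings."""
    text = BLOCK_COMMENT.sub("", text)
    out = []
    for line in text.splitlines():
        in_str, cut = False, len(line)
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_str = not in_str
            elif not in_str and (ch == "#" or line.startswith("//", i)):
                cut = i
                break
        out.append(line[:cut])
    return "\n".join(out)


def active_gcs_backend(backend_tf: str, expected_bucket=None):
    """Return the bucket of an *uncommented* gcs backend block, else None.
    A commented-out block (as in the diff above) silently falls back to
    Terraform's local backend, so state would live only inside the build."""
    m = GCS_BACKEND.search(strip_hcl_comments(backend_tf))
    if not m:
        return None
    b = BUCKET.search(m.group("body"))
    if not b or (expected_bucket and b.group(1) != expected_bucket):
        return None
    return b.group(1)


def tfvars_top_level_keys(tfvars: str) -> list:
    """Top-level assignments only; brace/bracket depth skips nested map keys
    (heuristic: brackets inside string values are not tracked)."""
    keys, depth = [], 0
    for line in strip_hcl_comments(tfvars).splitlines():
        if depth == 0:
            m = ASSIGNMENT.match(line)
            if m:
                keys.append(m.group(1))
        depth += line.count("{") + line.count("[") - line.count("}") - line.count("]")
    return keys


def undeclared_tfvars(variables_tf: str, tfvars: str) -> list:
    """Names assigned in tfvars that have no variable "..." block (the
    'Value for undeclared variable' warning in the log)."""
    declared = set(VAR_DECL.findall(strip_hcl_comments(variables_tf)))
    return sorted(k for k in tfvars_top_level_keys(tfvars) if k not in declared)


def plan_has_resource_changes(plan_json: str) -> bool:
    """terraform show -json omits resource_changes for an empty plan; the
    validator then errors with 'does not contain resource_changes key'."""
    return isinstance(json.loads(plan_json).get("resource_changes"), list)


def preflight(env, backend_tf, variables_tf, tfvars, plan_json, expected_bucket):
    """Collect findings for one environment; an empty list means safe to proceed."""
    findings = []
    if active_gcs_backend(backend_tf, expected_bucket) is None:
        findings.append(f"{env}: no active gcs backend for {expected_bucket}; state would be local to the build")
    for k in undeclared_tfvars(variables_tf, tfvars):
        findings.append(f"{env}: terraform.tfvars sets undeclared variable {k!r}")
    if not plan_has_resource_changes(plan_json):
        findings.append(f"{env}: plan JSON has no resource_changes key; terraform-validator will fail")
    return findings


# --- constructed sample inputs, mirroring values seen in this thread ----------
LICENSE = "/**\n * license header\n */\n"
BACKEND_ACTIVE = LICENSE + '''
terraform {
  backend "gcs" {
    bucket = "bkt-prj-b-seed-tfstate-7120"
    prefix = "terraform/environments/development"
  }
}
'''
BACKEND_DISABLED = LICENSE + '''/*
terraform {
  backend "gcs" {
    bucket = "bkt-prj-b-seed-tfstate-7120"
    prefix = "terraform/environments/development"
  }
}*/
'''
VARIABLES_TF = '''
variable "remote_state_bucket" {
  description = "Backend bucket to load remote state from previous steps."
  type        = string
}
'''
TFVARS = '''
remote_state_bucket        = "bkt-prj-b-seed-tfstate-7120"
monitoring_workspace_users = "gcp-monitoring@example.com"  # not declared above
'''
TFVARS_CLEAN = 'remote_state_bucket = "bkt-prj-b-seed-tfstate-7120"\n'
PLAN_EMPTY = json.dumps({"format_version": "1.1", "terraform_version": "1.3.10"})
PLAN_CHANGES = json.dumps({"format_version": "1.1", "terraform_version": "1.3.10",
                           "resource_changes": [{"address": "module.env.google_folder.env",
                                                 "change": {"actions": ["create"]}}]})

if __name__ == "__main__":
    for env, backend, tfv, plan in (("envs/development", BACKEND_DISABLED, TFVARS, PLAN_EMPTY),
                                    ("envs/production", BACKEND_ACTIVE, TFVARS_CLEAN, PLAN_CHANGES)):
        found = preflight(env, backend, VARIABLES_TF, tfv, plan, "bkt-prj-b-seed-tfstate-7120")
        print(env, "OK" if not found else "\n  " + "\n  ".join(found))
```

Run it against real files by reading `envs/<name>/backend.tf`, `variables.tf`, the tfvars symlink and the output of `terraform show -json tmp_plan/envs-<name>.tfplan`, and fail the build step on a non-empty findings list; that keeps the validator from ever seeing a plan produced against a local backend.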

obriensystems added a commit that referenced this issue Apr 10, 2024

obriensystems commented Apr 10, 2024

3-networks-hub-and-spoke

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/3-networks-hub-and-spoke/README.md#prerequisites

20240411
fully install terraform 1.3 - fixing ./terraform entries

michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ which terraform
/usr/bin/terraform
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ sudo cp terraform /usr/bin/terraform

michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ sudo chmod 777 terraform /usr/bin/terraform
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ rm -rf terraform 
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ terraform --version
Terraform v1.3.10
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html


michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ terraform --version
Terraform v1.3.10
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ export ORGANIZATION_ID=$(terraform -chdir="pbmm-on-gcp-onboarding/0-bootstrap/" output -json common_config | jq '.org_id' --raw-output)
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ xport ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
-bash: xport: command not found
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}"
access_context_manager_policy_id = 807865857747

clone repo

michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="pbmm-on-gcp-onboarding/0-bootstrap/" output -raw cloudbuild_project_id)
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ echo ${CLOUD_BUILD_PROJECT_ID}
prj-b-cicd-82vv
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ ls
gcp-bootstrap  gcp-environments  gcp-org  gcp-policies  _pbmm-gh360-day0-deploy-example  pbmm-on-gcp-onboarding
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ gcloud source repos clone gcp-networks --project=${CLOUD_BUILD_PROJECT_ID}
Cloning into '/home/michael/tef-olxyz/github/gcp-networks'...
warning: You appear to have cloned an empty repository.
Project [prj-b-cicd-82vv] repository [gcp-networks] was cloned to [/home/michael/tef-olxyz/github/gcp-networks].

configure

michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cd gcp-networks/
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git checkout -b plan
Switched to a new branch 'plan'
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ cp -RT ../pbmm-on-gcp-onboarding/3-networks-hub-and-spoke/ .
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/cloudbuild-tf-* .
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/tf-wrapper.sh .
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ chmod 755 ./tf-wrapper.sh
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ mv common.auto.example.tfvars common.auto.tfvars
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ mv shared.auto.example.tfvars shared.auto.tfvars
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ mv access_context.auto.example.tfvars access_context.auto.tfvars

update tfvars
common.auto.tfvars

domain = "obrie...yz."
perimeter_additional_members = ["user:mic..yz"]

auto update

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$  export ORGANIZATION_ID=$(terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output -json common_config | jq '.org_id' --raw-output)
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ export ACCESS_CONTEXT_MANAGER_ID=$(gcloud access-context-manager policies list --organization ${ORGANIZATION_ID} --format="value(name)")
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ echo "access_context_manager_policy_id = ${ACCESS_CONTEXT_MANAGER_ID}"
access_context_manager_policy_id = 807865857747
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ sed -i'' -e "s/ACCESS_CONTEXT_MANAGER_ID/${ACCESS_CONTEXT_MANAGER_ID}/" ./access_context.auto.tfvars
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ export backend_bucket=$(terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output -raw gcs_bucket_tfstate)
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ echo "remote_state_bucket = ${backend_bucket}"
remote_state_bucket = bkt-prj-b-seed-tfstate-7120
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ sed -i'' -e "s/REMOTE_STATE_BUCKET/${backend_bucket}/" ./common.auto.tfvars


michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git status
On branch plan

No commits yet

Untracked files:
  (use "git add <file>..." to include in what will be committed)
        .gitignore
        README.md
        access_context.auto.tfvars
        cloudbuild-tf-apply.yaml
        cloudbuild-tf-plan.yaml
        common.auto.tfvars
        envs/
        modules/
        shared.auto.tfvars
        tf-wrapper.sh

nothing added to commit but untracked files present (use "git add" to track)
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git diff
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git add .
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git commit -m 'Initialize networks repo'
[plan (root-commit) 1ed27dd] Initialize networks repo
 109 files changed, 8288 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 access_context.auto.tfvars
 create mode 100644 cloudbuild-tf-apply.yaml
 create mode 100644 cloudbuild-tf-plan.yaml
 create mode 100644 common.auto.tfvars
 create mode 100644 envs/development/README.md
 create mode 120000 envs/development/access_context.auto.tfvars
 create mode 100644 envs/development/backend.tf
 create mode 100644 envs/development/backend.tf.cloud.example
 create mode 120000 envs/development/common.auto.tfvars
 create mode 100644 envs/development/main.tf
 create mode 100644 envs/development/outputs.tf
 create mode 100644 envs/development/providers.tf
 create mode 100644 envs/development/variables.tf
 create mode 100644 envs/development/versions.tf
 create mode 100644 envs/non-production/README.md
 create mode 120000 envs/non-production/access_context.auto.tfvars
 create mode 100644 envs/non-production/backend.tf
 create mode 100644 envs/non-production/backend.tf.cloud.example
 create mode 120000 envs/non-production/common.auto.tfvars
 create mode 100644 envs/non-production/main.tf
 create mode 100644 envs/non-production/outputs.tf
 create mode 100644 envs/non-production/providers.tf
 create mode 100644 envs/non-production/variables.tf
 create mode 100644 envs/non-production/versions.tf
 create mode 100644 envs/production/README.md
 create mode 120000 envs/production/access_context.auto.tfvars
 create mode 100644 envs/production/backend.tf
 create mode 100644 envs/production/backend.tf.cloud.example
 create mode 120000 envs/production/common.auto.tfvars
 create mode 100644 envs/production/main.tf
 create mode 100644 envs/production/outputs.tf
 create mode 100644 envs/production/providers.tf
 create mode 100644 envs/production/variables.tf
 create mode 100644 envs/production/versions.tf
 create mode 100644 envs/shared/README.md
 create mode 120000 envs/shared/access_context.auto.tfvars
 create mode 100644 envs/shared/backend.tf
 create mode 100644 envs/shared/backend.tf.cloud.example
 create mode 120000 envs/shared/common.auto.tfvars
 create mode 100644 envs/shared/dns-hub.tf
 create mode 100644 envs/shared/hierarchical_firewall.tf
 create mode 100644 envs/shared/interconnect.auto.tfvars.example
 create mode 100644 envs/shared/interconnect.tf.example
 create mode 100644 envs/shared/main.tf
 create mode 100644 envs/shared/net-hubs-transitivity.tf
 create mode 100644 envs/shared/net-hubs.tf
 create mode 100644 envs/shared/outputs.tf
 create mode 100644 envs/shared/partner_interconnect.auto.tfvars.example
 create mode 100644 envs/shared/partner_interconnect.tf.example
 create mode 100644 envs/shared/providers.tf
 create mode 100644 envs/shared/remote.tf
 create mode 100644 envs/shared/remote.tf.cloud.example
 create mode 120000 envs/shared/shared.auto.tfvars
 create mode 100644 envs/shared/variables.tf
 create mode 100644 envs/shared/versions.tf
 create mode 100644 modules/base_env/README.md
 create mode 100644 modules/base_env/main.tf
 create mode 100644 modules/base_env/outputs.tf
 create mode 100644 modules/base_env/remote.tf
 create mode 100644 modules/base_env/remote.tf.cloud.example
 create mode 100644 modules/base_env/variables.tf
 create mode 100644 modules/base_env/versions.tf
 create mode 100644 modules/base_env/vpn.tf.example
 create mode 100644 modules/base_shared_vpc/README.md
 create mode 100644 modules/base_shared_vpc/dns.tf
 create mode 100644 modules/base_shared_vpc/firewall.tf
 create mode 100644 modules/base_shared_vpc/main.tf
 create mode 100644 modules/base_shared_vpc/nat.tf
 create mode 100644 modules/base_shared_vpc/outputs.tf
 create mode 100644 modules/base_shared_vpc/private_service_connect.tf
 create mode 100644 modules/base_shared_vpc/variables.tf
 create mode 100644 modules/base_shared_vpc/versions.tf
 create mode 100644 modules/dedicated_interconnect/README.md
 create mode 100644 modules/dedicated_interconnect/main.tf
 create mode 100644 modules/dedicated_interconnect/outputs.tf
 create mode 100644 modules/dedicated_interconnect/variables.tf
 create mode 100644 modules/dedicated_interconnect/versions.tf
 create mode 100644 modules/hierarchical_firewall_policy/README.md
 create mode 100644 modules/hierarchical_firewall_policy/main.tf
 create mode 100644 modules/hierarchical_firewall_policy/outputs.tf
 create mode 100644 modules/hierarchical_firewall_policy/variables.tf
 create mode 100644 modules/hierarchical_firewall_policy/versions.tf
 create mode 100644 modules/partner_interconnect/README.md
 create mode 100644 modules/partner_interconnect/main.tf
 create mode 100644 modules/partner_interconnect/outputs.tf
 create mode 100644 modules/partner_interconnect/variables.tf
 create mode 100644 modules/partner_interconnect/versions.tf
 create mode 100644 modules/restricted_shared_vpc/README.md
 create mode 100644 modules/restricted_shared_vpc/dns.tf
 create mode 100644 modules/restricted_shared_vpc/firewall.tf
 create mode 100644 modules/restricted_shared_vpc/main.tf
 create mode 100644 modules/restricted_shared_vpc/nat.tf
 create mode 100644 modules/restricted_shared_vpc/outputs.tf
 create mode 100644 modules/restricted_shared_vpc/private_service_connect.tf
 create mode 100644 modules/restricted_shared_vpc/service_control.tf
 create mode 100644 modules/restricted_shared_vpc/variables.tf
 create mode 100644 modules/restricted_shared_vpc/versions.tf
 create mode 100755 modules/transitivity/README.md
 create mode 100644 modules/transitivity/assets/gw.yaml
 create mode 100644 modules/transitivity/main.tf
 create mode 100644 modules/transitivity/variables.tf
 create mode 100644 modules/transitivity/versions.tf
 create mode 100755 modules/vpn-ha/README.md
 create mode 100755 modules/vpn-ha/main.tf
 create mode 100644 modules/vpn-ha/variables.tf
 create mode 100644 shared.auto.tfvars
 create mode 100755 tf-wrapper.sh

push to shared

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ ./tf-wrapper.sh init shared
*************** TERRAFORM INIT *******************
      At environment: envs/shared 
**************************************************
Initializing modules...
- base_shared_vpc in ../../modules/base_shared_vpc
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for base_shared_vpc.firewall_rules...
- base_shared_vpc.firewall_rules in .terraform/modules/base_shared_vpc.firewall_rules/modules/network-firewall-policy
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for base_shared_vpc.main...
- base_shared_vpc.main in .terraform/modules/base_shared_vpc.main
- base_shared_vpc.main.firewall_rules in .terraform/modules/base_shared_vpc.main/modules/firewall-rules
- base_shared_vpc.main.routes in .terraform/modules/base_shared_vpc.main/modules/routes
- base_shared_vpc.main.subnets in .terraform/modules/base_shared_vpc.main/modules/subnets
- base_shared_vpc.main.vpc in .terraform/modules/base_shared_vpc.main/modules/vpc
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for base_shared_vpc.peering...
- base_shared_vpc.peering in .terraform/modules/base_shared_vpc.peering/modules/network-peering
Downloading registry.terraform.io/terraform-google-modules/cloud-dns/google 5.2.0 for base_shared_vpc.peering_zone...
- base_shared_vpc.peering_zone in .terraform/modules/base_shared_vpc.peering_zone
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for base_shared_vpc.private_service_connect...
- base_shared_vpc.private_service_connect in .terraform/modules/base_shared_vpc.private_service_connect/modules/private-service-connect
Downloading registry.terraform.io/terraform-google-modules/cloud-dns/google 5.2.0 for base_shared_vpc.private_service_connect.gcr...
- base_shared_vpc.private_service_connect.gcr in .terraform/modules/base_shared_vpc.private_service_connect.gcr
Downloading registry.terraform.io/terraform-google-modules/cloud-dns/google 5.2.0 for base_shared_vpc.private_service_connect.googleapis...
- base_shared_vpc.private_service_connect.googleapis in .terraform/modules/base_shared_vpc.private_service_connect.googleapis
Downloading registry.terraform.io/terraform-google-modules/cloud-dns/google 5.2.0 for base_shared_vpc.private_service_connect.pkg_dev...
- base_shared_vpc.private_service_connect.pkg_dev in .terraform/modules/base_shared_vpc.private_service_connect.pkg_dev
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for base_shared_vpc.region1_router1...
- base_shared_vpc.region1_router1 in .terraform/modules/base_shared_vpc.region1_router1
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for base_shared_vpc.region1_router2...
- base_shared_vpc.region1_router2 in .terraform/modules/base_shared_vpc.region1_router2
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for base_shared_vpc.region2_router1...
- base_shared_vpc.region2_router1 in .terraform/modules/base_shared_vpc.region2_router1
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for base_shared_vpc.region2_router2...
- base_shared_vpc.region2_router2 in .terraform/modules/base_shared_vpc.region2_router2
- base_transitivity in ../../modules/transitivity
Downloading registry.terraform.io/GoogleCloudPlatform/lb-internal/google 5.1.0 for base_transitivity.ilbs...
- base_transitivity.ilbs in .terraform/modules/base_transitivity.ilbs
Downloading registry.terraform.io/terraform-google-modules/vm/google 10.1.1 for base_transitivity.migs...
- base_transitivity.migs in .terraform/modules/base_transitivity.migs/modules/mig
Downloading registry.terraform.io/terraform-google-modules/service-accounts/google 4.2.2 for base_transitivity.service_account...
- base_transitivity.service_account in .terraform/modules/base_transitivity.service_account
Downloading registry.terraform.io/terraform-google-modules/vm/google 10.1.1 for base_transitivity.templates...
- base_transitivity.templates in .terraform/modules/base_transitivity.templates/modules/instance_template
Downloading registry.terraform.io/terraform-google-modules/cloud-dns/google 5.2.0 for dns-forwarding-zone...
- dns-forwarding-zone in .terraform/modules/dns-forwarding-zone
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for dns_hub_region1_router1...
- dns_hub_region1_router1 in .terraform/modules/dns_hub_region1_router1
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for dns_hub_region1_router2...
- dns_hub_region1_router2 in .terraform/modules/dns_hub_region1_router2
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for dns_hub_region2_router1...
- dns_hub_region2_router1 in .terraform/modules/dns_hub_region2_router1
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for dns_hub_region2_router2...
- dns_hub_region2_router2 in .terraform/modules/dns_hub_region2_router2
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for dns_hub_vpc...
- dns_hub_vpc in .terraform/modules/dns_hub_vpc
- dns_hub_vpc.firewall_rules in .terraform/modules/dns_hub_vpc/modules/firewall-rules
- dns_hub_vpc.routes in .terraform/modules/dns_hub_vpc/modules/routes
- dns_hub_vpc.subnets in .terraform/modules/dns_hub_vpc/modules/subnets
- dns_hub_vpc.vpc in .terraform/modules/dns_hub_vpc/modules/vpc
- hierarchical_firewall_policy in ../../modules/hierarchical_firewall_policy
- restricted_shared_vpc in ../../modules/restricted_shared_vpc
Downloading registry.terraform.io/terraform-google-modules/vpc-service-controls/google 5.2.1 for restricted_shared_vpc.access_level_members...
- restricted_shared_vpc.access_level_members in .terraform/modules/restricted_shared_vpc.access_level_members/modules/access_level
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for restricted_shared_vpc.firewall_rules...
- restricted_shared_vpc.firewall_rules in .terraform/modules/restricted_shared_vpc.firewall_rules/modules/network-firewall-policy
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for restricted_shared_vpc.main...
- restricted_shared_vpc.main in .terraform/modules/restricted_shared_vpc.main
- restricted_shared_vpc.main.firewall_rules in .terraform/modules/restricted_shared_vpc.main/modules/firewall-rules
- restricted_shared_vpc.main.routes in .terraform/modules/restricted_shared_vpc.main/modules/routes
- restricted_shared_vpc.main.subnets in .terraform/modules/restricted_shared_vpc.main/modules/subnets
- restricted_shared_vpc.main.vpc in .terraform/modules/restricted_shared_vpc.main/modules/vpc
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for restricted_shared_vpc.peering...
- restricted_shared_vpc.peering in .terraform/modules/restricted_shared_vpc.peering/modules/network-peering
Downloading registry.terraform.io/terraform-google-modules/cloud-dns/google 5.2.0 for restricted_shared_vpc.peering_zone...
- restricted_shared_vpc.peering_zone in .terraform/modules/restricted_shared_vpc.peering_zone
Downloading registry.terraform.io/terraform-google-modules/network/google 9.0.0 for restricted_shared_vpc.private_service_connect...
- restricted_shared_vpc.private_service_connect in .terraform/modules/restricted_shared_vpc.private_service_connect/modules/private-service-connect
Downloading registry.terraform.io/terraform-google-modules/cloud-dns/google 5.2.0 for restricted_shared_vpc.private_service_connect.gcr...
- restricted_shared_vpc.private_service_connect.gcr in .terraform/modules/restricted_shared_vpc.private_service_connect.gcr
Downloading registry.terraform.io/terraform-google-modules/cloud-dns/google 5.2.0 for restricted_shared_vpc.private_service_connect.googleapis...
- restricted_shared_vpc.private_service_connect.googleapis in .terraform/modules/restricted_shared_vpc.private_service_connect.googleapis
Downloading registry.terraform.io/terraform-google-modules/cloud-dns/google 5.2.0 for restricted_shared_vpc.private_service_connect.pkg_dev...
- restricted_shared_vpc.private_service_connect.pkg_dev in .terraform/modules/restricted_shared_vpc.private_service_connect.pkg_dev
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for restricted_shared_vpc.region1_router1...
- restricted_shared_vpc.region1_router1 in .terraform/modules/restricted_shared_vpc.region1_router1
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for restricted_shared_vpc.region1_router2...
- restricted_shared_vpc.region1_router2 in .terraform/modules/restricted_shared_vpc.region1_router2
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for restricted_shared_vpc.region2_router1...
- restricted_shared_vpc.region2_router1 in .terraform/modules/restricted_shared_vpc.region2_router1
Downloading registry.terraform.io/terraform-google-modules/cloud-router/google 6.0.2 for restricted_shared_vpc.region2_router2...
- restricted_shared_vpc.region2_router2 in .terraform/modules/restricted_shared_vpc.region2_router2
Downloading registry.terraform.io/terraform-google-modules/vpc-service-controls/google 5.2.1 for restricted_shared_vpc.regular_service_perimeter...
- restricted_shared_vpc.regular_service_perimeter in .terraform/modules/restricted_shared_vpc.regular_service_perimeter/modules/regular_service_perimeter
- restricted_transitivity in ../../modules/transitivity
Downloading registry.terraform.io/GoogleCloudPlatform/lb-internal/google 5.1.0 for restricted_transitivity.ilbs...
- restricted_transitivity.ilbs in .terraform/modules/restricted_transitivity.ilbs
Downloading registry.terraform.io/terraform-google-modules/vm/google 10.1.1 for restricted_transitivity.migs...
- restricted_transitivity.migs in .terraform/modules/restricted_transitivity.migs/modules/mig
Downloading registry.terraform.io/terraform-google-modules/service-accounts/google 4.2.2 for restricted_transitivity.service_account...
- restricted_transitivity.service_account in .terraform/modules/restricted_transitivity.service_account
Downloading registry.terraform.io/terraform-google-modules/vm/google 10.1.1 for restricted_transitivity.templates...
- restricted_transitivity.templates in .terraform/modules/restricted_transitivity.templates/modules/instance_template

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding hashicorp/google versions matching ">= 3.33.0, >= 3.50.0, >= 3.53.0, >= 3.83.0, >= 4.25.0, >= 4.26.0, >= 4.40.0, >= 4.48.0, >= 4.51.0, >= 4.64.0, >= 4.65.0, >= 4.67.0, < 6.0.0"...
- Finding hashicorp/google-beta versions matching ">= 3.50.0, >= 4.26.0, >= 4.40.0, >= 4.48.0, >= 4.64.0, >= 4.65.0, < 6.0.0"...
- Finding hashicorp/random versions matching ">= 3.4.0"...
- Finding hashicorp/null versions matching ">= 3.2.0"...
- Finding latest version of hashicorp/time...
- Installing hashicorp/google v5.24.0...
- Installed hashicorp/google v5.24.0 (signed by HashiCorp)
- Installing hashicorp/google-beta v5.24.0...
- Installed hashicorp/google-beta v5.24.0 (signed by HashiCorp)
- Installing hashicorp/random v3.6.0...
- Installed hashicorp/random v3.6.0 (signed by HashiCorp)
- Installing hashicorp/null v3.2.2...
- Installed hashicorp/null v3.2.2 (signed by HashiCorp)
- Installing hashicorp/time v0.11.1...
- Installed hashicorp/time v0.11.1 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
envs/production  doesn't match shared; skipping
envs/non-production  doesn't match shared; skipping
envs/development  doesn't match shared; skipping
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ ./tf-wrapper.sh plan shared


Error: Unsupported attribute

  on remote.tf line 31, in locals:
  31:   development_folder_name           = data.terraform_remote_state.env_development.outputs.env_folder
    ├────────────────
    │ data.terraform_remote_state.env_development.outputs is object with no attributes

This object does not have an attribute named "env_folder".

copy back to repo

TODO: remove hardcoded repos
3-networks-hub-and-spoke/envs/shared/main.tf

  default_region1    = "us-west1"
  default_region2    = "us-central1"
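
The "Unsupported attribute" error on remote.tf line 31 above surfaces inside the locals block and only says that the env_development outputs object is empty, which does not point at the real cause (the 2-environments state for that environment has nothing in it). One way to fail earlier with an actionable message is a postcondition on the remote-state data source itself. This is an added example, not code from the pbmm-on-gcp-onboarding or terraform-example-foundation repositories; the `remote_state_bucket` variable and the state prefix are assumptions, and `env_folder` is the 2-environments output name referenced in the error.

```hcl
# Added example (not the project's own remote.tf). Assumes the 2-environments
# state is stored in the GCS bucket named by var.remote_state_bucket under the
# prefix below; both are assumptions, adjust to the real backend configuration.

variable "remote_state_bucket" {
  description = "GCS bucket holding the foundation Terraform state (assumed name)"
  type        = string
}

data "terraform_remote_state" "env_development" {
  backend = "gcs"
  config = {
    bucket = var.remote_state_bucket
    prefix = "terraform/environments/development" # assumed prefix
  }

  lifecycle {
    # Custom conditions require Terraform >= 1.2, so this works on the 1.3.10
    # binary used above. A remote state that was never applied yields an
    # empty outputs object; fail here with a clear message instead of an
    # "Unsupported attribute" error deep inside locals.
    postcondition {
      condition     = can(self.outputs.env_folder)
      error_message = "2-environments has no 'env_folder' output for development: apply the development branch in 2-environments before planning 3-networks shared."
    }
  }
}

locals {
  # Safe to dereference directly once the postcondition above has passed.
  development_folder_name = data.terraform_remote_state.env_development.outputs.env_folder
}
```

The same postcondition applies to the env_non_production and env_production data sources; the check runs during plan, so a missing step-2 apply is reported before any network resources are evaluated.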

obriensystems added a commit that referenced this issue Apr 13, 2024
@obriensystems

obriensystems commented Apr 13, 2024

20240413:1700

3-networks-hub-and-spoke continued

michael@cloudshell:~/tef-olxyz (tef-olxyz)$ wget https://releases.hashicorp.com/terraform/1.3.10/terraform_1.3.10_linux_amd64.zip
--2024-04-13 20:57:30--  https://releases.hashicorp.com/terraform/1.3.10/terraform_1.3.10_linux_amd64.zip
Resolving releases.hashicorp.com (releases.hashicorp.com)... 13.35.116.16, 13.35.116.98, 13.35.116.59, ...
Connecting to releases.hashicorp.com (releases.hashicorp.com)|13.35.116.16|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19989918 (19M) [application/zip]
Saving to: ‘terraform_1.3.10_linux_amd64.zip’

terraform_1.3.10_linux_amd64.zip         100%[==================================================================================>]  19.06M  56.2MB/s    in 0.3s    

2024-04-13 20:57:31 (56.2 MB/s) - ‘terraform_1.3.10_linux_amd64.zip’ saved [19989918/19989918]

michael@cloudshell:~/tef-olxyz (tef-olxyz)$ unzip terraform_1.3.10_linux_amd64.zip 
Archive:  terraform_1.3.10_linux_amd64.zip
  inflating: terraform               
michael@cloudshell:~/tef-olxyz (tef-olxyz)$ which terraform
/usr/bin/terraform
michael@cloudshell:~/tef-olxyz (tef-olxyz)$ sudo cp terraform /usr/bin/terraform
michael@cloudshell:~/tef-olxyz (tef-olxyz)$ terraform --version
Terraform v1.3.10
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html

in step 9, forgot step 8 (cb project id and impersonation)

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output -raw cloudbuild_project_id)
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ echo ${CLOUD_BUILD_PROJECT_ID}
prj-b-cicd-82vv
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output -raw networks_step_terraform_service_account_email)
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com

3-hub step 9

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ ./tf-wrapper.sh plan shared
*************** TERRAFORM PLAN *******************
      At environment: envs/shared 
**************************************************
data.terraform_remote_state.env_development: Reading...
data.terraform_remote_state.env_non_production: Reading...
data.terraform_remote_state.env_production: Reading...
data.terraform_remote_state.bootstrap: Reading...
data.terraform_remote_state.org: Reading...
data.terraform_remote_state.env_production: Read complete after 0s
data.terraform_remote_state.env_non_production: Read complete after 1s
data.terraform_remote_state.env_development: Read complete after 1s
data.terraform_remote_state.org: Read complete after 1s
data.terraform_remote_state.bootstrap: Read complete after 2s

Error: Unsupported attribute

  on remote.tf line 31, in locals:
  31:   development_folder_name           = data.terraform_remote_state.env_development.outputs.env_folder
    ├────────────────
    │ data.terraform_remote_state.env_development.outputs is object with no attributes

This object does not have an attribute named "env_folder".

x
triage

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output
bootstrap_step_terraform_service_account_email = "sa-terraform-bootstrap@prj-b-seed-8919.iam.gserviceaccount.com"
cloud_build_peered_network_id = "projects/prj-b-cicd-82vv/global/networks/vpc-b-cbpools"
cloud_build_private_worker_pool_id = "projects/prj-b-cicd-82vv/locations/us-central1/workerPools/private-pool-yqvb"
cloud_build_worker_peered_ip_range = "192.168.0.0/24"
cloud_build_worker_range_id = "projects/prj-b-cicd-82vv/global/addresses/ga-b-cbpools-worker-pool-range"
cloud_builder_artifact_repo = "projects/prj-b-cicd-82vv/locations/us-central1/repositories/tf-runners"
cloudbuild_project_id = "prj-b-cicd-82vv"
common_config = {
  "billing_account" = "01BC..C8"
  "bootstrap_folder_name" = "folders/173484768969"
  "default_region" = "us-central1"
  "folder_prefix" = "fldr"
  "org_id" = "1064386348915"
  "parent_folder" = "736660879367"
  "parent_id" = "folders/736660879367"
  "project_prefix" = "prj"
}
csr_repos = {
  "gcp-bootstrap" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-bootstrap"
    "name" = "gcp-bootstrap"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-bootstrap"
  }
  "gcp-environments" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-environments"
    "name" = "gcp-environments"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-environments"
  }
  "gcp-networks" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-networks"
    "name" = "gcp-networks"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-networks"
  }
  "gcp-org" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-org"
    "name" = "gcp-org"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-org"
  }
  "gcp-policies" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-policies"
    "name" = "gcp-policies"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-policies"
  }
  "gcp-projects" = {
    "id" = "projects/prj-b-cicd-82vv/repos/gcp-projects"
    "name" = "gcp-projects"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-projects"
  }
  "tf-cloudbuilder" = {
    "id" = "projects/prj-b-cicd-82vv/repos/tf-cloudbuilder"
    "name" = "tf-cloudbuilder"
    "project" = "prj-b-cicd-82vv"
    "url" = "https://source.developers.google.com/p/prj-b-cicd-82vv/r/tf-cloudbuilder"
  }
}
environment_step_terraform_service_account_email = "sa-terraform-env@prj-b-seed-8919.iam.gserviceaccount.com"
gcs_bucket_cloudbuild_artifacts = {
  "bootstrap" = "bkt-prj-b-cicd-82vv-gcp-bootstrap-build-artifacts"
  "env" = "bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts"
  "net" = "bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts"
  "org" = "bkt-prj-b-cicd-82vv-gcp-org-build-artifacts"
  "proj" = "bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts"
}
gcs_bucket_cloudbuild_logs = {
  "bootstrap" = "bkt-prj-b-cicd-82vv-gcp-bootstrap-build-logs"
  "env" = "bkt-prj-b-cicd-82vv-gcp-environments-build-logs"
  "net" = "bkt-prj-b-cicd-82vv-gcp-networks-build-logs"
  "org" = "bkt-prj-b-cicd-82vv-gcp-org-build-logs"
  "proj" = "bkt-prj-b-cicd-82vv-gcp-projects-build-logs"
}
gcs_bucket_tfstate = "bkt-prj-b-seed-tfstate-7120"
networks_step_terraform_service_account_email = "sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com"
optional_groups = tomap({
  "gcp_global_secrets_admin" = "gcp_global_secrets_admin_local_test@obrienlabs.xyz"
  "gcp_kms_admin" = "gcp_kms_admin_local_test@obrienlabs.xyz"
  "gcp_network_viewer" = "gcp_network_viewer_local_test@obrienlabs.xyz"
  "gcp_scc_admin" = "gcp_scc_admin_local_test@obrienlabs.xyz"
  "gcp_security_reviewer" = "gcp_security_reviewer_local_test@obrienlabs.xyz"
})
organization_step_terraform_service_account_email = "sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com"
projects_gcs_bucket_tfstate = "bkt-prj-b-seed-8919-gcp-projects-tfstate"
projects_step_terraform_service_account_email = "sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com"
required_groups = tomap({
  "audit_data_users" = "gcp-audit-data@obrienlabs.xyz"
  "billing_data_users" = "gcp-billing-data@obrienlabs.xyz"
  "group_billing_admins" = "gcp-billing-admins@obrienlabs.xyz"
  "group_org_admins" = "gcp-organization-admins@obrienlabs.xyz"
  "monitoring_workspace_users" = "gcp-monitoring-workspace@obrienlabs.xyz"
})
seed_project_id = "prj-b-seed-8919"

It looks like I am missing the apply on bootstrap from cloud build - or 2-environments - where the output occurs

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/gh360-day0-deploy-example/2-environments/modules/env_baseline/outputs.tf#L17C1-L20C2

output "env_folder" {
  description = "Environment folder created under parent."
  value       = google_folder.env.name
}

https://console.cloud.google.com/cloud-build/builds;region=us-central1/041fd9b4-4a1f-47a6-a2f2-636dfcce4136;step=2?hl=en&project=prj-b-cicd-82vv&supportedpurview=project

Plan: 30 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + assured_workload_resources = []
  + env_folder                 = (known after apply)
  + env_kms_project_id         = (known after apply)


Apply complete! Resources: 30 added, 0 changed, 0 destroyed.

Outputs:

assured_workload_id = ""
assured_workload_resources = []
env_folder = "folders/206926817949"

is in the state file of cloud build - not local 0-bootstrap

solved - forgot to run development folder in 2 - I only had prod/non-prod - and was planning on skipping dev for quota - nope

[Screenshot 2024-04-13 at 17:38:02]

2-environments apply development

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ cd ..
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cd gcp-environments/
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git status
On branch production
nothing to commit, working tree clean
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git checkout -b development
Switched to a new branch 'development'
michael@cloudshell:~/tef-olxyz/github/gcp-environments (tef-olxyz)$ git push origin development
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-environments
 * [new branch]      development -> development

before
[Screenshot 2024-04-13 at 17:45:06]

after

Starting Step #4 - "tf apply"
Step #4 - "tf apply": Already have image (with digest): us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1
Step #4 - "tf apply": envs/production  doesn't match development; skipping
Step #4 - "tf apply": envs/non-production  doesn't match development; skipping
Step #4 - "tf apply": *************** TERRAFORM APPLY *******************
Step #4 - "tf apply":       At environment: envs/development 
Step #4 - "tf apply": ***************************************************
Step #4 - "tf apply": module.env.google_folder.env: Creating...
Step #4 - "tf apply": module.env.google_folder.env: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.google_folder.env: Creation complete after 12s [id=folders/353249398002]
Step #4 - "tf apply": module.env.time_sleep.wait_60_seconds: Creating...
Step #4 - "tf apply": module.env.time_sleep.wait_60_seconds: Creation complete after 0s [id=2024-04-13T21:44:52Z]
Step #4 - "tf apply": module.env.google_tags_tag_binding.folder_env: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.random_string.random_project_id_suffix[0]: Creating...
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.random_id.random_project_id_suffix: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.random_string.random_project_id_suffix[0]: Creation complete after 0s [id=hwfg]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.random_id.random_project_id_suffix: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.random_id.random_project_id_suffix: Creating...
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.random_id.random_project_id_suffix: Creation complete after 0s [id=NLI]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.random_id.random_project_id_suffix: Creation complete after 0s [id=kJE]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.random_id.random_project_id_suffix: Creation complete after 0s [id=OEA]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.random_string.random_project_id_suffix[0]: Creating...
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.random_string.random_project_id_suffix[0]: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_project.main: Creating...
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.random_string.random_project_id_suffix[0]: Creation complete after 0s [id=rrkx]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.random_string.random_project_id_suffix[0]: Creation complete after 0s [id=jl08]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_project.main: Creating...
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_project.main: Creating...
Step #4 - "tf apply": module.env.google_tags_tag_binding.folder_env: Creation complete after 1s [id=tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Ffolders%2F353249398002/tagValues/281483791828482]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_project.main: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_project.main: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_project.main: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_project.main: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_project.main: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_project.main: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_project.main: Still creating... [30s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_project.main: Still creating... [30s elapsed]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_project.main: Still creating... [30s elapsed]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_project.main: Still creating... [40s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_project.main: Still creating... [40s elapsed]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_project.main: Still creating... [40s elapsed]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_project.main: Creation complete after 46s [id=projects/prj-d-secrets-rrkx]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creating...
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.module.project_services.google_project_service.project_services["secretmanager.googleapis.com"]: Creating...
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_service_account.default_service_account[0]: Creating...
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_service_account.default_service_account[0]: Creation complete after 2s [id=projects/prj-d-secrets-rrkx/serviceAccounts/project-service-account@prj-d-secrets-rrkx.iam.gserviceaccount.com]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_project.main: Still creating... [50s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_project.main: Still creating... [50s elapsed]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.module.project_services.google_project_service.project_services["secretmanager.googleapis.com"]: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_project.main: Creation complete after 56s [id=projects/prj-d-kms-jl08]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_service_account.default_service_account[0]: Creating...
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creating...
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Creating...
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_project.main: Creation complete after 57s [id=projects/prj-d-monitoring-hwfg]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["monitoring.googleapis.com"]: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_service_account.default_service_account[0]: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creating...
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_service_account.default_service_account[0]: Creation complete after 2s [id=projects/prj-d-kms-jl08/serviceAccounts/project-service-account@prj-d-kms-jl08.iam.gserviceaccount.com]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_service_account.default_service_account[0]: Creation complete after 3s [id=projects/prj-d-monitoring-hwfg/serviceAccounts/project-service-account@prj-d-monitoring-hwfg.iam.gserviceaccount.com]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.module.project_services.google_project_service.project_services["secretmanager.googleapis.com"]: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["monitoring.googleapis.com"]: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [10s elapsed]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.module.project_services.google_project_service.project_services["secretmanager.googleapis.com"]: Creation complete after 22s [id=prj-d-secrets-rrkx/secretmanager.googleapis.com]
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creation complete after 22s [id=prj-d-secrets-rrkx/logging.googleapis.com]
Step #4 - "tf apply": module.env.module.env_secrets.module.budget.data.google_project.project[0]: Reading...
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creating...
Step #4 - "tf apply": module.env.module.env_secrets.module.budget.data.google_project.project[0]: Read complete after 0s [id=projects/prj-d-secrets-rrkx]
Step #4 - "tf apply": module.env.module.env_secrets.module.budget.google_billing_budget.budget[0]: Creating...
Step #4 - "tf apply": module.env.module.env_secrets.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creation complete after 1s [id=projects/prj-d-secrets-rrkx]
Step #4 - "tf apply": module.env.module.env_secrets.module.budget.google_billing_budget.budget[0]: Creation complete after 1s [id=billingAccounts/01BCCE-4EC0EE-DC58C8/budgets/e1f74835-6928-4d76-9a34-73572d4dc0b6]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creation complete after 21s [id=prj-d-kms-jl08/billingbudgets.googleapis.com]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creation complete after 21s [id=prj-d-kms-jl08/logging.googleapis.com]
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Creation complete after 21s [id=prj-d-kms-jl08/cloudkms.googleapis.com]
Step #4 - "tf apply": module.env.module.env_kms.module.budget.data.google_project.project[0]: Reading...
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creating...
Step #4 - "tf apply": module.env.module.env_kms.module.budget.data.google_project.project[0]: Read complete after 0s [id=projects/prj-d-kms-jl08]
Step #4 - "tf apply": module.env.module.env_kms.module.budget.google_billing_budget.budget[0]: Creating...
Step #4 - "tf apply": module.env.module.env_kms.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creation complete after 0s [id=projects/prj-d-kms-jl08]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["monitoring.googleapis.com"]: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [20s elapsed]
Step #4 - "tf apply": module.env.module.env_kms.module.budget.google_billing_budget.budget[0]: Creation complete after 1s [id=billingAccounts/01BCCE-4EC0EE-DC58C8/budgets/06ba685c-d14c-4827-a5a1-d0effd160f69]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["monitoring.googleapis.com"]: Creation complete after 21s [id=prj-d-monitoring-hwfg/monitoring.googleapis.com]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["logging.googleapis.com"]: Creation complete after 21s [id=prj-d-monitoring-hwfg/logging.googleapis.com]
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creation complete after 21s [id=prj-d-monitoring-hwfg/billingbudgets.googleapis.com]
Step #4 - "tf apply": module.env.module.monitoring_project.module.budget.data.google_project.project[0]: Reading...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creating...
Step #4 - "tf apply": module.env.google_project_iam_member.monitoring_viewer: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creation complete after 0s [id=projects/prj-d-monitoring-hwfg]
Step #4 - "tf apply": module.env.module.monitoring_project.module.budget.data.google_project.project[0]: Read complete after 0s [id=projects/prj-d-monitoring-hwfg]
Step #4 - "tf apply": module.env.module.monitoring_project.module.budget.google_billing_budget.budget[0]: Creating...
Step #4 - "tf apply": module.env.module.monitoring_project.module.budget.google_billing_budget.budget[0]: Creation complete after 1s [id=billingAccounts/01BCCE-4EC0EE-DC58C8/budgets/d1a58d65-762f-4255-a553-b53f45d599bc]
Step #4 - "tf apply": module.env.google_project_iam_member.monitoring_viewer: Creation complete after 7s [id=prj-d-monitoring-hwfg/roles/monitoring.viewer/group:gcp-monitoring-workspace@obrienlabs.xyz]
Step #4 - "tf apply": 
Step #4 - "tf apply": Apply complete! Resources: 30 added, 0 changed, 0 destroyed.
Step #4 - "tf apply": 
Step #4 - "tf apply": Outputs:
Step #4 - "tf apply": 
Step #4 - "tf apply": env_folder = "folders/353249398002"
Step #4 - "tf apply": env_kms_project_id = "prj-d-kms-jl08"
Step #4 - "tf apply": env_secrets_project_id = "prj-d-secrets-rrkx"
Step #4 - "tf apply": monitoring_project_id = "prj-d-monitoring-hwfg"
Step #4 - "tf apply": policy-library/policies  doesn't match development; skipping
Step #4 - "tf apply": policy-library/lib  doesn't match development; skipping
Step #4 - "tf apply": policy-library/.git  doesn't match development; skipping
Finished Step #4 - "tf apply"
PUSH
Artifacts will be uploaded to gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts using gsutil cp
cloudbuild-tf-apply.yaml: Uploading path....
Copying file://cloudbuild-tf-apply.yaml [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/  2.6 KiB]   0% Done
/ [1/1 files][  2.6 KiB/  2.6 KiB] 100% Done
Operation completed over 1 objects/2.6 KiB.
cloudbuild-tf-apply.yaml: 1 matching files uploaded
tmp_plan/*.tfplan: Uploading path....
Copying file://tmp_plan/envs-development.tfplan [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/127.4 KiB]   0% Done
/ [1/1 files][127.4 KiB/127.4 KiB] 100% Done
Operation completed over 1 objects/127.4 KiB.
tmp_plan/*.tfplan: 1 matching files uploaded
2 total artifacts uploaded to gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/terraform/cloudbuild/apply/df615c83-83a8-44f7-8784-bb982705f74c/
Uploading manifest artifacts-df615c83-83a8-44f7-8784-bb982705f74c.json
Artifact manifest located at gs://bkt-prj-b-cicd-82vv-gcp-environments-build-artifacts/terraform/cloudbuild/apply/df615c83-83a8-44f7-8784-bb982705f74c/artifacts-df615c83-83a8-44f7-8784-bb982705f74c.json
DONE

Screenshot 2024-04-13 at 17 46 58

3-networks-hub-and-spoke

init
plan

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ ./tf-wrapper.sh plan shared

Plan: 82 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + dns_hub_project_id = "prj-c-dns-hub-6f4b"

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Saved the plan to: /home/michael/tef-olxyz/github/gcp-networks/tmp_plan/envs-shared.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/home/michael/tef-olxyz/github/gcp-networks/tmp_plan/envs-shared.tfplan"
envs/production  doesn't match shared; skipping
envs/non-production  doesn't match shared; skipping
envs/development  doesn't match shared; skipping

Screenshot 2024-04-13 at 17 50 28

3-networks-hub-and-spoke shared apply

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ ./tf-wrapper.sh apply shared
*************** TERRAFORM APPLY *******************
      At environment: envs/shared 
***************************************************
module.hierarchical_firewall_policy.random_string.suffix: Creating...
module.hierarchical_firewall_policy.random_string.suffix: Creation complete after 0s [id=3q5s]
module.dns_hub_vpc.module.vpc.google_compute_network.network: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy: Creating...
module.dns_hub_vpc.module.vpc.google_compute_network.network: Still creating... [10s elapsed]
module.dns_hub_vpc.module.vpc.google_compute_network.network: Still creating... [20s elapsed]
module.dns_hub_vpc.module.vpc.google_compute_network.network: Still creating... [30s elapsed]
module.dns_hub_vpc.module.vpc.google_compute_network.network: Creation complete after 33s [id=projects/prj-c-dns-hub-6f4b/global/networks/vpc-c-dns-hub]
module.dns_hub_region1_router1.google_compute_router.router: Creating...
google_dns_policy.default_policy: Creating...
module.dns_hub_region2_router2.google_compute_router.router: Creating...
module.dns_hub_region1_router2.google_compute_router.router: Creating...
module.dns_hub_region2_router1.google_compute_router.router: Creating...
module.dns_hub_vpc.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-dns-hub-us-central1"]: Creating...
module.dns-forwarding-zone.google_dns_managed_zone.forwarding[0]: Creating...
module.dns_hub_vpc.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-dns-hub-us-west1"]: Creating...
module.dns-forwarding-zone.google_dns_managed_zone.forwarding[0]: Creation complete after 2s [id=projects/prj-c-dns-hub-6f4b/managedZones/fz-dns-hub]
google_dns_policy.default_policy: Creation complete after 2s [id=projects/prj-c-dns-hub-6f4b/policies/dp-dns-hub-default-policy]
module.dns_hub_region1_router1.google_compute_router.router: Still creating... [10s elapsed]
module.dns_hub_region1_router2.google_compute_router.router: Still creating... [10s elapsed]
module.dns_hub_region2_router1.google_compute_router.router: Still creating... [10s elapsed]
module.dns_hub_vpc.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-dns-hub-us-west1"]: Still creating... [10s elapsed]
module.dns_hub_region2_router2.google_compute_router.router: Still creating... [10s elapsed]
module.dns_hub_vpc.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-dns-hub-us-central1"]: Still creating... [10s elapsed]
module.dns_hub_vpc.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-dns-hub-us-central1"]: Creation complete after 13s [id=projects/prj-c-dns-hub-6f4b/regions/us-central1/subnetworks/sb-c-dns-hub-us-central1]
module.dns_hub_region2_router1.google_compute_router.router: Creation complete after 13s [id=projects/prj-c-dns-hub-6f4b/regions/us-central1/routers/cr-c-dns-hub-us-central1-cr3]
module.dns_hub_region1_router2.google_compute_router.router: Creation complete after 16s [id=projects/prj-c-dns-hub-6f4b/regions/us-west1/routers/cr-c-dns-hub-us-west1-cr2]
module.dns_hub_vpc.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-dns-hub-us-west1"]: Creation complete after 17s [id=projects/prj-c-dns-hub-6f4b/regions/us-west1/subnetworks/sb-c-dns-hub-us-west1]
module.dns_hub_vpc.module.routes.google_compute_route.route["rt-c-dns-hub-1000-all-default-private-api"]: Creating...
module.dns_hub_region1_router1.google_compute_router.router: Still creating... [20s elapsed]
module.dns_hub_region2_router2.google_compute_router.router: Still creating... [20s elapsed]
module.dns_hub_region2_router2.google_compute_router.router: Creation complete after 23s [id=projects/prj-c-dns-hub-6f4b/regions/us-central1/routers/cr-c-dns-hub-us-central1-cr4]
module.dns_hub_region1_router1.google_compute_router.router: Creation complete after 25s [id=projects/prj-c-dns-hub-6f4b/regions/us-west1/routers/cr-c-dns-hub-us-west1-cr1]
module.dns_hub_vpc.module.routes.google_compute_route.route["rt-c-dns-hub-1000-all-default-private-api"]: Still creating... [10s elapsed]
module.dns_hub_vpc.module.routes.google_compute_route.route["rt-c-dns-hub-1000-all-default-private-api"]: Creation complete after 12s [id=projects/prj-c-dns-hub-6f4b/global/routes/rt-c-dns-hub-1000-all-default-private-api]
module.restricted_shared_vpc.random_id.random_access_level_suffix: Creating...
module.base_shared_vpc.data.google_compute_network.vpc_dns_hub: Reading...
module.restricted_shared_vpc.data.google_compute_network.vpc_dns_hub: Reading...
module.restricted_shared_vpc.random_id.random_access_level_suffix: Creation complete after 0s [id=Z_E]
module.restricted_shared_vpc.module.main.module.vpc.google_compute_network.network: Creating...
module.base_shared_vpc.module.main.module.vpc.google_compute_network.network: Creating...
module.restricted_shared_vpc.module.access_level_members.google_access_context_manager_access_level.access_level: Creating...
module.base_shared_vpc.data.google_compute_network.vpc_dns_hub: Read complete after 0s [id=projects/prj-c-dns-hub-6f4b/global/networks/vpc-c-dns-hub]
module.restricted_shared_vpc.data.google_compute_network.vpc_dns_hub: Read complete after 0s [id=projects/prj-c-dns-hub-6f4b/global/networks/vpc-c-dns-hub]
module.restricted_shared_vpc.module.main.module.vpc.google_compute_network.network: Still creating... [10s elapsed]
module.base_shared_vpc.module.main.module.vpc.google_compute_network.network: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.main.module.vpc.google_compute_network.network: Still creating... [20s elapsed]
module.base_shared_vpc.module.main.module.vpc.google_compute_network.network: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.main.module.vpc.google_compute_network.network: Still creating... [30s elapsed]
module.base_shared_vpc.module.main.module.vpc.google_compute_network.network: Still creating... [30s elapsed]
module.base_shared_vpc.module.main.module.vpc.google_compute_network.network: Creation complete after 32s [id=projects/prj-c-base-net-hub-5y8h/global/networks/vpc-c-shared-base-hub]
module.base_shared_vpc.module.main.module.vpc.google_compute_shared_vpc_host_project.shared_vpc_host[0]: Creating...
module.base_shared_vpc.module.private_service_connect.google_compute_global_address.private_service_connect: Creating...
module.base_shared_vpc.module.peering_zone.google_dns_managed_zone.peering[0]: Creating...
module.base_shared_vpc.module.private_service_connect.module.googleapis.google_dns_managed_zone.private[0]: Creating...
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy.fw_policy[0]: Creating...
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-base-hub-us-central1-proxy"]: Creating...
module.base_shared_vpc.google_dns_policy.default_policy: Creating...
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-base-hub-us-west1"]: Creating...
module.base_shared_vpc.module.private_service_connect.module.gcr.google_dns_managed_zone.private[0]: Creating...
module.restricted_shared_vpc.module.main.module.vpc.google_compute_network.network: Creation complete after 33s [id=projects/prj-c-restricted-net-hub-a8d5/global/networks/vpc-c-shared-restricted-hub]
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-base-hub-us-west1-proxy"]: Creating...
module.base_shared_vpc.module.peering_zone.google_dns_managed_zone.peering[0]: Creation complete after 2s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-to-dns-hub]
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-base-hub-us-central1"]: Creating...
module.base_shared_vpc.module.private_service_connect.module.googleapis.google_dns_managed_zone.private[0]: Creation complete after 2s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-apis]
module.restricted_shared_vpc.module.main.module.vpc.google_compute_shared_vpc_host_project.shared_vpc_host[0]: Creating...
module.base_shared_vpc.google_dns_policy.default_policy: Creation complete after 2s [id=projects/prj-c-base-net-hub-5y8h/policies/dp-c-shared-base-default-policy]
module.base_shared_vpc.module.private_service_connect.module.gcr.google_dns_managed_zone.private[0]: Creation complete after 2s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-gcr]
module.base_shared_vpc.module.private_service_connect.module.googleapis.google_dns_record_set.cloud-static-records["*/CNAME"]: Creating...
module.base_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_managed_zone.private[0]: Creating...
module.base_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_managed_zone.private[0]: Creation complete after 1s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-pkg-dev]
module.base_shared_vpc.module.private_service_connect.module.googleapis.google_dns_record_set.cloud-static-records["private/A"]: Creating...
module.base_shared_vpc.module.private_service_connect.module.googleapis.google_dns_record_set.cloud-static-records["*/CNAME"]: Creation complete after 3s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-apis/rrsets/*.googleapis.com./CNAME]
module.base_shared_vpc.module.private_service_connect.module.gcr.google_dns_record_set.cloud-static-records["/A"]: Creating...
module.base_shared_vpc.module.private_service_connect.module.googleapis.google_dns_record_set.cloud-static-records["private/A"]: Creation complete after 2s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-apis/rrsets/private.googleapis.com./A]
module.base_shared_vpc.module.private_service_connect.module.gcr.google_dns_record_set.cloud-static-records["*/CNAME"]: Creating...
module.base_shared_vpc.module.private_service_connect.module.gcr.google_dns_record_set.cloud-static-records["/A"]: Creation complete after 2s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-gcr/rrsets/gcr.io./A]
module.base_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_record_set.cloud-static-records["*/CNAME"]: Creating...
module.base_shared_vpc.module.private_service_connect.module.gcr.google_dns_record_set.cloud-static-records["*/CNAME"]: Creation complete after 3s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-gcr/rrsets/*.gcr.io./CNAME]
module.base_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_record_set.cloud-static-records["/A"]: Creating...
module.base_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_record_set.cloud-static-records["*/CNAME"]: Creation complete after 3s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-pkg-dev/rrsets/*.pkg.dev./CNAME]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-restricted-hub-us-west1-proxy"]: Creating...
module.base_shared_vpc.module.main.module.vpc.google_compute_shared_vpc_host_project.shared_vpc_host[0]: Still creating... [10s elapsed]
module.base_shared_vpc.module.private_service_connect.google_compute_global_address.private_service_connect: Still creating... [10s elapsed]
module.base_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_record_set.cloud-static-records["/A"]: Creation complete after 2s [id=projects/prj-c-base-net-hub-5y8h/managedZones/dz-c-shared-base-pkg-dev/rrsets/pkg.dev./A]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-restricted-hub-us-central1"]: Creating...
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy.fw_policy[0]: Still creating... [10s elapsed]
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-base-hub-us-central1-proxy"]: Still creating... [10s elapsed]
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-base-hub-us-west1"]: Still creating... [10s elapsed]
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-base-hub-us-west1-proxy"]: Still creating... [10s elapsed]
module.base_shared_vpc.module.main.module.vpc.google_compute_shared_vpc_host_project.shared_vpc_host[0]: Creation complete after 11s [id=prj-c-base-net-hub-5y8h]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-restricted-hub-us-west1"]: Creating...
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy.fw_policy[0]: Creation complete after 11s [id=projects/prj-c-base-net-hub-5y8h/global/firewallPolicies/fp-c-hub-and-spoke-base-firewalls]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-restricted-hub-us-central1-proxy"]: Creating...
module.base_shared_vpc.module.private_service_connect.google_compute_global_address.private_service_connect: Creation complete after 11s [id=projects/prj-c-base-net-hub-5y8h/global/addresses/global-psconnect-ip]
module.restricted_shared_vpc.google_dns_policy.default_policy: Creating...
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-base-hub-us-central1"]: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.main.module.vpc.google_compute_shared_vpc_host_project.shared_vpc_host[0]: Still creating... [10s elapsed]
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-base-hub-us-central1-proxy"]: Creation complete after 13s [id=projects/prj-c-base-net-hub-5y8h/regions/us-central1/subnetworks/sb-c-shared-base-hub-us-central1-proxy]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy.fw_policy[0]: Creating...
module.restricted_shared_vpc.google_dns_policy.default_policy: Creation complete after 2s [id=projects/prj-c-restricted-net-hub-a8d5/policies/dp-c-shared-restricted-default-policy]
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_association.vpc_associations["cHJvamVjdHMvcHJqLWMtYmFzZS1uZXQtaHViLTV5OGgvZ2xvYmFsL25ldHdvcmtzL3ZwYy1jLXNoYXJlZC1iYXNlLWh1Yg=="]: Creating...
module.restricted_shared_vpc.module.main.module.vpc.google_compute_shared_vpc_host_project.shared_vpc_host[0]: Creation complete after 11s [id=prj-c-restricted-net-hub-a8d5]
module.base_shared_vpc.module.private_service_connect.google_compute_global_forwarding_rule.forwarding_rule_private_service_connect: Creating...
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-base-hub-us-central1"]: Creation complete after 11s [id=projects/prj-c-base-net-hub-5y8h/regions/us-central1/subnetworks/sb-c-shared-base-hub-us-central1]
module.restricted_shared_vpc.module.peering_zone.google_dns_managed_zone.peering[0]: Creating...
module.restricted_shared_vpc.module.peering_zone.google_dns_managed_zone.peering[0]: Creation complete after 2s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-to-dns-hub]
module.restricted_shared_vpc.module.private_service_connect.google_compute_global_address.private_service_connect: Creating...
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_association.vpc_associations["cHJvamVjdHMvcHJqLWMtYmFzZS1uZXQtaHViLTV5OGgvZ2xvYmFsL25ldHdvcmtzL3ZwYy1jLXNoYXJlZC1iYXNlLWh1Yg=="]: Creation complete after 6s [id=projects/prj-c-base-net-hub-5y8h/global/firewallPolicies/fp-c-hub-and-spoke-base-firewalls/associations/fp-c-hub-and-spoke-base-firewalls-vpc-c-shared-base-hub]
module.restricted_shared_vpc.module.private_service_connect.module.googleapis.google_dns_managed_zone.private[0]: Creating...
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-restricted-hub-us-west1-proxy"]: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-restricted-hub-us-central1"]: Still creating... [10s elapsed]
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-base-hub-us-west1"]: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.private_service_connect.module.googleapis.google_dns_managed_zone.private[0]: Creation complete after 1s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-apis]
module.restricted_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_managed_zone.private[0]: Creating...
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-base-hub-us-west1-proxy"]: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-restricted-hub-us-west1"]: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-restricted-hub-us-central1-proxy"]: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_managed_zone.private[0]: Creation complete after 1s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-pkg-dev]
module.restricted_shared_vpc.module.private_service_connect.module.gcr.google_dns_managed_zone.private[0]: Creating...
module.restricted_shared_vpc.module.private_service_connect.module.gcr.google_dns_managed_zone.private[0]: Creation complete after 1s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-gcr]
module.restricted_shared_vpc.module.private_service_connect.module.googleapis.google_dns_record_set.cloud-static-records["*/CNAME"]: Creating...
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy.fw_policy[0]: Still creating... [10s elapsed]
module.base_shared_vpc.module.private_service_connect.google_compute_global_forwarding_rule.forwarding_rule_private_service_connect: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy.fw_policy[0]: Creation complete after 11s [id=projects/prj-c-restricted-net-hub-a8d5/global/firewallPolicies/fp-c-hub-and-spoke-restricted-firewalls]
module.restricted_shared_vpc.module.private_service_connect.module.googleapis.google_dns_record_set.cloud-static-records["restricted/A"]: Creating...
module.restricted_shared_vpc.module.private_service_connect.module.googleapis.google_dns_record_set.cloud-static-records["*/CNAME"]: Creation complete after 2s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-apis/rrsets/*.googleapis.com./CNAME]
module.restricted_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_record_set.cloud-static-records["*/CNAME"]: Creating...
module.base_shared_vpc.module.private_service_connect.google_compute_global_forwarding_rule.forwarding_rule_private_service_connect: Creation complete after 11s [id=projects/prj-c-base-net-hub-5y8h/global/forwardingRules/globalrule]
module.restricted_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_record_set.cloud-static-records["/A"]: Creating...
module.restricted_shared_vpc.module.private_service_connect.google_compute_global_address.private_service_connect: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_record_set.cloud-static-records["*/CNAME"]: Creation complete after 1s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-pkg-dev/rrsets/*.pkg.dev./CNAME]
module.restricted_shared_vpc.module.private_service_connect.module.gcr.google_dns_record_set.cloud-static-records["/A"]: Creating...
module.restricted_shared_vpc.module.private_service_connect.module.pkg_dev.google_dns_record_set.cloud-static-records["/A"]: Creation complete after 2s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-pkg-dev/rrsets/pkg.dev./A]
module.restricted_shared_vpc.module.private_service_connect.module.gcr.google_dns_record_set.cloud-static-records["*/CNAME"]: Creating...
module.restricted_shared_vpc.module.private_service_connect.google_compute_global_address.private_service_connect: Creation complete after 11s [id=projects/prj-c-restricted-net-hub-a8d5/global/addresses/global-psconnect-ip]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_association.vpc_associations["cHJvamVjdHMvcHJqLWMtcmVzdHJpY3RlZC1uZXQtaHViLWE4ZDUvZ2xvYmFsL25ldHdvcmtzL3ZwYy1jLXNoYXJlZC1yZXN0cmljdGVkLWh1Yg=="]: Creating...
module.restricted_shared_vpc.module.private_service_connect.module.gcr.google_dns_record_set.cloud-static-records["/A"]: Creation complete after 2s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-gcr/rrsets/gcr.io./A]
module.restricted_shared_vpc.module.private_service_connect.google_compute_global_forwarding_rule.forwarding_rule_private_service_connect: Creating...
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-base-hub-us-west1-proxy"]: Creation complete after 26s [id=projects/prj-c-base-net-hub-5y8h/regions/us-west1/subnetworks/sb-c-shared-base-hub-us-west1-proxy]
module.base_shared_vpc.module.region1_router1[0].google_compute_router.router: Creating...
module.restricted_shared_vpc.module.private_service_connect.module.gcr.google_dns_record_set.cloud-static-records["*/CNAME"]: Creation complete after 1s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-gcr/rrsets/*.gcr.io./CNAME]
module.base_shared_vpc.module.region2_router1[0].google_compute_router.router: Creating...
module.restricted_shared_vpc.module.private_service_connect.module.googleapis.google_dns_record_set.cloud-static-records["restricted/A"]: Creation complete after 3s [id=projects/prj-c-restricted-net-hub-a8d5/managedZones/dz-c-shared-restricted-apis/rrsets/restricted.googleapis.com./A]
module.base_shared_vpc.module.region1_router2[0].google_compute_router.router: Creating...
module.base_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-base-hub-us-west1"]: Creation complete after 28s [id=projects/prj-c-base-net-hub-5y8h/regions/us-west1/subnetworks/sb-c-shared-base-hub-us-west1]
module.base_shared_vpc.module.region2_router2[0].google_compute_router.router: Creating...
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-restricted-hub-us-west1-proxy"]: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-restricted-hub-us-central1"]: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-restricted-hub-us-west1"]: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-restricted-hub-us-central1-proxy"]: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-restricted-hub-us-central1"]: Creation complete after 24s [id=projects/prj-c-restricted-net-hub-a8d5/regions/us-central1/subnetworks/sb-c-shared-restricted-hub-us-central1]
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["65530"]: Creating...
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-restricted-hub-us-west1"]: Creation complete after 23s [id=projects/prj-c-restricted-net-hub-a8d5/regions/us-west1/subnetworks/sb-c-shared-restricted-hub-us-west1]
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["1000"]: Creating...
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-west1/sb-c-shared-restricted-hub-us-west1-proxy"]: Creation complete after 25s [id=projects/prj-c-restricted-net-hub-a8d5/regions/us-west1/subnetworks/sb-c-shared-restricted-hub-us-west1-proxy]
module.restricted_shared_vpc.module.main.module.subnets.google_compute_subnetwork.subnetwork["us-central1/sb-c-shared-restricted-hub-us-central1-proxy"]: Creation complete after 24s [id=projects/prj-c-restricted-net-hub-a8d5/regions/us-central1/subnetworks/sb-c-shared-restricted-hub-us-central1-proxy]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_association.vpc_associations["cHJvamVjdHMvcHJqLWMtcmVzdHJpY3RlZC1uZXQtaHViLWE4ZDUvZ2xvYmFsL25ldHdvcmtzL3ZwYy1jLXNoYXJlZC1yZXN0cmljdGVkLWh1Yg=="]: Creation complete after 9s [id=projects/prj-c-restricted-net-hub-a8d5/global/firewallPolicies/fp-c-hub-and-spoke-restricted-firewalls/associations/fp-c-hub-and-spoke-restricted-firewalls-vpc-c-shared-restricted-hub]


module.base_shared_vpc.module.region1_router1[0].google_compute_router.router: Still creating... [10s elapsed]
module.base_shared_vpc.module.region2_router1[0].google_compute_router.router: Still creating... [10s elapsed]
module.base_shared_vpc.module.region1_router2[0].google_compute_router.router: Still creating... [10s elapsed]
module.base_shared_vpc.module.region2_router2[0].google_compute_router.router: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.private_service_connect.google_compute_global_forwarding_rule.forwarding_rule_private_service_connect: Creation complete after 11s [id=projects/prj-c-restricted-net-hub-a8d5/global/forwardingRules/globalrule]
module.restricted_shared_vpc.module.region1_router1[0].google_compute_router.router: Creating...
module.restricted_shared_vpc.module.region2_router1[0].google_compute_router.router: Creating...
module.restricted_shared_vpc.module.region2_router2[0].google_compute_router.router: Creating...
module.restricted_shared_vpc.module.region1_router2[0].google_compute_router.router: Creating...
module.base_shared_vpc.module.region2_router2[0].google_compute_router.router: Creation complete after 11s [id=projects/prj-c-base-net-hub-5y8h/regions/us-central1/routers/cr-c-shared-base-hub-us-central1-cr4]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["65530"]: Creating...
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["65530"]: Still creating... [10s elapsed]
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["1000"]: Still creating... [10s elapsed]
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["65530"]: Creation complete after 11s [id=projects/prj-c-base-net-hub-5y8h/global/firewallPolicies/fp-c-hub-and-spoke-base-firewalls/rules/65530]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["1000"]: Creating...
module.base_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["1000"]: Creation complete after 12s [id=projects/prj-c-base-net-hub-5y8h/global/firewallPolicies/fp-c-hub-and-spoke-base-firewalls/rules/1000]
module.base_shared_vpc.module.region1_router1[0].google_compute_router.router: Still creating... [20s elapsed]
module.base_shared_vpc.module.region2_router1[0].google_compute_router.router: Still creating... [20s elapsed]
module.base_shared_vpc.module.region1_router2[0].google_compute_router.router: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.region1_router1[0].google_compute_router.router: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.region2_router1[0].google_compute_router.router: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.region2_router2[0].google_compute_router.router: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.region1_router2[0].google_compute_router.router: Still creating... [10s elapsed]
module.base_shared_vpc.module.region2_router1[0].google_compute_router.router: Creation complete after 21s [id=projects/prj-c-base-net-hub-5y8h/regions/us-central1/routers/cr-c-shared-base-hub-us-central1-cr3]
module.base_shared_vpc.module.region1_router1[0].google_compute_router.router: Creation complete after 22s [id=projects/prj-c-base-net-hub-5y8h/regions/us-west1/routers/cr-c-shared-base-hub-us-west1-cr1]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["65530"]: Still creating... [10s elapsed]
module.base_shared_vpc.module.region1_router2[0].google_compute_router.router: Creation complete after 23s [id=projects/prj-c-base-net-hub-5y8h/regions/us-west1/routers/cr-c-shared-base-hub-us-west1-cr2]
module.restricted_shared_vpc.module.region1_router1[0].google_compute_router.router: Creation complete after 12s [id=projects/prj-c-restricted-net-hub-a8d5/regions/us-west1/routers/cr-c-shared-restricted-hub-us-west1-cr5]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["65530"]: Creation complete after 12s [id=projects/prj-c-restricted-net-hub-a8d5/global/firewallPolicies/fp-c-hub-and-spoke-restricted-firewalls/rules/65530]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["1000"]: Still creating... [10s elapsed]
module.restricted_shared_vpc.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["1000"]: Creation complete after 12s [id=projects/prj-c-restricted-net-hub-a8d5/global/firewallPolicies/fp-c-hub-and-spoke-restricted-firewalls/rules/1000]
module.restricted_shared_vpc.module.region2_router2[0].google_compute_router.router: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.region1_router2[0].google_compute_router.router: Still creating... [20s elapsed]
module.restricted_shared_vpc.module.region2_router2[0].google_compute_router.router: Creation complete after 22s [id=projects/prj-c-restricted-net-hub-a8d5/regions/us-central1/routers/cr-c-shared-restricted-hub-us-central1-cr8]
module.restricted_shared_vpc.module.region2_router1[0].google_compute_router.router: Creation complete after 22s [id=projects/prj-c-restricted-net-hub-a8d5/regions/us-central1/routers/cr-c-shared-restricted-hub-us-central1-cr7]
module.restricted_shared_vpc.module.region1_router2[0].google_compute_router.router: Creation complete after 22s [id=projects/prj-c-restricted-net-hub-a8d5/regions/us-west1/routers/cr-c-shared-restricted-hub-us-west1-cr6]
module.restricted_shared_vpc.time_sleep.wait_vpc_sc_propagation: Creating...
module.restricted_shared_vpc.time_sleep.wait_vpc_sc_propagation: Still creating... [20s elapsed]
module.restricted_shared_vpc.time_sleep.wait_vpc_sc_propagation: Still creating... [30s elapsed]
module.restricted_shared_vpc.time_sleep.wait_vpc_sc_propagation: Still creating... [40s elapsed]

module.restricted_shared_vpc.time_sleep.wait_vpc_sc_propagation: Still creating... [50s elapsed]
module.restricted_shared_vpc.time_sleep.wait_vpc_sc_propagation: Still creating... [1m0s elapsed]
module.restricted_shared_vpc.time_sleep.wait_vpc_sc_propagation: Creation complete after 1m0s [id=2024-04-13T21:53:16Z]

Error: Error waiting to create OrganizationSecurityPolicy: Error waiting for Creating OrganizationSecurityPolicy: error while retrieving operation: googleapi: Error 403: Caller does not have required permission to use project tef-olxyz. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=tef-olxyz and then retry. Propagation of the new permission may take a few minutes.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developer console IAM admin",
        "url": "https://console.developers.google.com/iam-admin/iam/project?project=tef-olxyz"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadatas": {
      "consumer": "projects/tef-olxyz",
      "service": "compute.googleapis.com"
    },
    "reason": "USER_PROJECT_DENIED"
  }
]
, forbidden

  with module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy,
  on ../../modules/hierarchical_firewall_policy/main.tf line 27, in resource "google_compute_organization_security_policy" "policy":
  27: resource "google_compute_organization_security_policy" "policy" {


Error: Error creating AccessLevel: googleapi: Error 403: Caller does not have required permission to use project tef-olxyz. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=tef-olxyz and then retry. Propagation of the new permission may take a few minutes.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developer console IAM admin",
        "url": "https://console.developers.google.com/iam-admin/iam/project?project=tef-olxyz"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "consumer": "projects/tef-olxyz",
      "service": "accesscontextmanager.googleapis.com"
    },
    "reason": "USER_PROJECT_DENIED"
  }
]

  with module.restricted_shared_vpc.module.access_level_members.google_access_context_manager_access_level.access_level,
  on .terraform/modules/restricted_shared_vpc.access_level_members/modules/access_level/main.tf line 21, in resource "google_access_context_manager_access_level" "access_level":
  21: resource "google_access_context_manager_access_level" "access_level" {

ACM error on iam role - fixing

Error: Error creating AccessLevel: googleapi: Error 403: Caller does not have required permission to use project tef-olxyz. Grant the caller the roles/serviceusage.serviceUsageConsumer role, or a custom role with the serviceusage.services.use permission, by visiting https://console.developers.google.com/iam-admin/iam/project?project=tef-olxyz and then retry. Propagation of the new permission may take a few minutes.

Service Usage Consumer missing from sa-terraform-net

sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com

Screenshot 2024-04-13 at 17 55 48

Adding

see #379

Screenshot 2024-04-13 at 18 01 32

wait 2 min for IAM propagation - retry apply

init
plan



Plan: 15 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Saved the plan to: /home/michael/tef-olxyz/github/gcp-networks/tmp_plan/envs-shared.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/home/michael/tef-olxyz/github/gcp-networks/tmp_plan/envs-shared.tfplan"
envs/production  doesn't match shared; skipping
envs/non-production  doesn't match shared; skipping
envs/development  doesn't match shared; skipping

apply shared
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ ./tf-wrapper.sh apply shared
*************** TERRAFORM APPLY *******************
      At environment: envs/shared 
***************************************************
module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy: Creating...
module.restricted_shared_vpc.module.access_level_members.google_access_context_manager_access_level.access_level: Creating...
module.restricted_shared_vpc.module.access_level_members.google_access_context_manager_access_level.access_level: Creation complete after 1s [id=accessPolicies/807865857747/accessLevels/alp_c_shared_restricted_members_67f1]
module.restricted_shared_vpc.module.regular_service_perimeter.google_access_context_manager_service_perimeter.regular_service_perimeter: Creating...
module.restricted_shared_vpc.module.regular_service_perimeter.google_access_context_manager_service_perimeter.regular_service_perimeter: Creation complete after 1s [id=accessPolicies/807865857747/servicePerimeters/sp_c_shared_restricted_default_perimeter_67f1]
module.restricted_shared_vpc.module.regular_service_perimeter.google_access_context_manager_service_perimeter_resource.service_perimeter_resource["127928059862"]: Creating...
module.restricted_shared_vpc.module.regular_service_perimeter.google_access_context_manager_service_perimeter_resource.service_perimeter_resource["127928059862"]: Creation complete after 1s [id=accessPolicies/807865857747/servicePerimeters/sp_c_shared_restricted_default_perimeter_67f1/projects/127928059862]

Error: Error creating OrganizationSecurityPolicy: googleapi: Error 400: Invalid value for field 'resource.displayName': 'common-firewall-rules-3q5s'. The display name is already used. Please choose another one, invalid

  with module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy,
  on ../../modules/hierarchical_firewall_policy/main.tf line 27, in resource "google_compute_organization_security_policy" "policy":
  27: resource "google_compute_organization_security_policy" "policy" {

#380

rename hierarchical_firewall_policy

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/3-networks-hub-and-spoke/envs/shared/hierarchical_firewall.tf#L21

  name   = "common-firewall-rules"

The SA needs the role compute.orgSecurityPolicyAdmin or more recently compute.orgFirewallPolicyAdmin
https://cloud.google.com/firewall/docs/firewall-policies#iam
Compute Organization Firewall Policy Admin
https://cloud.google.com/compute/docs/access/iam#compute.orgFirewallPolicyAdmin

#381
Screenshot 2024-04-13 at 18 28 08

Brute force - instead of rename in the console with potential state file corruption - change the name in the policy tf

  name   = "common-firewall-rules2"


michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git diff
diff --git a/common.auto.tfvars b/common.auto.tfvars
index 5ee83f3..aa501e1 100644
--- a/common.auto.tfvars
+++ b/common.auto.tfvars
@@ -24,4 +24,5 @@ perimeter_additional_members = ["user:michael@obrienlabs.xyz"]
 
 remote_state_bucket = "bkt-prj-b-seed-tfstate-7120"
 
-//enable_hub_and_spoke_transitivity = true
+#enable_hub_and_spoke_transitivity = true
+enable_hub_and_spoke_transitivity = false
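Review bot: the commented-out `#enable_hub_and_spoke_transitivity = true` kept directly above the new explicit `enable_hub_and_spoke_transitivity = false` no longer carries any information the assignment does not, and a later reader cannot tell whether it is a leftover or a reminder to flip the value back. Drop it, or replace it with a one-line comment stating why transitivity is disabled for this deployment. Changing the comment marker from `//` to `#` is harmless (both are valid in HCL), but it is unrelated to the functional change and is easier to review as its own commit.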
diff --git a/envs/shared/hierarchical_firewall.tf b/envs/shared/hierarchical_firewall.tf
index ee1b0d1..d0ff931 100644
--- a/envs/shared/hierarchical_firewall.tf
+++ b/envs/shared/hierarchical_firewall.tf
@@ -18,7 +18,7 @@ module "hierarchical_firewall_policy" {
   source = "../../modules/hierarchical_firewall_policy/"
 
   parent = local.common_folder_name
-  name   = "common-firewall-rules"
+  name   = "common-firewall-rules2"
   associations = [
     local.common_folder_name,
     local.network_folder_name,
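Review bot: renaming `name` to `"common-firewall-rules2"` works around the "display name is already used" error shown above, but it leaves the policy created by the earlier failed apply (display name `common-firewall-rules-3q5s` in the log) orphaned in the organization and outside Terraform state, and it starts a drift away from the upstream name. Importing that existing policy into `module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy` (or deleting it once it is confirmed unused) would keep the name stable instead of accumulating `-rules2`, `-rules3` variants; if the rename has to stay, a comment next to `name` explaining the reason would help the next reader.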

3 shared apply

Terraform will perform the following actions:

  # module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy will be created
  + resource "google_compute_organization_security_policy" "policy" {
      + display_name = "common-firewall-rules2-3q5s"
      + fingerprint  = (known after apply)
      + id           = (known after apply)
      + parent       = "folders/96486704059"
      + policy_id    = (known after apply)
      + type         = "FIREWALL"
    }

apply

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ ./tf-wrapper.sh apply shared
*************** TERRAFORM APPLY *******************
      At environment: envs/shared 
***************************************************
module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy: Creating...

Error: Error waiting to create OrganizationSecurityPolicy: Error waiting for Creating OrganizationSecurityPolicy: error while retrieving operation: googleapi: Error 403: Compute Engine API has not been used in project tef-olxyz before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=tef-olxyz then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developers console API activation",
        "url": "https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=tef-olxyz"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadatas": {
      "consumer": "projects/tef-olxyz",
      "service": "compute.googleapis.com"
    },
    "reason": "SERVICE_DISABLED"
  }
]
, accessNotConfigured

  with module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy,
  on ../../modules/hierarchical_firewall_policy/main.tf line 27, in resource "google_compute_organization_security_policy" "policy":
  27: resource "google_compute_organization_security_policy" "policy" {


base issue - enable compute API

#382

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ gcloud services enable compute.googleapis.com
Operation "operations/acf.p2-438381210056-2415ed08-fad8-4333-8c8e-1017881efb60" finished successfully.

rename 3rd time
Screenshot 2024-04-13 at 18 37 34

3-networks-hub-and-spoke step 11 shared apply

  name   = "common-firewall-rules3"


michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ ./tf-wrapper.sh apply shared
*************** TERRAFORM APPLY *******************
      At environment: envs/shared 
***************************************************
module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy.policy: Creation complete after 12s [id=locations/global/securityPolicies/638814738464]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/652472417643"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["delegate-rfc1918-egress"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/173484768969"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/358902749545"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-iap-ssh-rdp"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/206926817949"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/353249398002"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["delegate-rfc1918-ingress"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-google-hbs-and-hcs"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-windows-activation"]: Creating...

module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/652472417643"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/173484768969"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/358902749545"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["delegate-rfc1918-egress"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-iap-ssh-rdp"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/206926817949"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/353249398002"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["delegate-rfc1918-ingress"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-google-hbs-and-hcs"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-windows-activation"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/173484768969"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/652472417643"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/358902749545"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/206926817949"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["delegate-rfc1918-egress"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-iap-ssh-rdp"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/353249398002"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["delegate-rfc1918-ingress"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-google-hbs-and-hcs"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-windows-activation"]: Still creating... [20s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/173484768969"]: Creation complete after 22s [id=locations/global/securityPolicies/638814738464/association/locations/global/securityPolicies/638814738464-folders/173484768969]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/96486704059"]: Creating...
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["delegate-rfc1918-egress"]: Creation complete after 27s [id=locations/global/securityPolicies/638814738464/priority/510]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-windows-activation"]: Creation complete after 27s [id=locations/global/securityPolicies/638814738464/priority/5100]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/652472417643"]: Still creating... [30s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/358902749545"]: Still creating... [30s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-iap-ssh-rdp"]: Still creating... [30s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/206926817949"]: Still creating... [30s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-google-hbs-and-hcs"]: Still creating... [30s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/353249398002"]: Still creating... [30s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["delegate-rfc1918-ingress"]: Still creating... [30s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["delegate-rfc1918-ingress"]: Creation complete after 30s [id=locations/global/securityPolicies/638814738464/priority/500]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-iap-ssh-rdp"]: Creation complete after 30s [id=locations/global/securityPolicies/638814738464/priority/5000]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/96486704059"]: Still creating... [10s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/206926817949"]: Creation complete after 35s [id=locations/global/securityPolicies/638814738464/association/locations/global/securityPolicies/638814738464-folders/206926817949]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/96486704059"]: Creation complete after 15s [id=locations/global/securityPolicies/638814738464/association/locations/global/securityPolicies/638814738464-folders/96486704059]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/652472417643"]: Creation complete after 37s [id=locations/global/securityPolicies/638814738464/association/locations/global/securityPolicies/638814738464-folders/652472417643]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/353249398002"]: Creation complete after 39s [id=locations/global/securityPolicies/638814738464/association/locations/global/securityPolicies/638814738464-folders/353249398002]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/358902749545"]: Still creating... [40s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-google-hbs-and-hcs"]: Still creating... [40s elapsed]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_association.association["folders/358902749545"]: Creation complete after 41s [id=locations/global/securityPolicies/638814738464/association/locations/global/securityPolicies/638814738464-folders/358902749545]
module.hierarchical_firewall_policy.google_compute_organization_security_policy_rule.rule["allow-google-hbs-and-hcs"]: Creation complete after 42s [id=locations/global/securityPolicies/638814738464/priority/5200]

Apply complete! Resources: 12 added, 0 changed, 0 destroyed.

Outputs:

dns_hub_project_id = "prj-c-dns-hub-6f4b"
envs/production  doesn't match shared; skipping
envs/non-production  doesn't match shared; skipping
envs/development  doesn't match shared; skipping
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ 

done 3- shared
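The three failures worked through above (a 403 `USER_PROJECT_DENIED` because the network service account lacked `roles/serviceusage.serviceUsageConsumer`, a 403 `SERVICE_DISABLED` because the Compute API was off in the quota project, and the org firewall policy admin role noted for the hierarchical firewall policy) all surface as a `Details:` JSON array in the terraform output. The script below is an added example, not code from this repo or from the TEF: it parses that array out of a constructed sample log, maps each `ErrorInfo.reason` to the fix the thread applied, and checks an IAM policy (in the JSON shape `gcloud projects get-iam-policy --format=json` returns) for the roles the service account still lacks. The project id `prj-example`, the sample policy and the `REQUIRED_ROLES` set are assumptions for the demo; `roles/compute.orgFirewallPolicyAdmin` is normally bound at the organization, so in practice the org policy would be checked with the same function.

```python
"""Preflight helper for a 3-networks apply: classify googleapi failures and
check service-account role bindings. Added example, not part of the repo."""
import json
import re

# Roles the stage's service account needed in the thread above (assumption:
# checked together here; the org firewall role lives on the org IAM policy).
REQUIRED_ROLES = {
    "roles/serviceusage.serviceUsageConsumer",
    "roles/compute.orgFirewallPolicyAdmin",
}

# reason -> fix applied in the thread (hypothetical mapping for the demo)
REMEDIATION = {
    "USER_PROJECT_DENIED": "grant roles/serviceusage.serviceUsageConsumer on the "
                           "quota project to the caller and wait for IAM propagation",
    "SERVICE_DISABLED": "enable the service on the consumer project "
                        "(gcloud services enable <service>) and retry",
}

# Constructed sample of two terraform error blocks in the shape seen above.
SAMPLE_LOG = """\
Error: Error creating AccessLevel: googleapi: Error 403: Caller does not have required permission to use project prj-example.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {
      "consumer": "projects/prj-example",
      "service": "accesscontextmanager.googleapis.com"
    },
    "reason": "USER_PROJECT_DENIED"
  }
]

Error: Error waiting to create OrganizationSecurityPolicy: googleapi: Error 403: Compute Engine API has not been used in project prj-example before or it is disabled.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developers console API activation",
        "url": "https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=prj-example"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadatas": {
      "consumer": "projects/prj-example",
      "service": "compute.googleapis.com"
    },
    "reason": "SERVICE_DISABLED"
  }
]
, accessNotConfigured
"""

# Constructed IAM policy: the SA has the consumer role but not the org firewall role.
SA_MEMBER = "serviceAccount:sa-terraform-net@prj-example.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/serviceusage.serviceUsageConsumer", "members": [SA_MEMBER]},
        {"role": "roles/viewer", "members": ["user:someone@example.com"]},
    ]
}


def parse_error_details(log_text):
    """Return one finding per google.rpc.ErrorInfo item found in the
    'Details:' JSON arrays of a terraform apply log."""
    findings = []
    # A Details block runs from "Details:\n[" to the first "]" at column 0;
    # nested arrays close with an indented "]" so the lazy match stays inside.
    for match in re.finditer(r"Details:\n(\[.*?\n\])", log_text, re.S):
        for item in json.loads(match.group(1)):
            if not item.get("@type", "").endswith("google.rpc.ErrorInfo"):
                continue  # Help entries only carry console links
            # The API emits both "metadata" and "metadatas" (both seen above).
            meta = item.get("metadata") or item.get("metadatas") or {}
            reason = item.get("reason", "UNKNOWN")
            findings.append({
                "reason": reason,
                "consumer": meta.get("consumer"),
                "service": meta.get("service"),
                "remediation": REMEDIATION.get(reason, "inspect the error text"),
            })
    return findings


def missing_roles(policy, member, required):
    """Roles from `required` that `member` holds no binding for in `policy`."""
    held = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    return sorted(set(required) - held)


if __name__ == "__main__":
    for f in parse_error_details(SAMPLE_LOG):
        print(f"{f['reason']:<20} {f['service']:<38} -> {f['remediation']}")
    for role in missing_roles(SAMPLE_POLICY, SA_MEMBER, REQUIRED_ROLES):
        print(f"missing binding: {role} for {SA_MEMBER}")
```

Feed it a real log by replacing `SAMPLE_LOG` with the captured terraform output and `SAMPLE_POLICY` with the parsed `get-iam-policy` JSON; a `SERVICE_DISABLED` on `compute.googleapis.com` against the quota project, as above, is then caught before the next 8-minute apply rather than after it.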

@obriensystems
Collaborator

3-networks-hub-and-spoke step 15 development apply

expect 8 min cloud build duration

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git checkout -b development
fatal: A branch named 'development' already exists.
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git checkout development
Switched to branch 'development'
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git push origin development


Step #4 - "tf apply": Apply complete! Resources: 66 added, 0 changed, 0 destroyed.
Step #4 - "tf apply": 
Step #4 - "tf apply": Outputs:
Step #4 - "tf apply": 
Step #4 - "tf apply": access_context_manager_policy_id = 807865857747
Step #4 - "tf apply": base_host_project_id = "prj-d-shared-base-nlqs"
Step #4 - "tf apply": base_network_name = "vpc-d-shared-base-spoke"
Step #4 - "tf apply": base_network_self_link = "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/global/networks/vpc-d-shared-base-spoke"
Step #4 - "tf apply": base_subnets_ips = [
Step #4 - "tf apply":   "10.1.64.0/18",
Step #4 - "tf apply":   "10.19.2.0/23",
Step #4 - "tf apply":   "10.0.64.0/18",
Step #4 - "tf apply":   "10.18.2.0/23",
Step #4 - "tf apply": ]
Step #4 - "tf apply": base_subnets_names = [
Step #4 - "tf apply":   "sb-d-shared-base-us-central1",
Step #4 - "tf apply":   "sb-d-shared-base-us-central1-proxy",
Step #4 - "tf apply":   "sb-d-shared-base-us-west1",
Step #4 - "tf apply":   "sb-d-shared-base-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": base_subnets_secondary_ranges = [
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply":   tolist([
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "ip_cidr_range" = "100.64.64.0/18"
Step #4 - "tf apply":       "range_name" = "rn-d-shared-base-us-west1-gke-pod"
Step #4 - "tf apply":     },
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "ip_cidr_range" = "100.65.64.0/18"
Step #4 - "tf apply":       "range_name" = "rn-d-shared-base-us-west1-gke-svc"
Step #4 - "tf apply":     },
Step #4 - "tf apply":   ]),
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply": ]
Step #4 - "tf apply": base_subnets_self_links = [
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/regions/us-central1/subnetworks/sb-d-shared-base-us-central1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/regions/us-central1/subnetworks/sb-d-shared-base-us-central1-proxy",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/regions/us-west1/subnetworks/sb-d-shared-base-us-west1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/regions/us-west1/subnetworks/sb-d-shared-base-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": restricted_access_level_name = "alp_d_shared_restricted_members_d036"
Step #4 - "tf apply": restricted_host_project_id = "prj-d-shared-restricted-j004"
Step #4 - "tf apply": restricted_network_name = "vpc-d-shared-restricted-spoke"
Step #4 - "tf apply": restricted_network_self_link = "https://www.googleapis.com/compute/v1/projects/prj-d-shared-restricted-j004/global/networks/vpc-d-shared-restricted-spoke"
Step #4 - "tf apply": restricted_service_perimeter_name = "sp_d_shared_restricted_default_perimeter_d036"
Step #4 - "tf apply": restricted_subnets_ips = [
Step #4 - "tf apply":   "10.9.64.0/18",
Step #4 - "tf apply":   "10.27.2.0/23",
Step #4 - "tf apply":   "10.8.64.0/18",
Step #4 - "tf apply":   "10.26.2.0/23",
Step #4 - "tf apply": ]
Step #4 - "tf apply": restricted_subnets_names = [
Step #4 - "tf apply":   "sb-d-shared-restricted-us-central1",
Step #4 - "tf apply":   "sb-d-shared-restricted-us-central1-proxy",
Step #4 - "tf apply":   "sb-d-shared-restricted-us-west1",
Step #4 - "tf apply":   "sb-d-shared-restricted-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": restricted_subnets_secondary_ranges = [
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply":   tolist([
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "ip_cidr_range" = "100.72.64.0/18"
Step #4 - "tf apply":       "range_name" = "rn-d-shared-restricted-us-west1-gke-pod"
Step #4 - "tf apply":     },
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "ip_cidr_range" = "100.73.64.0/18"
Step #4 - "tf apply":       "range_name" = "rn-d-shared-restricted-us-west1-gke-svc"
Step #4 - "tf apply":     },
Step #4 - "tf apply":   ]),
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply": ]
Step #4 - "tf apply": restricted_subnets_self_links = [
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-restricted-j004/regions/us-central1/subnetworks/sb-d-shared-restricted-us-central1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-restricted-j004/regions/us-central1/subnetworks/sb-d-shared-restricted-us-central1-proxy",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-restricted-j004/regions/us-west1/subnetworks/sb-d-shared-restricted-us-west1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-restricted-j004/regions/us-west1/subnetworks/sb-d-shared-restricted-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": policy-library/policies  doesn't match development; skipping
Step #4 - "tf apply": policy-library/lib  doesn't match development; skipping
Step #4 - "tf apply": policy-library/.git  doesn't match development; skipping
Finished Step #4 - "tf apply"
PUSH
Artifacts will be uploaded to gs://bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts using gsutil cp
cloudbuild-tf-apply.yaml: Uploading path....
Copying file://cloudbuild-tf-apply.yaml [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/  2.6 KiB]   0% Done                                    
/ [1/1 files][  2.6 KiB/  2.6 KiB] 100% Done                                    
Operation completed over 1 objects/2.6 KiB.                                      
cloudbuild-tf-apply.yaml: 1 matching files uploaded
tmp_plan/*.tfplan: Uploading path....
Copying file://tmp_plan/envs-development.tfplan [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/205.7 KiB]   0% Done                                    
/ [1/1 files][205.7 KiB/205.7 KiB] 100% Done                                    
Operation completed over 1 objects/205.7 KiB.                                    
tmp_plan/*.tfplan: 1 matching files uploaded
2 total artifacts uploaded to gs://bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts/terraform/cloudbuild/apply/fb4b5fd5-6575-4f8a-8dd3-d4a489bee8c9/
Uploading manifest artifacts-fb4b5fd5-6575-4f8a-8dd3-d4a489bee8c9.json
Artifact manifest located at gs://bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts/terraform/cloudbuild/apply/fb4b5fd5-6575-4f8a-8dd3-d4a489bee8c9/artifacts-fb4b5fd5-6575-4f8a-8dd3-d4a489bee8c9.json
DONE


6.5 min

@obriensystems
Collaborator

1925

3-networks-hub-and-spoke step 17 non-production apply

expect 8 min cloud build duration
all 3 branches essentially the same - so will pass

Switched to a new branch 'non-production'
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ git push origin non-production
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-networks
 * [new branch]      non-production -> non-production
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ 



Step #4 - "tf apply": Apply complete! Resources: 66 added, 0 changed, 0 destroyed.
Step #4 - "tf apply": 
Step #4 - "tf apply": Outputs:
Step #4 - "tf apply": 
Step #4 - "tf apply": access_context_manager_policy_id = 807865857747
Step #4 - "tf apply": base_host_project_id = "prj-n-shared-base-b12y"
Step #4 - "tf apply": base_network_name = "vpc-n-shared-base-spoke"
Step #4 - "tf apply": base_network_self_link = "https://www.googleapis.com/compute/v1/projects/prj-n-shared-base-b12y/global/networks/vpc-n-shared-base-spoke"
Step #4 - "tf apply": base_subnets_ips = [
Step #4 - "tf apply":   "10.1.128.0/18",
Step #4 - "tf apply":   "10.19.4.0/23",
Step #4 - "tf apply":   "10.0.128.0/18",
Step #4 - "tf apply":   "10.18.4.0/23",
Step #4 - "tf apply": ]
Step #4 - "tf apply": base_subnets_names = [
Step #4 - "tf apply":   "sb-n-shared-base-us-central1",
Step #4 - "tf apply":   "sb-n-shared-base-us-central1-proxy",
Step #4 - "tf apply":   "sb-n-shared-base-us-west1",
Step #4 - "tf apply":   "sb-n-shared-base-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": base_subnets_secondary_ranges = [
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply":   tolist([
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "ip_cidr_range" = "100.64.128.0/18"
Step #4 - "tf apply":       "range_name" = "rn-n-shared-base-us-west1-gke-pod"
Step #4 - "tf apply":     },
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "ip_cidr_range" = "100.65.128.0/18"
Step #4 - "tf apply":       "range_name" = "rn-n-shared-base-us-west1-gke-svc"
Step #4 - "tf apply":     },
Step #4 - "tf apply":   ]),
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply": ]
Step #4 - "tf apply": base_subnets_self_links = [
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-n-shared-base-b12y/regions/us-central1/subnetworks/sb-n-shared-base-us-central1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-n-shared-base-b12y/regions/us-central1/subnetworks/sb-n-shared-base-us-central1-proxy",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-n-shared-base-b12y/regions/us-west1/subnetworks/sb-n-shared-base-us-west1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-n-shared-base-b12y/regions/us-west1/subnetworks/sb-n-shared-base-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": restricted_access_level_name = "alp_n_shared_restricted_members_380d"
Step #4 - "tf apply": restricted_host_project_id = "prj-n-shared-restricted-qnv6"
Step #4 - "tf apply": restricted_network_name = "vpc-n-shared-restricted-spoke"
Step #4 - "tf apply": restricted_network_self_link = "https://www.googleapis.com/compute/v1/projects/prj-n-shared-restricted-qnv6/global/networks/vpc-n-shared-restricted-spoke"
Step #4 - "tf apply": restricted_service_perimeter_name = "sp_n_shared_restricted_default_perimeter_380d"
Step #4 - "tf apply": restricted_subnets_ips = [
Step #4 - "tf apply":   "10.9.128.0/18",
Step #4 - "tf apply":   "10.27.4.0/23",
Step #4 - "tf apply":   "10.8.128.0/18",
Step #4 - "tf apply":   "10.26.4.0/23",
Step #4 - "tf apply": ]
Step #4 - "tf apply": restricted_subnets_names = [
Step #4 - "tf apply":   "sb-n-shared-restricted-us-central1",
Step #4 - "tf apply":   "sb-n-shared-restricted-us-central1-proxy",
Step #4 - "tf apply":   "sb-n-shared-restricted-us-west1",
Step #4 - "tf apply":   "sb-n-shared-restricted-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": restricted_subnets_secondary_ranges = [
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply":   tolist([
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "ip_cidr_range" = "100.72.128.0/18"
Step #4 - "tf apply":       "range_name" = "rn-n-shared-restricted-us-west1-gke-pod"
Step #4 - "tf apply":     },
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "ip_cidr_range" = "100.73.128.0/18"
Step #4 - "tf apply":       "range_name" = "rn-n-shared-restricted-us-west1-gke-svc"
Step #4 - "tf apply":     },
Step #4 - "tf apply":   ]),
Step #4 - "tf apply":   tolist([]),
Step #4 - "tf apply": ]
Step #4 - "tf apply": restricted_subnets_self_links = [
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-n-shared-restricted-qnv6/regions/us-central1/subnetworks/sb-n-shared-restricted-us-central1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-n-shared-restricted-qnv6/regions/us-central1/subnetworks/sb-n-shared-restricted-us-central1-proxy",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-n-shared-restricted-qnv6/regions/us-west1/subnetworks/sb-n-shared-restricted-us-west1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-n-shared-restricted-qnv6/regions/us-west1/subnetworks/sb-n-shared-restricted-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": envs/development  doesn't match non-production; skipping
Step #4 - "tf apply": policy-library/policies  doesn't match non-production; skipping
Step #4 - "tf apply": policy-library/lib  doesn't match non-production; skipping
Step #4 - "tf apply": policy-library/.git  doesn't match non-production; skipping
Finished Step #4 - "tf apply"
PUSH
Artifacts will be uploaded to gs://bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts using gsutil cp
cloudbuild-tf-apply.yaml: Uploading path....
Copying file://cloudbuild-tf-apply.yaml [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/  2.6 KiB]   0% Done                                    
/ [1/1 files][  2.6 KiB/  2.6 KiB] 100% Done                                    
Operation completed over 1 objects/2.6 KiB.                                      
cloudbuild-tf-apply.yaml: 1 matching files uploaded
tmp_plan/*.tfplan: Uploading path....
Copying file://tmp_plan/envs-non-production.tfplan [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/205.7 KiB]   0% Done                                    
/ [1/1 files][205.7 KiB/205.7 KiB] 100% Done                                    
Operation completed over 1 objects/205.7 KiB.                                    
tmp_plan/*.tfplan: 1 matching files uploaded
2 total artifacts uploaded to gs://bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts/terraform/cloudbuild/apply/1ff38c7a-453a-4a03-95e6-8424f757e3c7/
Uploading manifest artifacts-1ff38c7a-453a-4a03-95e6-8424f757e3c7.json
Artifact manifest located at gs://bkt-prj-b-cicd-82vv-gcp-networks-build-artifacts/terraform/cloudbuild/apply/1ff38c7a-453a-4a03-95e6-8424f757e3c7/artifacts-1ff38c7a-453a-4a03-95e6-8424f757e3c7.json
DONE



@obriensystems
Collaborator

3-networks-hub-and-spoke step 18 - disable SA impersonation locally

michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ echo $GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
sa-terraform-net@prj-b-seed-8919.iam.gserviceaccount.com
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ unset GOOGLE_IMPERSONATE_SERVICE_ACCOUNT
michael@cloudshell:~/tef-olxyz/github/gcp-networks (tef-olxyz)$ 

Move to 4-projects for BU1 and 2

@obriensystems obriensystems changed the title Canadian Public Sector Landing Zone reference using Terraform 1.6 based on the PSO/TOC ready TEF V4 - Full clean organization deployment with mitigation/automation/parameterization modifications Canadian Public Sector Landing Zone reference using Terraform 1.6 (for now 1.3.10) based on the PSO/TOC ready TEF V4 - Full clean organization deployment with mitigation/automation/parameterization modifications Apr 13, 2024
@fmichaelobrien fmichaelobrien changed the title Canadian Public Sector Landing Zone reference using Terraform 1.6 (for now 1.3.10) based on the PSO/TOC ready TEF V4 - Full clean organization deployment with mitigation/automation/parameterization modifications Canadian Public Sector Secure PBMM Landing Zone reference using Terraform 1.6 (for now 1.3.10) based on the PSO/TOC ready TEF V4 - Full clean organization deployment with mitigation/automation/parameterization modifications Apr 15, 2024
@fmichaelobrien
Contributor Author

fmichaelobrien commented Apr 15, 2024

4-projects step 1

follow
https://console.cloud.google.com/welcome?_ga=2.192830826.-1750013018.1710944254&pli=1&rapt=AEjHL4NJQCFMX-JxwfoImFwvn847w-629e9Hg9oNf08u05OzCger_rZoTO_n6pnIOkOmqYeHgfQTCn2x1UGkvyAG4BDQ-p42RNYgCodMUAxmlyQ62O_sWYA&project=prj-b-cicd-82vv

michael@cloudshell:~ (tef-olxyz)$ cd tef-olxyz/
michael@cloudshell:~/tef-olxyz (tef-olxyz)$ cd github/
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ ls
gcp-bootstrap  gcp-environments  gcp-networks  gcp-org  gcp-policies  _pbmm-gh360-day0-deploy-example  pbmm-on-gcp-onboarding
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="pbmm-on-gcp-onboarding/0-bootstrap/" output -raw cloudbuild_project_id)
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ echo ${CLOUD_BUILD_PROJECT_ID}
prj-b-cicd-82vv
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ ls
gcp-bootstrap  gcp-environments  gcp-networks  gcp-org  gcp-policies  _pbmm-gh360-day0-deploy-example  pbmm-on-gcp-onboarding
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ gcloud source repos clone gcp-projects --project=${CLOUD_BUILD_PROJECT_ID}
Cloning into '/home/michael/tef-olxyz/github/gcp-projects'...
warning: You appear to have cloned an empty repository.
Project [prj-b-cicd-82vv] repository [gcp-projects] was cloned to [/home/michael/tef-olxyz/github/gcp-projects].
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cd gcp-projects
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ cp -RT ../pbmm-on-gcp-onboarding/4-projects/ .
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/cloudbuild-tf-* .
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/tf-wrapper.sh .
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ chmod 755 ./tf-wrapper.sh


per-session terraform downgrade

michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ terraform --version
Terraform v1.7.5
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ ls ../../
github  README.md  terraform  terraform_1.3.10_linux_amd64.zip
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ 
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ which terraform
/usr/bin/terraform
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ sudo cp ../../terraform /usr/bin/terraform 
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ terraform --version
Terraform v1.3.10
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html

4-projects - step 5 modify tfvars

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/4-projects/README.md
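A session-local way to do the Terraform downgrade above, as an added example that is not the project's own code: the release zip named in the thread (terraform_1.3.10_linux_amd64.zip) is checked against HashiCorp's published SHA256SUMS file before it is unpacked, and the pinned binary is put first on PATH instead of being copied over /usr/bin/terraform. The SHA256SUMS file path, the destination directory and the presence of unzip are assumptions.

```shell
# verify_release_zip ZIP SUMS_FILE
# Returns 0 when the sha256 of ZIP matches the entry for its basename in the
# HashiCorp SHA256SUMS file ("<hash>  <filename>" per line), 1 on mismatch or
# when the file has no entry. Only the line for this zip is consulted.
verify_release_zip() {
  local zip="$1" sums="$2" name expected actual
  name=$(basename "$zip")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256sum "$zip" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name" >&2
    return 1
  fi
  return 0
}

# parse_terraform_version OUTPUT
# Extracts "1.3.10" from the first line of `terraform --version` output
# ("Terraform v1.3.10"); prints nothing if the line is not in that form.
parse_terraform_version() {
  printf '%s\n' "$1" | head -n 1 | awk '/^Terraform v/ { sub(/^v/, "", $2); print $2 }'
}

# install_pinned_terraform ZIP SUMS_FILE DEST_DIR
# Verifies ZIP, unpacks the terraform binary into DEST_DIR (assumed path) and
# prepends DEST_DIR to PATH for this shell only. Nothing is written to /usr/bin,
# so a fresh Cloud Shell session falls back to the default Terraform (1.7.5 in
# the thread) rather than silently keeping an older binary system-wide.
install_pinned_terraform() {
  local zip="$1" sums="$2" dest="$3"
  verify_release_zip "$zip" "$sums" || return 1
  mkdir -p "$dest" || return 1
  unzip -o -q "$zip" terraform -d "$dest" || return 1
  chmod 755 "$dest/terraform"
  PATH="$dest:$PATH"
  export PATH
  return 0
}

# require_terraform_version WANT
# Guard to run before ./tf-wrapper.sh: succeeds only when the terraform found
# on PATH reports exactly WANT (for example 1.3.10).
require_terraform_version() {
  local have
  have=$(parse_terraform_version "$(terraform --version 2>/dev/null)")
  [ "$have" = "$1" ]
}
```

Typical use in the session above would be `install_pinned_terraform ../../terraform_1.3.10_linux_amd64.zip ../../terraform_1.3.10_SHA256SUMS "$HOME/.tf-1.3.10" && require_terraform_version 1.3.10` before the wrapper is invoked.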

@fmichaelobrien
Contributor Author

@nbugden thank you for the bucket names fix
Merge in the 63-character bucket naming standard fix indirectly via the next terraform init, which pulls in the latest generated terraform-google-provider via the magic modules compile

GoogleCloudPlatform/magic-modules#10426
for
hashicorp/terraform-provider-google#17831

following
previous pr terraform-google-modules/terraform-google-cloud-storage#308

closes
terraform-google-modules/terraform-example-foundation#1169
terraform-google-modules/terraform-google-cloud-storage#307

upgrade the provider on the next init (1.3.10) and 1.6 (we are not using the default 1.7.5 yet)
https://github.com/hashicorp/terraform-provider-google?tab=readme-ov-file#upgrading-the-provider

terraform init -upgrade

Sync procedure jira needed for #376

obriensystems added a commit that referenced this issue Apr 16, 2024
@obriensystems
Collaborator

obriensystems commented Apr 16, 2024

4-projects - step 5 modify tfvars

  • no changes - leave at us for now not northamerica-northeast-1

4-projects - step 6 repo create

michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git add .
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git commit -m 'Initialize projects repo'
[master (root-commit) 9a3066e] Initialize projects repo
 100 files changed, 5053 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 business_unit_1/development/README.md
 create mode 100644 business_unit_1/development/backend.tf
 create mode 100644 business_unit_1/development/backend.tf.cloud.example
 create mode 120000 business_unit_1/development/common.auto.tfvars
 create mode 120000 business_unit_1/development/development.auto.tfvars
 create mode 100644 business_unit_1/development/main.tf
 create mode 100644 business_unit_1/development/outputs.tf
 create mode 100644 business_unit_1/development/variables.tf
 create mode 100644 business_unit_1/non-production/README.md
 create mode 100644 business_unit_1/non-production/backend.tf
 create mode 100644 business_unit_1/non-production/backend.tf.cloud.example
 create mode 120000 business_unit_1/non-production/common.auto.tfvars
 create mode 100644 business_unit_1/non-production/main.tf
 create mode 120000 business_unit_1/non-production/non-production.auto.tfvars
 create mode 100644 business_unit_1/non-production/outputs.tf
 create mode 100644 business_unit_1/non-production/variables.tf
 create mode 100644 business_unit_1/production/README.md
 create mode 100644 business_unit_1/production/backend.tf
 create mode 100644 business_unit_1/production/backend.tf.cloud.example
 create mode 120000 business_unit_1/production/common.auto.tfvars
 create mode 100644 business_unit_1/production/main.tf
 create mode 100644 business_unit_1/production/outputs.tf
 create mode 120000 business_unit_1/production/production.auto.tfvars
 create mode 100644 business_unit_1/production/variables.tf
 create mode 100644 business_unit_1/shared/README.md
 create mode 100644 business_unit_1/shared/backend.tf
 create mode 100644 business_unit_1/shared/backend.tf.cloud.example
 create mode 120000 business_unit_1/shared/common.auto.tfvars
 create mode 100644 business_unit_1/shared/example_infra_pipeline.tf
 create mode 100644 business_unit_1/shared/outputs.tf
 create mode 100644 business_unit_1/shared/remote.tf
 create mode 100644 business_unit_1/shared/remote.tf.cloud.example
 create mode 120000 business_unit_1/shared/shared.auto.tfvars
 create mode 100644 business_unit_1/shared/variables.tf
 create mode 100644 business_unit_2/development/README.md
 create mode 100644 business_unit_2/development/backend.tf
 create mode 100644 business_unit_2/development/backend.tf.cloud.example
 create mode 120000 business_unit_2/development/common.auto.tfvars
 create mode 120000 business_unit_2/development/development.auto.tfvars
 create mode 100644 business_unit_2/development/main.tf
 create mode 100644 business_unit_2/development/outputs.tf
 create mode 100644 business_unit_2/development/variables.tf
 create mode 100644 business_unit_2/non-production/README.md
 create mode 100644 business_unit_2/non-production/backend.tf
 create mode 100644 business_unit_2/non-production/backend.tf.cloud.example
 create mode 120000 business_unit_2/non-production/common.auto.tfvars
 create mode 100644 business_unit_2/non-production/main.tf
 create mode 120000 business_unit_2/non-production/non-production.auto.tfvars
 create mode 100644 business_unit_2/non-production/outputs.tf
 create mode 100644 business_unit_2/non-production/variables.tf
 create mode 100644 business_unit_2/production/README.md
 create mode 100644 business_unit_2/production/backend.tf
 create mode 100644 business_unit_2/production/backend.tf.cloud.example
 create mode 120000 business_unit_2/production/common.auto.tfvars
 create mode 100644 business_unit_2/production/main.tf
 create mode 100644 business_unit_2/production/outputs.tf
 create mode 120000 business_unit_2/production/production.auto.tfvars
 create mode 100644 business_unit_2/production/variables.tf
 create mode 100644 business_unit_2/shared/README.md
 create mode 100644 business_unit_2/shared/backend.tf
 create mode 100644 business_unit_2/shared/backend.tf.cloud.example
 create mode 120000 business_unit_2/shared/common.auto.tfvars
 create mode 100644 business_unit_2/shared/example_infra_pipeline.tf
 create mode 100644 business_unit_2/shared/outputs.tf
 create mode 100644 business_unit_2/shared/remote.tf
 create mode 100644 business_unit_2/shared/remote.tf.cloud.example
 create mode 120000 business_unit_2/shared/shared.auto.tfvars
 create mode 100644 business_unit_2/shared/variables.tf
 create mode 100644 cloudbuild-tf-apply.yaml
 create mode 100644 cloudbuild-tf-plan.yaml
 create mode 100644 common.auto.tfvars
 create mode 100644 development.auto.tfvars
 create mode 100644 modules/base_env/README.md
 create mode 100644 modules/base_env/business_unit_folder.tf
 create mode 100644 modules/base_env/example_base_shared_vpc_project.tf
 create mode 100644 modules/base_env/example_floating_project.tf
 create mode 100644 modules/base_env/example_peering_project.tf
 create mode 100644 modules/base_env/example_restricted_shared_vpc_project.tf
 create mode 100644 modules/base_env/example_storage_cmek.tf
 create mode 100644 modules/base_env/outputs.tf
 create mode 100644 modules/base_env/remote.tf
 create mode 100644 modules/base_env/remote.tf.cloud.example
 create mode 100644 modules/base_env/variables.tf
 create mode 100644 modules/base_env/versions.tf
 create mode 100644 modules/infra_pipelines/README.md
 create mode 100644 modules/infra_pipelines/main.tf
 create mode 100644 modules/infra_pipelines/outputs.tf
 create mode 100644 modules/infra_pipelines/variables.tf
 create mode 100644 modules/infra_pipelines/versions.tf
 create mode 100644 modules/single_project/README.md
 create mode 100644 modules/single_project/main.tf
 create mode 100644 modules/single_project/outputs.tf
 create mode 100644 modules/single_project/variables.tf
 create mode 100644 modules/single_project/versions.tf
 create mode 100644 non-production.auto.tfvars
 create mode 100644 production.auto.tfvars
 create mode 100644 shared.auto.tfvars
 create mode 100755 tf-wrapper.sh

4-projects - apply SA and shared locally

michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ export CLOUD_BUILD_PROJECT_ID=$(terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output -raw cloudbuild_project_id)
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ echo ${CLOUD_BUILD_PROJECT_ID}
prj-b-cicd-82vv
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ terraform --version
Terraform v1.7.5
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ which terraform
/usr/bin/terraform
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ sudo cp ../../terraform /usr/bin/
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ terraform --version
Terraform v1.3.10
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ 

michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ export GOOGLE_IMPERSONATE_SERVICE_ACCOUNT=$(terraform -chdir="../pbmm-on-gcp-onboarding/0-bootstrap/" output -raw projects_step_terraform_service_account_email)
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ echo ${GOOGLE_IMPERSONATE_SERVICE_ACCOUNT}
sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com


michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ ./tf-wrapper.sh init shared
*************** TERRAFORM INIT *******************
      At environment: business_unit_2/shared 
**************************************************
Initializing modules...
- app_infra_cloudbuild_project in ../../modules/single_project
Downloading registry.terraform.io/terraform-google-modules/project-factory/google 14.5.0 for app_infra_cloudbuild_project.project...
- app_infra_cloudbuild_project.project in .terraform/modules/app_infra_cloudbuild_project.project
- app_infra_cloudbuild_project.project.budget in .terraform/modules/app_infra_cloudbuild_project.project/modules/budget
- app_infra_cloudbuild_project.project.essential_contacts in .terraform/modules/app_infra_cloudbuild_project.project/modules/essential_contacts
- app_infra_cloudbuild_project.project.gsuite_group in .terraform/modules/app_infra_cloudbuild_project.project/modules/gsuite_group
- app_infra_cloudbuild_project.project.project-factory in .terraform/modules/app_infra_cloudbuild_project.project/modules/core_project_factory
- app_infra_cloudbuild_project.project.project-factory.project_services in .terraform/modules/app_infra_cloudbuild_project.project/modules/project_services
- app_infra_cloudbuild_project.project.quotas in .terraform/modules/app_infra_cloudbuild_project.project/modules/quota_manager
- app_infra_cloudbuild_project.project.shared_vpc_access in .terraform/modules/app_infra_cloudbuild_project.project/modules/shared_vpc_access
- infra_pipelines in ../../modules/infra_pipelines
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.2.0 for infra_pipelines.tf_workspace...
- infra_pipelines.tf_workspace in .terraform/modules/infra_pipelines.tf_workspace/modules/tf_cloudbuild_workspace
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for infra_pipelines.tf_workspace.artifacts_bucket...
- infra_pipelines.tf_workspace.artifacts_bucket in .terraform/modules/infra_pipelines.tf_workspace.artifacts_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for infra_pipelines.tf_workspace.log_bucket...
- infra_pipelines.tf_workspace.log_bucket in .terraform/modules/infra_pipelines.tf_workspace.log_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for infra_pipelines.tf_workspace.state_bucket...
- infra_pipelines.tf_workspace.state_bucket in .terraform/modules/infra_pipelines.tf_workspace.state_bucket/modules/simple_bucket

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding hashicorp/google versions matching ">= 3.43.0, >= 3.50.0, >= 3.64.0, >= 4.17.0, >= 4.28.0, != 4.31.0, >= 4.46.0, < 6.0.0"...
- Finding hashicorp/google-beta versions matching ">= 3.43.0, >= 3.50.0, >= 3.64.0, >= 4.11.0, >= 4.17.0, >= 4.28.0, != 4.31.0, < 6.0.0"...
- Finding hashicorp/time versions matching ">= 0.5.0"...
- Finding hashicorp/random versions matching ">= 2.2.0"...
- Finding hashicorp/null versions matching ">= 2.1.0"...
- Installing hashicorp/google v5.25.0...
- Installed hashicorp/google v5.25.0 (signed by HashiCorp)
- Installing hashicorp/google-beta v5.25.0...
- Installed hashicorp/google-beta v5.25.0 (signed by HashiCorp)
- Installing hashicorp/time v0.11.1...
- Installed hashicorp/time v0.11.1 (signed by HashiCorp)
- Installing hashicorp/random v3.6.1...
- Installed hashicorp/random v3.6.1 (signed by HashiCorp)
- Installing hashicorp/null v3.2.2...
- Installed hashicorp/null v3.2.2 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
business_unit_2/production  doesn't match shared; skipping
business_unit_2/non-production  doesn't match shared; skipping
business_unit_2/development  doesn't match shared; skipping
*************** TERRAFORM INIT *******************
      At environment: business_unit_1/shared 
**************************************************
Initializing modules...
- app_infra_cloudbuild_project in ../../modules/single_project
Downloading registry.terraform.io/terraform-google-modules/project-factory/google 14.5.0 for app_infra_cloudbuild_project.project...
- app_infra_cloudbuild_project.project in .terraform/modules/app_infra_cloudbuild_project.project
- app_infra_cloudbuild_project.project.budget in .terraform/modules/app_infra_cloudbuild_project.project/modules/budget
- app_infra_cloudbuild_project.project.essential_contacts in .terraform/modules/app_infra_cloudbuild_project.project/modules/essential_contacts
- app_infra_cloudbuild_project.project.gsuite_group in .terraform/modules/app_infra_cloudbuild_project.project/modules/gsuite_group
- app_infra_cloudbuild_project.project.project-factory in .terraform/modules/app_infra_cloudbuild_project.project/modules/core_project_factory
- app_infra_cloudbuild_project.project.project-factory.project_services in .terraform/modules/app_infra_cloudbuild_project.project/modules/project_services
- app_infra_cloudbuild_project.project.quotas in .terraform/modules/app_infra_cloudbuild_project.project/modules/quota_manager
- app_infra_cloudbuild_project.project.shared_vpc_access in .terraform/modules/app_infra_cloudbuild_project.project/modules/shared_vpc_access
- infra_pipelines in ../../modules/infra_pipelines
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.2.0 for infra_pipelines.tf_workspace...
- infra_pipelines.tf_workspace in .terraform/modules/infra_pipelines.tf_workspace/modules/tf_cloudbuild_workspace
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for infra_pipelines.tf_workspace.artifacts_bucket...
- infra_pipelines.tf_workspace.artifacts_bucket in .terraform/modules/infra_pipelines.tf_workspace.artifacts_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for infra_pipelines.tf_workspace.log_bucket...
- infra_pipelines.tf_workspace.log_bucket in .terraform/modules/infra_pipelines.tf_workspace.log_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for infra_pipelines.tf_workspace.state_bucket...
- infra_pipelines.tf_workspace.state_bucket in .terraform/modules/infra_pipelines.tf_workspace.state_bucket/modules/simple_bucket

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding hashicorp/google versions matching ">= 3.43.0, >= 3.50.0, >= 3.64.0, >= 4.17.0, >= 4.28.0, != 4.31.0, >= 4.46.0, < 6.0.0"...
- Finding hashicorp/google-beta versions matching ">= 3.43.0, >= 3.50.0, >= 3.64.0, >= 4.11.0, >= 4.17.0, >= 4.28.0, != 4.31.0, < 6.0.0"...
- Finding hashicorp/time versions matching ">= 0.5.0"...
- Finding hashicorp/null versions matching ">= 2.1.0"...
- Finding hashicorp/random versions matching ">= 2.2.0"...
- Installing hashicorp/google v5.25.0...
- Installed hashicorp/google v5.25.0 (signed by HashiCorp)
- Installing hashicorp/google-beta v5.25.0...
- Installed hashicorp/google-beta v5.25.0 (signed by HashiCorp)
- Installing hashicorp/time v0.11.1...
- Installed hashicorp/time v0.11.1 (signed by HashiCorp)
- Installing hashicorp/null v3.2.2...
- Installed hashicorp/null v3.2.2 (signed by HashiCorp)
- Installing hashicorp/random v3.6.1...
- Installed hashicorp/random v3.6.1 (signed by HashiCorp)

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
business_unit_1/production  doesn't match shared; skipping
business_unit_1/non-production  doesn't match shared; skipping
business_unit_1/development  doesn't match shared; skipping

plan


Plan: 35 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + apply_triggers_id          = (known after apply)
  + artifact_buckets           = (known after apply)
  + cloudbuild_project_id      = (known after apply)
  + default_region             = "us-central1"
  + enable_cloudbuild_deploy   = true
  + log_buckets                = (known after apply)
  + plan_triggers_id           = (known after apply)
  + repos                      = [
      + "bu1-example-app",
    ]
  + state_buckets              = (known after apply)
  + terraform_service_accounts = (known after apply)

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Saved the plan to: /home/michael/tef-olxyz/github/gcp-projects/tmp_plan/business_unit_1-shared.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "/home/michael/tef-olxyz/github/gcp-projects/tmp_plan/business_unit_1-shared.tfplan"
business_unit_1/production  doesn't match shared; skipping
business_unit_1/non-production  doesn't match shared; skipping
business_unit_1/development  doesn't match shared; skipping
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ ./tf-wrapper.sh plan shared


4-projects apply shared

michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ ./tf-wrapper.sh apply shared
*************** TERRAFORM APPLY *******************
      At environment: business_unit_2/shared 
***************************************************
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.random_id.random_project_id_suffix: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.random_string.random_project_id_suffix[0]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.random_id.random_project_id_suffix: Creation complete after 0s [id=4Es]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.random_string.random_project_id_suffix[0]: Creation complete after 0s [id=zl31]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Creating...

module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [30s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [40s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [50s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Creation complete after 59s [id=projects/prj-c-bu2infra-pipeline-zl31]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_service_account.default_service_account[0]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_service_account.default_service_account[0]: Creation complete after 2s [id=projects/prj-c-bu2infra-pipeline-zl31/serviceAccounts/project-service-account@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Still creating... [10s elapsed]

module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Creation complete after 22s [id=prj-c-bu2infra-pipeline-zl31/artifactregistry.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Creation complete after 22s [id=prj-c-bu2infra-pipeline-zl31/cloudkms.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Creation complete after 22s [id=prj-c-bu2infra-pipeline-zl31/cloudbuild.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creation complete after 22s [id=prj-c-bu2infra-pipeline-zl31/billingbudgets.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Creation complete after 22s [id=prj-c-bu2infra-pipeline-zl31/sourcerepo.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Creation complete after 22s [id=prj-c-bu2infra-pipeline-zl31/iam.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Creation complete after 22s [id=prj-c-bu2infra-pipeline-zl31/cloudresourcemanager.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.budget.data.google_project.project[0]: Reading...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creating...
module.infra_pipelines[0].google_sourcerepo_repository.app_infra_repo["bu2-example-app"]: Creating...
module.infra_pipelines[0].google_sourcerepo_repository.gcp_policies: Creating...
module.infra_pipelines[0].google_storage_bucket.cloudbuild_bucket: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creation complete after 0s [id=projects/prj-c-bu2infra-pipeline-zl31]
module.app_infra_cloudbuild_project[0].module.project.module.budget.data.google_project.project[0]: Read complete after 0s [id=projects/prj-c-bu2infra-pipeline-zl31]
module.app_infra_cloudbuild_project[0].module.project.module.budget.google_billing_budget.budget[0]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.budget.google_billing_budget.budget[0]: Creation complete after 1s [id=billingAccounts/01BCCE-4EC0EE-DC58C8/budgets/185ebabc-bad3-4d8e-a44e-117d21f8ee24]
module.infra_pipelines[0].google_storage_bucket.cloudbuild_bucket: Creation complete after 1s [id=prj-c-bu2infra-pipeline-zl31_cloudbuild]
module.infra_pipelines[0].google_sourcerepo_repository.gcp_policies: Creation complete after 2s [id=projects/prj-c-bu2infra-pipeline-zl31/repos/gcp-policies]
module.infra_pipelines[0].google_sourcerepo_repository.app_infra_repo["bu2-example-app"]: Creation complete after 3s [id=projects/prj-c-bu2infra-pipeline-zl31/repos/bu2-example-app]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].data.google_project.cloudbuild_project[0]: Reading...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account.cb_sa[0]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].module.log_bucket.google_storage_bucket.bucket: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].module.artifacts_bucket.google_storage_bucket.bucket: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].module.state_bucket[0].google_storage_bucket.bucket: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].data.google_project.cloudbuild_project[0]: Read complete after 0s [id=projects/prj-c-bu2infra-pipeline-zl31]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_project_iam_member.pool_user[0]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account.cb_sa[0]: Creation complete after 1s [id=projects/prj-c-bu2infra-pipeline-zl31/serviceAccounts/sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_project_iam_member.cb_sa_logging: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account_iam_member.cb_service_agent_impersonate[0]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_sourcerepo_repository_iam_member.member[0]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].module.log_bucket.google_storage_bucket.bucket: Creation complete after 2s [id=bkt-prj-c-bu2infra-pipeline-zl31-bu2-example-app-logs]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_storage_bucket_iam_member.log_admin: Creating...

xample-app-state]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_storage_bucket_iam_member.state_admin: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].module.artifacts_bucket.google_storage_bucket.bucket: Creation complete after 3s [id=bkt-prj-c-bu2infra-pipeline-zl31-bu2-example-app-artifacts]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_storage_bucket_iam_member.artifacts_admin: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-c-bu2infra-pipeline-zl31/triggers/78ecd0cb-8baf-4010-b849-4026c499bb4d]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 0s [id=projects/prj-c-bu2infra-pipeline-zl31/triggers/e2c1c660-ae1f-438d-9f27-03e163e63baf]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account_iam_member.cb_service_agent_impersonate[0]: Creation complete after 4s [id=projects/prj-c-bu2infra-pipeline-zl31/serviceAccounts/sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator/serviceAccount:service-791678989149@gcp-sa-cloudbuild.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_sourcerepo_repository_iam_member.member[0]: Creation complete after 4s [id=projects/prj-c-bu2infra-pipeline-zl31/repos/bu2-example-app/roles/viewer/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-c-bu2infra-pipeline-zl31-bu2-example-app-logs/roles/storage.admin/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_storage_bucket_iam_member.state_admin: Creation complete after 4s [id=b/bkt-prj-c-bu2infra-pipeline-zl31-bu2-example-app-state/roles/storage.admin/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 5s [id=b/bkt-prj-c-bu2infra-pipeline-zl31-bu2-example-app-artifacts/roles/storage.admin/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_project_iam_member.pool_user[0]: Creation complete after 8s [id=prj-b-cicd-82vv/roles/cloudbuild.workerPoolUser/serviceAccount:791678989149@cloudbuild.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_project_iam_member.cb_sa_logging: Creation complete after 8s [id=prj-c-bu2infra-pipeline-zl31/roles/logging.logWriter/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Still creating... [10s elapsed]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Still creating... [10s elapsed]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creation complete after 12s [id=projects/prj-c-bu2infra-pipeline-zl31/serviceAccounts/sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com/roles/iam.serviceAccountUser/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu2-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creation complete after 12s [id=projects/prj-c-bu2infra-pipeline-zl31/serviceAccounts/sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].google_storage_bucket_iam_member.tf_state["bu2-example-app"]: Creating...
module.infra_pipelines[0].google_organization_iam_member.browser["bu2-example-app"]: Creating...
module.infra_pipelines[0].google_sourcerepo_repository_iam_member.member["bu2-example-app"]: Creating...
module.infra_pipelines[0].google_artifact_registry_repository_iam_member.terraform-image-iam["bu2-example-app"]: Creating...

module.infra_pipelines[0].google_sourcerepo_repository_iam_member.member["bu2-example-app"]: Creation complete after 4s [id=projects/prj-c-bu2infra-pipeline-zl31/repos/gcp-policies/roles/viewer/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].google_organization_iam_member.browser["bu2-example-app"]: Creation complete after 4s [id=1064386348915/roles/browser/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].google_storage_bucket_iam_member.tf_state["bu2-example-app"]: Creation complete after 4s [id=b/bkt-prj-b-seed-8919-gcp-projects-tfstate/roles/storage.objectViewer/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]
module.infra_pipelines[0].google_artifact_registry_repository_iam_member.terraform-image-iam["bu2-example-app"]: Creation complete after 5s [id=projects/prj-b-cicd-82vv/locations/us-central1/repositories/tf-runners/roles/artifactregistry.reader/serviceAccount:sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com]

Apply complete! Resources: 35 added, 0 changed, 0 destroyed.

Outputs:

apply_triggers_id = [
  "projects/prj-c-bu2infra-pipeline-zl31/triggers/e2c1c660-ae1f-438d-9f27-03e163e63baf",
]
artifact_buckets = {
  "bu2-example-app" = "bkt-prj-c-bu2infra-pipeline-zl31-bu2-example-app-artifacts"
}
cloudbuild_project_id = "prj-c-bu2infra-pipeline-zl31"
default_region = "us-central1"
enable_cloudbuild_deploy = true
log_buckets = {
  "bu2-example-app" = "bkt-prj-c-bu2infra-pipeline-zl31-bu2-example-app-logs"
}
plan_triggers_id = [
  "projects/prj-c-bu2infra-pipeline-zl31/triggers/78ecd0cb-8baf-4010-b849-4026c499bb4d",
]
repos = toset([
  "bu2-example-app",
])
state_buckets = {
  "bu2-example-app" = "bkt-prj-c-bu2infra-pipeline-zl31-bu2-example-app-state"
}
terraform_service_accounts = {
  "bu2-example-app" = "sa-tf-cb-bu2-example-app@prj-c-bu2infra-pipeline-zl31.iam.gserviceaccount.com"
}
business_unit_2/production  doesn't match shared; skipping
business_unit_2/non-production  doesn't match shared; skipping
business_unit_2/development  doesn't match shared; skipping
*************** TERRAFORM APPLY *******************
      At environment: business_unit_1/shared 
***************************************************
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.random_id.random_project_id_suffix: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.random_id.random_project_id_suffix: Creation complete after 0s [id=5F0]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.random_string.random_project_id_suffix[0]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.random_string.random_project_id_suffix[0]: Creation complete after 0s [id=iap1]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [30s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [40s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Still creating... [50s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project.main: Creation complete after 58s [id=projects/prj-c-bu1infra-pipeline-iap1]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_service_account.default_service_account[0]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_service_account.default_service_account[0]: Creation complete after 2s [id=projects/prj-c-bu1infra-pipeline-iap1/serviceAccounts/project-service-account@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Still creating... [10s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Still creating... [20s elapsed]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["artifactregistry.googleapis.com"]: Creation complete after 22s [id=prj-c-bu1infra-pipeline-iap1/artifactregistry.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudbuild.googleapis.com"]: Creation complete after 22s [id=prj-c-bu1infra-pipeline-iap1/cloudbuild.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudresourcemanager.googleapis.com"]: Creation complete after 22s [id=prj-c-bu1infra-pipeline-iap1/cloudresourcemanager.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["cloudkms.googleapis.com"]: Creation complete after 22s [id=prj-c-bu1infra-pipeline-iap1/cloudkms.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["iam.googleapis.com"]: Creation complete after 22s [id=prj-c-bu1infra-pipeline-iap1/iam.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["billingbudgets.googleapis.com"]: Creation complete after 22s [id=prj-c-bu1infra-pipeline-iap1/billingbudgets.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.module.project_services.google_project_service.project_services["sourcerepo.googleapis.com"]: Creation complete after 22s [id=prj-c-bu1infra-pipeline-iap1/sourcerepo.googleapis.com]
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.budget.data.google_project.project[0]: Reading...
module.infra_pipelines[0].google_sourcerepo_repository.gcp_policies: Creating...
module.infra_pipelines[0].google_sourcerepo_repository.app_infra_repo["bu1-example-app"]: Creating...
module.infra_pipelines[0].google_storage_bucket.cloudbuild_bucket: Creating...
module.app_infra_cloudbuild_project[0].module.project.module.project-factory.google_project_default_service_accounts.default_service_accounts[0]: Creation complete after 1s [id=projects/prj-c-bu1infra-pipeline-iap1]
module.app_infra_cloudbuild_project[0].module.project.module.budget.data.google_project.project[0]: Read complete after 1s [id=projects/prj-c-bu1infra-pipeline-iap1]
module.app_infra_cloudbuild_project[0].module.project.module.budget.google_billing_budget.budget[0]: Creating...
module.infra_pipelines[0].google_storage_bucket.cloudbuild_bucket: Creation complete after 1s [id=prj-c-bu1infra-pipeline-iap1_cloudbuild]
module.app_infra_cloudbuild_project[0].module.project.module.budget.google_billing_budget.budget[0]: Creation complete after 0s [id=billingAccounts/01BCCE-4EC0EE-DC58C8/budgets/10f7c651-2ccd-4b06-99ed-3acf8d096caa]
module.infra_pipelines[0].google_sourcerepo_repository.gcp_policies: Creation complete after 4s [id=projects/prj-c-bu1infra-pipeline-iap1/repos/gcp-policies]
module.infra_pipelines[0].google_sourcerepo_repository.app_infra_repo["bu1-example-app"]: Creation complete after 4s [id=projects/prj-c-bu1infra-pipeline-iap1/repos/bu1-example-app]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].data.google_project.cloudbuild_project[0]: Reading...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account.cb_sa[0]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].module.log_bucket.google_storage_bucket.bucket: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].module.state_bucket[0].google_storage_bucket.bucket: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].module.artifacts_bucket.google_storage_bucket.bucket: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].data.google_project.cloudbuild_project[0]: Read complete after 0s [id=projects/prj-c-bu1infra-pipeline-iap1]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_project_iam_member.pool_user[0]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account.cb_sa[0]: Creation complete after 1s [id=projects/prj-c-bu1infra-pipeline-iap1/serviceAccounts/sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_project_iam_member.cb_sa_logging: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_sourcerepo_repository_iam_member.member[0]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account_iam_member.cb_service_agent_impersonate[0]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].module.state_bucket[0].google_storage_bucket.bucket: Creation complete after 2s [id=bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-state]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_storage_bucket_iam_member.state_admin: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].module.log_bucket.google_storage_bucket.bucket: Creation complete after 3s [id=bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-logs]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_storage_bucket_iam_member.log_admin: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].module.artifacts_bucket.google_storage_bucket.bucket: Creation complete after 3s [id=bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-artifacts]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_storage_bucket_iam_member.artifacts_admin: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_cloudbuild_trigger.triggers["apply"]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 0s [id=projects/prj-c-bu1infra-pipeline-iap1/triggers/5f6a2213-685e-4348-9f5d-21725f3a4290]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_cloudbuild_trigger.triggers["plan"]: Creating...
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_cloudbuild_trigger.triggers["plan"]: Creation complete after 1s [id=projects/prj-c-bu1infra-pipeline-iap1/triggers/fb552c33-3cdf-495f-8afc-aa1e91cf3103]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountUser"]: Creation complete after 4s [id=projects/prj-c-bu1infra-pipeline-iap1/serviceAccounts/sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com/roles/iam.serviceAccountUser/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_sourcerepo_repository_iam_member.member[0]: Creation complete after 4s [id=projects/prj-c-bu1infra-pipeline-iap1/repos/bu1-example-app/roles/viewer/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_storage_bucket_iam_member.state_admin: Creation complete after 5s [id=b/bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-state/roles/storage.admin/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_storage_bucket_iam_member.log_admin: Creation complete after 4s [id=b/bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-logs/roles/storage.admin/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-artifacts/roles/storage.admin/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_project_iam_member.pool_user[0]: Creation complete after 8s [id=prj-b-cicd-82vv/roles/cloudbuild.workerPoolUser/serviceAccount:406184153674@cloudbuild.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_project_iam_member.cb_sa_logging: Creation complete after 8s [id=prj-c-bu1infra-pipeline-iap1/roles/logging.logWriter/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account_iam_member.cb_service_agent_impersonate[0]: Still creating... [10s elapsed]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Still creating... [10s elapsed]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account_iam_member.cb_sa_self["roles/iam.serviceAccountTokenCreator"]: Creation complete after 12s [id=projects/prj-c-bu1infra-pipeline-iap1/serviceAccounts/sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account_iam_member.cb_service_agent_impersonate[0]: Creation complete after 12s [id=projects/prj-c-bu1infra-pipeline-iap1/serviceAccounts/sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator/serviceAccount:service-406184153674@gcp-sa-cloudbuild.iam.gserviceaccount.com]
module.infra_pipelines[0].google_sourcerepo_repository_iam_member.member["bu1-example-app"]: Creating...
module.infra_pipelines[0].google_organization_iam_member.browser["bu1-example-app"]: Creating...
module.infra_pipelines[0].google_storage_bucket_iam_member.tf_state["bu1-example-app"]: Creating...
module.infra_pipelines[0].google_artifact_registry_repository_iam_member.terraform-image-iam["bu1-example-app"]: Creating...
module.infra_pipelines[0].google_sourcerepo_repository_iam_member.member["bu1-example-app"]: Creation complete after 4s [id=projects/prj-c-bu1infra-pipeline-iap1/repos/gcp-policies/roles/viewer/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].google_organization_iam_member.browser["bu1-example-app"]: Creation complete after 4s [id=1064386348915/roles/browser/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].google_storage_bucket_iam_member.tf_state["bu1-example-app"]: Creation complete after 4s [id=b/bkt-prj-b-seed-8919-gcp-projects-tfstate/roles/storage.objectViewer/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].google_artifact_registry_repository_iam_member.terraform-image-iam["bu1-example-app"]: Creation complete after 5s [id=projects/prj-b-cicd-82vv/locations/us-central1/repositories/tf-runners/roles/artifactregistry.reader/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]

Apply complete! Resources: 35 added, 0 changed, 0 destroyed.

Outputs:

apply_triggers_id = [
  "projects/prj-c-bu1infra-pipeline-iap1/triggers/5f6a2213-685e-4348-9f5d-21725f3a4290",
]
artifact_buckets = {
  "bu1-example-app" = "bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-artifacts"
}
cloudbuild_project_id = "prj-c-bu1infra-pipeline-iap1"
default_region = "us-central1"
enable_cloudbuild_deploy = true
log_buckets = {
  "bu1-example-app" = "bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-logs"
}
plan_triggers_id = [
  "projects/prj-c-bu1infra-pipeline-iap1/triggers/fb552c33-3cdf-495f-8afc-aa1e91cf3103",
]
repos = toset([
  "bu1-example-app",
])
state_buckets = {
  "bu1-example-app" = "bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-state"
}
terraform_service_accounts = {
  "bu1-example-app" = "sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com"
}
business_unit_1/production  doesn't match shared; skipping
business_unit_1/non-production  doesn't match shared; skipping
business_unit_1/development  doesn't match shared; skipping


both business units up for shared

push plan

michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git push --set-upstream origin plan
error: src refspec plan does not match any
error: failed to push some refs to 'https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-projects'

I forgot to checkout plan

michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git push --set-upstream origin plan
error: src refspec plan does not match any
error: failed to push some refs to 'https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-projects'

fixing
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git branch --unset-upstream
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git status
On branch master
Untracked files:
  (use "git add <file>..." to include in what will be committed)
        business_unit_1/shared/.terraform.lock.hcl
        business_unit_2/shared/.terraform.lock.hcl
        tmp_plan/

nothing added to commit but untracked files present (use "git add" to track)

Create plan branch - retain changes


michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git checkout -b plan
Switched to a new branch 'plan'
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ ls
business_unit_1  cloudbuild-tf-apply.yaml  common.auto.tfvars       modules                     production.auto.tfvars  shared.auto.tfvars  tmp_plan
business_unit_2  cloudbuild-tf-plan.yaml   development.auto.tfvars  non-production.auto.tfvars  README.md               tf-wrapper.sh
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git status
On branch plan
Untracked files:
  (use "git add <file>..." to include in what will be committed)
        business_unit_1/shared/.terraform.lock.hcl
        business_unit_2/shared/.terraform.lock.hcl
        tmp_plan/

nothing added to commit but untracked files present (use "git add" to track)

4-projects push plan

michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 85, done.
Counting objects: 100% (85/85), done.
Delta compression using up to 4 threads
Compressing objects: 100% (80/80), done.
Writing objects: 100% (85/85), 37.68 KiB | 2.09 MiB/s, done.
Total 85 (delta 47), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (47/47)
remote: Waiting for private key checker: 69/69 objects left
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-projects
 * [new branch]      plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'.

4-projects - wait for plan cloud build job to finish - OK

[screenshot 2024-04-16 15:04:31]
Step #1 - "tf plan validate all": Plan: 101 to add, 0 to change, 0 to destroy.
Step #1 - "tf plan validate all": 
Step #1 - "tf plan validate all": Changes to Outputs:
Step #1 - "tf plan validate all":   + access_context_manager_policy_id     = 807865857747
Step #1 - "tf plan validate all":   + base_shared_vpc_project              = (known after apply)
Step #1 - "tf plan validate all":   + base_shared_vpc_project_sa           = (known after apply)
Step #1 - "tf plan validate all":   + base_subnets_self_links              = [
Step #1 - "tf plan validate all":       + "https://www.googleapis.com/compute/v1/projects/prj-p-shared-base-oae0/regions/us-central1/subnetworks/sb-p-shared-base-us-central1",
Step #1 - "tf plan validate all":       + "https://www.googleapis.com/compute/v1/projects/prj-p-shared-base-oae0/regions/us-central1/subnetworks/sb-p-shared-base-us-central1-proxy",
Step #1 - "tf plan validate all":       + "https://www.googleapis.com/compute/v1/projects/prj-p-shared-base-oae0/regions/us-west1/subnetworks/sb-p-shared-base-us-west1",
Step #1 - "tf plan validate all":       + "https://www.googleapis.com/compute/v1/projects/prj-p-shared-base-oae0/regions/us-west1/subnetworks/sb-p-shared-base-us-west1-proxy",
Step #1 - "tf plan validate all":     ]
Step #1 - "tf plan validate all":   + bucket                               = {
Step #1 - "tf plan validate all":       + autoclass                   = [
Step #1 - "tf plan validate all":           + {
Step #1 - "tf plan validate all":               + enabled                = false
Step #1 - "tf plan validate all":               + terminal_storage_class = (known after apply)
Step #1 - "tf plan validate all":             },
Step #1 - "tf plan validate all":         ]
Step #1 - "tf plan validate all":       + cors                        = []
Step #1 - "tf plan validate all":       + custom_placement_config     = []
Step #1 - "tf plan validate all":       + default_event_based_hold    = null
Step #1 - "tf plan validate all":       + effective_labels            = (known after apply)
Step #1 - "tf plan validate all":       + enable_object_retention     = null
Step #1 - "tf plan validate all":       + encryption                  = [
Step #1 - "tf plan validate all":           + {
Step #1 - "tf plan validate all":               + default_kms_key_name = (known after apply)
Step #1 - "tf plan validate all":             },
Step #1 - "tf plan validate all":         ]
Step #1 - "tf plan validate all":       + force_destroy               = false
Step #1 - "tf plan validate all":       + id                          = (known after apply)
Step #1 - "tf plan validate all":       + labels                      = null
Step #1 - "tf plan validate all":       + lifecycle_rule              = []
Step #1 - "tf plan validate all":       + location                    = "US"
Step #1 - "tf plan validate all":       + logging                     = []
Step #1 - "tf plan validate all":       + name                        = (known after apply)
Step #1 - "tf plan validate all":       + project                     = (known after apply)
Step #1 - "tf plan validate all":       + project_number              = (known after apply)
Step #1 - "tf plan validate all":       + public_access_prevention    = "inherited"
Step #1 - "tf plan validate all":       + requester_pays              = null
Step #1 - "tf plan validate all":       + retention_policy            = []
Step #1 - "tf plan validate all":       + rpo                         = (known after apply)
Step #1 - "tf plan validate all":       + self_link                   = (known after apply)
Step #1 - "tf plan validate all":       + soft_delete_policy          = (known after apply)
Step #1 - "tf plan validate all":       + storage_class               = "STANDARD"
Step #1 - "tf plan validate all":       + terraform_labels            = (known after apply)
Step #1 - "tf plan validate all":       + timeouts                    = null
Step #1 - "tf plan validate all":       + uniform_bucket_level_access = true
Step #1 - "tf plan validate all":       + url                         = (known after apply)
Step #1 - "tf plan validate all":       + versioning                  = [
Step #1 - "tf plan validate all":           + {
Step #1 - "tf plan validate all":               + enabled = true
Step #1 - "tf plan validate all":             },
Step #1 - "tf plan validate all":         ]
Step #1 - "tf plan validate all":       + website                     = (known after apply)
Step #1 - "tf plan validate all":     }
Step #1 - "tf plan validate all":   + env_kms_project                      = (known after apply)
Step #1 - "tf plan validate all":   + floating_project                     = (known after apply)
Step #1 - "tf plan validate all":   + iap_firewall_tags                    = (known after apply)
Step #1 - "tf plan validate all":   + keyring                              = (known after apply)
Step #1 - "tf plan validate all":   + keys                                 = [
Step #1 - "tf plan validate all":       + "crypto-key-example",
Step #1 - "tf plan validate all":     ]
Step #1 - "tf plan validate all":   + peering_complete                     = (known after apply)
Step #1 - "tf plan validate all":   + peering_network                      = {
Step #1 - "tf plan validate all":       + export_custom_routes                = false
Step #1 - "tf plan validate all":       + export_subnet_routes_with_public_ip = false
Step #1 - "tf plan validate all":       + id                                  = (known after apply)
Step #1 - "tf plan validate all":       + import_custom_routes                = false
Step #1 - "tf plan validate all":       + import_subnet_routes_with_public_ip = true
Step #1 - "tf plan validate all":       + name                                = (known after apply)
Step #1 - "tf plan validate all":       + network                             = "https://www.googleapis.com/compute/v1/projects/prj-p-shared-base-oae0/global/networks/vpc-p-shared-base-spoke"
Step #1 - "tf plan validate all":       + peer_network                        = (known after apply)
Step #1 - "tf plan validate all":       + stack_type                          = "IPV4_ONLY"
Step #1 - "tf plan validate all":       + state                               = (known after apply)
Step #1 - "tf plan validate all":       + state_details                       = (known after apply)
Step #1 - "tf plan validate all":       + timeouts                            = null
Step #1 - "tf plan validate all":     }
Step #1 - "tf plan validate all":   + peering_project                      = (known after apply)
Step #1 - "tf plan validate all":   + peering_subnetwork_self_link         = (known after apply)
Step #1 - "tf plan validate all":   + restricted_enabled_apis              = [
Step #1 - "tf plan validate all":       + "accesscontextmanager.googleapis.com",
Step #1 - "tf plan validate all":       + "billingbudgets.googleapis.com",
Step #1 - "tf plan validate all":     ]
Step #1 - "tf plan validate all":   + restricted_shared_vpc_project        = (known after apply)
Step #1 - "tf plan validate all":   + restricted_shared_vpc_project_number = (known after apply)
Step #1 - "tf plan validate all":   + restricted_subnets_self_links        = [
Step #1 - "tf plan validate all":       + "https://www.googleapis.com/compute/v1/projects/prj-p-shared-restricted-2pqc/regions/us-central1/subnetworks/sb-p-shared-restricted-us-central1",
Step #1 - "tf plan validate all":       + "https://www.googleapis.com/compute/v1/projects/prj-p-shared-restricted-2pqc/regions/us-central1/subnetworks/sb-p-shared-restricted-us-central1-proxy",
Step #1 - "tf plan validate all":       + "https://www.googleapis.com/compute/v1/projects/prj-p-shared-restricted-2pqc/regions/us-west1/subnetworks/sb-p-shared-restricted-us-west1",
Step #1 - "tf plan validate all":       + "https://www.googleapis.com/compute/v1/projects/prj-p-shared-restricted-2pqc/regions/us-west1/subnetworks/sb-p-shared-restricted-us-west1-proxy",
Step #1 - "tf plan validate all":     ]
Step #1 - "tf plan validate all":   + vpc_service_control_perimeter_name   = "sp_p_shared_restricted_default_perimeter_20f1"
Step #1 - "tf plan validate all": *************** TERRAFORM VALIDATE ******************
Step #1 - "tf plan validate all":       At environment: business_unit_1/production 
Step #1 - "tf plan validate all":       Using policy from: /workspace/policy-library 
Step #1 - "tf plan validate all": *****************************************************
Step #1 - "tf plan validate all": WARNING: This command is using service account impersonation. All API calls will be executed as [sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com].
Step #1 - "tf plan validate all": Validating resources...
Step #1 - "tf plan validate all": ....................done.
Finished Step #1 - "tf plan validate all"
PUSH
Artifacts will be uploaded to gs://bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts using gsutil cp
cloudbuild-tf-plan.yaml: Uploading path....
Copying file://cloudbuild-tf-plan.yaml [Content-Type=application/octet-stream]...
/ [1/1 files][  2.0 KiB/  2.0 KiB] 100% Done
Operation completed over 1 objects/2.0 KiB.
cloudbuild-tf-plan.yaml: 1 matching files uploaded
tmp_plan/*.tfplan: Uploading path....
Copying file://tmp_plan/business_unit_1-non-production.tfplan [Content-Type=application/octet-stream]...
Copying file://tmp_plan/business_unit_1-development.tfplan [Content-Type=application/octet-stream]...
Copying file://tmp_plan/business_unit_2-non-production.tfplan [Content-Type=application/octet-stream]...
Copying file://tmp_plan/business_unit_1-shared.tfplan [Content-Type=application/octet-stream]...
Copying file://tmp_plan/business_unit_1-production.tfplan [Content-Type=application/octet-stream]...
Copying file://tmp_plan/business_unit_2-development.tfplan [Content-Type=application/octet-stream]...
Copying file://tmp_plan/business_unit_2-production.tfplan [Content-Type=application/octet-stream]...
Copying file://tmp_plan/business_unit_2-shared.tfplan [Content-Type=application/octet-stream]...
- [8/8 files][  1.8 MiB/  1.8 MiB] 100% Done
Operation completed over 8 objects/1.8 MiB.
tmp_plan/*.tfplan: 8 matching files uploaded
9 total artifacts uploaded to gs://bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts/terraform/cloudbuild/plan/097ffa67-f589-4984-a17e-32c1891cfcfd/
Uploading manifest artifacts-097ffa67-f589-4984-a17e-32c1891cfcfd.json
Artifact manifest located at gs://bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts/terraform/cloudbuild/plan/097ffa67-f589-4984-a17e-32c1891cfcfd/artifacts-097ffa67-f589-4984-a17e-32c1891cfcfd.json
DONE

4-projects step 15 - production CB apply

michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$  git checkout -b production
Switched to a new branch 'production'
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git push origin production
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-projects
  [new branch]      production -> production

Step #4 - "tf apply": module.env.module.firewall_rules.google_compute_network_firewall_policy_rule.rules["1000"]: Creation complete after 32s [id=projects/prj-p-bu2sample-peering-snb4/global/firewallPolicies/fp-p-peering-project-firewalls/rules/1000]
Step #4 - "tf apply": module.env.google_compute_network_firewall_policy_association.vpc_association: Creating...
Step #4 - "tf apply": module.env.google_compute_network_firewall_policy_association.vpc_association: Creation complete after 9s [id=projects/prj-p-bu2sample-peering-snb4/global/firewallPolicies/fp-p-peering-project-firewalls/associations/fp-p-peering-project-firewalls-vpc-p-peering-base]

Step #4 - "tf apply": 
Step #4 - "tf apply": Error: Error adding network peering: googleapi: Error 403: Rate Limit Exceeded
Step #4 - "tf apply": Details:
Step #4 - "tf apply": [
Step #4 - "tf apply":   {
Step #4 - "tf apply":     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
Step #4 - "tf apply":     "domain": "compute.googleapis.com",
Step #4 - "tf apply":     "metadatas": {
Step #4 - "tf apply":       "containerId": "17819846901",
Step #4 - "tf apply":       "containerType": "PROJECT",
Step #4 - "tf apply":       "location": "global"
Step #4 - "tf apply":     },
Step #4 - "tf apply":     "reason": "CONCURRENT_OPERATIONS_QUOTA_EXCEEDED"
Step #4 - "tf apply":   },
Step #4 - "tf apply":   {
Step #4 - "tf apply":     "@type": "type.googleapis.com/google.rpc.Help",
Step #4 - "tf apply":     "links": [
Step #4 - "tf apply":       {
Step #4 - "tf apply":         "description": "Concurrent operations quota documentation.",
Step #4 - "tf apply":         "url": "https://cloud.google.com/compute/operations-quota#concurrent_operation_limits"
Step #4 - "tf apply":       }
Step #4 - "tf apply":     ]
Step #4 - "tf apply":   },
Step #4 - "tf apply":   {
Step #4 - "tf apply":     "@type": "type.googleapis.com/google.rpc.LocalizedMessage",
Step #4 - "tf apply":     "locale": "en-US",
Step #4 - "tf apply":     "message": "Quota on concurrent operations exceeded for project 17819846901 in global."
Step #4 - "tf apply":   }
Step #4 - "tf apply": ]
Step #4 - "tf apply": , rateLimitExceeded
Step #4 - "tf apply": 
Step #4 - "tf apply":   with module.env.module.peering.google_compute_network_peering.peer_network_peering,
Step #4 - "tf apply":   on .terraform/modules/env.peering/modules/network-peering/main.tf line 50, in resource "google_compute_network_peering" "peer_network_peering":
Step #4 - "tf apply":   50: resource "google_compute_network_peering" "peer_network_peering" {
Step #4 - "tf apply": 
Finished Step #4 - "tf apply"
ERROR
ERROR: build step 4 "us-central1-docker.pkg.dev/prj-b-cicd-82vv/tf-runners/terraform:v1" failed: step exited with non-zero status: 1
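The 4-projects apply above prints every IAM binding it creates for the per-workspace Cloud Build service account (bucket admin on the state, log and artifact buckets, org-level browser, token-creator on itself and for the Cloud Build service agent). Before the pipeline goes live it is worth reading those grants back per principal rather than per resource. The script below is an added example, not part of the TEF or of tf-wrapper.sh: it parses the `Creation complete ... [id=<resource>/roles/<role>/<member>]` lines of `*_iam_member` resources exactly as Terraform prints them, groups them by member, and flags the ones a reviewer should look at twice. The sample lines are copied from the apply log; the list of roles treated as sensitive is an assumption for this example, not a TEF policy.

```python
"""Summarise IAM grants from a Terraform apply log (added example, not TEF code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the "Creation complete" lines from the apply above.
SAMPLE_LOG = """\
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_storage_bucket_iam_member.state_admin: Creation complete after 5s [id=b/bkt-prj-c-bu1infra-pipeline-iap1-bu1-example-app-state/roles/storage.admin/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_project_iam_member.cb_sa_logging: Creation complete after 8s [id=prj-c-bu1infra-pipeline-iap1/roles/logging.logWriter/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].google_organization_iam_member.browser["bu1-example-app"]: Creation complete after 4s [id=1064386348915/roles/browser/serviceAccount:sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_service_account_iam_member.cb_service_agent_impersonate[0]: Creation complete after 12s [id=projects/prj-c-bu1infra-pipeline-iap1/serviceAccounts/sa-tf-cb-bu1-example-app@prj-c-bu1infra-pipeline-iap1.iam.gserviceaccount.com/roles/iam.serviceAccountTokenCreator/serviceAccount:service-406184153674@gcp-sa-cloudbuild.iam.gserviceaccount.com]
module.infra_pipelines[0].module.tf_workspace["bu1-example-app"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 0s [id=projects/prj-c-bu1infra-pipeline-iap1/triggers/5f6a2213-685e-4348-9f5d-21725f3a4290]
"""

# Matches the id Terraform prints for google_*_iam_member resources:
# <resource>/roles/<role>/<member>. The resource part is non-greedy so the
# first "/roles/" separator wins even when the resource path is long.
IAM_LINE = re.compile(
    r"(?P<rtype>google_[a-z_]+)_iam_member\.\S+: Creation complete after \S+ "
    r"\[id=(?P<resource>.+?)/roles/(?P<role>[^/\]]+)/(?P<member>[^\]]+)\]"
)

# Assumptions for this example: grants at these scopes, or with roles whose
# name contains one of these fragments, get a manual review.
BROAD_SCOPES = {"organization", "folder"}
SENSITIVE_ROLE_FRAGMENTS = ("admin", "owner", "editor", "serviceAccountTokenCreator", "serviceAccountUser")


def parse_iam_grants(log_text):
    """Return one dict per *_iam_member 'Creation complete' line in the log."""
    grants = []
    for line in log_text.splitlines():
        m = IAM_LINE.search(line)
        if not m:
            continue  # not an IAM binding (e.g. a trigger or bucket)
        grants.append({
            "scope": m.group("rtype")[len("google_"):],  # e.g. storage_bucket, organization
            "resource": m.group("resource"),
            "role": "roles/" + m.group("role"),
            "member": m.group("member"),
        })
    return grants


def summarize_by_member(grants):
    """Group grants per principal so each service account's reach is visible at once."""
    by_member = defaultdict(list)
    for g in grants:
        by_member[g["member"]].append((g["scope"], g["resource"], g["role"]))
    return dict(by_member)


def flag_for_review(grants):
    """Return (grant, reasons) for grants at broad scope or with a sensitive role."""
    flagged = []
    for g in grants:
        reasons = []
        if g["scope"] in BROAD_SCOPES:
            reasons.append("%s-wide grant; confirm the role is read-only and still needed" % g["scope"])
        if any(f.lower() in g["role"].lower() for f in SENSITIVE_ROLE_FRAGMENTS):
            reasons.append("role can modify resources or mint credentials")
        if reasons:
            flagged.append((g, reasons))
    return flagged


if __name__ == "__main__":
    grants = parse_iam_grants(SAMPLE_LOG)
    for member, entries in summarize_by_member(grants).items():
        print(member)
        for scope, resource, role in entries:
            print("  %-16s %-40s %s" % (scope, role, resource))
    print("\nreview:")
    for g, reasons in flag_for_review(grants):
        print("  %s on %s: %s" % (g["role"], g["resource"], "; ".join(reasons)))
```

Run it against the full build log (`gcloud builds log <id> | python audit.py`, adapting the `__main__` block to read stdin) to get the same per-principal view for every workspace. In the sample above the state-bucket `storage.admin`, the org-level `browser` and the Cloud Build service agent's `serviceAccountTokenCreator` on `sa-tf-cb-bu1-example-app` are the three entries that come back flagged; the `logging.logWriter` project grant does not.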

@obriensystems

obriensystems commented Apr 16, 2024

#391
Retry fixes the API quota CONCURRENT_OPERATIONS_QUOTA_EXCEEDED issue (wait 60 min); now we see all shared VPCs for the business units.
[screenshots 2024-04-16 16:23:01 and 16:20:57]
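The peering failure above is a 403 whose `google.rpc.ErrorInfo` reason is `CONCURRENT_OPERATIONS_QUOTA_EXCEEDED`: the project hit the Compute Engine limit on in-flight operations, and re-running the apply later succeeded. Only some 403s are safe to retry, so a wrapper should decide from the structured reason, not from the HTTP status. The code below is an added example, not part of the TEF or of tf-wrapper.sh: it pulls the `Details:` JSON out of the text Terraform printed, retries only reasons that clear on their own, and backs off exponentially with jitter. The sample error text is reconstructed from the `Step #4` lines above; the set of retryable reasons and the backoff parameters are assumptions, not values taken from Google's documentation.

```python
"""Classify a googleapi error from Terraform output and retry with backoff (added example)."""
import json
import random
import time

# Constructed from the "Step #4 - tf apply" lines above, with the step prefix removed.
SAMPLE_ERROR = """\
Error: Error adding network peering: googleapi: Error 403: Rate Limit Exceeded
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "compute.googleapis.com",
    "metadatas": {
      "containerId": "17819846901",
      "containerType": "PROJECT",
      "location": "global"
    },
    "reason": "CONCURRENT_OPERATIONS_QUOTA_EXCEEDED"
  },
  {
    "@type": "type.googleapis.com/google.rpc.LocalizedMessage",
    "locale": "en-US",
    "message": "Quota on concurrent operations exceeded for project 17819846901 in global."
  }
]
, rateLimitExceeded
"""

# Assumption: these reasons clear once earlier operations finish; anything else
# (permissions, policy violations, bad input) must not be retried blindly.
RETRYABLE_REASONS = {"CONCURRENT_OPERATIONS_QUOTA_EXCEEDED", "RATE_LIMIT_EXCEEDED"}


class GoogleApiError(Exception):
    """Stand-in for the provider error; str(exc) is the text Terraform printed."""


def extract_details(error_text):
    """Return the JSON list after 'Details:', tolerating the trailing ', rateLimitExceeded'."""
    idx = error_text.find("Details:")
    start = error_text.find("[", idx) if idx >= 0 else -1
    if start < 0:
        return []
    details, _ = json.JSONDecoder().raw_decode(error_text[start:])
    return details


def error_info(error_text):
    """Return the google.rpc.ErrorInfo entry, or None when the error carries none."""
    for item in extract_details(error_text):
        if item.get("@type") == "type.googleapis.com/google.rpc.ErrorInfo":
            return item
    return None


def is_retryable(error_text):
    info = error_info(error_text)
    return bool(info) and info.get("reason") in RETRYABLE_REASONS


def backoff_seconds(attempt, base=30.0, cap=600.0, jitter=None):
    """Full-jitter exponential backoff: random fraction of min(cap, base * 2**attempt).
    jitter=None draws the fraction at random; pass a float in [0, 1] for determinism."""
    ceiling = min(cap, base * (2 ** attempt))
    return ceiling * (random.random() if jitter is None else jitter)


def run_with_retry(operation, max_attempts=5, sleep=time.sleep, jitter=None):
    """Call operation(); on a retryable GoogleApiError sleep and try again."""
    for attempt in range(max_attempts):
        try:
            return operation()
        except GoogleApiError as exc:
            if not is_retryable(str(exc)) or attempt == max_attempts - 1:
                raise
            sleep(backoff_seconds(attempt, jitter=jitter))


def simulate(outcomes, max_attempts=5):
    """Drive run_with_retry over scripted outcomes (error text, or None for success)
    without sleeping; returns (result, list_of_delays) for inspection."""
    slept = []
    it = iter(outcomes)

    def operation():
        text = next(it)
        if text is None:
            return "ok"
        raise GoogleApiError(text)

    try:
        result = run_with_retry(operation, max_attempts=max_attempts, sleep=slept.append, jitter=1.0)
    except GoogleApiError as exc:
        info = error_info(str(exc)) or {}
        result = "failed: " + info.get("reason", "unknown")
    return result, slept


if __name__ == "__main__":
    print(simulate([SAMPLE_ERROR, SAMPLE_ERROR, None]))
```

The other lever, when the same project keeps tripping the limit, is to lower how many operations Terraform starts at once with its `-parallelism=<n>` flag (default 10) rather than retrying harder; that keeps the retry wrapper for transient contention only.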

@obriensystems

39 projects (non-production and dev pending)
10 projects across production-bu1/bu2
20 more pending - but I may not run both
[screenshots 2024-04-16 16:31:20 and 16:32:03]

@obriensystems

4-projects step 17 - development

michael@cloudshell:~$ gcloud config set project tef-olxyz
Updated property [core/project].
michael@cloudshell:~ (tef-olxyz)$ cd tef-olxyz/github/gcp-projects/
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ terraform --version
Terraform v1.7.5
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ which terraform
/usr/bin/terraform
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ cp ../../terraform /usr/bin/
cp: cannot create regular file '/usr/bin/terraform': Permission denied
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ sudo cp ../../terraform /usr/bin/
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ terraform --version
Terraform v1.3.10
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git checkout -b development
Switched to a new branch 'development'
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ git push origin development
Total 0 (delta 0), reused 0 (delta 0), pack-reused 0
To https://source.developers.google.com/p/prj-b-cicd-82vv/r/gcp-projects
 * [new branch]      development -> development
michael@cloudshell:~/tef-olxyz/github/gcp-projects (tef-olxyz)$ 

check development apply trigger

CSR repositories
Screenshot 2024-04-16 at 20 04 20

4-projects - skip non-production for now

unset service account impersonation

Step #4 - "tf apply": Apply complete! Resources: 101 added, 0 changed, 0 destroyed.
Step #4 - "tf apply": 
Step #4 - "tf apply": Outputs:
Step #4 - "tf apply": 
Step #4 - "tf apply": access_context_manager_policy_id = 807865857747
Step #4 - "tf apply": base_shared_vpc_project = "prj-d-bu1sample-base-kizc"
Step #4 - "tf apply": base_shared_vpc_project_sa = "project-service-account@prj-d-bu1sample-base-kizc.iam.gserviceaccount.com"
Step #4 - "tf apply": base_subnets_self_links = [
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/regions/us-central1/subnetworks/sb-d-shared-base-us-central1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/regions/us-central1/subnetworks/sb-d-shared-base-us-central1-proxy",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/regions/us-west1/subnetworks/sb-d-shared-base-us-west1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/regions/us-west1/subnetworks/sb-d-shared-base-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": bucket = {
Step #4 - "tf apply":   "autoclass" = tolist([])
Step #4 - "tf apply":   "cors" = tolist([])
Step #4 - "tf apply":   "custom_placement_config" = tolist([])
Step #4 - "tf apply":   "default_event_based_hold" = false
Step #4 - "tf apply":   "effective_labels" = tomap({})
Step #4 - "tf apply":   "enable_object_retention" = false
Step #4 - "tf apply":   "encryption" = tolist([
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "default_kms_key_name" = "projects/prj-d-bu1env-kms-m0bx/locations/us/keyRings/sample-keyring/cryptoKeys/crypto-key-example"
Step #4 - "tf apply":     },
Step #4 - "tf apply":   ])
Step #4 - "tf apply":   "force_destroy" = false
Step #4 - "tf apply":   "id" = "bkt-prj-d-bu1sample-base-kizc-us-cmek-encrypted-wmts8"
Step #4 - "tf apply":   "labels" = tomap(null) /* of string */
Step #4 - "tf apply":   "lifecycle_rule" = tolist([])
Step #4 - "tf apply":   "location" = "US"
Step #4 - "tf apply":   "logging" = tolist([])
Step #4 - "tf apply":   "name" = "bkt-prj-d-bu1sample-base-kizc-us-cmek-encrypted-wmts8"
Step #4 - "tf apply":   "project" = "prj-d-bu1sample-base-kizc"
Step #4 - "tf apply":   "project_number" = 161114371844
Step #4 - "tf apply":   "public_access_prevention" = "inherited"
Step #4 - "tf apply":   "requester_pays" = false
Step #4 - "tf apply":   "retention_policy" = tolist([])
Step #4 - "tf apply":   "rpo" = "DEFAULT"
Step #4 - "tf apply":   "self_link" = "https://www.googleapis.com/storage/v1/b/bkt-prj-d-bu1sample-base-kizc-us-cmek-encrypted-wmts8"
Step #4 - "tf apply":   "soft_delete_policy" = tolist([
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "effective_time" = "2024-04-17T00:11:12.724Z"
Step #4 - "tf apply":       "retention_duration_seconds" = 604800
Step #4 - "tf apply":     },
Step #4 - "tf apply":   ])
Step #4 - "tf apply":   "storage_class" = "STANDARD"
Step #4 - "tf apply":   "terraform_labels" = tomap({})
Step #4 - "tf apply":   "timeouts" = null /* object */
Step #4 - "tf apply":   "uniform_bucket_level_access" = true
Step #4 - "tf apply":   "url" = "gs://bkt-prj-d-bu1sample-base-kizc-us-cmek-encrypted-wmts8"
Step #4 - "tf apply":   "versioning" = tolist([
Step #4 - "tf apply":     {
Step #4 - "tf apply":       "enabled" = true
Step #4 - "tf apply":     },
Step #4 - "tf apply":   ])
Step #4 - "tf apply":   "website" = tolist([])
Step #4 - "tf apply": }
Step #4 - "tf apply": env_kms_project = "prj-d-bu1env-kms-m0bx"
Step #4 - "tf apply": floating_project = "prj-d-bu1sample-floating-bzum"
Step #4 - "tf apply": iap_firewall_tags = tomap({
Step #4 - "tf apply":   "tagKeys/281477283940102" = "tagValues/281479877791895"
Step #4 - "tf apply":   "tagKeys/281480629325912" = "tagValues/281478394091586"
Step #4 - "tf apply": })
Step #4 - "tf apply": keyring = "projects/prj-d-bu1env-kms-m0bx/locations/us/keyRings/sample-keyring"
Step #4 - "tf apply": keys = [
Step #4 - "tf apply":   "crypto-key-example",
Step #4 - "tf apply": ]
Step #4 - "tf apply": peering_complete = "1858322091449506169"
Step #4 - "tf apply": peering_network = {
Step #4 - "tf apply":   "export_custom_routes" = false
Step #4 - "tf apply":   "export_subnet_routes_with_public_ip" = false
Step #4 - "tf apply":   "id" = "vpc-d-shared-base-spoke/bu1-d-vpc-d-shared-base-spoke-vpc-d-peering-base"
Step #4 - "tf apply":   "import_custom_routes" = false
Step #4 - "tf apply":   "import_subnet_routes_with_public_ip" = true
Step #4 - "tf apply":   "name" = "bu1-d-vpc-d-shared-base-spoke-vpc-d-peering-base"
Step #4 - "tf apply":   "network" = "https://www.googleapis.com/compute/v1/projects/prj-d-shared-base-nlqs/global/networks/vpc-d-shared-base-spoke"
Step #4 - "tf apply":   "peer_network" = "https://www.googleapis.com/compute/beta/projects/prj-d-bu1sample-peering-8a3v/global/networks/vpc-d-peering-base"
Step #4 - "tf apply":   "stack_type" = "IPV4_ONLY"
Step #4 - "tf apply":   "state" = "ACTIVE"
Step #4 - "tf apply":   "state_details" = "[2024-04-16T17:11:31.220-07:00]: Connected."
Step #4 - "tf apply":   "timeouts" = null /* object */
Step #4 - "tf apply": }
Step #4 - "tf apply": peering_project = "prj-d-bu1sample-peering-8a3v"
Step #4 - "tf apply": peering_subnetwork_self_link = "https://www.googleapis.com/compute/v1/projects/prj-d-bu1sample-peering-8a3v/regions/us-central1/subnetworks/sb-d-bu1-peered-us-central1"
Step #4 - "tf apply": restricted_enabled_apis = tolist([
Step #4 - "tf apply":   "accesscontextmanager.googleapis.com",
Step #4 - "tf apply":   "billingbudgets.googleapis.com",
Step #4 - "tf apply": ])
Step #4 - "tf apply": restricted_shared_vpc_project = "prj-d-bu1sample-restrict-dide"
Step #4 - "tf apply": restricted_shared_vpc_project_number = "229211895034"
Step #4 - "tf apply": restricted_subnets_self_links = [
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-restricted-j004/regions/us-central1/subnetworks/sb-d-shared-restricted-us-central1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-restricted-j004/regions/us-central1/subnetworks/sb-d-shared-restricted-us-central1-proxy",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-restricted-j004/regions/us-west1/subnetworks/sb-d-shared-restricted-us-west1",
Step #4 - "tf apply":   "https://www.googleapis.com/compute/v1/projects/prj-d-shared-restricted-j004/regions/us-west1/subnetworks/sb-d-shared-restricted-us-west1-proxy",
Step #4 - "tf apply": ]
Step #4 - "tf apply": vpc_service_control_perimeter_name = "sp_d_shared_restricted_default_perimeter_d036"
Step #4 - "tf apply": policy-library/policies  doesn't match development; skipping
Step #4 - "tf apply": policy-library/lib  doesn't match development; skipping
Step #4 - "tf apply": policy-library/.git  doesn't match development; skipping
Finished Step #4 - "tf apply"
PUSH
Artifacts will be uploaded to gs://bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts using gsutil cp
cloudbuild-tf-apply.yaml: Uploading path....
Copying file://cloudbuild-tf-apply.yaml [Content-Type=application/octet-stream]...
/ [0/1 files][    0.0 B/  2.6 KiB]   0% Done                                    
/ [1/1 files][  2.6 KiB/  2.6 KiB] 100% Done                                    
Operation completed over 1 objects/2.6 KiB.                                      
cloudbuild-tf-apply.yaml: 1 matching files uploaded
tmp_plan/*.tfplan: Uploading path....
Copying file://tmp_plan/business_unit_2-development.tfplan [Content-Type=application/octet-stream]...
Copying file://tmp_plan/business_unit_1-development.tfplan [Content-Type=application/octet-stream]...
/ [0/2 files][    0.0 B/546.3 KiB]   0% Done                                    
/ [0/2 files][    0.0 B/546.3 KiB]   0% Done                                    
/ [1/2 files][546.3 KiB/546.3 KiB]  99% Done                                    
/ [2/2 files][546.3 KiB/546.3 KiB] 100% Done                                    
Operation completed over 2 objects/546.3 KiB.                                    
tmp_plan/*.tfplan: 2 matching files uploaded
3 total artifacts uploaded to gs://bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts/terraform/cloudbuild/apply/cc46b1be-10fd-4ad3-b3bd-13f812812048/
Uploading manifest artifacts-cc46b1be-10fd-4ad3-b3bd-13f812812048.json
Artifact manifest located at gs://bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts/terraform/cloudbuild/apply/cc46b1be-10fd-4ad3-b3bd-13f812812048/artifacts-cc46b1be-10fd-4ad3-b3bd-13f812812048.json
DONE
Screenshot 2024-04-16 at 20 13 45 Screenshot 2024-04-16 at 20 13 28

enumerate zombie resources like the two organization level firewall policies
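
The apply output above prints the sample bucket's security-relevant attributes: a CMEK default key, uniform bucket-level access, versioning on, no bucket logging, and a public_access_prevention of "inherited", which means the bucket relies on the org-policy constraint rather than its own setting. The following script is an added example (not code from the TEF or from this issue) that runs a posture check over output of the shape `terraform output -json` produces; the sample JSON is constructed from the values in the log, trimmed to the keys the checks read, and whether the org policy enforces public-access prevention is an assumption the caller passes in.

```python
"""Posture check over `terraform output -json` from the 4-projects step.

Added example, not part of the TEF or this issue. Flags a bucket output
that lacks a CMEK key, uniform bucket-level access, versioning, bucket
logging, or explicit public-access prevention.
"""
import json
import sys

# Constructed sample in the shape `terraform output -json` emits, trimmed to
# the keys read below. Values mirror the apply log in this issue.
SAMPLE_OUTPUT_JSON = json.dumps({
    "bucket": {
        "sensitive": False,
        "type": ["object", {}],
        "value": {
            "name": "bkt-prj-d-bu1sample-base-kizc-us-cmek-encrypted-wmts8",
            "project": "prj-d-bu1sample-base-kizc",
            "encryption": [{"default_kms_key_name":
                "projects/prj-d-bu1env-kms-m0bx/locations/us/keyRings/sample-keyring/cryptoKeys/crypto-key-example"}],
            "uniform_bucket_level_access": True,
            "public_access_prevention": "inherited",
            "versioning": [{"enabled": True}],
            "logging": [],
            "retention_policy": [],
        },
    },
    "restricted_enabled_apis": {
        "sensitive": False,
        "type": ["list", "string"],
        "value": ["accesscontextmanager.googleapis.com", "billingbudgets.googleapis.com"],
    },
})


def check_bucket(bucket: dict, pap_enforced_by_org_policy: bool = False) -> list[str]:
    """Return findings for one google_storage_bucket output value.

    pap_enforced_by_org_policy is the caller's assertion (assumed, not read
    from the output) that constraints/storage.publicAccessPrevention is
    enforced at org or folder level; without it, "inherited" on the bucket
    is a finding because nothing on the bucket itself blocks allUsers grants.
    """
    findings = []
    enc = bucket.get("encryption") or []
    if not enc or not enc[0].get("default_kms_key_name"):
        findings.append("no CMEK default key configured")
    if not bucket.get("uniform_bucket_level_access"):
        findings.append("uniform bucket-level access disabled (legacy ACLs allowed)")
    pap = bucket.get("public_access_prevention")
    if pap != "enforced" and not pap_enforced_by_org_policy:
        findings.append(f"public_access_prevention is {pap!r}, not enforced on the bucket")
    versioning = bucket.get("versioning") or []
    if not versioning or not versioning[0].get("enabled"):
        findings.append("object versioning disabled")
    if not bucket.get("logging"):
        findings.append("no access/storage logs sink configured on bucket")
    return findings


def check_terraform_output(output_json: str,
                           pap_enforced_by_org_policy: bool = False) -> dict[str, list[str]]:
    """Map every bucket-shaped output name to its list of findings."""
    outputs = json.loads(output_json)
    results = {}
    for name, entry in outputs.items():
        value = entry.get("value")
        # Only object outputs carrying bucket attributes are checked; lists
        # such as restricted_enabled_apis are skipped.
        if isinstance(value, dict) and "uniform_bucket_level_access" in value:
            results[name] = check_bucket(value, pap_enforced_by_org_policy)
    return results


if __name__ == "__main__":
    # Piped input (e.g. `terraform output -json | python3 this.py`) is checked;
    # with no pipe the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT_JSON
    for name, findings in check_terraform_output(raw).items():
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print(f"  - {finding}")
```

Against the sample, the script reports two findings (inherited public-access prevention and no bucket logging); passing the org-policy flag drops the first, which is the right outcome for this landing zone only if that constraint really is enforced above the project.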

@obriensystems
Collaborator

49 projects - production and development to 4-projects

need workloads - 5-app-infra

@fmichaelobrien
Contributor Author

fmichaelobrien commented Apr 17, 2024

Architecture reverse engineering / diagramming in progress for Fortigate retrofit

Microsegmentation

There are two classifications in the LZ - restricted and base.
There are three environments - development, non-production, production.

High Level Diagram - Default

High Level Diagram - Development environment only

Screenshot 2024-04-17 at 12 15 17

@obriensystems
Collaborator

5-app-infra

https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/5-app-infra/README.md#deploying-with-cloud-build

To set your Cloud Platform project in this session use “gcloud config set project [PROJECT_ID]”
michael@cloudshell:~$ gcloud config set project tef-olxyz
Updated property [core/project].
michael@cloudshell:~ (tef-olxyz)$ cd tef-olxyz/github/
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ which terraform
/usr/bin/terraform
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ terraform --version
Terraform v1.7.5
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.1. You can update by downloading from https://www.terraform.io/downloads.html
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ sudo cp ../terraform /usr/bin/terraform
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ terraform --version
Terraform v1.3.10
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.8.1. You can update by downloading from https://www.terraform.io/downloads.html
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ export INFRA_PIPELINE_PROJECT_ID=$(terraform -chdir="gcp-projects/business_unit_1/shared/" output -raw cloudbuild_project_id)
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ echo ${INFRA_PIPELINE_PROJECT_ID}
prj-c-bu1infra-pipeline-iap1
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ gcloud source repos clone gcp-policies gcp-policies-app-infra --project=${INFRA_PIPELINE_PROJECT_ID}
Cloning into '/home/michael/tef-olxyz/github/gcp-policies-app-infra'...
warning: You appear to have cloned an empty repository.
Project [prj-c-bu1infra-pipeline-iap1] repository [gcp-policies] was cloned to [/home/michael/tef-olxyz/github/gcp-policies-app-infra].
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cd gcp-policies-app-infra
michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$ ls
michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$ git checkout -b main
Switched to a new branch 'main'
michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$ cp -RT ../terraform-example-foundation/policy-library/ .
cp: cannot stat '../terraform-example-foundation/policy-library/': No such file or directory
michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$  cp -RT ../pbmm-on-gcp-onboarding/policy-library/ .
michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$ 

5-app-infra commit main

michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$ git add .
michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$ ls
lib  policies
michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$ git commit -m 'Initialize policy library repo'
[main (root-commit) 06829ee] Initialize policy library repo
 112 files changed, 9682 insertions(+)
 create mode 100644 lib/constraints.rego
 create mode 100644 lib/util.rego
 create mode 100644 lib/util_test.rego
 create mode 100644 policies/constraints/appengine_versions.yaml
 create mode 100644 policies/constraints/bigquery_world_readable.yaml
 create mode 100644 policies/constraints/dnssec_prevent_rsasha1_ksk.yaml
 create mode 100644 policies/constraints/dnssec_prevent_rsasha1_zsk.yaml
 create mode 100644 policies/constraints/gke_allow_only_private_cluster.yaml
 create mode 100644 policies/constraints/gke_allowed_node_sa_scope.yaml
 create mode 100644 policies/constraints/gke_container_optimized_os.yaml
 create mode 100644 policies/constraints/gke_dashboard_disable.yaml
 create mode 100644 policies/constraints/gke_disable_default_service_account.yaml
 create mode 100644 policies/constraints/gke_disable_legacy_endpoints.yaml
 create mode 100644 policies/constraints/gke_enable_alias_ip_ranges.yaml
 create mode 100644 policies/constraints/gke_legacy_abac.yaml
 create mode 100644 policies/constraints/gke_master_authorized_networks_enabled.yaml
 create mode 100644 policies/constraints/gke_node_pool_auto_repair.yaml
 create mode 100644 policies/constraints/gke_node_pool_auto_upgrade.yaml
 create mode 100644 policies/constraints/gke_restrict_client_auth_methods.yaml
 create mode 100644 policies/constraints/gke_restrict_pod_traffic.yaml
 create mode 100644 policies/constraints/iam_deny_public.yaml
 create mode 100644 policies/constraints/network_enable_flow_logs.yaml
 create mode 100644 policies/constraints/network_enable_private_google_access.yaml
 create mode 100644 policies/constraints/restrict_fw_rules_rdp_world_open.yaml
 create mode 100644 policies/constraints/restrict_fw_rules_ssh_world_open.yaml
 create mode 100644 policies/constraints/restrict_fw_rules_world_open.yaml
 create mode 100644 policies/constraints/serviceusage_allow_basic_apis.yaml
 create mode 100644 policies/constraints/sql_public_ip.yaml
 create mode 100644 policies/constraints/sql_ssl.yaml
 create mode 100644 policies/constraints/storage_bucket_policy_only.yaml
 create mode 100644 policies/constraints/storage_denylist_public.yaml
 create mode 100644 policies/templates/gcp_allowed_resource_types.yaml
 create mode 100644 policies/templates/gcp_always_violates_v1.yaml
 create mode 100644 policies/templates/gcp_app_service_versions.yaml
 create mode 100644 policies/templates/gcp_appengine_location_v1.yaml
 create mode 100644 policies/templates/gcp_bigquery_cmek_encryption_v1.yaml
 create mode 100644 policies/templates/gcp_bigquery_dataset_world_readable_v1.yaml
 create mode 100644 policies/templates/gcp_bigquery_table_retention_v1.yaml
 create mode 100644 policies/templates/gcp_bq_dataset_location_v1.yaml
 create mode 100644 policies/templates/gcp_cmek_rotation_v1.yaml
 create mode 100644 policies/templates/gcp_cmek_settings_v1.yaml
 create mode 100644 policies/templates/gcp_compute_allowed_networks.yaml
 create mode 100644 policies/templates/gcp_compute_disk_resource_policies_v1.yaml
 create mode 100644 policies/templates/gcp_compute_external_ip_address.yaml
 create mode 100644 policies/templates/gcp_compute_ip_forward.yaml
 create mode 100644 policies/templates/gcp_compute_zone_v1.yaml
 create mode 100644 policies/templates/gcp_dataproc_location_v1.yaml
 create mode 100644 policies/templates/gcp_dnssec_prevent_rsasha1_v1.yaml
 create mode 100644 policies/templates/gcp_dnssec_v1.yaml
 create mode 100644 policies/templates/gcp_enforce_labels_v1.yaml
 create mode 100644 policies/templates/gcp_enforce_naming_v1.yaml
 create mode 100644 policies/templates/gcp_gke_allowed_node_sa_v1.yaml
 create mode 100644 policies/templates/gcp_gke_cluster_location.yaml
 create mode 100644 policies/templates/gcp_gke_cluster_version_v1.yaml
 create mode 100644 policies/templates/gcp_gke_container_optimized_os.yaml
 create mode 100644 policies/templates/gcp_gke_dashboard_v1.yaml
 create mode 100644 policies/templates/gcp_gke_disable_default_service_account_v1.yaml
 create mode 100644 policies/templates/gcp_gke_disable_legacy_endpoints_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_alias_ip_ranges.yaml
 create mode 100644 policies/templates/gcp_gke_enable_private_endpoint.yaml
 create mode 100644 policies/templates/gcp_gke_enable_shielded_nodes_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_stackdriver_kubernetes_engine_monitoring_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_stackdriver_logging_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_stackdriver_monitoring_v1.yaml
 create mode 100644 policies/templates/gcp_gke_enable_workload_identity_v1.yaml
 create mode 100644 policies/templates/gcp_gke_legacy_abac_v1.yaml
 create mode 100644 policies/templates/gcp_gke_master_authorized_networks_enabled_v1.yaml
 create mode 100644 policies/templates/gcp_gke_node_auto_repair_v1.yaml
 create mode 100644 policies/templates/gcp_gke_node_auto_upgrade_v1.yaml
 create mode 100644 policies/templates/gcp_gke_private_cluster_v1.yaml
 create mode 100644 policies/templates/gcp_gke_restrict_client_auth_methods_v1.yaml
 create mode 100644 policies/templates/gcp_gke_restrict_pod_traffic_v1.yaml
 create mode 100644 policies/templates/gcp_glb_external_ip_access_constraint_v1.yaml
 create mode 100644 policies/templates/gcp_iam_allow_ban_roles_v1.yaml
 create mode 100644 policies/templates/gcp_iam_allowed_bindings.yaml
 create mode 100644 policies/templates/gcp_iam_allowed_policy_member_domains.yaml
 create mode 100644 policies/templates/gcp_iam_audit_log.yaml
 create mode 100644 policies/templates/gcp_iam_custom_role_permissions_v1.yaml
 create mode 100644 policies/templates/gcp_iam_required_bindings_v1.yaml
 create mode 100644 policies/templates/gcp_iam_restrict_service_account_creation_v1.yaml
 create mode 100644 policies/templates/gcp_iam_restrict_service_account_key_age_v1.yaml
 create mode 100644 policies/templates/gcp_iam_restrict_service_account_key_type_v1.yaml
 create mode 100644 policies/templates/gcp_lb_forwarding_rules.yaml
 create mode 100644 policies/templates/gcp_network_enable_firewall_logs_v1.yaml
 create mode 100644 policies/templates/gcp_network_enable_flow_logs_v1.yaml
 create mode 100644 policies/templates/gcp_network_enable_private_google_access_v1.yaml
 create mode 100644 policies/templates/gcp_network_restrict_default_v1.yaml
 create mode 100644 policies/templates/gcp_network_routing_v1.yaml
 create mode 100644 policies/templates/gcp_resource_value_pattern_v1.yaml
 create mode 100644 policies/templates/gcp_restricted_firewall_rules_v1.yaml
 create mode 100644 policies/templates/gcp_serviceusage_allowed_services_v1.yaml
 create mode 100644 policies/templates/gcp_spanner_location_v1.yaml
 create mode 100644 policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
 create mode 100644 policies/templates/gcp_sql_backup_v1.yaml
 create mode 100644 policies/templates/gcp_sql_instance_type_v1.yaml
 create mode 100644 policies/templates/gcp_sql_location_v1.yaml
 create mode 100644 policies/templates/gcp_sql_maintenance_window_v1.yaml
 create mode 100644 policies/templates/gcp_sql_public_ip_v1.yaml
 create mode 100644 policies/templates/gcp_sql_ssl_v1.yaml
 create mode 100644 policies/templates/gcp_sql_world_readable_v1.yaml
 create mode 100644 policies/templates/gcp_storage_bucket_policy_only_v1.yaml
 create mode 100644 policies/templates/gcp_storage_bucket_retention_v1.yaml
 create mode 100644 policies/templates/gcp_storage_bucket_world_readable_v1.yaml
 create mode 100644 policies/templates/gcp_storage_cmek_encryption_v1.yaml
 create mode 100644 policies/templates/gcp_storage_location_v1.yaml
 create mode 100644 policies/templates/gcp_storage_logging_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_allowed_regions.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_ensure_access_levels_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_ensure_project_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_ensure_services_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_ip_range_v1.yaml
 create mode 100644 policies/templates/gcp_vpc_sc_project_perimeter.yaml
michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$ git push --set-upstream origin main
Enumerating objects: 118, done.
Counting objects: 100% (118/118), done.
Delta compression using up to 4 threads
Compressing objects: 100% (118/118), done.
Writing objects: 100% (118/118), 72.63 KiB | 2.42 MiB/s, done.
Total 118 (delta 87), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (87/87)
remote: Waiting for private key checker: 98/112 objects left
To https://source.developers.google.com/p/prj-c-bu1infra-pipeline-iap1/r/gcp-policies
 * [new branch]      main -> main
Branch 'main' set up to track remote branch 'main' from 'origin'.

clone bu1-example-app

michael@cloudshell:~/tef-olxyz/github/gcp-policies-app-infra (tef-olxyz)$ cd ..
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ gcloud source repos clone bu1-example-app --project=${INFRA_PIPELINE_PROJECT_ID}
Cloning into '/home/michael/tef-olxyz/github/bu1-example-app'...
warning: You appear to have cloned an empty repository.
Project [prj-c-bu1infra-pipeline-iap1] repository [bu1-example-app] was cloned to [/home/michael/tef-olxyz/github/bu1-example-app].
michael@cloudshell:~/tef-olxyz/github (tef-olxyz)$ cd bu1-example-app
michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$ git checkout -b plan
Switched to a new branch 'plan'
michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$ cp -RT ../pbmm-on-gcp-onboarding/5-app-infra/ .
michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$  cp ../pbmm-on-gcp-onboarding/build/cloudbuild-tf-* .
michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$ cp ../pbmm-on-gcp-onboarding/build/tf-wrapper.sh .
michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$ chmod 755 ./tf-wrapper.sh
michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$ mv common.auto.example.tfvars common.auto.tfvars


michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$    git add .
michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$ git status
On branch plan

No commits yet

Changes to be committed:
  (use "git rm --cached <file>..." to unstage)
        new file:   .gitignore
        new file:   README.md
        new file:   business_unit_1/development/README.md
        new file:   business_unit_1/development/backend.tf
        new file:   business_unit_1/development/common.auto.tfvars
        new file:   business_unit_1/development/main.tf
        new file:   business_unit_1/development/outputs.tf
        new file:   business_unit_1/development/variables.tf
        new file:   business_unit_1/development/versions.tf
        new file:   business_unit_1/non-production/README.md
        new file:   business_unit_1/non-production/backend.tf
        new file:   business_unit_1/non-production/common.auto.tfvars
        new file:   business_unit_1/non-production/main.tf
        new file:   business_unit_1/non-production/outputs.tf
        new file:   business_unit_1/non-production/variables.tf
        new file:   business_unit_1/non-production/versions.tf
        new file:   business_unit_1/production/README.md
        new file:   business_unit_1/production/backend.tf
        new file:   business_unit_1/production/common.auto.tfvars
        new file:   business_unit_1/production/main.tf
        new file:   business_unit_1/production/outputs.tf
        new file:   business_unit_1/production/variables.tf
        new file:   business_unit_1/production/versions.tf
        new file:   cloudbuild-tf-apply.yaml
        new file:   cloudbuild-tf-plan.yaml
        new file:   common.auto.tfvars
        new file:   modules/env_base/README.md
        new file:   modules/env_base/main.tf
        new file:   modules/env_base/outputs.tf
        new file:   modules/env_base/variables.tf
        new file:   modules/env_base/versions.tf
        new file:   tf-wrapper.sh

michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$ git commit -m 'Initialize bu1 example app repo'
[plan (root-commit) d1ac96b] Initialize bu1 example app repo
 32 files changed, 1748 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 README.md
 create mode 100644 business_unit_1/development/README.md
 create mode 100644 business_unit_1/development/backend.tf
 create mode 120000 business_unit_1/development/common.auto.tfvars
 create mode 100644 business_unit_1/development/main.tf
 create mode 100644 business_unit_1/development/outputs.tf
 create mode 100644 business_unit_1/development/variables.tf
 create mode 100644 business_unit_1/development/versions.tf
 create mode 100644 business_unit_1/non-production/README.md
 create mode 100644 business_unit_1/non-production/backend.tf
 create mode 120000 business_unit_1/non-production/common.auto.tfvars
 create mode 100644 business_unit_1/non-production/main.tf
 create mode 100644 business_unit_1/non-production/outputs.tf
 create mode 100644 business_unit_1/non-production/variables.tf
 create mode 100644 business_unit_1/non-production/versions.tf
 create mode 100644 business_unit_1/production/README.md
 create mode 100644 business_unit_1/production/backend.tf
 create mode 120000 business_unit_1/production/common.auto.tfvars
 create mode 100644 business_unit_1/production/main.tf
 create mode 100644 business_unit_1/production/outputs.tf
 create mode 100644 business_unit_1/production/variables.tf
 create mode 100644 business_unit_1/production/versions.tf
 create mode 100644 cloudbuild-tf-apply.yaml
 create mode 100644 cloudbuild-tf-plan.yaml
 create mode 100644 common.auto.tfvars
 create mode 100644 modules/env_base/README.md
 create mode 100644 modules/env_base/main.tf
 create mode 100644 modules/env_base/outputs.tf
 create mode 100644 modules/env_base/variables.tf
 create mode 100644 modules/env_base/versions.tf
 create mode 100755 tf-wrapper.sh

michael@cloudshell:~/tef-olxyz/github/bu1-example-app (tef-olxyz)$ git push --set-upstream origin plan
Enumerating objects: 30, done.
Counting objects: 100% (30/30), done.
Delta compression using up to 4 threads
Compressing objects: 100% (28/28), done.
Writing objects: 100% (30/30), 14.27 KiB | 1.78 MiB/s, done.
Total 30 (delta 14), reused 0 (delta 0), pack-reused 0
remote: Resolving deltas: 100% (14/14)
remote: Waiting for private key checker: 22/22 objects left
To https://source.developers.google.com/p/prj-c-bu1infra-pipeline-iap1/r/bu1-example-app
 * [new branch]      plan -> plan
Branch 'plan' set up to track remote branch 'plan' from 'origin'.

5-app-infra step 10 check cloud build plan run

there is no trigger in cb for the example

Screenshot 2024-04-17 at 13 44 42 Screenshot 2024-04-17 at 13 46 27 see #392
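
Both the 4-projects and the 5-app-infra sessions above pin Terraform back to 1.3.10 by copying a pre-downloaded binary over /usr/bin/terraform with sudo, with no check that the file is the published release. The script below is an added example, not code from the TEF or from this issue, of the check a practitioner would put in front of that copy: verify the downloaded release archive against its SHA256SUMS manifest and install into a user-writable bin directory only when it matches. It assumes, as HashiCorp does for releases on releases.hashicorp.com, that the manifest is named terraform_<version>_SHA256SUMS and uses the `<sha256hex>  <filename>` format that `sha256sum -c` reads; it does not verify the manifest's detached .sig with gpg, which should be done separately against HashiCorp's release key. The demo artifact and manifest are constructed stand-ins.

```python
"""Verify a Terraform release archive against its SHA256SUMS manifest before
installing it (added example, not part of the TEF or this issue).

Assumptions not taken from the page: the manifest is HashiCorp's
terraform_<version>_SHA256SUMS in `<sha256hex>  <filename>` format; the
manifest's .sig must be checked with gpg separately (not done here).
"""
import hashlib
import hmac
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so large archives are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse `<hex>  <name>` lines into {name: hex}; blank lines are ignored,
    and a malformed digest aborts rather than silently skipping a line."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # sha256sum marks binary mode with a leading '*'
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
            raise ValueError(f"malformed manifest line: {line!r}")
        digests[name] = digest.lower()
    return digests


def verify_against_manifest(artifact: Path, manifest_text: str) -> bool:
    """True only if the artifact's digest matches the manifest entry for its
    file name. An artifact absent from the manifest fails closed."""
    expected = parse_sha256sums(manifest_text).get(artifact.name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_file(artifact))


def install_verified(artifact: Path, manifest_text: str, dest_dir: Path) -> Path:
    """Copy the artifact into dest_dir (a user-owned bin dir such as ~/.local/bin,
    not /usr/bin) only after the manifest check passes; returns the new path."""
    if not verify_against_manifest(artifact, manifest_text):
        raise RuntimeError(f"{artifact.name}: sha256 does not match manifest; refusing to install")
    dest_dir.mkdir(parents=True, exist_ok=True)
    target = dest_dir / artifact.name
    shutil.copy2(artifact, target)
    target.chmod(target.stat().st_mode | stat.S_IXUSR)
    return target


def demo() -> dict[str, bool]:
    """Constructed demo: a stand-in archive and a manifest listing it, then the
    same file tampered with after the manifest was written."""
    with tempfile.TemporaryDirectory() as td:
        tdp = Path(td)
        artifact = tdp / "terraform_1.3.10_linux_amd64.zip"
        artifact.write_bytes(b"PK\x03\x04 constructed stand-in for the release zip\n")
        manifest = f"{sha256_file(artifact)}  {artifact.name}\n"
        results = {"good_match": verify_against_manifest(artifact, manifest)}
        results["installed"] = install_verified(artifact, manifest, tdp / "bin").is_file()
        artifact.write_bytes(artifact.read_bytes() + b"# tampered\n")
        results["tampered_match"] = verify_against_manifest(artifact, manifest)
        try:
            install_verified(artifact, manifest, tdp / "bin")
            results["tampered_refused"] = False
        except RuntimeError:
            results["tampered_refused"] = True
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For a real release, run the check on the downloaded zip (the name listed in the manifest), unzip it only after it passes, and put the user-local bin directory first on PATH instead of replacing the distribution's /usr/bin/terraform with sudo; that keeps the pinned 1.3.10 scoped to the shell that needs it.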

@obriensystems
Collaborator

See latest 3rd org testing 50 min for #421 in #421 (comment)
