Creating a cloud run job errors when trying to use secret it doesn't have access to but still gets created #13828
Comments
@rdittrich97 can you share your config and the debug log? Is this question related? #13830
bug_report.zip
@rdittrich97 can you post the content directly here? If that is too long, maybe post and share at https://gist.github.com/?
When creating a Cloud Run resource, Cloud Run API only does some simple verification for the create request. For example, some value should not be negative. It doesn't check the secret since it requires another API call which will significantly increase create API latency. If the request passes the verifications, a cloud run resource will be created with Then the reconciling process will start to make the resource into the desired state as described by TF waits the
@rdittrich97 does this explain why the resource still gets created?
@yanweiguo Yes, thank you for the explanation. Does that mean that the cloud run being created but not in terraform state is expected behavior?
Cloud Run resource being created but terraform reports an error for the creation is expected behavior.
What should the terraform state look like in this case then? When this happens the cloud run job exists in GCP but it is not in the terraform state.
The issue should be fixed by GoogleCloudPlatform/magic-modules#10298
any updates?
Community Note
If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.
Terraform Version
1.3.1
provider version: 4.54.0
Affected Resource(s)
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
When there's an error with the configuration I expected it to not create the cloud run job.
Actual Behavior
The terraform apply fails saying:
Error waiting to create Job: Error waiting for Creating Job: Error code 13, message: spec.template.spec.containers[0].env[11].value_from.secret_key_ref.name: Permission denied on secret: <secret> for Revision service account <service_account>. The service account used must be granted the 'Secret Manager Secret Accessor' role (roles/secretmanager.secretAccessor) at the secret, project or higher level
Even though terraform exits with non-zero status the job still gets created. In the job details page it shows the same error as terraform did.
If I try to do an apply again terraform fails with:
Error 409: Resource '<cloud_run_job>' already exists.
Steps to Reproduce
Create a secret
Create a cloud run job referring to that secret but with a user that doesn't have permissions to access it
Important Factoids
References
Similar to this issue
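The permission error quoted in this issue names the role the job's service account is missing. As an added example (not from the issue or from the provider's code), one way to order the IAM grant before the job so the create request does not reference an unreadable secret. It assumes the `google_cloud_run_v2_job` resource, which the issue does not name, and all resource names, the region, the image and the `api_key` variable are assumptions; the `replication` block uses 4.x provider syntax.

```hcl
# Added example: every name, the region, the image and the variable are assumptions.
variable "api_key" {
  type      = string
  sensitive = true
}
resource "google_service_account" "job" {
  account_id = "example-job-runner"
}
resource "google_secret_manager_secret" "api_key" {
  secret_id = "example-api-key"
  replication {
    automatic = true # 4.x provider syntax
  }
}
resource "google_secret_manager_secret_version" "api_key" {
  secret      = google_secret_manager_secret.api_key.id
  secret_data = var.api_key
}

# Grant the role named in the error message, scoped to this one secret only.
resource "google_secret_manager_secret_iam_member" "job_accessor" {
  secret_id = google_secret_manager_secret.api_key.id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.job.email}"
}

resource "google_cloud_run_v2_job" "job" {
  name     = "example-job"
  location = "us-central1"
  template {
    template {
      service_account = google_service_account.job.email
      containers {
        image = "us-docker.pkg.dev/cloudrun/container/job:latest"
        env {
          name = "API_KEY"
          value_source {
            secret_key_ref {
              secret  = google_secret_manager_secret.api_key.secret_id
              version = "latest"
            }
          }
        }
      }
    }
  }
  # Referencing the secret does not imply a dependency on the IAM binding, so state it.
  depends_on = [google_secret_manager_secret_iam_member.job_accessor, google_secret_manager_secret_version.api_key]
}
```

If an earlier failed apply already left the job in GCP, the `Error 409` above will persist until the job is either deleted or brought into state with `terraform import`.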