Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.
If an issue is assigned to a user, that user is claiming responsibility for the issue.
Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.
Terraform Configuration

```hcl
resource "google_securityposture_posture" "security-posture" {
  posture_id  = "security_posture"
  parent      = "organizations/${var.org_id}"
  location    = "global"
  state       = "ACTIVE"
  description = "Security Posture"

  policy_sets {
    policy_set_id = "Org policies"
    description   = "Set of Org Policies for"

    policies {
      policy_id   = "Define allowed external IPs for VM instances"
      description = "Prevent the creation of Compute instances with a public IP, which can expose them to internet ingress and egress."
      constraint {
        org_policy_constraint {
          canned_constraint_id = "compute.vmExternalIpAccess"
          policy_rules {
            deny_all = true
          }
        }
      }
    }

    policies {
      policy_id   = "Disable Automatic IAM Grants for Default Service Accounts"
      description = "Prevent default service accounts from receiving the overly-permissive IAM role Editor at creation."
      constraint {
        org_policy_constraint {
          canned_constraint_id = "iam.automaticIamGrantsForDefaultServiceAccounts"
          policy_rules {
            enforce = true
          }
        }
      }
    }

    policies {
      policy_id   = "Allow Generation 2 Cloud Functions only"
      description = "Allow Generation 2 Cloud Functions only. Prevents deployment of gen1 Cloud Functions."
      constraint {
        org_policy_constraint {
          canned_constraint_id = "cloudfunctions.restrictAllowedGenerations"
          policy_rules {
            values {
              allowed_values = ["2ndGen"]
            }
          }
        }
      }
    }

    policies {
      policy_id   = "Disallow public ingress for Cloud Run"
      description = "Disallow public ingress for Cloud Run and Cloud Functions (gen2), allowing only internal and load balancer ingress."
      constraint {
        org_policy_constraint {
          canned_constraint_id = "run.allowedIngress"
          policy_rules {
            values {
              allowed_values = [
                "internal-and-cloud-load-balancing",
                "internal"
              ]
            }
          }
        }
      }
    }
  }
}
```
Debug Output
No response
Expected Behavior
Plan does not change if the configuration does not change
Actual Behavior
Terraform wants to update-in-place on every plan execution even if the code does not change. It appears to be re-ordering the policies every time.
Steps to reproduce
terraform apply
terraform plan
Important Factoids
No response
References
No response
b/348054918
After some tries, due to restrictions, it isn't possible to reproduce this issue. It looks like a permadiff. I'm forwarding this issue to check it internally. It looks fairly like the case that policy_sets is a set instead of a list.
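To separate the benign reordering discussed above from a genuine change to the posture, here is an added example (not code from the issue, the provider or Google) that compares a desired and a remotely read posture keyed by policy_set_id and policy_id rather than by list position; the sample data is constructed to mirror three of the issue's constraints, and the function names are assumptions.

```python
"""Order-insensitive drift check for a google_securityposture_posture.
Constructed example, not code from the issue or the provider; the data below
mirrors the policies in the issue's configuration."""
import json

def _policy(policy_id, canned_constraint_id, policy_rules):
    """Build one policy in the same shape as the HCL `policies` block."""
    return {"policy_id": policy_id, "constraint": {
        "canned_constraint_id": canned_constraint_id, "policy_rules": policy_rules}}

def index_policies(posture):
    """Flatten policy_sets into {(policy_set_id, policy_id): constraint}.
    Keying by IDs makes the comparison independent of block order (a list-typed
    Terraform block is not); allowed_values are sorted for the same reason."""
    out = {}
    for pset in posture.get("policy_sets", []):
        for pol in pset.get("policies", []):
            constraint = json.loads(json.dumps(pol["constraint"]))  # deep copy
            for rule in constraint.get("policy_rules", []):
                if "allowed_values" in rule:
                    rule["allowed_values"] = sorted(rule["allowed_values"])
            out[(pset["policy_set_id"], pol["policy_id"])] = constraint
    return out

def posture_drift(desired, remote):
    """Report policies missing from, unexpected in, or changed on the remote."""
    d, r = index_policies(desired), index_policies(remote)
    return {"missing": sorted(k for k in d if k not in r),
            "unexpected": sorted(k for k in r if k not in d),
            "changed": sorted(k for k in d.keys() & r.keys() if d[k] != r[k])}

POLICIES = [  # constructed from three of the org-policy constraints in the issue
    _policy("Define allowed external IPs for VM instances",
            "compute.vmExternalIpAccess", [{"deny_all": True}]),
    _policy("Disable Automatic IAM Grants for Default Service Accounts",
            "iam.automaticIamGrantsForDefaultServiceAccounts", [{"enforce": True}]),
    _policy("Disallow public ingress for Cloud Run", "run.allowedIngress",
            [{"allowed_values": ["internal-and-cloud-load-balancing", "internal"]}]),
]
DESIRED = {"policy_sets": [{"policy_set_id": "Org policies", "policies": POLICIES}]}
# Same policies returned in a different order: the benign case behind the permadiff.
REORDERED = {"policy_sets": [{"policy_set_id": "Org policies",
                              "policies": list(reversed(POLICIES))}]}
# Reordered AND weakened: the Cloud Run ingress rule now also allows "all".
WEAKENED = json.loads(json.dumps(REORDERED))
WEAKENED["policy_sets"][0]["policies"][0]["constraint"]["policy_rules"][0]["allowed_values"].append("all")
```

`posture_drift(DESIRED, REORDERED)` reports nothing, while `posture_drift(DESIRED, WEAKENED)` flags only the Cloud Run ingress policy as changed.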
Terraform Version & Provider Version(s)
Terraform v1.18.1 on Linux (Ubuntu 22.04 LTS)
Affected Resource(s)
google_securityposture_posture