Project tainted

[alfonsozamorac]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.2.9
provider registry.terraform.io/hashicorp/google v5.10.0
provider registry.terraform.io/hashicorp/google-beta v5.10.0

Affected Resource(s)

google_project

Terraform Configuration

terraform {
  required_version = ">= 0.15"
  required_providers {
    google = "~> 5.0"
    google-beta = "~> 5.0"
  }
  experiments = [module_variable_optional_attrs]
}

resource "google_project" "my_project-in-a-folder" {
  name       = "project-tainted"
  project_id = "project-tainted"
  auto_create_network = false
  billing_account     = "XXXXX"
  folder_id           = "YYYYYYY"
  skip_delete         = false
}

Debug Output

module.project-factory.module.project.google_project.project: Creating...
module.project-factory.module.project.google_project.project: Still creating... [10s elapsed]
module.project-factory.module.project.google_project.project: Still creating... [20s elapsed]
module.project-factory.module.project.google_project.project: Still creating... [30s elapsed]
module.project-factory.module.project.google_project.project: Still creating... [40s elapsed]


Error: Error deleting default network in project project-tainted: googleapi: Error 403: Compute Engine API has not been used in project project-tainted before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=project-tainted then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.Help",
    "links": [
      {
        "description": "Google developers console API activation",
        "url": "https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=project-tainted"
      }
    ]
  },
  {
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadatas": {
      "consumer": "projects/project-tainted",
      "service": "compute.googleapis.com"
    },
    "reason": "SERVICE_DISABLED"
  }
]
, accessNotConfigured

  with module.project-factory.module.project.google_project.project,
  on .terraform/modules/project-factory.project/main.tf line 45, in resource "google_project" "project":
  45: resource "google_project" "project" {


And in the second apply I receive:

# module.project-factory.module.project.google_project.project is tainted, so must be replaced
-/+ resource "google_project" "project" {

Expected Behavior

Successful project creation

Actual Behavior

It fails because the Compute Engine API is not enabled and cannot delete default networks because I have the variable auto_create_network = false. When you try to do a second apply the project appears in 'tainted' state and needs to be destroyed and recreated. It doesn't always happen, making it difficult to reproduce the error.

Steps to reproduce

1. terraform apply
2. terraform apply

Important Factoids

No response

References

No response

[shuyama1]

@alfonsozamorac Thanks for filing the ticket. Yes, that's known issue and it should be fixed by GoogleCloudPlatform/magic-modules#10046 which is released v5.19.0. Would mind upgrading to a 5.19.0+ version and see if this issue still occurs

[alfonsozamorac]

Thank you very much for the response @shuyama1. We will try to upgrade the version to see if it solves the problem. For projects that have a 'tainted' state, what would be the solution? Should we untaint the resource using terraform untaint google_project.my_project, or will upgrading the version fix the status? We cannot destroy and create the projects because our policy prevents recreation for 30 days.

[shuyama1]

Upgrading the version wouldn't resolve the issue for existing resources, unless you let Terraform delete and recreate them. Given the fact that you cannot destroy and create the projects because the policy prevents recreation for 30 days, I think you can run terraform untaint to bring the project resource out of the taint state and you'll probably also need to manually delete the default network as I believe the network deletion failed during the initial creation of the project and Terraform wouldn't able to perform that action in any following runs.

[alfonsozamorac]

I executed terraform untaint on the project resource and verified that the default network was not created. After this change, the remaining resources were successfully created without needing to destroy the project. Thank you very much @shuyama1

[shuyama1]

Great! Glad it worked. Closing this issue now. Feel free to reopen or file a new one if the issue happens again. Thanks!