update document and script to use gcloud beta terraform vet

[iyabchen]

#714

• Tested locally for the dockerfile, and the tf-wrapper.sh, and they work.
  (the cloud foundation repo's generate doc is replacing some strings, but not impacting the README in general. )

[daniel-cit]

Hi @iyabchen Thanks for the PR.

This change to add

  /builder/google-cloud-sdk/bin/gcloud components install terraform-tools && \

would also need to be done at the bootstrap module before been able to switch to gcloud beta terraform vet

since the image

https://github.com/terraform-google-modules/terraform-google-bootstrap/blob/v5.1.0/modules/cloudbuild/cloudbuild_builder/Dockerfile

is used to run the cloud builds with the tf-wrapper.sh script for the steps 1 to 4

[daniel-cit]

terraform-google-modules/terraform-google-bootstrap#156

[iyabchen]

I updated the dockerfile based on bootstrap repository.
The tests are failing, and one of them are failing for cloud resource manager API not enabled. The other is failing to set IAM policy. It doesn't seem to be related to the changes, unless this is related to base image change.

[iyabchen]

test failure might be related to terraform-google-modules/terraform-google-bootstrap#148.

[bharathkkb]

LGTM, I will wait for @daniel-cit to do an e2e and ensure this works across all of our stages.

[bharathkkb]

I just cut a 6.0 release so we can switch this back to the registry and "~> 6.0"

[iyabchen]

Done, switch it back to 6.0

[daniel-cit]

Hi @iyabchen @bharathkkb
I tested all stages with terraform 0.13.7 and 1.1.9 .

we have two issues:

1. in step 3-networks we have this old issue not directly related to gcloud beta terraform vet but that fails the build:
   google_compute_subnetwork enable_flow_logs deprecated in google terraform 3.0.0 and GCPNetworkEnableFlowLogsConstraintV1 broken GoogleCloudPlatform/policy-library#414

2. in steps 0-bootstrap, due to google_folder_iam_member and google_folder_iam_binding, and in step 4-projects due to google_folder_iam_member we have this crash:
   fail to parse terraform 1.1.9 plan with google_folder_iam_member in a new folder GoogleCloudPlatform/terraform-validator#708

I removed the usage of google_folder_iam_member and google_folder_iam_binding from steps 0 and 4 and there is no other issues related to gcloud beta terraform vet on those steps.

the crash has been fixed but it in not yet in a gcloud release

I can retest the json files created for the stages after a new gcloud release that contains the fix

[iyabchen]

@daniel-cit , gcloud cli 393.0.0 is released, and it is with terraform-tools 0.5.0, which should cover the fix for crash issue you mentioned.
Would you be possible to do a retest?

[daniel-cit]

Hi @iyabchen I will do the retest

[iyabchen]

@daniel-cit I updated to 393.0.0, and the tests are failing for 409 errors... I don't quite get it.
If the bootstrap repo also need to update to 393.0.0 and trigger a new release, let me know.

[daniel-cit]

the Error 409: Requested entity already exists is a name collision with a deleted project that is still in the 30 days interval in which it can be restored.

I rerun the builds and I will keep track of it

[iyabchen]

Seems the test run into something new Error deleting folder 'fldr-production': googleapi: Error 400: Failed to delete folder [folders/38748887386] due to: The folder being deleted is non-empty.

[iyabchen]

It failed differently on rerun: Error enabling the Compute Engine API required to delete the default network

[iyabchen]

all checks passed