GCP Peering does not work #3034
Comments
Hi @dgarstang - is this a different issue than #3026?
I will close #3026. I think this ticket describes the situation more clearly.
Hmm, I can't seem to recreate this issue with the following config:
Do you mind running with the full debug logs? i.e.
I have been working around this with a null resource:
@emilymye this is because you need more networks and peerings to reproduce the race condition. We have a lot of different networks in GCP using a shared VPC. Each service lies in its own separated network, and we need to peer each network to allow communication between relevant services. We hit the race condition every single time, and without a dependency hack using input/output it would take about 20 iterations of plan/apply to have all the peerings created from scratch. Now, the Terraform team seems to want to let Terraform be dumb regarding parallelism (I mean dumb in a good way) and let the provider take care of provider-specific implementation details like the parallelism issue we have here, i.e. "In GCP it is not possible to peer a network with several other networks at the same time". Our solution is to reproduce a dependency graph of the peerings using input/output:
The example above reproduces the following graph:
The above solution effectively peers in sequence. So it would be upra-supra-mega cool if the Google provider could handle this for us; one possible way would be that the provider allows only one peering resource to run at any given time. It will be slower but will work in one pass, and we can use
An easy way to reproduce this is to use google_compute_network_peering with a count of networks. Setting up a hub and spoke network with counts causes this error every single time.

```hcl
variable "organization_id" {
  description = "The organization where the projects and folders should be created"
  type        = "string"
}

variable "billing_account_id" {
  description = "The ID of the billing account resources should be created under (XXXXXX-XXXXX-XXXXXX)"
  type        = "string"
}

variable "labels" {
  description = "Map of labels that will be applied to all resources that have labels"
  type        = "map"
}

variable "number_of_spokes" {
  description = "How many VPCs should be created and peered with the hub"
  type        = "string"
  default     = 4
}

resource "google_project" "compute_project" {
  name                = "compute-project"
  project_id          = "project-${random_id.compute_project.hex}"
  org_id              = "${var.organization_id}"
  billing_account     = "${var.billing_account_id}"
  labels              = "${var.labels}"
  auto_create_network = false
}

resource "random_id" "compute_project" {
  byte_length = 4
}

resource "google_compute_network" "hub_network" {
  name                            = "hub-network"
  project                         = "${google_project.compute_project.id}"
  auto_create_subnetworks         = false
  delete_default_routes_on_create = true
}

resource "google_compute_subnetwork" "hub_subnetwork" {
  provider         = "google-beta"
  name             = "hub-subnetwork"
  project          = "${google_project.compute_project.id}"
  ip_cidr_range    = "10.1.1.0/24"
  region           = "us-central1"
  network          = "${google_compute_network.hub_network.self_link}"
  enable_flow_logs = true

  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

resource "google_compute_firewall" "ingress" {
  provider       = "google-beta"
  name           = "hub-firewall"
  network        = "${google_compute_network.hub_network.name}"
  project        = "${google_project.compute_project.id}"
  enable_logging = true

  allow {
    protocol = "tcp"
    ports = [
      "80",  //http
      "443", //https
      "22"   //ssh
    ]
  }
}

resource "google_compute_route" "internet" {
  name             = "hub-network"
  project          = "${google_project.compute_project.id}"
  dest_range       = "0.0.0.0/0"
  network          = "${google_compute_network.hub_network.name}"
  next_hop_gateway = "default-internet-gateway"
  priority         = 1
}

resource "google_compute_network" "vpc_network" {
  count                           = "${var.number_of_spokes}"
  name                            = "spoke-network-${count.index}"
  project                         = "${google_project.compute_project.id}"
  auto_create_subnetworks         = false
  delete_default_routes_on_create = true
  depends_on                      = ["google_compute_subnetwork.hub_subnetwork"]
}

resource "random_id" "vpc_network" {
  count       = "${var.number_of_spokes}"
  byte_length = 4
}

resource "google_compute_subnetwork" "vpc_subnetwork" {
  count            = length(google_compute_network.vpc_network)
  provider         = "google-beta"
  name             = "spoke-subnetwork-${count.index}"
  project          = "${google_project.compute_project.id}"
  ip_cidr_range    = "${cidrsubnet("10.1.1.0/16", 8, count.index + 2)}"
  region           = "us-central1"
  network          = "${element(google_compute_network.vpc_network.*.self_link, count.index)}"
  enable_flow_logs = true

  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

resource "google_compute_network_peering" "hub_to_peer" {
  count        = length(google_compute_network.vpc_network)
  name         = "hub-to-peer-${count.index}"
  network      = "${google_compute_network.hub_network.self_link}"
  peer_network = "${element(google_compute_network.vpc_network.*.self_link, count.index)}"
  depends_on   = ["google_compute_subnetwork.vpc_subnetwork", "google_compute_subnetwork.hub_subnetwork"]
}

resource "google_compute_network_peering" "peer_to_hub" {
  count        = length(google_compute_network.vpc_network)
  name         = "peer-to-hub-${count.index}"
  network      = "${element(google_compute_network.vpc_network.*.self_link, count.index)}"
  peer_network = "${google_compute_network.hub_network.self_link}"
  depends_on   = ["google_compute_subnetwork.vpc_subnetwork", "google_compute_subnetwork.hub_subnetwork"]
}
```

I also agree that it would be really nice if this worked. Creating a wrapper resource just to fulfill this is pretty painful. I also don't think anyone has yet mentioned the easiest workaround, which is using:
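The input/output dependency chain that the earlier comment describes, applied to the hub-and-spoke layout above, as an added example that is not from this thread or from the provider: each peering reads an attribute of the one created before it, so Terraform must create them one at a time instead of hitting the GCP one-peering-operation-at-a-time limit. It assumes Terraform 0.12 syntax, a `project` variable and two spoke networks; the resource names are assumed.

```hcl
# Added example, not from the issue: serialize peerings with data dependencies.
# Assumes Terraform 0.12 syntax and an existing project passed in as a variable.
variable "project" {
  type = string
}

resource "google_compute_network" "hub" {
  name                    = "hub-network"
  project                 = var.project
  auto_create_subnetworks = false
}

resource "google_compute_network" "spoke" {
  count                   = 2
  name                    = "spoke-network-${count.index}"
  project                 = var.project
  auto_create_subnetworks = false
}

# First peering: nothing to wait for.
resource "google_compute_network_peering" "hub_to_spoke_0" {
  name         = "hub-to-spoke-0"
  network      = google_compute_network.hub.self_link
  peer_network = google_compute_network.spoke[0].self_link
}

# Reverse direction for the same pair. Reading attributes of hub_to_spoke_0
# (its "outputs") makes Terraform create this resource only after it exists.
resource "google_compute_network_peering" "spoke_0_to_hub" {
  name         = "spoke-0-to-hub"
  network      = google_compute_network_peering.hub_to_spoke_0.peer_network
  peer_network = google_compute_network_peering.hub_to_spoke_0.network
}

# Next spoke chains off the previous reverse peering; repeat per spoke.
resource "google_compute_network_peering" "hub_to_spoke_1" {
  name         = "hub-to-spoke-1"
  network      = google_compute_network_peering.spoke_0_to_hub.peer_network
  peer_network = google_compute_network.spoke[1].self_link
}

resource "google_compute_network_peering" "spoke_1_to_hub" {
  name         = "spoke-1-to-hub"
  network      = google_compute_network_peering.hub_to_spoke_1.peer_network
  peer_network = google_compute_network_peering.hub_to_spoke_1.network
}
```

`terraform graph` should show a single path through the four peerings rather than four parallel edges from the networks, which is what forces one apply pass to succeed.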
Terraform Version
Affected Resource(s)
google_compute_network_peering
Terraform Configuration Files
Debug Output
Expected Behavior
The infra and the dev vpc should be peered.
Actual Behavior
See error. This basically means that peering is broken. The depends_on has no effect. The use of depends_on in dev_infra should mean that it WAITS until the first peering operation completes thereby fulfilling the GCP API requirement of one peering operation at a time.
Steps to Reproduce
terraform apply