google_compute_forwarding_rule does not support shared VPC

[zbikmarc]

I think there are two issues which as a result does not allow using google_compute_forwarding_rule with shared VPCs.

1. subnetwork field expects an URL not just a name - in other compute resources like instance and template this filed is just network name
2. There is no subnetwork_project field which might help with issue above.

Terraform Version

Terraform v0.11.1
provider "google" (1.4.0)

Affected Resource(s)

• google_compute_forwarding_rule

Terraform Configuration Files

resource "google_compute_forwarding_rule" "forwarding-rule" {
  name = "${var.name}-fw-rule"

  load_balancing_scheme = "INTERNAL"
  ports                 = ["${var.port}"]
  subnetwork            = "${var.subnetwork}"

  backend_service = "${google_compute_region_backend_service.backend.self_link}"
}

Expected Behavior

One should be able to use Shared VPC subnetwork for creating forwarding rule. It can be done via WebUI

Actual Behavior

When subnetwork field is just subnetwork name terraform fails with:
* google_compute_forwarding_rule.forwarding-rule: Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.subnetwork': 'my-xpn-subnetwork-name'. The URL is malformed., invalid

Steps to Reproduce

1. Create standard forwarding rule
2. Try to use custom subnetwork providing its name instead of URL
3. Try to use subnet from shared VPC providing its name instead of URL
4. In both examples it will fail
5. Try to provide full URL for both scenarios and this time it will work.

Important Factoids

Shared network should be created and be in different project.

References

• https://cloud.google.com/vpc/docs/shared-vpc

[rosbo]

Hi,

Have you tried using the subnetwork data source?

data "google_compute_subnetwork" "my-subnetwork" {
  name   = "${var.subnetwork}"
  project = "your vpc host project"
  region = "us-east1"
}

resource "google_compute_forwarding_rule" "forwarding-rule" {
  name = "${var.name}-fw-rule"

  load_balancing_scheme = "INTERNAL"
  ports                 = ["${var.port}"]
  subnetwork            = "${data.google_compute_subnetwork.my-subnetwork.self_link}"

  backend_service = "${google_compute_region_backend_service.backend.self_link}"
}

[zbikmarc]

@rosbo
This helped but I find it a bit inconsistent. In other places one have to provide name and project (sometimes) but google_compute_forwarding_rule expects URL.

[rosbo]

I agree, we should be consistent across resources.

I will leave it open to fix this.

[jason-tian]

Hi @rosbo , I have the same problem, and I also define the data source in module, but I get the error below:

Resource 'data.google_compute_subnetwork.my-subnetwork' not found for variable 'data.google_compute_subnetwork.my-subnetwork.self_link'
Any suggests for this?
Thanks.

[rosbo]

@jason-tian, this should work. Could you share your config and we can start from there to determine what is missing?

Thank you

[rosbo]

I don't see the data source for the subnetwork in your config. You should have a block like:

data "google_compute_subnetwork" "my-subnetwork" {
  name   = "${var.subnetwork}"
  project = "your vpc host project"
  region = "us-east1"
}

[jason-tian]

Sorry, I miss it. let me show it again.

the module app:

data "google_compute_subnetwork" "my-subnetwork" {
  name = "${var.subnetwork}"
}

resource "google_compute_instance_template" "instance_template" {
  name         = "${var.base_instance_name}-instance-template"
  machine_type = "${var.machine_type}"

  tags   = "${var.tags}"
  labels = "${var.labels}"

  // boot disk
  disk {
    source_image = "debian-cloud/debian-9"
    auto_delete  = true
    boot         = true
    disk_type    = "${var.disk_type}"
    disk_size_gb = "${var.disk_size_gb}"
  }

  metadata_startup_script = "${file("${path.module}/initial.sh")}"

  // networking
  network_interface {
    subnetwork         = "${var.subnetwork}"
    subnetwork_project = "${var.subnetwork_project}"
  }

  service_account {
    email  = "${var.email}"
    scopes = ["compute-rw", "storage-ro", "logging-write", "monitoring"]
  }

  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_region_instance_group_manager" "instance-group-manager" {
  name               = "${var.base_instance_name}-instance-group-manager-${var.region}"
  instance_template  = "${google_compute_instance_template.instance_template.self_link}"
  base_instance_name = "${var.base_instance_name}-${var.region}"
  region             = "${var.region}"

  target_size     = "${var.target_size}"
  update_strategy = "NONE"
}

resource "google_compute_region_autoscaler" "autoscaler" {
  name   = "${var.base_instance_name}-autoscaler-${var.region}"
  region = "${var.region}"

  target = "${google_compute_region_instance_group_manager.instance-group-manager.self_link}"

  autoscaling_policy = {
    max_replicas    = "${var.max_replicas}"
    min_replicas    = "${var.target_size}"
    cooldown_period = 60

    cpu_utilization {
      target = 0.7
    }
  }
}

resource "google_compute_region_backend_service" "lb" {
  name             = "${var.base_instance_name}-lb-${var.region}"
  protocol         = "TCP"
  timeout_sec      = 10
  session_affinity = "CLIENT_IP"

  backend {
    group = "${google_compute_region_instance_group_manager.instance-group-manager.instance_group}"
  }

  health_checks = ["${google_compute_health_check.lb-health-check.self_link}"]
}

resource "google_compute_health_check" "lb-health-check" {
  name               = "${var.base_instance_name}-lb-health-check-${var.region}"
  check_interval_sec = 5
  timeout_sec        = 5

  tcp_health_check {
    port = "${var.port}"
  }
}

resource "google_compute_forwarding_rule" "lb-forwarding-rule" {
  name                  = "${var.base_instance_name}-lb-forwarding-rule-${var.region}"
  load_balancing_scheme = "INTERNAL"
  ports                 = ["${var.port}"]
  subnetwork            = "${data.google_compute_subnetwork.my-subnetwork.self_link}"
  backend_service       = "${google_compute_region_backend_service.lb.self_link}"
}

The tf file which is use the module:

module "app" {
  source             = "../../modules/app-group-managed"
  base_instance_name = "****"
  email              = "****"
  network            = "****"
  region             = "${var.region}"
  subnetwork         = "${var.subnetwork}"
  subnetwork_project = "${var.subnetwork_project}"
  port               = "****"

  labels = {
    env     = "int"
    service = "*****"
  }

  tags = "${var.tags}"
}

[jason-tian]

@rosbo Sorry to paste wrong config before. Above should be that I am using.

[rosbo]

Can you try passing the project and the region to the datasource. If you do not, it falls back on the default defined in your provider block.

data "google_compute_subnetwork" "my-subnetwork" {
  name   = "${var.subnetwork}"
  project = "${var.subnetwork_project}"
  region = "${var.region}"
}

[jason-tian]

It works. I misunderstood before about the project and region. Thanks for your help. @rosbo

[rosbo]

You're welcome. Glad that it works now!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!