It seems that google_artifact_registry_repository ignores the "depends_on" attribute?

I am trying to create a new project and then a new Google Artifact Registry in the new project. Here are the Terraform resources:

    resource "google_project" "my_project" {
      name = "My Project Name"
      project_id = "my-project-id-abc"
      billing_account = "BILLING-ACCOUNT-ID"
    }

    resource "google_artifact_registry_repository" "my_ar" {
      provider = google-beta
      format = "DOCKER"
      repository_id = "myreponame"
      location = "europe-west1"
      project = google_project.my_project.project_id
      depends_on = [google_project_service.artifactregistry_googleapis_com]
    }

    resource "google_project_service" "artifactregistry_googleapis_com" {
      project = google_project.my_project.project_id
      service = "artifactregistry.googleapis.com"
    }

This almost always fails on terraform apply with the following error message:

    Error: Error creating Repository: googleapi: Error 403: Permission 'artifactregistry.repositories.create' denied on resource '//artifactregistry.googleapis.com/projects/my-project-id-abc/locations/europe-west1' (or it may not exist).
    Details:
    [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "domain": "artifactregistry.googleapis.com",
        "metadata": {
          "permission": "artifactregistry.repositories.create",
          "resource": "projects/my-project-id-abc/locations/europe-west1"
        },
        "reason": "IAM_PERMISSION_DENIED"
      }
    ]

Immediately re-running the same command always results in the following output:

    Terraform will perform the following actions:

      # google_artifact_registry_repository.my_ar will be created
      + resource "google_artifact_registry_repository" "my_ar" {
          + create_time   = (known after apply)
          + format        = "DOCKER"
          + id            = (known after apply)
          + location      = "europe-west1"
          + name          = (known after apply)
          + project       = "my-project-id-abc"
          + repository_id = "myreponame"
          + update_time   = (known after apply)
        }

    Plan: 1 to add, 0 to change, 0 to destroy.
    google_artifact_registry_repository.my_ar: Creating...
    google_artifact_registry_repository.my_ar: Still creating... [10s elapsed]
    google_artifact_registry_repository.my_ar: Creation complete after 12s [id=projects/my-project-id-abc/locations/europe-west1/repositories/myreponame]

    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Isn't the role of the depends_on = [google_project_service.artifactregistry_googleapis_com] attribute to wait until everything is ready before creating the artifact repository?

2 answers

A more elegant alternative to null_resource for resources that take time to become ready is the time_sleep resource:

    resource "google_project" "my_project" {...}

    resource "time_sleep" "wait-for-my_project" {
      create_duration = "30s"
      depends_on = [google_project.my_project]
    }

    resource "google_artifact_registry_repository" "my_ar" {
      ...
      depends_on = [time_sleep.wait-for-my_project]
    }

    # ...etc.

Using a null_resource resource to delay things provided a temporary fix:

    resource "google_artifact_registry_repository" "my_ar" {
      project = google_project.my_project.project_id
      provider = google-beta
      format = "DOCKER"
      repository_id = "myreponame"
      location = "europe-west1"
      depends_on = [null_resource.delay]
    }

    # in many scenarios the above artifact registries are created while the apis are not yet active
    # this is a known issue: https://github.com/hashicorp/terraform-provider-google/issues/9902
    # and this delay buys some time before creating the above repositories.
    resource "null_resource" "delay" {
      depends_on = [ google_project_service.artifactregistry_googleapis_com ]
      provisioner "local-exec" {
        command = "sleep 120"
      }
      triggers = {
        project = google_project.my_project.id
      }
    }
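
A complete configuration that combines the question's resources with the time_sleep approach, as an added example that is not code from the thread. The resource name wait_for_artifactregistry_api, the 60s duration and the triggers wiring are assumptions; here the delay starts after the API enablement rather than after project creation.

```hcl
# Added example: names and the 60s delay are assumptions, not values from the thread.
terraform {
  required_providers {
    google      = { source = "hashicorp/google" }
    google-beta = { source = "hashicorp/google-beta" }
    time        = { source = "hashicorp/time" }
  }
}

resource "google_project" "my_project" {
  name            = "My Project Name"
  project_id      = "my-project-id-abc"
  billing_account = "BILLING-ACCOUNT-ID"
}

resource "google_project_service" "artifactregistry_googleapis_com" {
  project = google_project.my_project.project_id
  service = "artifactregistry.googleapis.com"
}

# Start the wait only after the API enablement call has returned, so the
# delay covers activation of the service rather than project creation.
resource "time_sleep" "wait_for_artifactregistry_api" {
  depends_on      = [google_project_service.artifactregistry_googleapis_com]
  create_duration = "60s" # assumed value; tune to what your applies need

  # Re-run the wait if the repository is ever pointed at a different project.
  triggers = {
    project = google_project.my_project.project_id
  }
}

resource "google_artifact_registry_repository" "my_ar" {
  provider      = google-beta
  format        = "DOCKER"
  repository_id = "myreponame"
  location      = "europe-west1"

  # Reading the project ID through the time_sleep trigger creates an implicit
  # dependency on the delay, so no separate depends_on is needed.
  project = time_sleep.wait_for_artifactregistry_api.triggers["project"]
}
```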