I'm trying to deploy a cloud function via terraform:

+ resource "google_cloudfunctions_function" "scc-function" {
  + available_memory_mb           = 256
  + description                   = "scc notification handler"
  + entry_point                   = "scc_notification_handler"
  + https_trigger_url             = (known after apply)
  + id                            = (known after apply)
  + ingress_settings              = "ALLOW_INTERNAL_ONLY"
  + labels                        = {
      + "app" = "scc_notifications_to_alerts"
    }
  + max_instances                 = 1
  + name                          = "scc_notification_handler"
  + project                       = "<redacted>"
  + region                        = "europe-west2"
  + runtime                       = "python38"
  + service_account_email         = (known after apply)
  + source_archive_bucket         = "ka-security-cloudmon-trigger"
  + source_archive_object         = "cloudmon_trigger.zip"
  + timeout                       = 60
  + vpc_connector_egress_settings = (known after apply)

  + event_trigger {
      + event_type = "google.pubsub.topic.publish"
      + resource   = "scc-notifications"

      + failure_policy {
          + retry = true
        }
    }

But it always results in:

google_cloudfunctions_function.scc-function: Creating...
Error: googleapi: Error 400: The request has violated one or more Org Policies. Please 
refer to the respective violations for more information., failedPrecondition
with google_cloudfunctions_function.scc-function,
on main.tf line 23, in resource "google_cloudfunctions_function" "scc-function":
23: resource "google_cloudfunctions_function" "scc-function"

I have looked at the org policies, logs, etc. but no joy in finding the cause.

When I run it from the CLI as a "gcloud function deploy..." it deploys using the same bucket where the code is stored as a zip file.

Set Org policies:

  root:
- constraint: constraints/compute.requireOsLogin
  type: boolean
- constraint: constraints/gcp.resourceLocations
  allow:
    - in:europe-locations
- constraint: constraints/iam.allowedPolicyMemberDomains
  allow:
    - <redacted>
- constraint: constraints/sql.restrictPublicIp
  enforce: true
  type: boolean
- constraint: constraints/storage.uniformBucketLevelAccess
  enforce: true
  type: boolean
- constraint: constraints/compute.skipDefaultNetworkCreation
  enforce: true
  type: boolean

Any ideas would be greatly appreciated.
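One way to find out which constraint the API actually rejected, rather than reading the policy list by eye, is to pull the `PreconditionFailure` details out of the Cloud Audit Log entry for the failed `CreateFunction` call. The script below is an added example, not code from the question, and it assumes the shape Cloud Audit Logging gives an org policy failure: `protoPayload.status.code` is 9 (`FAILED_PRECONDITION`) and `protoPayload.status.details` carries a `google.rpc.PreconditionFailure` whose `violations` entries name the constraint in `type` and the offending resource in `subject`. The log entries embedded in it are constructed for illustration; the constraint and subject values are placeholders, not real data from this project.

```python
"""Extract violated Org Policy constraints from Cloud Audit Log entries.

Added example; it assumes the FAILED_PRECONDITION / PreconditionFailure
layout described in the lead-in. Export the real entries with something like
`gcloud logging read '... protoPayload.status.code=9' --format=json` and feed
them to find_org_policy_violations().
"""
import json

PRECONDITION_FAILURE = "type.googleapis.com/google.rpc.PreconditionFailure"
FAILED_PRECONDITION = 9  # google.rpc.Code.FAILED_PRECONDITION

# Constructed sample entries modelled on the failure in the question.
# Resource names and the violated constraint are illustrative placeholders.
SAMPLE_LOG = json.dumps([
    {   # the rejected deploy: one org policy violation in the status details
        "protoPayload": {
            "methodName": "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
            "resourceName": "projects/PROJECT_ID/locations/europe-west2/functions/scc_notification_handler",
            "status": {
                "code": FAILED_PRECONDITION,
                "message": "The request has violated one or more Org Policies.",
                "details": [{
                    "@type": PRECONDITION_FAILURE,
                    "violations": [{
                        "type": "constraints/gcp.resourceLocations",
                        "subject": "projects/PROJECT_ID/locations/PLACEHOLDER_REGION",
                        "description": "Constructed placeholder description.",
                    }],
                }],
            },
        }
    },
    {   # an unrelated permission error: same method, different status code
        "protoPayload": {
            "methodName": "google.cloud.functions.v1.CloudFunctionsService.CreateFunction",
            "status": {"code": 7, "message": "Permission denied."},
        }
    },
    {   # a successful call carries no status block at all
        "protoPayload": {"methodName": "google.cloud.functions.v1.CloudFunctionsService.GetFunction"}
    },
])


def load_sample():
    """Return the constructed log entries as Python objects."""
    return json.loads(SAMPLE_LOG)


def find_org_policy_violations(entries):
    """Return one dict per violated constraint found in FAILED_PRECONDITION entries."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        status = payload.get("status") or {}
        if status.get("code") != FAILED_PRECONDITION:
            continue
        for detail in status.get("details", []):
            if detail.get("@type") != PRECONDITION_FAILURE:
                continue
            for violation in detail.get("violations", []):
                constraint = violation.get("type", "")
                if not constraint.startswith("constraints/"):
                    continue  # other preconditions are not org policy constraints
                findings.append({
                    "method": payload.get("methodName"),
                    "resource": payload.get("resourceName"),
                    "constraint": constraint,
                    "subject": violation.get("subject"),
                    "description": violation.get("description"),
                })
    return findings


def count_by_constraint(findings):
    """Aggregate findings so repeated retries of the same deploy collapse to one line."""
    counts = {}
    for f in findings:
        counts[f["constraint"]] = counts.get(f["constraint"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_org_policy_violations(load_sample()):
        print(f"{f['constraint']}  subject={f['subject']}  via {f['method']}")
    print(count_by_constraint(find_org_policy_violations(load_sample())))
```

The `subject` field is the useful part: it names the resource the policy engine objected to, which may be an intermediate resource the deploy creates rather than the function itself, so its location is worth comparing against the allowed set in `constraints/gcp.resourceLocations`.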
