Error waiting for Deleting Firewall on project creation

[andrew-j-hagner]

Community Note

This is just a repeat of a previous issue that was never addressed and closed, resubmitting because its still a pretty obvious problem, the resource does not work as-is if you make use of auto_create_network=false.

The auto_create_network causes project creation to fail if the compute api isn't enabled (despite the code trying and succeeding to enabled it, the hard-coded 10 second wait is not long enough, at least most days in GCP at least 🙄)

Previous issue I found: #18156
Related issue with Google's Project Factory Module: terraform-google-modules/terraform-google-project-factory#978

The retry will either need to be longer, try multiple times, or at the very least make a note in the docs explaining the dependency.

Per error message:

If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

😬

Note, this failure puts terraform state into a non-retry-able state. The project is created in GCP however the state doesn't know/and or handle that well and will fail on retries because the project already exists. In addition, if you manually delete the project, it will STILL fail on retries because project deletion is a 'soft-delete' in GCP and the name remains unusable for 30? days... making for a very annoying recovery from this.

Terraform Version & Provider Version(s)

Terraform v1.11.2
on linux_arm64

• provider registry.terraform.io/hashicorp/google v6.26.0

Affected Resource(s)

google_project (and in turn the official module https://github.com/terraform-google-modules/terraform-google-project-factory)

Terraform Configuration

No response

Debug Output

Error: Error deleting default network in project REDACTED: Error waiting for Deleting Firewall: error while retrieving operation: googleapi: Error 403: Compute Engine API has not been used in project REDACTED before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=REDACTED then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

Expected Behavior

• The API should be enabled and then the resource should wait until that is observed and proceed
• The resource state should not get into a state where the project has been created but terraform is unaware and tries to re-create
• The documentation should note that if the auto_create_network setting is used it may increase apply time significantly (and really if any setting is used that depends on an API that is being enabled)
• GCP should enable APIs faster... or really just ditch needing to enable them in the first place 😏

Actual Behavior

It fails as described in the summary.

Steps to reproduce

Try to create a project with auto_create_network=false

Important Factoids

No response

References

No response

[ggtisc]

Hi @andrew-j-hagner

I created a google_project with the following configuration but everything works as expected without errors:

resource "google_project" "project_21953" {
  name                = "project-21953"
  project_id          = "project-21953"
  org_id              = "1234567890"
  auto_create_network = false
  billing_account     = "your-billing-account"
  deletion_policy     = "DELETE"

  lifecycle {
    prevent_destroy = false
  }
}

As I'm understanding you are expecting each resource will be enabled automatically, like Compute Engine API but this is not possible due to budget, security, quotas, account restrictions and good practices the good way is to enable/disable each API you are going to use or not.

Finally you are looking to reduce the time it takes to create resources is that right?

If you are presenting a different issue please share with us your code configuration like the above example to see what is happening. For sensitive data you could use examples like:

1. org_id = "1234567890"
2. billing_account = "your-billing-account"