GCP - "Terraform Import" on VPC SC Perimeter removing Access List

Hi,

I am trying to import a VPC SC Perimeter into Terraform state, but the plan shows the removal of one Access Level (test_ent_perim_access_002) in the perimeter, and I am not sure why. Also, Access List “test_ent_perim_access_001” is getting removed and added again. Kindly suggest.

Below is the resource

resource "google_access_context_manager_service_perimeter" "test-ent-prod-perim-001" {
  parent         = "accessPolicies/263896276372"
  name           = "accessPolicies/263896276372/servicePerimeters/test_ent_prod_perim_001"
  title          = "test_ent_prod_perim_001"
  description    = "Test Org VPC SC perimeter"
  perimeter_type = "PERIMETER_TYPE_REGULAR"
  status {
    resources           = ["7654356728263"]
    restricted_services = ["bigquery.googleapis.com"]
    access_levels = [
      "accessPolicies/263896276372/accessLevels/test_onprem_ipwhitelist",
      "accessPolicies/263896276372/accessLevels/test_ent_cmn_perim_access_001",
      "accessPolicies/263896276372/accessLevels/test_ent_perim_access_001",
      "accessPolicies/263896276372/accessLevels/test_ent_perim_access_002",
    ]
  }
}

Below is the import command

terraform import --var-file=$VARS --var-file=$BACKEND --var-file=vars/$ENV/terraform.tfvars google_access_context_manager_service_perimeter.test-ent-prod-perim-001 accessPolicies/263896276372/servicePerimeters/test_ent_prod_perim_001 

Below is the plan where it shows the removal of Access Level

Terraform will perform the following actions:
  # google_access_context_manager_service_perimeter.test-ent-prod-perim-001 will be updated in-place
  ~ resource "google_access_context_manager_service_perimeter" "test-ent-prod-perim-001" {
      ~ description               = "Perimeter shielding projects" -> "Prod VPC perimeter"
        id                        = "accessPolicies/263896276372/servicePerimeters/test_ent_prod_perim_001"
        name                      = "accessPolicies/263896276372/servicePerimeters/test_ent_prod_perim_001"
        # (4 unchanged attributes hidden)
      ~ status {
          ~ access_levels       = [
              - "accessPolicies/263896276372/accessLevels/test_ent_perim_access_001",
                "accessPolicies/263896276372/accessLevels/test_onprem_ipwhitelist",
                # (1 unchanged element hidden)
                "accessPolicies/263896276372/accessLevels/test_ent_perim_access_002",
              - "accessPolicies/263896276372/accessLevels/test_ent_perim_access_002",
              + "accessPolicies/263896276372/accessLevels/test_ent_perim_access_001",
            ]
            # (2 unchanged attributes hidden)
        }
        # (1 unchanged block hidden)
    }
Plan: 0 to add, 1 to change, 0 to destroy.

The object you imported does not match the current information written in the resource block, so Terraform is going to update it so it does match.

Hi,
Thanks for your reply, but I am not sure what is not matching. I have made changes so that I do not put the production code here, but essentially the original code is the same as above.
I wanted to understand why the import is removing the Access Level.

Regards,
Amarnath.

Because what is written in the .tf file differs from what the GCP API says is currently configured.

But my access levels, which are provided as input to the perimeter, are exactly the same as in the GCP console; there is no difference, even in the order.
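
An added example, not part of the thread and not Terraform or provider code: a small Python parser for the `access_levels` diff lines of the plan above. It rebuilds the before (imported state) and after (configuration) lists and separates real membership changes from reordering and duplicate entries. `PLAN_LINES` is copied from the plan in this thread; the function names and the `<hidden-N>` placeholders are assumptions of this example.

```python
import re
from collections import Counter

# Input copied from the access_levels block of the plan output in this thread.
PLAN_LINES = '''
- "accessPolicies/263896276372/accessLevels/test_ent_perim_access_001",
  "accessPolicies/263896276372/accessLevels/test_onprem_ipwhitelist",
  # (1 unchanged element hidden)
  "accessPolicies/263896276372/accessLevels/test_ent_perim_access_002",
- "accessPolicies/263896276372/accessLevels/test_ent_perim_access_002",
+ "accessPolicies/263896276372/accessLevels/test_ent_perim_access_001",
'''

def parse_list_diff(text):
    """Rebuild the (before, after) lists from Terraform list-diff lines."""
    before, after, hidden = [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'#\s*\((\d+) unchanged elements? hidden\)', line)
        if m:
            # Elided elements are present in both lists; keep a placeholder
            # (hypothetical name) so positions and counts stay correct.
            for _ in range(int(m.group(1))):
                hidden += 1
                before.append(f"<hidden-{hidden}>")
                after.append(f"<hidden-{hidden}>")
            continue
        m = re.match(r'([-+]?)\s*"([^"]+)"', line)
        if not m:
            continue
        sign, value = m.groups()
        if sign != "+":   # "-" and unmarked lines exist in the current state
            before.append(value)
        if sign != "-":   # "+" and unmarked lines exist in the configuration
            after.append(value)
    return before, after

def classify(before, after):
    """Separate membership changes from ordering and duplicate noise."""
    counts = Counter(before)
    return {
        "removed": sorted(set(before) - set(after)),
        "added": sorted(set(after) - set(before)),
        "duplicates_in_state": sorted(v for v, n in counts.items() if n > 1),
        "order_changed": list(dict.fromkeys(before)) != list(dict.fromkeys(after)),
    }

if __name__ == "__main__":
    print(classify(*parse_list_diff(PLAN_LINES)))
```

For the plan in this thread, `removed` and `added` are both empty: the `-`/`+` lines describe a duplicate `test_ent_perim_access_002` entry in the imported list and a different element order, not a change in which access levels are attached.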