Inappropriate value for attribute "metadata": element "items": string required

Terraform
1

Hi,

I am referring to https://github.com/GoogleCloudPlatform/healthcare/tree/master/deploy to enable Data Protection Toolkit

cat config.yaml
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This sample configuration provides the minimum configuration required by the DPT scripts.
# Audit resources will be created locally in the project.
overall:
organization_id: '7954763295'
billing_account: 89NJCG-KL987Y-LPIU76
domain: [mydomain.com](http://mydomain.com/)
generated_fields_path: ./generated_fields.yaml
projects:
- project_id: ghcdrupalprojectdpt
owners_group: [ghcdrupalproject-owners@mydomain.com](mailto:ghcdrupalproject-owners@mydomain.com)
auditors_group: [ghcdrupalproject-auditors@mydomain.com](mailto:ghcdrupalproject-auditors@mydomain.com)
audit:
logs_bigquery_dataset:
dataset_id: mydomain_ghcdrupalprojectdpt001_logs  # Bigquery Dataset names must use underscores.
location: US
devops:
state_storage_bucket:
name: mydomain-ghcdrupalprojectdpt-state
location: US
compute_instances:
- name: ghcdrupalprojectdpt-instance
zone: us-central1-a
machine_type: n1-standard-1
boot_disk:
initialize_params:
image: debian-cloud/debian-9
network_interface:
network: default
metadata:
items:
- key: startup-script
value: sudo apt-get update

I am running the bazel run command which is as below. I am encountering this issue facing Inappropriate value for attribute "metadata": element "items": string required.

#bazel run cmd/apply:apply – --config_path=config.yaml --projects=ghcdrupalprojectdpt

2020/04/11 20:48:18 Running: [terraform apply]
Releasing state lock. This may take a few moments…
2020/04/11 20:48:23 Failed to apply configs: failed to apply “ghcdrupalprojectdpt”: failed to apply resources: failed to apply plan: exit status 1:
Error: Incorrect attribute value type
on main.tf.json line 156, in resource[5].google_compute_instance.ghcdrupalprojectdpt-instance:
156: “metadata”: {
157: “items”: [
158: {
159: “key”: “startup-script”,
160: “value”: “sudo apt-get update”
161: }
162: ]
163: },
Inappropriate value for attribute “metadata”: element “items”: string
required.

I look forward to hearing from you. Thanks in advance.

More info regarding bazel:- https://www.bazel.build/

Best Regards,

Kaushal

2

Hi @kaushalshriyan,

This error is appearing because the provider has defined this metadata argument as being a map from string to string, and so your value of items is not acceptable per that schema: it’s a list of objects.

I believe (based on looking at the docs and the schema) that this metadata argument is expecting a value like the following:

metadata = {
  startup-script = "sudo apt-get update"
}

With Bazel and this other repository in the mix though, I’m not sure where is the appropriate layer to fix this to make the configuration match what the provider is expecting. I see you already opened a GitHub issue in that repository, which is what I was going to suggest as a next step:

It might be worth adding a link in that issue to this discussion thread for additional context to whoever reads that GitHub issue on the Google Cloud Platform side.

3

@apparentlymart Thanks a lot it worked. I am able to proceed. But now I am getting the below issue

Apr 13 17:33:10 ghcdrupalprojectdpt-instance chronyd[483]: Selected source 169.254.169.254
Apr 13 17:33:10 ghcdrupalprojectdpt-instance startup-script: INFO startup-script: ServiceException: 401 Anonymous caller does not have storage.objects.get access to ghcdrupalcodedpt/installnginxmariadbnewtestdrupalghc.sh.
Apr 13 17:33:10 ghcdrupalprojectdpt-instance startup-script: INFO startup-script: sh: /home/kaushalshriyan/installnginxmariadbnewtestdrupalghc.sh: No such file or directory
Apr 13 17:33:10 ghcdrupalprojectdpt-instance startup-script: INFO startup-script: Return code 127.
Apr 13 17:33:10 ghcdrupalprojectdpt-instance startup-script: INFO Finished running startup scripts.

metadata:
startup-script: “cd /home/kaushalshriyan; gsutil cp gs://ghcdrupalcodedpt/installnginxmariadbnewtestdrupalghc.sh /home/kaushalshriyan; sh -xv /home/kaushalshriyan/installnginxmariadbnewtestdrupalghc.sh”

when i ran it by hand

gsutil cp gs://ghcdrupalcodedpt/installnginxmariadbnewtestdrupalghc.sh /home/kaushalshriyan
ServiceException: 401 Anonymous caller does not have storage.objects.get access to ghcdrupalcodedpt/installnginxmariadbnewtestdrupalghc.sh.

Is there a way to grant access to gsutil cp gs://ghcdrupalcodedpt/installnginxmariadbnewtestdrupalghc.sh /home/kaushalshriyan ? in the below mentioned config.yaml file ?

cat config.yaml
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# This sample configuration provides the minimum configuration required by the DPT scripts.
# Audit resources will be created locally in the project.
overall:
organization_id: '7954763295'
billing_account: 89NJCG-KL987Y-LPIU76
domain: [mydomain.com](http://mydomain.com/)
generated_fields_path: ./generated_fields.yaml
projects:
- project_id: ghcdrupalprojectdpt
owners_group: [ghcdrupalproject-owners@mydomain.com](mailto:ghcdrupalproject-owners@mydomain.com)
auditors_group: [ghcdrupalproject-auditors@mydomain.com](mailto:ghcdrupalproject-auditors@mydomain.com)
audit:
logs_bigquery_dataset:
dataset_id: mydomain_ghcdrupalprojectdpt001_logs  # Bigquery Dataset names must use underscores.
location: US
devops:
state_storage_bucket:
name: mydomain-ghcdrupalprojectdpt-state
location: US
compute_instances:
- name: ghcdrupalprojectdpt-instance
zone: us-central1-a
machine_type: n1-standard-1
boot_disk:
initialize_params:
image: debian-cloud/debian-9
network_interface:
network: default
metadata:
      startup-script: "cd /home/kaushalshriyan; gsutil cp gs://ghcdrupalcodedpt/installnginxmariadbnewtestdrupalghc.sh /home/kaushalshriyan; sh -xv /home/kaushalshriyan/installnginxmariadbnewtestdrupalghc.sh"

I look forward to hearing from you. Thanks in advance.

Best Regards,

Kaushal

4

@apparentlymart I have enabled the array service_accounts: in config.yaml file. I am facing this issue -> https://paste.centos.org/view/b7d929c8

Please suggest further. Thanks in Advance and I look forward to hearing from you.

Best Regards,

Kaushal

5

Hi @kaushalshriyan,

I’m afraid this is getting quite far from my expertise now since this seems to be a Google Cloud Platform-specific problem.

Based on what you’ve shared, I’m guessing that what is going on here is that the startup script includes calls to gsutil, and the script is running inside the virtual machine you’ve created, not inside Terraform itself or on the system whe you ran Terraform.

I think in order to make this work you would need to configure the instance to run as a service account, (I think service_account is the Terraform equivalent to that) and make sure that the service account you choose has access to retrieve the given object from the ghcdrupalcodedpt storage bucket. That should then allow gsutil to find and use instance-specific credentials when it is handling that gsutil cp request.