Compute VM, tag_bindings don't work #1763
Comments
|
Variant B force a replacement of the VM if tag_bindings changes. Variant A force no replacement. |
|
Hmm, the one we are currently using is for IAM or org policy conditions, the one you mention for tags associated with a VPC and used in firewall policies (not the network tags, the secure tags). I am pretty sure we tested the one we have and it worked, in that case we need to add support for the latter and keep the former. It's getting late here, will investigate tomorrow and thanks for reporting this! |
|
You are correct, and sorry for delaying a proper answer. I will send a PR to fix this between today and tomorrow. |
|
Digging a bit deeper into this, I think we should support both methods:
I'll prepare a PR for the second option, and look into how best to add the second in the same PR, or in a subsequent one. Thanks for raising this. |
|
Well, turns out there's a permadiff in the provider unless the project number is used, which would force us to use a data source in the VM module, which we will never want to have:
So I guess we'll have to go with option A above, and remove the more flexible tag bindings until the provider issue has been addressed. |
The implementation of setting secure tags on a VM instance in module compute_vm in tags.tf is not right.
There two ways:
A: Use of "google_tags_location_tag_binding" instead of "google_tags_tag_binding". Requires also a project_number variable.
B: Delete tags.tf and add this to main.tf
params {
resource_manager_tags = var.tag_bindings
}
I am not sure what of this two is the right way.
The text was updated successfully, but these errors were encountered: