
google_project leaves compute API enabled if auto_create_networks = false #13534

Open
@iamasmith

Description


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

v1.1.3
provider version 4.49.0

Affected Resource(s)

  • google_project

Terraform Configuration Files

resource "google_project" "foo" {
    name = "<something>"
    project_id = "<something>"
    parent = "<something>"
    auto_create_network = false
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

Project should be created, networks deleted via the Google Compute API and the Google Compute API and all dependencies then disabled so that no unexpected services are left enabled.

Actual Behaviour

Google Compute and OS Login APIs left enabled on the project following completion.

Steps to Reproduce

Simply use the auto_create_networks = false in a new Google Project resource.

Important Factoids

The implementation took a few cycles to find after our security team queried a project that inexplicably had Compute Engine enabled when the source didn't list this in resource google_project_services.

Noting...

  1. The reason for this approach shown in the referenced section of the source below is obvious and needs no explanation.

  2. The documentation page suggests using the policy to disable this behaviour instead of the parameter, which avoids this completely, since it is only in the presence of a false setting that the API gets enabled. But it does not identify this as a side effect of the setting.

  3. The variable is incorrectly named, really, but I suppose it is here to stay, so one would expect behaviours associated with the outcome it describes without this side effect.

  4. Since the enablement of the Compute API is only used during creation and not update, it seems safe to immediately disable the API again, as there should be no user setting for enabling the API applied against the project.

References

if !d.Get("auto_create_network").(bool) {
	// The compute API has to be enabled before we can delete a network.
	billingProject := project.ProjectId
	// err == nil indicates that the billing_project value was found
	if bp, err := getBillingProject(d, config); err == nil {
		billingProject = bp
	}
	if err = enableServiceUsageProjectServices([]string{"compute.googleapis.com"}, project.ProjectId, billingProject, userAgent, config, d.Timeout(schema.TimeoutCreate)); err != nil {
		return errwrap.Wrapf("Error enabling the Compute Engine API required to delete the default network: {{err}} ", err)
	}
	if err = forceDeleteComputeNetwork(d, config, project.ProjectId, "default"); err != nil {
		if isGoogleApiErrorWithCode(err, 404) {
			log.Printf("[DEBUG] Default network not found for project %q, no need to delete it", project.ProjectId)
		} else {
			return errwrap.Wrapf(fmt.Sprintf("Error deleting default network in project %s: {{err}}", project.ProjectId), err)
		}
	}
}

  • #0000
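The discovery described in the Important Factoids (a project with Compute Engine enabled that the source never declared) is the kind of drift check worth automating rather than finding by chance. The following Python script is an added example, not part of this issue or of the provider: it compares the services a Terraform source declares in google_project_service resources against the output of `gcloud services list --enabled --format="value(config.name)"`. The HCL and the gcloud output embedded below are constructed samples, and the project name foo is hypothetical.

```python
import re

# Constructed sample HCL: the only services the source declares for project "foo".
DECLARED_HCL = '''
resource "google_project" "foo" {
  name                = "foo"
  project_id          = "foo-example"
  auto_create_network = false
}

resource "google_project_service" "logging" {
  project = google_project.foo.project_id
  service = "logging.googleapis.com"
}

resource "google_project_service" "monitoring" {
  project = google_project.foo.project_id
  service = "monitoring.googleapis.com"
}
'''

# Constructed sample of `gcloud services list --enabled --format="value(config.name)"`
# captured after apply; compute and oslogin appear although the source never declares them.
ENABLED_OUTPUT = """\
compute.googleapis.com
logging.googleapis.com
monitoring.googleapis.com
oslogin.googleapis.com
"""

# Match each google_project_service block, then the service attribute inside it.
BLOCK_RE = re.compile(
    r'resource\s+"google_project_service"\s+"[^"]+"\s*\{(?P<body>.*?)\}', re.DOTALL
)
SERVICE_RE = re.compile(r'^\s*service\s*=\s*"(?P<name>[^"]+)"', re.MULTILINE)


def declared_services(hcl: str) -> set[str]:
    """Services explicitly declared via google_project_service resources."""
    found = set()
    for block in BLOCK_RE.finditer(hcl):
        for m in SERVICE_RE.finditer(block.group("body")):
            found.add(m.group("name"))
    return found


def enabled_services(gcloud_output: str) -> set[str]:
    """Parse one service name per line of gcloud output, ignoring blank lines."""
    return {line.strip() for line in gcloud_output.splitlines() if line.strip()}


def unexpected_services(hcl: str, gcloud_output: str, baseline=frozenset()) -> list[str]:
    """Enabled services that neither the source nor the org baseline accounts for.

    `baseline` is the set of APIs your organisation accepts on every new project
    (assumption: supply your own observed list); it is empty here so the result
    shows only the two services this issue reports as left enabled."""
    return sorted(enabled_services(gcloud_output) - declared_services(hcl) - set(baseline))


if __name__ == "__main__":
    for svc in unexpected_services(DECLARED_HCL, ENABLED_OUTPUT):
        print(f"enabled but not declared: {svc}")
```

In practice the real gcloud output is piped in per project and the `baseline` argument carries the APIs Google enables on every new project in your organisation; an empty result is the state one would expect if the creation-time enablement of compute.googleapis.com were reversed as point 4 above proposes.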

Metadata

Assignees

No one assigned

    Labels

    breaking-change
    persistent-bug (Hard to diagnose or long lived bugs for which resolutions are more like feature work than bug work)
    service/terraform
