
Error creating service attachment (PSC) with GKE

Hi!

I have a problem creating the service attachment with Terraform. I am connecting an Apigee from one account to a GKE on another. I have followed this manual https://cloud.google.com/blog/products/api-management/using-private-service-connect-for-apigee-gke-c... and the specific part that fails with Terraform is this https://cloud.google.com/apigee/docs/api-platform/architecture/southbound-networking-patterns-endpoi..., specifically section 3.b.

My terraform resources:

```hcl
resource "google_compute_service_attachment" "psc_gke_service_attachment" {
  provider    = google.principal
  name        = "psc-gke-service-attachment"
  region      = var.region
  description = "A service attachment connecting the GKE cluster to the PSC"

  enable_proxy_protocol = false
  connection_preference = "ACCEPT_AUTOMATIC"
  nat_subnets           = [google_compute_subnetwork.gke_subnetwork_psc.name]
  target_service        = "my-id-of-gke-gateway"
}

resource "google_compute_subnetwork" "gke_subnetwork_psc" {
  provider                 = google.principal
  project                  = var.project
  name                     = "gke-psc"
  ip_cidr_range            = var.apigee_vpc_subnet_psc_cidr
  network                  = google_compute_network.vpc_principal.self_link
  region                   = var.region
  purpose                  = "PRIVATE_SERVICE_CONNECT"
  private_ip_google_access = true
}
```

I have tried to change multiple service attachment settings. I have also changed the terraform provider version (6.15.0, 6.23.0 and 6.24.0, for example).

The error returned is the following:

```
google_compute_service_attachment.psc_gke_service_attachment: Creating...
╷
│ Error: Plugin did not respond
│ 
│   with google_compute_service_attachment.psc_gke_service_attachment,
│   on 010_api_gee_service_attachment.tf line 1, in resource "google_compute_service_attachment" "psc_gke_service_attachment":
│    1: resource "google_compute_service_attachment" "psc_gke_service_attachment" {
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-google-beta_v6.24.0_x5 plugin:

panic: runtime error: index out of range [-1]

goroutine 46 [running]:
github.com/hashicorp/terraform-provider-google-beta/google-beta/services/compute.expandComputeServiceAttachmentTargetService({0x40fb6e0, 0xc001df1bd0}, {0x5394dc0, 0xc001dea380}, 0xc00033bc08)
        github.com/hashicorp/terraform-provider-google-beta/google-beta/services/compute/resource_compute_service_attachment.go:894 +0x1b3
github.com/hashicorp/terraform-provider-google-beta/google-beta/services/compute.resourceComputeServiceAttachmentCreate(0xc001dea380, {0x4a67820, 0xc00033bc08})
        github.com/hashicorp/terraform-provider-google-beta/google-beta/services/compute/resource_compute_service_attachment.go:315 +0x945
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x5386848?, {0x5386848?, 0xc001de6ba0?}, 0xd?, {0x4a67820?, 0xc00033bc08?})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.36.0/helper/schema/resource.go:826 +0x15f
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc000d5b200, {0x5386848, 0xc001de6ba0}, 0xc0007469c0, 0xc001dea200, {0x4a67820, 0xc00033bc08})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.36.0/helper/schema/resource.go:969 +0xa69
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc001216228, {0x5386848?, 0xc001de6ae0?}, 0xc001cfbef0)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.36.0/helper/schema/grpc_provider.go:1188 +0xd5c
github.com/hashicorp/terraform-plugin-mux/tf5muxserver.(*muxServer).ApplyResourceChange(0xc0003eca80, {0x5386848?, 0xc001de6810?}, 0xc001cfbef0)
        github.com/hashicorp/terraform-plugin-mux@v0.17.0/tf5muxserver/mux_server_ApplyResourceChange.go:36 +0x193
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc00046d400, {0x5386848?, 0xc001dc5d10?}, 0xc001dc31f0)
        github.com/hashicorp/terraform-plugin-go@v0.26.0/tfprotov5/tf5server/server.go:866 +0x3bc
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x4a227c0, 0xc00046d400}, {0x5386848, 0xc001dc5d10}, 0xc001cdf900, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.26.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:611 +0x1a6
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0001d3800, {0x5386848, 0xc001dc5c80}, 0xc001c235c0, 0xc0015549f0, 0x74dac98, 0x0)
        google.golang.org/grpc@v1.70.0/server.go:1400 +0x103b
google.golang.org/grpc.(*Server).handleStream(0xc0001d3800, {0x53871b8, 0xc0012e6000}, 0xc001c235c0)
        google.golang.org/grpc@v1.70.0/server.go:1810 +0xbaa
google.golang.org/grpc.(*Server).serveStreams.func2.1()
        google.golang.org/grpc@v1.70.0/server.go:1030 +0x7f
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 84
        google.golang.org/grpc@v1.70.0/server.go:1041 +0x125

Error: The terraform-provider-google-beta_v6.24.0_x5 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.
```

However, I have managed to create the resource without problems using the command in the documentation listed above from section 3.b:

```bash
gcloud compute service-attachments create psc-gke-service-attachment \
  --region=europe-west1 --producer-forwarding-rule=my-id-of-gke-gateway \
  --connection-preference=ACCEPT_AUTOMATIC --nat-subnets=gke-psc --project=my-project-id
```

It would help me a lot if someone has created this resource with terraform. Or if you have managed to solve this problem. Thank you very much for your help.


Hi! Thank you for posting your question in the forum. We've noticed it hasn't received a response yet, but we're keeping an eye on it and will try to get some information from other members soon.

In the meantime, we'd love for you to join us tomorrow at our office hours. We'll be discussing the Apigee Migration Assessment tool. If you're interested, you can register here: https://rsvp.withgoogle.com/events/apigee-emea-office-hours-2024/home. The session is at 4:00 PM CET, which is also a convenient time for many in the Americas. 😊

This looks like a tough one to track down, probably an error in the tf definition somewhere. Did you manage to find a solution in the meantime? @ncardace - any ideas?

It is strange that it is a mistake in the definition, because it is taken from the terraform documentation and from an apigee example.

I leave the links to the documentation:

And I haven't been able to solve it with terraform yet.

Hello 👋 I am experiencing the same behavior when I use the `google_compute_service_attachment`. I have also been following the example provided in the published Terraform documentation for this resource.

The best workaround I have found thus far is to create the resource manually and import it into my Terraform state. To echo the post above, if anyone has been able to get this resource working or has identified the bug, please let me know. Thank you!

 

I haven't attempted to reproduce this error yet; however, there seem to be multiple related/similar service attachment issues in the terraform provider repo.

```
github.com/hashicorp/terraform-provider-google-beta/google-beta/services/compute.expandComputeServiceAttachmentTargetService({0x40fb6e0, 0xc001df1bd0}, {0x5394dc0, 0xc001dea380}, 0xc00033bc08)
        github.com/hashicorp/terraform-provider-google-beta/google-beta/services/compute/resource_compute_service_attachment.go:894 +0x1b3
```

Please note the comments re target_service here ("target_service in the google_compute_service_attachment resource must be a URI"). Also, your stack trace error is in the target service code AND has an index out of range error, so I'm assuming it's the same.

https://github.com/hashicorp/terraform-provider-google/issues/22206#issuecomment-2810974795

https://github.com/hashicorp/terraform-provider-google/issues/22169#issuecomment-2779525765

You can also compare your target_service value with the format used in the example here:

https://github.com/hashicorp/terraform-provider-google/issues/18710

You can also see here the relevant code from your stack trace doing a split on the "/" character. Additionally, the validation in the terraform provider is happening on line 896, while you're having the out of bounds error on line 894. The validation should be moved two lines up.

https://github.com/hashicorp/terraform-provider-google/blob/e42bc50cbae936903eeef07d40522665b151f0c2...
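
The ordering problem described in the last reply (split on "/", index, then validate), as an added Go example that is not the provider's code and not part of any post in this thread. The function names, the index used, and the accepted path shape (a regional forwarding rule, matching `--producer-forwarding-rule` in the gcloud command) are assumptions; the sample URI is constructed from the thread's placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample built from the placeholder names used in the thread.
const sampleURI = "https://www.googleapis.com/compute/v1/projects/my-project-id" +
	"/regions/europe-west1/forwardingRules/my-id-of-gke-gateway"

// indexThenValidate shows the failure class: it indexes the split result
// before checking the segment count. Hypothetical, not the provider's code.
func indexThenValidate(target string) (kind string, panicked bool) {
	defer func() {
		if recover() != nil {
			kind, panicked = "", true
		}
	}()
	parts := strings.Split(target, "/")
	return parts[len(parts)-2], false // one segment: index -1, runtime panic
}

// validateThenIndex checks the shape first, then indexes. Assumed shape:
// .../projects/P/regions/R/forwardingRules/NAME (full URL or partial path).
func validateThenIndex(target string) (region, name string, err error) {
	parts := strings.Split(target, "/")
	if len(parts) < 6 {
		return "", "", fmt.Errorf("target_service %q is not a resource URI", target)
	}
	tail := parts[len(parts)-6:]
	if tail[0] != "projects" || tail[2] != "regions" || tail[4] != "forwardingRules" ||
		tail[1] == "" || tail[3] == "" || tail[5] == "" {
		return "", "", fmt.Errorf("target_service %q: unexpected resource path", target)
	}
	return tail[3], tail[5], nil
}

func main() {
	for _, v := range []string{"my-id-of-gke-gateway", sampleURI} {
		_, panicked := indexThenValidate(v)
		region, name, err := validateThenIndex(v)
		fmt.Printf("%q\n  index-first panicked=%v\n  validate-first region=%q name=%q err=%v\n",
			v, panicked, region, name, err)
	}
}
```

With the bare name from the original post, the index-first function panics while the validate-first function returns an ordinary error that a caller can surface as a diagnostic.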