Menu
I'm seeing something strange with google_compute_firewall, the compute instance is in a shared subnet.
I assume a firewall rule needs to be associated to the network which that subnet belongs to. But we can't add the firewall rule to that network because:
google_compute_firewall.intacct-firewall: Error creating Firewall: googleapi: Error 400: Invalid value for field 'resource.network': 'projects/it-production-186816/global/networks/production'. Cross project referencing is not allowed for this resource., invalid
Unable to find anything documented for firewall rules on shared networks. Are we to add the firewall to the local VPC and not the shared VPC?
The compute image has this network configuration:
network_interface {
subnetwork = "${var.subnetwork}"
subnetwork_project = "${var.vpc_parent}"
access_config = {
nat_ip = "${google_compute_address.dokku.address}"
}
}
So although the compute instance is in project-1, the network it's using is in project-2
EDIT:
My main.tf:
# Backend config
terraform {
backend "gcs" {
bucket = "intacct-staging-remote-backend"
project = "fr-intacct-staging"
credentials = "./creds/serviceaccount.json"
}
}
#
# Provider config
provider "google" {
region = "${var.gcp_region}"
project = "${var.gcp_project}"
credentials = "${file("./creds/serviceaccount.json")}"
}
#
# Static IP Address for the app
resource "google_compute_address" "dokku" {
name = "fr-intacct-staging-ip"
address_type = "EXTERNAL"
}
#
# Compute Instance Config
resource "google_compute_instance" "dokku" {
project = "${var.gcp_project}"
name = "dokku-host1"
machine_type = "${var.comp_type}"
zone = "${var.gcp_zone}"
allow_stopping_for_update = "true"
tags = ["intacct"]
# Install Dokku
metadata_startup_script = <<SCRIPT
sudo yum install -y wget
wget https://raw.githubusercontent.com/dokku/dokku/v0.14.5/bootstrap.sh
sudo DOKKU_TAG=${var.dokku_version} bash bootstrap.sh
sudo dokku apps:create fr-intacct-staging
sudo echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sudo systemctl restart network
setenforce 0
SCRIPT
boot_disk {
initialize_params {
image = "${var.compute_image}"
}
}
network_interface {
subnetwork = "${var.subnetwork}"
subnetwork_project = "${var.vpc_parent}"
access_config = {
nat_ip = "${google_compute_address.dokku.address}"
}
}
}
#
# Firewall rule for app access
resource "google_compute_firewall" "intacct-firewall" {
name = "intacct-firewall"
network = "projects/it-production-186816/global/networks/production"
allow {
protocol = "tcp"
ports = [ "80" ]
}
source_ranges = [ "0.0.0.0/0" ]
target_tags = [ "intacct" ]
}
It seems wrong to be using another provider config for the other project to add a firewall rule.
If it is that way, then so be it... but since the service account in use has permission on the other project, it seems wrong that we'd have to use another provider for the other project?
789
asked Sep 06 '25 21:09
There is no issue with the error, you should execute your terraform in the project where the network is declared.
If it's project-2 (as you are in a multiple project env), you should execute your terraform on project-2 and not declare your terraform to use project-1 to do configuration in another project. That's exactly what the error is telling you :)
UPDATE
Let's be even more precise.
So you could declare another provider, it's what I would prefer to do as I would know precisely where the code is executed and the project, but you could also try to specify the project inside the resource like you did on the compute instance, for the firewall rule:
resource "google_compute_firewall" "intacct-firewall" {
project = "projcet-2"
name = "intacct-firewall"
network = "projects/it-production-186816/global/networks/production"
allow {
protocol = "tcp"
ports = [ "80" ]
}
source_ranges = [ "0.0.0.0/0" ]
target_tags = [ "intacct" ]
}
There is a catch to doing this, the service account you are using should have rights to do thing in both projects.
101
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
