Missing google_project_service data source

[ondrejklucka]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

In 3.x release, both resource and data source for google_project_services have been removed from the provider. However, the now recommended google_project_service resource is missing data source.

What's the best way to check if API has been enabled in the project? Does google_project_service data source make sense?

New or Affected Resource(s)

• google_project_service (data source)

Potential Terraform Configuration

data "google_project_service" "spanner" {
  service = "spanner.googleapis.com"
}

In 3.1.0 release:

Error: Invalid data source

  on data.tf line 1, in data "google_project_service" "spanner":
1: data "google_project_service" "spanner" {

The provider provider.google does not support data source
"google_project_service".

References

[rileykarson]

Hey @ondrejklucka! I'm curious what your use case for this datasource is. Have you found that you often need to check in Terraform whether services are enabled? And in what cases?

Since there's no way to specify a service as disabled in TF, the only actionable thing TF can do for a disabled service is enable it.

---

Generally, I see the google_project_service resource as an assertion more than a resource. In a similar scenario, I'd personally include it in a config like the following:

resource "google_project_service" "spanner" {
  service            = "spanner.googleapis.com"
  disable_on_destroy = true
}

That way, your config will work consistently regardless of whether the service was originally enabled or not.

[ondrejklucka]

Hi @rileykarson , thank you for the quick answer.

We need to know what APIs have been enabled (directly or as dependency) so that we can apply the appropriate IAM policy bindings on project-level (using google_project_iam_policy resource).

[goobysnack]

In my use case, which is also spanner, there is a race condition. When you add the spanner api, it doesn't spin up quickly enough before the instance creation fails. It would be nice if either there were explicit module dependencies or, the way this is often done, poll a data source for the service and make that a dependency of the spanner resources.

[rileykarson]

Thanks for the feedback! I'm somewhat surprised the datasource works when the resource doesn't- it should verify that the service is enabled as part of creation. We're tracking this issue as part of our triage process; if there's lots of interest (measured by number of 👍s on the parent post), we're likely to move it up in our priority list.

[goobysnack]

This is the issue I run into, for context
spanner.tf:

module "gcp_cspan" {
  source = "git::https://<fqdn removed>/tf-modules/gcp-cspan//?ref=master"

  project_id    = module.gcp_project.project_id
  configregion  = "regional-us-east1"
  instance_name = "instance-1"
  num_nodes     = 1
  db_name       = "db-1"
  role = "roles/spanner.databaseUser"
  members = [
    join("",["serviceAccount:svc-account@", module.gcp_project.project_id,".iam.gserviceaccount.com"]),
    "user:someuser@mydomain",
  ]
}

module:

<project services not fully listed>
additional_services = [
    "spanner.googleapis.com",
  ]

resource "google_spanner_instance" "spanner" {
  project      = var.project_id
  config       = var.configregion
  display_name = var.instance_name
  num_nodes    = var.num_nodes
}

resource "google_spanner_database" "database" {
  project  = var.project_id
  instance = google_spanner_instance.spanner.name
  name     = var.db_name
  ddl      = var.ddl
}

resource "google_spanner_database_iam_binding" "database" {
  project  = var.project_id
  instance = google_spanner_instance.spanner.name
  database = google_spanner_database.database.name
  role     = var.role

  members = var.members
}

Error Message:

Error: Error creating Instance: googleapi: Error 403: Cloud Spanner API has not been used in project dpr-tf12test-us-poc-1 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/spanner.googleapis.com/overview?project=<projectID> then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.

  on .terraform/modules/gcp_cspan/main.tf line 3, in resource "google_spanner_instance" "spanner":
   3: resource "google_spanner_instance" "spanner" {

[cschroer]

I do have the same problem here, the main use cases for data source is related to the google_project_iam_policy resource.

If you want to be authoritative on your project IAM policiy, you need to know the enabled services (and also the services enabled by dependencies). You may need to add some IAM rules for service-specific service accounts. I did this with some conditional magic inside my google_iam_policydata source relying on the google_project_services data source.

While removing the resource google_project_services this data source was removed, too. Would be great to have this data source back (no need for the resource, as this one was removed for good reasons).

[Bytamine]

It's nice to have. We were using it to check if "container.googleapis.com" is enabled for a project.
Is there a way to check this without google_project_service data source?

[mitj04]

b/263562201

[mitj04]

• Product Name - Service Usage
• Datasource Name - google_project_service or google_project_services
• API Docs - Link
• Notes -
  • According to the conversion of the issue, we need to determine if the service is enabled or not for the project.

Open Query:

• Should we require to add google_project_service datasource using its resource, which is verifying for the specified service that it's enabled or not?
• Should we require to add google_project_services which would be completely a new data-source?

I've created a PR for the time being to add the google_project_service datasource for verifying the requested service. If the specified service is enabled, the id will be computed and saved in the state file using this datasource.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.