Move google_project_service into the provider configuration / add enabled_services to the provider

[ari-becker]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Every time I add a new kind of GCP resource to my terraform configuration, I need to add a google_project_service to enable the API for that kind of GCP resource.

This leads to a configuration that looks like the following:

resource "google_project_service" "enabled" {
  for_each = toset([
    "appengine.googleapis.com",
    "iam.googleapis.com",
    ...
  ])

  service = each.value
}

resource "google_app_engine_application" "this" {
  ...
  depends_on = [google_project_service.enabled]
}

resource "google_service_account" "this" {
  ...
  depends_on = [google_project_service.enabled]
}

where nearly every resource requires depends_on to be added to it in order to assure that the resource will be applied cleanly, by forcing Terraform to enable the API before trying to use the API to create the resource. This is error prone - often the depends_on lines are forgotten.

Instead, allow moving the google_project_service.enabled into the provider configuration. This will ensure that the provider always has the APIs enabled.

New or Affected Resource(s)

• google_project_service
• provider

Potential Terraform Configuration

provider "google" {
  enabled_services = [
    "appengine.googleapis.com",
    "iam.googleapis.com",
    ...
  ]
}

References

Take a leaf out of the AWS provider - instead of needing to attach tags to every single resource created by the AWS provider, they added a default_tags option to the provider so that it could be configured once at the provider level and not on every single resource. Reference: https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider

[gtirloni]

AFAIK, provider{} blocks do not configure anything remotely. They just enable TF to access the provider's API, no?

[ari-becker]

AFAIK, provider{} blocks do not configure anything remotely. They just enable TF to access the provider's API, no?

The implementation for this may simply be to, whenever attempting to use an API (for another resource), if that API is in the enabled_services list, then to just go ahead and enable that API and then resume with resource creation, instead of failing the apply. The key is to not require nearly every resource to include the depends_on block to guarantee a clean apply on a fresh project.

[slevenick]

I don't think we want to support this in this way.

google_project_services was a resource that managed a group of services similar to the proposed enabled_services and it was intentionally removed due to issues: #4592

Additionally I don't think we want to add this sort of configuration to the provider block as it introduces a lot of complexity into provider instantiation. Making API calls during provider configuration is tricky, and probably not something we want to do

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.