I've tried to create a backend service on GCP. The Ansible module below is being used for that: `google.cloud.gcp_compute_backend_service`, which is creating the backend service, but the security policy is not assigned.
```yaml
- name: create a global backend service
  google.cloud.gcp_compute_backend_service:
    name: test
    protocol: **
    load_balancing_scheme: EXTERNAL
    backends: **
    security_policy: armor_ssl_policy_1
    enable_cdn: no
    state: present
    project: test
    auth_kind: "serviceaccount"
    service_account_file: ouauthfile
    .
    .
    .
```
Not sure where I am going wrong, can someone please correct me?
I've tried to pass a string and a selfLink as well, no luck with them.
I tried to create a GCP backend service with Ansible just as you did and I was successful. However, the same thing happened: it was created without the security policy assigned.
I already had an instance group and health check created beforehand, so I focused on just a service; my playbook looked like this:
```yaml
- name: Create Backend Service
  hosts: localhost
  vars:
    service_account_file: /home/wb/key.json
    project: xxxx
    auth_kind: serviceaccount
    scopes:
      - https://www.googleapis.com/auth/compute
  tasks:
    - name: create a backend service
      gcp_compute_backend_service:
        name: ansible-service
        security_policy: test-pol
        backends:
          - group: "https://www.googleapis.com/compute/v1/projects/xxxx/zones/europe-central2-a/instan$
        health_checks:
          - "https://www.googleapis.com/compute/v1/projects/xxxx/global/healthChecks/ssh-hc"
        enable_cdn: 'false'
        project: "{{ project }}"
        auth_kind: "{{ auth_kind }}"
        service_account_file: "{{ service_account_file }}"
        scopes: "{{ scopes }}"
        state: present
```
The service gets created but there's no security policy assigned.
The `securityPolicy` parameter, according to the Ansible documentation, is a string type. I tried using ' and ", even a full GCP selfLink (for the policy), with absolutely no success and no error message.
The only way (using the CLI) that I found to remedy that is to run `gcloud compute backend-services update ansible-service --security-policy=test-pol` or try calling the API directly (didn't try that yet).
At this point, in my opinion, there's an issue with the Ansible module calling the GCP API.
I'd recommend you file an issue on Google's IssueTracker if some features don't work as you expected. You can also try reporting this to the Ansible team and reference the issue at IssueTracker (if you decide to report it) so they may even communicate during the process.
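Because the module reports success even when no policy is attached, the gcloud workaround from the answer above can be wrapped in a check that runs after the play and confirms the result. This is an added example, not part of the original posts; the `--global` and `--project` flags, the function names and the `$PROJECT` variable are assumptions for a global backend service.

```bash
#!/usr/bin/env bash
# Added example: verify and, if needed, attach a Cloud Armor policy to a
# global backend service after the Ansible task has run.
# Assumes gcloud is installed and authenticated for the project.

# Print the short name of the policy attached to a global backend service.
# Empty output means no policy is attached.
attached_policy() {
  local service="$1" project="$2" url
  url="$(gcloud compute backend-services describe "$service" \
          --global --project "$project" \
          --format='value(securityPolicy)')" || return 1
  # securityPolicy is returned as a full URL; keep only the last segment.
  printf '%s\n' "${url##*/}"
}

# Attach the policy only when the service does not already reference it,
# then re-read the service so a silent failure is reported as an error.
ensure_security_policy() {
  local service="$1" policy="$2" project="$3" current
  current="$(attached_policy "$service" "$project")" || return 1
  if [ "$current" = "$policy" ]; then
    echo "ok: $service already uses $policy"
    return 0
  fi
  echo "fixing: $service has '${current:-none}', expected $policy"
  gcloud compute backend-services update "$service" \
    --global --project "$project" --security-policy="$policy" || return 1
  current="$(attached_policy "$service" "$project")" || return 1
  [ "$current" = "$policy" ]
}

# Usage (service and policy names from the answer above; the project id
# is elided on the page, so it is passed in as a variable):
#   ensure_security_policy ansible-service test-pol "$PROJECT"
```

A non-zero exit status from `ensure_security_policy` means the backend service is still exposed without the expected policy, which makes it suitable as a gate in a deployment pipeline.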