Google Cloud Platform and Terraform to protect App Engine with Identity Aware Proxy IAP

Question

It's around three days that I'm getting crazy trying to secure via Terraform my App Engine. When I secure my application manually through GCP console my steps are:

• Create App Engine
• Activate IAP and create an OAuth consent screen
• Activate the protection to the Web Applications (=> App Engine)

Manually it works.

With terraform I have successfully created all variables, providers and activated all APIs that are needed, but my approach to secure the app seems to have something wrong, but I don't know what. Hereunder my code pieces:

1. Create App Engine (it works)

resource "google_app_engine_application" "app-init" {
    project       = var.project_id
    location_id   = var.project_location
    database_type = "CLOUD_FIRESTORE"
}

1. Activate IAP and create an OAuth consent screen (it doesn't work)

resource "google_iap_brand" "project_brand" {
    support_email     = "my-owner-service-account-email@..."
    application_title = "Cloud IAP protected Application"
    project           = "my-project-id"
}

Executing this I get this error:

Error creating Brand: googleapi: Error 409: Requested entity already exists

What's wrong with my code or my approach?

Thanks a lot in advance to every one!

Answer 1

You can only initiate App Engine once per project and the same thing applies for IAP Brands. Therefore, it means that you already have those configured on your project and they can't be re-created again. See Terraform doc:

Brands can only be created once for a Google Cloud project and the underlying Google API doesn't not support DELETE or PATCH methods. Destroying a Terraform-managed Brand will remove it from state but will not delete it from Google Cloud.

Here's the correct snippet on how to create an App Engine application and enable IAP in Terraform:

resource "google_app_engine_application" "app-init" {
    project       = var.project_id
    location_id   = var.project_location
    database_type = "CLOUD_FIRESTORE"
    iap {
      enabled = true
      oauth2_client_id = "your_client_id"
      oauth2_client_secret = "your_client_secret"
    }
}

Terraform Google provider is just another client that calls Google Cloud APIs. google_app_engine_application is equivalent to apps.create.

Note the credentials oauth2_client_id & oauth2_client_secret. Even if you created a new project, these credentials can only be found once you've setup the OAuth Consent Screen. These settings are required in Terraform, so when creating and managing an App Engine application, you can't enable IAP without the OAuth2 credentials.

Also, the apps.patch API supports update on iap field, but it's not available in Terraform, so if you have an existing App Engine application on your project, the only way to enable/disable IAP is through GCP console, Client Libraries or directly accessing the API.

Answer 2

I think you can send a feedback to Google Cloud teams about your experience on terraforming those resources (IAP and App Engine Application): https://cloud.google.com/support/docs/issue-trackers.

I ended-up with some conditional in my code to make it work with already deployed resources. If App Engine was already deployed then I switch the "feature flag" app_engine_application_terraformed to false:

resource "null_resource" "enable_iap_when_app_engine_manual" {
  count = !var.app_engine_application_terraformed && var.iap_enabled ? 1 : 0

  triggers = { always_run = timestamp() }

  provisioner "local-exec" {
    when    = create
    command = <<-EOT
      gcloud iap web enable --project=${var.project_id} \
        --oauth2-client-id='${var.iap_client_id}' \
        --oauth2-client-secret='${var.iap_client_secret}' \
        --resource-type=app-engine
    EOT
  }
}