Constraint constraints/cloudfunctions.allowedIngressSettings violated for projects/project_id attempting CreateFunctionActionV1 with ingress_settings set to INGRESS_SETTINGS_UNSPECIFIED
[READ] Step 1: Are you in the right place?
Issues filed here should be about bugs for a specific extension in this repository. If you have a general question, need help debugging, or fall into some other category use one of these other channels:
- For general technical questions, post a question on StackOverflow with the firebase tag.
- For general Firebase discussion, use the firebase-talk google group.
- To file a bug against the Firebase Extensions platform, or for an issue affecting multiple extensions, please reach out to Firebase support directly.
[REQUIRED] Step 2: Describe your configuration
- Extension name: firestore-bigquery-export
- Extension version: 1.22 (latest)
- Configuration values (redact info where appropriate):
- _
- _
[REQUIRED] Step 3: Describe the problem
The default setting for “Ingress setting” in the extension seems to be not set. So, if an organization is restricting “Ingress settings = Allow all traffic”, then the installation fails. I am not sure what the actual requirements for this extension are, i.e. does it really need “Ingress settings = Allow all traffic”?
Steps to reproduce:
If your organization policy applies constraints/cloudfunctions.allowedIngressSettings and doesn’t allow “Ingress settings = Allow all traffic” for CloudFunctions, then the installation of this extension fails with the below error.
RESOURCE_ERROR at /deployments/firebase-ext-firestore-bigquery-export/resources/fsexportbigquery: {"ResourceType":"gcp-types/cloudfunctions-v1:projects.locations.functions","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"The request has violated one or more Org Policies. Please refer to the respective violations for more information.","status":"FAILED_PRECONDITION","details":[{"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{"type":"constraints/cloudfunctions.allowedIngressSettings","subject":"orgpolicy:projects/project_id","description":"**Constraint constraints/cloudfunctions.allowedIngressSettings violated for projects/project_id attempting CreateFunctionActionV1 with ingress_settings set to INGRESS_SETTINGS_UNSPECIFIED**. See https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints for more information."}]}],"statusMessage":"Bad Request","requestPath":"https://cloudfunctions.googleapis.com/v1/projects/project_id/locations/northamerica-northeast1/functions","httpMethod":"POST"}}
Expected result
Installation should work successfully.
Actual result
But it fails.
Recommendation: If the extension doesn’t need “Ingress settings = Allow all traffic”, then I think it would be good to set the default to “Allow internal traffic only”.
Issue Analytics
- State:
- Created a year ago
- Comments:25 (3 by maintainers)
Top GitHub Comments
Hmm… for some reason I wrongly assumed that for ingressSettings: 'ALLOW_INTERNAL_ONLY' it required a VPC connector. This may be a much simpler fix than I expected. Let me investigate whether it’s safe to just always set it to ALLOW_INTERNAL_ONLY for functions used for event triggers. Obviously we will still need to set ALLOW_ALL for http endpoints and you won’t be able to install those extensions (bigquery export is not one of them), and that is exactly what we want.
@eslamkarim, the fix is fully rolled out now.
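For triaging failed installs like the one reported above, the following added example (not part of the issue thread or the extension's code) parses a RESOURCE_ERROR line and lists which org policy constraint was violated and which value triggered it. The function name and the trimmed sample line are assumptions constructed from the error quoted in the issue.

```python
import json
import re

# Constructed sample: the error from the issue, trimmed to the fields used here.
SAMPLE_ERROR = (
    'RESOURCE_ERROR at /deployments/firebase-ext-firestore-bigquery-export/resources/fsexportbigquery: '
    '{"ResourceType":"gcp-types/cloudfunctions-v1:projects.locations.functions",'
    '"ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,'
    '"status":"FAILED_PRECONDITION","details":[{'
    '"@type":"type.googleapis.com/google.rpc.PreconditionFailure","violations":[{'
    '"type":"constraints/cloudfunctions.allowedIngressSettings",'
    '"subject":"orgpolicy:projects/project_id",'
    '"description":"Constraint constraints/cloudfunctions.allowedIngressSettings violated for '
    'projects/project_id attempting CreateFunctionActionV1 with ingress_settings set to '
    'INGRESS_SETTINGS_UNSPECIFIED."}]}]}}'
)

PRECONDITION = "type.googleapis.com/google.rpc.PreconditionFailure"
ATTEMPT_RE = re.compile(r"attempting (\w+) with (\w+) set to (\w+)")


# Hypothetical helper (not part of the extension or any Google tooling).
def org_policy_violations(error_line):
    """Return one dict per org-policy violation found in a RESOURCE_ERROR line."""
    prefix, sep, payload = error_line.partition(": {")
    if not sep:
        return []  # not the "<prefix>: {json}" shape
    try:
        body = json.loads("{" + payload)
    except json.JSONDecodeError:
        return []  # truncated or mangled log line
    resource = prefix.rsplit("/resources/", 1)[-1]
    message = body.get("ResourceErrorMessage", {})
    found = []
    for detail in message.get("details", []):
        if detail.get("@type") != PRECONDITION:
            continue
        for v in detail.get("violations", []):
            m = ATTEMPT_RE.search(v.get("description", ""))
            found.append({
                "resource": resource,
                "constraint": v.get("type"),
                "subject": v.get("subject"),
                "action": m.group(1) if m else None,
                "field": m.group(2) if m else None,
                "value": m.group(3) if m else None,
            })
    return found
```

Calling `org_policy_violations(SAMPLE_ERROR)` returns a single entry for the `fsexportbigquery` resource; a line that is truncated or not in this shape returns an empty list.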