Status Update
Comments
ba...@google.com <ba...@google.com>
ma...@google.com <ma...@google.com> #2
Hello,
Thank you for reaching out to us with your request.
We have duly noted your feedback and will thoroughly validate it. While we cannot provide an estimated time of implementation or guarantee the fulfillment of the issue, please be assured that your input is highly valued. Your feedback enables us to enhance our products and services.
We appreciate your continued trust and support in improving our Google Cloud Platform products. In case you want to report a new issue, please do not hesitate to create a new issue on the
Once again, we sincerely appreciate your valuable feedback. Thank you for your understanding and collaboration.
Thanks & Regards,
Ashalatha
Google Cloud Support
np...@paypal.com <np...@paypal.com> #3
da...@google.com <da...@google.com> #4
Thanks
on...@google.com <on...@google.com>
ss...@google.com <ss...@google.com> #5
Any update about ETA for this ask?
Thanks
ka...@google.com <ka...@google.com> #6
This is also important to my Cx. So now there are Cx from multiple regions requesting this ask.
Description
Here a GCP project is taken as an example, but other objects such as service accounts and user accounts also have the same issue.
When a project listed in the IngressTo or EgressTo section of a VPC Service Controls perimeter is deleted (perimeter with Dry Run enabled), subsequent updates to the perimeter become impossible. This creates a deadlock situation where attempts to update the enforced configuration or dry run configuration result in the following error message:
Error 400: com.google.apps.framework.request.NotFoundException: Project, projects/447257904342, does not exist.
Steps to Reproduce:
1. Create a VPC Service Controls perimeter and add a project to the IngressTo or EgressTo section.
2. Enable Dry Run for the perimeter.
3. Delete the project from the GCP Console or via gcloud commands.
4. Attempt to update the VPC SC perimeter to remove the deleted project from IngressTo or EgressTo.
Expected Behaviour:
The update to the VPC SC perimeter should succeed without error, allowing the removal of the deleted project.
Actual Behaviour:
The update fails with a NotFoundException, leading to a deadlock situation.
Impact:
This issue prevents necessary updates to VPC SC perimeters, potentially affecting security configurations and resource access management.
Proposed Solution:
Consider enhancing the handling of deleted projects or objects within VPC Service Controls, particularly when Dry Run is enabled. Automatically removing non-existent projects or objects from the Dry Run configuration could help resolve this issue.
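
Added example, not part of the original report and not Google tooling: a pre-deletion check that lists every IngressTo/EgressTo entry, in both the enforced (status) and dry-run (spec) configurations, that names a project about to be deleted, so the entries can be removed while the perimeter can still be updated. The perimeter JSON is constructed and assumed to follow the Access Context Manager ServicePerimeter field layout; the function names are hypothetical.

```python
import json

# Constructed sample: one perimeter in the assumed JSON shape of the Access
# Context Manager ServicePerimeter resource. Only the project number from the
# error message above comes from this page; everything else is made up.
PERIMETER_JSON = """
{
  "name": "accessPolicies/0000000000/servicePerimeters/example_perimeter",
  "useExplicitDryRunSpec": true,
  "status": {
    "ingressPolicies": [
      {"ingressTo": {"resources": ["projects/111111111111"]}}
    ]
  },
  "spec": {
    "ingressPolicies": [
      {"ingressTo": {"resources": ["projects/447257904342", "*"]}}
    ],
    "egressPolicies": [
      {"egressTo": {"resources": ["projects/447257904342"]}}
    ]
  }
}
"""

def referenced_projects(perimeter):
    """Yield (config, rule_path, resource) for each project in IngressTo/EgressTo."""
    for config in ("status", "spec"):  # enforced and dry-run configurations
        body = perimeter.get(config) or {}
        for list_key, to_key in (("ingressPolicies", "ingressTo"),
                                 ("egressPolicies", "egressTo")):
            for i, policy in enumerate(body.get(list_key, [])):
                for res in (policy.get(to_key) or {}).get("resources", []):
                    if res.startswith("projects/"):  # skip the "*" wildcard
                        yield config, f"{list_key}[{i}].{to_key}", res

def blocking_references(perimeter, projects_to_delete):
    """Return rule entries to remove before the given project numbers are deleted."""
    doomed = {f"projects/{n}" for n in projects_to_delete}
    return [ref for ref in referenced_projects(perimeter) if ref[2] in doomed]

if __name__ == "__main__":
    perimeter = json.loads(PERIMETER_JSON)
    for config, path, res in blocking_references(perimeter, ["447257904342"]):
        print(f"{perimeter['name']}: {config}.{path} still lists {res}")
```
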