constraints/cloudbuild.allowedWorkerPools and Deploying to App Engine


In the Organization, they have recently configured the Org Policy "constraints/cloudbuild.allowedWorkerPools". They have configured an exception for my project; however, I am still unable to deploy an App Engine. I keep getting the error detailed further below.

This is how the Org Policy was configured to allow my project. They had to place a condition, otherwise they get the error message "A list Policy should have zero or one unconditional policy rule."

Rule 3
Allowed: under:projects/forreal
Condition: 
  Title :test
  Expression : 
    resource.matchTag("315235378160/locations", "us-central1") || resource.matchTagId("tagKeys/281481244491293", "tagValues/281482598826314")

I wonder if App Engine is compatible with the policy or if it just breaks it...

$ gcloud app deploy
Services to deploy:

descriptor:                  [/home/marcelo/appengine/app.yaml]
source:                      [/home/marcelo/appengine]
target project:              [forreal]
target service:              [martest]
target version:              [20240104t212113]
target url:                  [https://martest-dot-forreal.uc.r.appspot.com]
target service account:      [[email protected]]


Do you want to continue (Y/n)?  

Beginning deployment of service [martest]...
Created .gcloudignore file. See `gcloud topic gcloudignore` for details.
Uploading 3 files to Google Cloud Storage
33%
67%
100%
100%
File upload done.
WARNING: Node.js 16 is no longer supported by the Node.js community as of 11 September, 2023. Node.js 16 will be end of support on 2024-01-30. As of 2024-01-30 you will no longer be able to deploy your App Engine Standard using nodejs16. We recommend you to upgrade to the latest version of Node.js as soon as possible.

Updating service [martest]...failed.                                                                                                                                                                                                            
ERROR: (gcloud.app.deploy) Error Response: [13] Failed to create cloud build: Constraint "constraints/cloudbuild.allowedWorkerPools" violated for "projects/forreal" attempting to create a Build with WorkerPool option "". For more information, see https://cloud.google.com/build/docs/private-pools/using-vpc-service-controls#setting_up_organization_policy_constraints. You must specify a WorkerPool option for this Build.
com.google.net.rpc3.client.RpcClientException: <eye3 title='/ArgoAdminNoCloudAudit.CreateBuild, FAILED_PRECONDITION'/> APPLICATION_ERROR;google.devtools.cloudbuild.v1/ArgoAdminNoCloudAudit.CreateBuild;Constraint "constraints/cloudbuild.allowedWorkerPools" violated for "projects/forreal" attempting to create a Build with WorkerPool option "". For more information, see https://cloud.google.com/build/docs/private-pools/using-vpc-service-controls#setting_up_organization_policy_constraints. 
You must specify a WorkerPool option for this Build.;AppErrorCode=9;StartTimeMs=1704403280806;unknown;ResFormat=uncompressed;ServerTimeSec=2.447271665;LogBytes=256;Non-FailFast;EndUserCredsRequested;EffSecLevel=none;ReqFormat=uncompressed;ReqID=a0fd228d6ed45330;GlobalID=0;Server=[2002:a05:6671:39d4:b0:96b:ccea:f0]:4001.
1

There are 1 best solutions below

1
Dion V On

It might be that it is an indication of a violation of the org policy, which restricts builds to specific worker pools, or that App Engine deployments implicitly trigger Cloud Builds, but the command isn't specifying a worker pool as required by the policy.

You can try specifying the worker pool. You can add the --worker-pool flag, i.e.:

gcloud app deploy --worker-pool=[APPROVED_WORKER_POOL_NAME]
  • Replace [APPROVED_WORKER_POOL_NAME] with an allowed worker pool name.

  • Find approved worker pool names in the Org Policy or consult your organization's administrators.
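
For triaging this failure in deploy or CI logs, the following added example (not part of the original question or answer) extracts the constraint, the project and the WorkerPool value from the error text shown in the question, and separates "no pool was named" from "a named pool was rejected". The sample log is constructed; the named-pool line assumes the same message wording.

```python
import re
from typing import NamedTuple

# Wording taken from the error in the question above.
VIOLATION = re.compile(
    r'Constraint "(?P<constraint>constraints/[\w.]+)" violated for '
    r'"(?P<resource>[^"]+)" attempting to create a Build with '
    r'WorkerPool option "(?P<pool>[^"]*)"'
)

class Violation(NamedTuple):
    constraint: str
    resource: str
    worker_pool: str  # "" means the build request named no worker pool

def find_violations(log_text: str) -> list:
    """Return each distinct violation once, in order of first appearance.

    gcloud prints the same message twice (its own ERROR line and the wrapped
    RPC exception), so duplicates are collapsed.
    """
    found = []
    for m in VIOLATION.finditer(log_text):
        v = Violation(m["constraint"], m["resource"], m["pool"])
        if v not in found:
            found.append(v)
    return found

def explain(v: Violation) -> str:
    if v.worker_pool == "":
        return (f"{v.resource}: the build named no worker pool; "
                f"{v.constraint} requires one to be specified")
    return (f"{v.resource}: worker pool {v.worker_pool} was named but "
            f"rejected by {v.constraint}")

# Constructed sample log. The first two lines are shortened from the output in
# the question; the third is a constructed case that assumes a named-pool
# rejection uses the same wording.
SAMPLE_LOG = '''\
ERROR: (gcloud.app.deploy) Error Response: [13] Failed to create cloud build: Constraint "constraints/cloudbuild.allowedWorkerPools" violated for "projects/forreal" attempting to create a Build with WorkerPool option "". You must specify a WorkerPool option for this Build.
com.google.net.rpc3.client.RpcClientException: APPLICATION_ERROR;Constraint "constraints/cloudbuild.allowedWorkerPools" violated for "projects/forreal" attempting to create a Build with WorkerPool option "".
ERROR: Constraint "constraints/cloudbuild.allowedWorkerPools" violated for "projects/forreal" attempting to create a Build with WorkerPool option "projects/example/locations/us-central1/workerPools/example-pool".
'''

if __name__ == "__main__":
    for violation in find_violations(SAMPLE_LOG):
        print(explain(violation))
```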