Cannot setup CFT development environment - make docker_test_prepare

[caleonardo]

Hi, while following the instructions in "5.1 Set environment variables and create test project" - https://codelabs.developers.google.com/codelabs/cft-onboarding/#3 I am encountering the following two issues after running make docker_test_prepare:

First: a permission error: Error: Error reading Organization Not Found : <MY_ORG_NUMBER_ID>: googleapi: Error 403: The caller does not have permission, forbidden

• To try to fix this, I made my GCP account and the Service account both Org Admin and still I saw the same proble.

Second: a warning on google_project_services deprecation.

• I could not determine if the error and the warning are related or they are two separate issues.

Thank you

 $ make docker_test_prepare
docker run --rm -it \
        -e SERVICE_ACCOUNT_JSON \
        -e TF_VAR_org_id \
        -e TF_VAR_folder_id \
        -e TF_VAR_billing_account \
        -v /home/cleonardo/tech_labs_crostini/src/terraform-google-cloud-storage:/workspace \
        gcr.io/cloud-foundation-cicd/cft/developer-tools:0.10.0 \
        /usr/local/bin/execute_with_credentials.sh prepare_environment
Activated service account credentials for: [<MY_SERVICE_ACCOUNT>]
Activated service account credentials for: [<MY_SERVICE_ACCOUNT>]
Initializing modules...

Initializing the backend...

Initializing provider plugins...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.google-beta: version = "~> 3.21"
* provider.null: version = "~> 2.1"
* provider.random: version = "~> 2.2"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
module.project.module.gsuite_group.data.google_organization.org[0]: Refreshing state...

Warning: google_project_services is deprecated - many users reported issues with dependent services that were not resolvable.  Please use google_project_service or the https://github.com/terraform-google-modules/terraform-google-project-factory/tree/master/modules/project_services module.  It's recommended that you use a provider version of 2.13.0 or higher when you migrate so that requests are batched to the API, reducing the request rate. This resource will be removed in version 3.0.0.

  on .terraform/modules/project/terraform-google-project-factory-3.3.1/modules/core_project_factory/main.tf line 165, in resource "google_project_services" "project_services_authority":
 165: resource "google_project_services" "project_services_authority" {

Error: Error reading Organization Not Found : <MY_ORG_NUMBER_ID>: googleapi: Error 403: The caller does not have permission, forbidden

  on .terraform/modules/project/terraform-google-project-factory-3.3.1/modules/gsuite_group/main.tf line 26, in data "google_organization" "org":
  26: data "google_organization" "org" {

Makefile:34: recipe for target 'docker_test_prepare' failed
make: *** [docker_test_prepare] Error 1

[morgante]

I've just rewritten that section to make the steps clearer. In particular, make sure your service account also has Organization Viewer access.

Can you give it a try and see if it works?

The deprecation warning is unrelated and can be ignored.

[caleonardo]

Works perfectly now.

Thank you Morgante!