403 with update/patch for deploymentmanager.v2.virtual.projectBillingInfo

[rockholla]

I was working from the project creation examples in this repo as a guide when encountering this issue. Seems like it's an internal deployment manager issue, so happy to file an issue elsewhere, just let me know.

Here's the initial test project and billing deployment config:

resources:
- name: test-project
  properties:
    name: test
    parent:
      id: "711348045576"
      type: folder
    projectId: test-71134804557681690
  type: cloudresourcemanager.v1.project
- metadata:
    dependsOn:
    - test-project
  name: test-project-billing-1565281690
  properties:
    billingAccountName: billingAccounts/01E9AD-725056-BA537C
    name: projects/test-71134804557681690
  type: deploymentmanager.v2.virtual.projectBillingInfo

I've timestamped the billing resource name per https://github.com/GoogleCloudPlatform/deploymentmanager-samples/issues/44 so that it could be update-able.

Initial deployment of this works fine:

But, seems there are problems with any update or patch operation. Here's the updated deployment config:

resources:
- name: test-project
  properties:
    name: test
    parent:
      id: "711348045576"
      type: folder
    projectId: test-71134804557681490
  type: cloudresourcemanager.v1.project
- metadata:
    dependsOn:
    - test-project
  name: test-project-billing-1565281490
  properties:
    billingAccountName: billingAccounts/01E9AD-725056-BA537C
    name: projects/test-71134804557681490
  type: deploymentmanager.v2.virtual.projectBillingInfo

And I get the following error

test-project-billing-1565281490: {"ResourceType":"deploymentmanager.v2.virtual.projectBillingInfo","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The caller does not have permission","status":"PERMISSION_DENIED","details":[],"statusMessage":"Forbidden","requestPath":"https://cloudbilling.googleapis.com/v1/projects/test-71134804557681490/billingInfo","httpMethod":"PUT"}}

Verified that the deployment manager service account has the owner role on the destination project: test-71134804557681490. I tried to even explicitly set the Project Billing Manager role for the service account in that test project to see if it made a difference, but same result when re-running the deployment update or patch.

Let me know if I'm missing something IAM or permission-wise here, but seems like the service account running dm should definitely be able to PUT to the billing account resource in the project to update. Thanks!

[ocsig]

I am not sure if I understand completely, but based on what I see you are calling an update on a deployment and you name every resource based on a current timestamp. Which means when you calling this update, you actually questing a new project ( becuse you set a new projectId). Can you run a dm update --preview and copy here the output. That would confirm my feeling that DM tries to delete the project and create a new one.

I would like to also highlight the high quality Cloud Foundation DM templates. It has a template for project creation which includes billing account management and many more. ( Currently the dev branch is in the best state, soon to be merged to master.)

[rockholla]

Yeah, you're totally right, this is a product of the changing project ID. Was thrown off by the failure in the billing resource specifically. The automation needs to be updated to pull in the existing project ID for a deployment, if it exists.

Would be nice actually to not have to provide the project ID to the deployment manager resource, but easily enough solved otherwise for now.

Thanks for the help and extra set of eyes @ocsig!