GoogleCloudPlatform / fda-mystudies

FDA MyStudies

googleapi: Error 403: Required 'compute.organizations.enableXpnHost' permission #3339

Closed smunini closed 2 years ago

smunini commented 3 years ago

Describe the bug
Unable to perform the initial deployment at this point in the instructions: https://github.com/GoogleCloudPlatform/fda-mystudies/blob/v2.0.3/deployment/README.md#deploy-your-platform-infrastructure

To Reproduce
Run:

cd $GIT_ROOT
git checkout -b initial-deployment
git add $GIT_ROOT/deployment/terraform
git commit -m "Perform initial deployment"
git push origin initial-deployment

See this error in the Cloud Build Build details for the tf-apply trigger:

...
Step #1 - "Apply": module.namida_dev16_router.google_compute_router_nat.nats["namida-dev16-nat"]: Creation complete after 22s [id=namida-dev16-networks/us-central1/namida-dev16-router/namida-dev16-nat]
Step #1 - "Apply": module.bastion_vm.google_compute_instance_from_template.bastion_vm[0]: Creation complete after 12s [id=projects/namida-dev16-networks/zones/us-central1-a/instances/bastion-vm]
Step #1 - "Apply": module.bastion_vm.module.iap_tunneling.google_iap_tunnel_instance_iam_binding.enable_iap["bastion-vm us-central1-a"]: Creating...
Step #1 - "Apply": module.cloud_sql_private_service_access_namida_dev16_network.google_service_networking_connection.private_service_access: Still creating... [50s elapsed]
Step #1 - "Apply": module.cloud_sql_private_service_access_namida_dev16_network.google_service_networking_connection.private_service_access: Creation complete after 52s [id=https%3A%2F%2Fwww.googleapis.com%2Fcompute%2Fv1%2Fprojects%2Fnamida-dev16-networks%2Fglobal%2Fnetworks%2Fnamida-dev16-network:servicenetworking.googleapis.com]
Step #1 - "Apply": module.cloud_sql_private_service_access_namida_dev16_network.null_resource.dependency_setter: Creating...
Step #1 - "Apply": module.cloud_sql_private_service_access_namida_dev16_network.null_resource.dependency_setter: Creation complete after 0s [id=4719947007608781733]
Step #1 - "Apply": module.bastion_vm.module.iap_tunneling.google_iap_tunnel_instance_iam_binding.enable_iap["bastion-vm us-central1-a"]: Creation complete after 6s [id=projects/namida-dev16-networks/iap_tunnel/zones/us-central1-a/instances/bastion-vm/roles/iap.tunnelResourceAccessor]
Step #1 - "Apply":
Step #1 - "Apply": Error: Error enabling Shared VPC Host "namida-dev16-networks": googleapi: Error 403: Required 'compute.organizations.enableXpnHost' permission for 'projects/namida-dev16-networks', forbidden
Step #1 - "Apply":
Step #1 - "Apply":   on main.tf line 87, in resource "google_compute_shared_vpc_host_project" "host":
Step #1 - "Apply":   87: resource "google_compute_shared_vpc_host_project" "host" {
Step #1 - "Apply":
Step #1 - "Apply":
Finished Step #1 - "Apply"
ERROR
ERROR: build step 1 "gcr.io/cloud-foundation-cicd/cft/developer-tools@sha256:47db3e958fbaa0d95881cf99501ebf4522a261ddc68d9566b7cf70e26cf7cddb" failed: step exited with non-zero status: 1

smunini commented 3 years ago

I researched this a bit more and confirmed that my user has the following roles:

Compute Network Admin
Compute Network User
Compute Shared VPC Admin

Still blocked on this issue.

smunini commented 3 years ago

Re-installed using a fresh new GCP account and organization, and still encountered this issue, preventing installation.

smunini commented 3 years ago

Asked a question on Stack Overflow to help resolve this: https://stackoverflow.com/questions/66700942/googleapi-error-403-required-compute-organizations-enablexpnhost-permission

alanhughes commented 3 years ago

I also ran into this issue - I had to add the user in question to roles/compute.xpnAdmin at the Organization level - adding at the folder level (which I believe has worked in the past?) no longer did the trick.

alanhughes commented 3 years ago

Just saw the documentation has been updated on master: https://github.com/GoogleCloudPlatform/fda-mystudies/commit/48922e2dfcfe812276ee47f02bf19c68b23da479

rpbaquing-stratusmeridian commented 3 years ago

I also encountered this, and I was able to fix it by giving the Cloud Build service account the Compute Shared VPC Admin role at the organization level. It isn't the user running the commands in the deployment guide who enables XPN; that's why this issue happens.

Either the scripts or documentation should be updated.
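One way to make the grant the two comments above describe part of the deployment itself, as an added example that is not code from fda-mystudies or from either commenter: a Terraform fragment that binds the Cloud Build service account to roles/compute.xpnAdmin (the Compute Shared VPC Admin role) at the organization level before the Shared VPC host project is enabled. The variable names, the project ids, and the assumption that the tf-apply trigger runs as the devops project's default Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com) are placeholders and assumptions, not values taken from the repository.

```hcl
# Added example (not fda-mystudies code). Assumes:
#   - var.org_id is the numeric organization id
#   - var.devops_project_id is the project whose Cloud Build trigger runs tf-apply
#   - var.networks_project_id is the project that becomes the Shared VPC host
#   - the trigger runs as the default Cloud Build service account
variable "org_id" {}
variable "devops_project_id" {}
variable "networks_project_id" {}

# Look up the devops project so we can derive the Cloud Build service account.
data "google_project" "devops" {
  project_id = var.devops_project_id
}

locals {
  # Default Cloud Build service account identity (assumption: the trigger uses it).
  cloudbuild_sa = "serviceAccount:${data.google_project.devops.number}@cloudbuild.gserviceaccount.com"
}

# Organization-level grant: compute.organizations.enableXpnHost is an org-scoped
# permission, so the binding has to sit at the organization, not on the project.
# google_organization_iam_member adds one member to one role and leaves other
# members of that role untouched (unlike *_iam_binding or *_iam_policy).
resource "google_organization_iam_member" "cloudbuild_xpn_admin" {
  org_id = var.org_id
  role   = "roles/compute.xpnAdmin"
  member = local.cloudbuild_sa
}

# The resource that failed in the build log above; it must not be applied
# before the grant exists, so the dependency is made explicit.
resource "google_compute_shared_vpc_host_project" "host" {
  project    = var.networks_project_id
  depends_on = [google_organization_iam_member.cloudbuild_xpn_admin]
}
```

The explicit depends_on orders the two operations within one apply, but IAM changes can take a short while to propagate, so the first run after adding the binding may still need to be re-triggered. Because this is an organization-wide grant to a CI identity, keeping it in the reviewed devops Terraform, rather than applying it by hand in the console, keeps the grant visible and reversible alongside the rest of the deployment's org-level bindings; when a human user applies Terraform locally instead, the same role has to be granted to that user at the organization level, as described in the earlier comment.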

yugandhar-btc commented 2 years ago

@rpbaquing-stratusmeridian The steps have already been mentioned in the document; please refer to the "Create your devops project and configure CICD pipelines" module, step 6.