obriensystems
commented
6 months ago retest main 20240509
505 cd ../tef-oldev3
506 ls
507 gcloud config set project tef-oldev3
508 git clone https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding.git
509 ls
510 cd pbmm-on-gcp-onboarding/
511 cd 0-bootstrap/
512 cd ..
513 ls
514 ./terraform --version
515 cd tef-oldev-p1gen6/
516 ls
517 cd ../tef-oldev
518 ls
519 cd terraform1310/
520 ls
521 ./terraform --version
522 cp ../../tef-oldev3
523 cp terraform ../../tef-oldev3
524 which terraform
525 sudo cp terraform /usr/bin
526 cd ../../tef-oldev3/pbmm-on-gcp-onboarding/0-bootstrap/
527 terraform --version
528 terraform init
529 terraform plan -input=false -out bootstrap.tfplan
530 terraform apply bootstrap.tfplan
531 gcloud services enable cloudidentity.googleapis.com
532 terraform apply bootstrap.tfplan
533 terraform plan -input=false -out bootstrap.tfplan
534 terraform apply bootstrap.tfplan
org_id = "583675367868" # format "000000000000"
billing_account = "019283-6F1AB5-7AD576" # format "000000-000000-000000"
// For enabling the automatic groups creation, uncoment the
// variables and update the values with the group names
groups = {
create_required_groups = true # Change to true to create the required_groups
create_optional_groups = true # Change to true to create the optional_groups
#####
# check billing_project
#####
billing_project = "tef-oldev3" # Fill with bootstrap project id (the one you are starting with) to create required or optional groups
required_groups = {
group_org_admins = "gcp-organization-admins3@obrienlabs.dev" # example "gcp-organization-admins@example.com"
group_billing_admins = "gcp-billing-admins3@obrienlabs.dev" # example "gcp-billing-admins@example.com"
billing_data_users = "gcp-billing-data3@obrienlabs.dev" # example "gcp-billing-data@example.com"
audit_data_users = "gcp-audit-data3@obrienlabs.dev" # example "gcp-audit-data@example.com"
monitoring_workspace_users = "gcp-monitoring-workspace3@obrienlabs.dev" # example "gcp-monitoring-workspace@example.com"
}
optional_groups = {
gcp_security_reviewer = "gcp_security_reviewer3@obrienlabs.dev" #"gcp_security_reviewer_local_test@example.com"
gcp_network_viewer = "gcp_network_viewer3@obrienlabs.dev" #"gcp_network_viewer_local_test@example.com"
gcp_scc_admin = "gcp_scc_admin3@obrienlabs.dev" #"gcp_scc_admin_local_test@example.com"
gcp_global_secrets_admin = "gcp_global_secrets_admin3@obrienlabs.dev" #"gcp_global_secrets_admin_local_test@example.com"
gcp_kms_admin = "gcp_kms_admin3@obrienlabs.dev" #"gcp_kms_admin_local_test@example.com"
}
}
default_region = "northamerica-northeast1"
#default_region = "northamerica-northeast2"
# Optional - for an organization with existing projects or for development/validation.
# Uncomment this variable to place all the example foundation resources under
# the provided folder instead of the root organization.
# The variable value is the numeric folder ID
# The folder must already exist.
parent_folder = "444651735300"
michael@cloudshell:~/tef-oldev3/pbmm-on-gcp-onboarding (tef-oldev3)$ gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudbilling.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable cloudkms.googleapis.com
gcloud services enable servicenetworking.googleapis.com
gcloud services enable cloudbuild.googleapis.com
Operation "operations/acat.p2-757360789205-a93b7e70-1889-46b5-a4e6-462935edf569" finished successfully.
Operation "operations/acat.p2-757360789205-0c311e1f-a178-4f5f-a12e-502e0bf9d1ea" finished successfully.
Operation "operations/acat.p2-757360789205-b922a38b-ef61-4132-adfe-e77af14a7f57" finished successfully.
Operation "operations/acat.p2-757360789205-3942a70a-0953-4378-9ec9-887186657221" finished successfully.
Operation "operations/acat.p2-757360789205-9859369c-395c-4d81-8843-2a0f7a9852d8" finished successfully.
Operation "operations/acf.p2-757360789205-3f2b8c87-675c-4ca6-bf1d-27c19644a73c" finished successfully.
michael@cloudshell:~/tef-oldev3/pbmm-on-gcp-onboarding/0-bootstrap (tef-oldev3)$ terraform --version
Terraform v1.3.10
on linux_amd64
Your version of Terraform is out of date! The latest version
is 1.8.3. You can update by downloading from https://www.terraform.io/downloads.html
michael@cloudshell:~/tef-oldev3/pbmm-on-gcp-onboarding/0-bootstrap (tef-oldev3)$ terraform init
Initializing modules...
Downloading registry.terraform.io/terraform-google-modules/gcloud/google 3.4.0 for bootstrap_csr_repo...
- bootstrap_csr_repo in .terraform/modules/bootstrap_csr_repo
- bootstrap_projects_remove_editor in modules/parent-iam-remove-role
Downloading registry.terraform.io/terraform-google-modules/gcloud/google 3.4.0 for build_terraform_image...
- build_terraform_image in .terraform/modules/build_terraform_image
- cicd_project_iam_member in modules/parent-iam-member
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for gcp_projects_state_bucket...
- gcp_projects_state_bucket in .terraform/modules/gcp_projects_state_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/group/google 0.6.1 for optional_group...
- optional_group in .terraform/modules/optional_group
- org_iam_member in modules/parent-iam-member
- parent_iam_member in modules/parent-iam-member
Downloading registry.terraform.io/terraform-google-modules/group/google 0.6.1 for required_group...
- required_group in .terraform/modules/required_group
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.2.0 for seed_bootstrap...
- seed_bootstrap in .terraform/modules/seed_bootstrap
Downloading registry.terraform.io/terraform-google-modules/org-policy/google 5.3.0 for seed_bootstrap.enable_cross_project_service_account_usage...
- seed_bootstrap.enable_cross_project_service_account_usage in .terraform/modules/seed_bootstrap.enable_cross_project_service_account_usage
Downloading registry.terraform.io/terraform-google-modules/kms/google 2.3.0 for seed_bootstrap.kms...
- seed_bootstrap.kms in .terraform/modules/seed_bootstrap.kms
Downloading registry.terraform.io/terraform-google-modules/project-factory/google 14.5.0 for seed_bootstrap.seed_project...
- seed_bootstrap.seed_project in .terraform/modules/seed_bootstrap.seed_project
- seed_bootstrap.seed_project.budget in .terraform/modules/seed_bootstrap.seed_project/modules/budget
- seed_bootstrap.seed_project.essential_contacts in .terraform/modules/seed_bootstrap.seed_project/modules/essential_contacts
- seed_bootstrap.seed_project.gsuite_group in .terraform/modules/seed_bootstrap.seed_project/modules/gsuite_group
- seed_bootstrap.seed_project.project-factory in .terraform/modules/seed_bootstrap.seed_project/modules/core_project_factory
- seed_bootstrap.seed_project.project-factory.project_services in .terraform/modules/seed_bootstrap.seed_project/modules/project_services
- seed_bootstrap.seed_project.quotas in .terraform/modules/seed_bootstrap.seed_project/modules/quota_manager
- seed_bootstrap.seed_project.shared_vpc_access in .terraform/modules/seed_bootstrap.seed_project/modules/shared_vpc_access
- seed_project_iam_member in modules/parent-iam-member
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.2.0 for tf_cloud_builder...
- tf_cloud_builder in .terraform/modules/tf_cloud_builder/modules/tf_cloudbuild_builder
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_cloud_builder.bucket...
- tf_cloud_builder.bucket in .terraform/modules/tf_cloud_builder.bucket/modules/simple_bucket
- tf_private_pool in modules/cb-private-pool
Downloading registry.terraform.io/terraform-google-modules/network/google 9.1.0 for tf_private_pool.firewall_rules...
- tf_private_pool.firewall_rules in .terraform/modules/tf_private_pool.firewall_rules/modules/firewall-rules
Downloading registry.terraform.io/terraform-google-modules/network/google 9.1.0 for tf_private_pool.peered_network...
- tf_private_pool.peered_network in .terraform/modules/tf_private_pool.peered_network
- tf_private_pool.peered_network.firewall_rules in .terraform/modules/tf_private_pool.peered_network/modules/firewall-rules
- tf_private_pool.peered_network.routes in .terraform/modules/tf_private_pool.peered_network/modules/routes
- tf_private_pool.peered_network.subnets in .terraform/modules/tf_private_pool.peered_network/modules/subnets
- tf_private_pool.peered_network.vpc in .terraform/modules/tf_private_pool.peered_network/modules/vpc
Downloading registry.terraform.io/terraform-google-modules/vpn/google 4.0.0 for tf_private_pool.vpn_ha_cb_to_onprem...
- tf_private_pool.vpn_ha_cb_to_onprem in .terraform/modules/tf_private_pool.vpn_ha_cb_to_onprem/modules/vpn_ha
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.2.0 for tf_source...
- tf_source in .terraform/modules/tf_source/modules/tf_cloudbuild_source
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_source.cloudbuild_bucket...
- tf_source.cloudbuild_bucket in .terraform/modules/tf_source.cloudbuild_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/project-factory/google 14.5.0 for tf_source.cloudbuild_project...
- tf_source.cloudbuild_project in .terraform/modules/tf_source.cloudbuild_project
- tf_source.cloudbuild_project.budget in .terraform/modules/tf_source.cloudbuild_project/modules/budget
- tf_source.cloudbuild_project.essential_contacts in .terraform/modules/tf_source.cloudbuild_project/modules/essential_contacts
- tf_source.cloudbuild_project.gsuite_group in .terraform/modules/tf_source.cloudbuild_project/modules/gsuite_group
- tf_source.cloudbuild_project.project-factory in .terraform/modules/tf_source.cloudbuild_project/modules/core_project_factory
- tf_source.cloudbuild_project.project-factory.project_services in .terraform/modules/tf_source.cloudbuild_project/modules/project_services
- tf_source.cloudbuild_project.quotas in .terraform/modules/tf_source.cloudbuild_project/modules/quota_manager
- tf_source.cloudbuild_project.shared_vpc_access in .terraform/modules/tf_source.cloudbuild_project/modules/shared_vpc_access
Downloading registry.terraform.io/terraform-google-modules/bootstrap/google 7.2.0 for tf_workspace...
- tf_workspace in .terraform/modules/tf_workspace/modules/tf_cloudbuild_workspace
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_workspace.artifacts_bucket...
- tf_workspace.artifacts_bucket in .terraform/modules/tf_workspace.artifacts_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_workspace.log_bucket...
- tf_workspace.log_bucket in .terraform/modules/tf_workspace.log_bucket/modules/simple_bucket
Downloading registry.terraform.io/terraform-google-modules/cloud-storage/google 5.0.0 for tf_workspace.state_bucket...
- tf_workspace.state_bucket in .terraform/modules/tf_workspace.state_bucket/modules/simple_bucket
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/google-beta versions matching ">= 3.43.0, >= 3.50.0, >= 3.64.0, >= 3.67.0, >= 3.77.0, >= 4.11.0, >= 4.17.0, >= 4.28.0, != 4.31.0, >= 4.64.0, >= 5.7.0, < 6.0.0"...
- Finding hashicorp/external versions matching ">= 2.2.2"...
- Finding hashicorp/null versions matching ">= 2.1.0"...
- Finding hashicorp/google versions matching ">= 3.33.0, >= 3.43.0, >= 3.50.0, >= 3.53.0, >= 3.64.0, >= 3.67.0, >= 3.77.0, >= 3.83.0, >= 4.17.0, >= 4.25.0, >= 4.28.0, != 4.31.0, >= 4.46.0, >= 4.64.0, >= 5.7.0, < 6.0.0"...
- Finding hashicorp/random versions matching ">= 2.1.0, >= 2.2.0, >= 3.1.0, ~> 3.4"...
- Finding hashicorp/time versions matching ">= 0.5.0"...
- Installing hashicorp/time v0.11.1...
- Installed hashicorp/time v0.11.1 (signed by HashiCorp)
- Installing hashicorp/google-beta v5.28.0...
- Installed hashicorp/google-beta v5.28.0 (signed by HashiCorp)
- Installing hashicorp/external v2.3.3...
- Installed hashicorp/external v2.3.3 (signed by HashiCorp)
- Installing hashicorp/null v3.2.2...
- Installed hashicorp/null v3.2.2 (signed by HashiCorp)
- Installing hashicorp/google v5.28.0...
- Installed hashicorp/google v5.28.0 (signed by HashiCorp)
- Installing hashicorp/random v3.6.1...
- Installed hashicorp/random v3.6.1 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
# module.tf_source.module.cloudbuild_project.module.project-factory.module.project_services.google_project_service.project_services["workflows.googleapis.com"] will be created
+ resource "google_project_service" "project_services" {
+ disable_dependent_services = true
+ disable_on_destroy = false
+ id = (known after apply)
+ project = (known after apply)
+ service = "workflows.googleapis.com"
}
Plan: 271 to add, 0 to change, 0 to destroy.
Changes to Outputs:
+ bootstrap_step_terraform_service_account_email = (known after apply)
+ cloud_build_peered_network_id = (known after apply)
+ cloud_build_private_worker_pool_id = (known after apply)
+ cloud_build_worker_peered_ip_range = "192.168.0.0/24"
+ cloud_build_worker_range_id = (known after apply)
+ cloud_builder_artifact_repo = (known after apply)
+ cloudbuild_project_id = (known after apply)
+ common_config = {
+ billing_account = "019283-6F1AB5-7AD576"
+ bootstrap_folder_name = (known after apply)
+ default_region = "northamerica-northeast1"
+ folder_prefix = "fldr"
+ org_id = "583675367868"
+ parent_folder = "444651735300"
+ parent_id = "folders/444651735300"
+ project_prefix = "prj"
}
+ csr_repos = {
+ gcp-bootstrap = {
+ id = (known after apply)
+ name = "gcp-bootstrap"
+ project = (known after apply)
+ url = (known after apply)
}
+ gcp-environments = {
+ id = (known after apply)
+ name = "gcp-environments"
+ project = (known after apply)
+ url = (known after apply)
}
+ gcp-networks = {
+ id = (known after apply)
+ name = "gcp-networks"
+ project = (known after apply)
+ url = (known after apply)
}
+ gcp-org = {
+ id = (known after apply)
+ name = "gcp-org"
+ project = (known after apply)
+ url = (known after apply)
}
+ gcp-policies = {
+ id = (known after apply)
+ name = "gcp-policies"
+ project = (known after apply)
+ url = (known after apply)
}
+ gcp-projects = {
+ id = (known after apply)
+ name = "gcp-projects"
+ project = (known after apply)
+ url = (known after apply)
}
+ tf-cloudbuilder = {
+ id = (known after apply)
+ name = "tf-cloudbuilder"
+ project = (known after apply)
+ url = (known after apply)
}
}
+ environment_step_terraform_service_account_email = (known after apply)
+ gcs_bucket_cloudbuild_artifacts = {
+ bootstrap = (known after apply)
+ env = (known after apply)
+ net = (known after apply)
+ org = (known after apply)
+ proj = (known after apply)
}
+ gcs_bucket_cloudbuild_logs = {
+ bootstrap = (known after apply)
+ env = (known after apply)
+ net = (known after apply)
+ org = (known after apply)
+ proj = (known after apply)
}
+ gcs_bucket_tfstate = (known after apply)
+ networks_step_terraform_service_account_email = (known after apply)
+ optional_groups = {
+ "gcp_global_secrets_admin" = "gcp_global_secrets_admin3@obrienlabs.dev"
+ "gcp_kms_admin" = "gcp_kms_admin3@obrienlabs.dev"
+ "gcp_network_viewer" = "gcp_network_viewer3@obrienlabs.dev"
+ "gcp_scc_admin" = "gcp_scc_admin3@obrienlabs.dev"
+ "gcp_security_reviewer" = "gcp_security_reviewer3@obrienlabs.dev"
}
+ organization_step_terraform_service_account_email = (known after apply)
+ projects_gcs_bucket_tfstate = (known after apply)
+ projects_step_terraform_service_account_email = (known after apply)
+ required_groups = {
+ "audit_data_users" = "gcp-audit-data3@obrienlabs.dev"
+ "billing_data_users" = "gcp-billing-data3@obrienlabs.dev"
+ "group_billing_admins" = "gcp-billing-admins3@obrienlabs.dev"
+ "group_org_admins" = "gcp-organization-admins3@obrienlabs.dev"
+ "monitoring_workspace_users" = "gcp-monitoring-workspace3@obrienlabs.dev"
}
+ seed_project_id = (known after apply)
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Saved the plan to: bootstrap.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "bootstrap.tfplan"
michael@cloudshell:~/tef-oldev3/pbmm-on-gcp-onboarding/0-bootstrap (tef-oldev3)$ terraform apply bootstrap.tfplan
module.bootstrap_csr_repo.null_resource.run_destroy_command[0]: Creating...
module.bootstrap_csr_repo.null_resource.run_destroy_command[0]: Creation complete after 0s [id=8231255537637410667]
random_string.suffix: Creating...
module.seed_bootstrap.random_id.suffix: Creating...
module.tf_private_pool.random_string.suffix: Creating...
module.seed_bootstrap.module.seed_project.module.project-factory.random_id.random_project_id_suffix: Creating...
module.seed_bootstrap.random_id.suffix: Creation complete after 0s [id=i-o]
module.seed_bootstrap.module.seed_project.module.project-factory.random_id.random_project_id_suffix: Creation complete after 0s [id=zyA]
module.tf_private_pool.random_string.suffix: Creation complete after 0s [id=ymbi]
random_string.suffix: Creation complete after 0s [id=fgbs]
module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/billing.user"]: Creating...
module.required_group["group_org_admins"].google_cloud_identity_group.group: Creating...
module.seed_bootstrap.google_folder_iam_member.tmp_project_creator[0]: Creating...
module.seed_bootstrap.google_folder_iam_member.org_admin_service_account_user[0]: Creating...
module.seed_bootstrap.google_organization_iam_member.org_billing_admin: Creating...
module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/resourcemanager.organizationAdmin"]: Creating...
module.seed_bootstrap.google_organization_iam_binding.billing_creator: Creating...
module.seed_bootstrap.google_folder_iam_member.org_admin_serviceusage_consumer[0]: Creating...
google_folder.bootstrap: Creating...
module.required_group["monitoring_workspace_users"].google_cloud_identity_group.group: Creating...
module.required_group["group_billing_admins"].google_cloud_identity_group.group: Creating...
module.required_group["audit_data_users"].google_cloud_identity_group.group: Creating...
module.required_group["billing_data_users"].google_cloud_identity_group.group: Creating...
module.optional_group["gcp_network_viewer"].google_cloud_identity_group.group: Creating...
module.optional_group["gcp_kms_admin"].google_cloud_identity_group.group: Creating...
module.optional_group["gcp_global_secrets_admin"].google_cloud_identity_group.group: Creating...
module.optional_group["gcp_security_reviewer"].google_cloud_identity_group.group: Creating...
module.optional_group["gcp_scc_admin"].google_cloud_identity_group.group: Creating...
google_folder.bootstrap: Still creating... [10s elapsed]
google_folder.bootstrap: Creation complete after 12s [id=folders/236258101664]
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.optional_group["gcp_scc_admin"].google_cloud_identity_group.group,
│ on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.optional_group["gcp_network_viewer"].google_cloud_identity_group.group,
│ on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.optional_group["gcp_security_reviewer"].google_cloud_identity_group.group,
│ on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.optional_group["gcp_global_secrets_admin"].google_cloud_identity_group.group,
│ on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.optional_group["gcp_kms_admin"].google_cloud_identity_group.group,
│ on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.required_group["group_org_admins"].google_cloud_identity_group.group,
│ on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.required_group["billing_data_users"].google_cloud_identity_group.group,
│ on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.required_group["audit_data_users"].google_cloud_identity_group.group,
│ on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.required_group["monitoring_workspace_users"].google_cloud_identity_group.group,
│ on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error creating Group: googleapi: Error 403: Cloud Identity API has not been used in project tef-oldev3 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudidentity.googleapis.com/overview?project=tef-oldev3"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/tef-oldev3",
│ "service": "cloudidentity.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│
│ with module.required_group["group_billing_admins"].google_cloud_identity_group.group,
│ on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
│ 35: resource "google_cloud_identity_group" "group" {
│
╵
╷
│ Error: Error applying IAM policy for folder "folders/444651735300": Error setting IAM policy for folder "folders/444651735300": googleapi: Error 400: Group gcp-organization-admins3@obrienlabs.dev does not exist., badRequest
│
│ with module.seed_bootstrap.google_folder_iam_member.tmp_project_creator[0],
│ on .terraform/modules/seed_bootstrap/main.tf line 47, in resource "google_folder_iam_member" "tmp_project_creator":
│ 47: resource "google_folder_iam_member" "tmp_project_creator" {
│
╵
╷
│ Error: Error applying IAM policy for organization "583675367868": Error setting IAM policy for organization "583675367868": googleapi: Error 400: Group gcp-billing-admins3@obrienlabs.dev does not exist., badRequest
│
│ with module.seed_bootstrap.google_organization_iam_binding.billing_creator,
│ on .terraform/modules/seed_bootstrap/main.tf line 156, in resource "google_organization_iam_binding" "billing_creator":
│ 156: resource "google_organization_iam_binding" "billing_creator" {
│
╵
╷
│ Error: Error applying IAM policy for organization "583675367868": Error setting IAM policy for organization "583675367868": googleapi: Error 400: Group gcp-organization-admins3@obrienlabs.dev does not exist., badRequest
│
│ with module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/billing.user"],
│ on .terraform/modules/seed_bootstrap/main.tf line 184, in resource "google_organization_iam_member" "org_admins_group":
│ 184: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error applying IAM policy for organization "583675367868": Error setting IAM policy for organization "583675367868": googleapi: Error 400: Group gcp-organization-admins3@obrienlabs.dev does not exist., badRequest
│
│ with module.seed_bootstrap.google_organization_iam_member.org_admins_group["roles/resourcemanager.organizationAdmin"],
│ on .terraform/modules/seed_bootstrap/main.tf line 184, in resource "google_organization_iam_member" "org_admins_group":
│ 184: resource "google_organization_iam_member" "org_admins_group" {
│
╵
╷
│ Error: Error applying IAM policy for organization "583675367868": Error setting IAM policy for organization "583675367868": googleapi: Error 400: Group gcp-billing-admins3@obrienlabs.dev does not exist., badRequest
│
│ with module.seed_bootstrap.google_organization_iam_member.org_billing_admin,
│ on .terraform/modules/seed_bootstrap/main.tf line 196, in resource "google_organization_iam_member" "org_billing_admin":
│ 196: resource "google_organization_iam_member" "org_billing_admin" {
│
╵
╷
│ Error: Error applying IAM policy for folder "folders/444651735300": Error setting IAM policy for folder "folders/444651735300": googleapi: Error 400: Group gcp-organization-admins3@obrienlabs.dev does not exist., badRequest
│
│ with module.seed_bootstrap.google_folder_iam_member.org_admin_service_account_user[0],
│ on .terraform/modules/seed_bootstrap/main.tf line 259, in resource "google_folder_iam_member" "org_admin_service_account_user":
│ 259: resource "google_folder_iam_member" "org_admin_service_account_user" {
│
╵
╷
│ Error: Error applying IAM policy for folder "folders/444651735300": Error setting IAM policy for folder "folders/444651735300": googleapi: Error 400: Group gcp-organization-admins3@obrienlabs.dev does not exist., badRequest
│
│ with module.seed_bootstrap.google_folder_iam_member.org_admin_serviceusage_consumer[0],
│ on .terraform/modules/seed_bootstrap/main.tf line 267, in resource "google_folder_iam_member" "org_admin_serviceusage_consumer":
│ 267: resource "google_folder_iam_member" "org_admin_serviceusage_consumer" {
│
╵
fmichaelobrien
github-actions[bot]
Pending to check
Todo
Status
gcloud source repos clone "${CSR_NAME}" "${tmp_dir}" --project "${CSR_PROJECT_ID}"
ERROR: (gcloud.source.repos.clone) Command '['git', 'clone', 'https://source.developers.google.com/p/prj-b-cicd-orcl/r/tf-cloudbuilder', '/home/USER/lz-tef-dev-.../temp/tf-cloudbuilder', '--config', 'credential.https://source.developers.google.com/.helper=', '--config', 'credential.https://source.developers.google.com/.helper=!gcloud auth git-helper --account=USER@gcp.....ca --ignore-unknown $@']' returned non-zero exit status 128.
USER@cloudshell:~/lz-tef-dev-.../temp (lz-tef-dev-...)$ gcloud config set project prj-b-cicd-orcl Updated property [core/project].
USER@cloudshell:~/lz-tef-dev-...2/temp (prj-b-cicd-orcl)$ gcloud source repos clone tf-cloudbuilder --project prj-b-cicd-orcl Cloning into '/home/USER/lz-tef-dev-...2/temp/tf-cloudbuilder'... remote: INVALID_ARGUMENT: Request contains an invalid argument
remote: [type.googleapis.com/google.rpc.LocalizedMessage] remote: locale: "en-US" remote: message: "Invalid authentication credentials. Please generate a new identifier: https://source.developers.google.com/new-password"
remote: remote: [type.googleapis.com/google.rpc.RequestInfo] remote: request_id: "9fe7..2308"
fatal: unable to access 'https://source.developers.google.com/p/prj-b-cicd-orcl/r/tf-cloudbuilder/': The requested URL returned error: 400
ERROR: (gcloud.source.repos.clone) Command '['git', 'clone', 'https://source.developers.google.com/p/prj-b-cicd-orcl/r/tf-cloudbuilder', '/home/USER/lz-tef-dev-...2/temp/tf-cloudbuilder', '--config', 'credential.https://source.developers.google.com/.helper=', '--config', 'credential.https://source.developers.google.com/.helper=!gcloud auth git-helper --account=USER@gcp....ca --ignore-unknown $@']' returned non-zero exit status 128.
USER@cloudshell:~/lz-tef-dev-...2/temp (prj-b-cicd-orcl)$ ^C
module.tf_workspace["proj"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/a1129dc9-c1e6-47d5-9a20-7518c82fe900] module.tf_workspace["bootstrap"].google_cloudbuild_trigger.triggers["apply"]: Creation complete after 1s [id=projects/prj-b-cicd-82vv/locations/us-central1/triggers/70966480-5d2c-4aa4-a7aa-1e0aaeb711f1] module.tf_workspace["proj"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-projects-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-proj@prj-b-seed-8919.iam.gserviceaccount.com] module.tf_workspace["org"].google_storage_bucket_iam_member.artifacts_admin: Creation complete after 4s [id=b/bkt-prj-b-cicd-82vv-gcp-org-build-artifacts/roles/storage.admin/serviceAccount:sa-terraform-org@prj-b-seed-8919.iam.gserviceaccount.com] ╷ │ Error: local-exec provisioner error │ │ with module.bootstrap_csr_repo.null_resource.run_command[0], │ on .terraform/modules/bootstrap_csr_repo/main.tf line 232, in resource "null_resource" "run_command": │ 232: provisioner "local-exec" { │ │ Error running command 'PATH=/google-cloud-sdk/bin:$PATH │ ./scripts/push-to-repo.sh prj-b-cicd-82vv tf-cloudbuilder ./Dockerfile │ ': exit status 1. Output: + '[' 3 -lt 3 ']' │ + CSR_PROJECT_ID=prj-b-cicd-82vv │ + CSR_NAME=tf-cloudbuilder │ + DOCKERFILE_PATH=./Dockerfile │ ++ mktemp -d │ + tmp_dir=/tmp/tmp.xMNfsxhn6Q │ + gcloud source repos clone tf-cloudbuilder /tmp/tmp.xMNfsxhn6Q --project prj-b-cicd-82vv │ ERROR: (gcloud.source.repos.clone) UNAUTHENTICATED: Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication │ credential. See https://developers.google.com/identity/sign-in/web/devconsole-project. │
michael@cloudshell:~/tef-oldev3 (tef-oldev2)$ gcloud config set project tef-oldev3 Updated property [core/project]. michael@cloudshell:~/tef-oldev3 (tef-oldev3)$ ls pbmm-on-gcp-onboarding terraform michael@cloudshell:~/tef-oldev3 (tef-oldev3)$ mkdir _test_repo michael@cloudshell:~/tef-oldev3 (tef-oldev3)$ cd _test_repo michael@cloudshell:~/tef-oldev3/_test_repo (tef-oldev3)$ gcloud source repos clone gcp-policies --project=prj-b-cicd-fgbs Cloning into '/home/michael/tef-oldev3/_test_repo/gcp-policies'... warning: You appear to have cloned an empty repository. Project [prj-b-cicd-fgbs] repository [gcp-policies] was cloned to [/home/michael/tef-oldev3/_test_repo/gcp-policies].
odule.tf_source.google_project_iam_member.org_admins_source_repo_admin[0]: Creation complete after 8s [id=prj-b-cicd-fgbs/roles/source.admin/group:gcp-organization-admins3@obrienlabs.dev] google_sourcerepo_repository_iam_member.member["org"]: Creating... module.bootstrap_csr_repo.null_resource.run_command[0]: Creating... module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/dns.admin"]: Creating... module.bootstrap_csr_repo.null_resource.run_command[0]: Provisioning with 'local-exec'... module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): Executing: ["/bin/sh" "-c" "PATH=/google-cloud-sdk/bin:$PATH\n./scripts/push-to-repo.sh prj-b-cicd-fgbs tf-cloudbuilder ./Dockerfile\n"] google_sourcerepo_repository_iam_member.member["env"]: Creating... google_sourcerepo_repository_iam_member.member["net"]: Creating... google_sourcerepo_repository_iam_member.member["bootstrap"]: Creating... module.tf_cloud_builder.google_service_account.workflow_sa[0]: Creating... google_sourcerepo_repository_iam_member.member["proj"]: Creating... module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/artifactregistry.admin"]: Creating... module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/compute.networkAdmin"]: Creating... module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + '[' 3 -lt 3 ']' module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + CSR_PROJECT_ID=prj-b-cicd-fgbs module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + CSR_NAME=tf-cloudbuilder module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + DOCKERFILE_PATH=./Dockerfile module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): ++ mktemp -d module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + tmp_dir=/tmp/tmp.UPb5Ov3BbM module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + gcloud source repos clone tf-cloudbuilder /tmp/tmp.UPb5Ov3BbM --project prj-b-cicd-fgbs module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): Cloning into '/tmp/tmp.UPb5Ov3BbM'... module.tf_cloud_builder.google_service_account.workflow_sa[0]: Creation complete after 0s [id=projects/prj-b-cicd-fgbs/serviceAccounts/terraform-runner-workflow-sa@prj-b-cicd-fgbs.iam.gserviceaccount.com] module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/cloudscheduler.admin"]: Creating... module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): warning: You appear to have cloned an empty repository. module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): Project [prj-b-cicd-fgbs] repository [tf-cloudbuilder] was cloned to [/tmp/tmp.UPb5Ov3BbM]. module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + cp ./Dockerfile /tmp/tmp.UPb5Ov3BbM module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + pushd /tmp/tmp.UPb5Ov3BbM module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): /tmp/tmp.UPb5Ov3BbM ~/tef-oldev3/pbmm-on-gcp-onboarding/0-bootstrap module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git config credential.helper gcloud.sh module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git config init.defaultBranch main module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git config user.email terraform-robot@example.com module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git config user.name 'TF Robot' module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git checkout main module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): error: pathspec 'main' did not match any file(s) known to git module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git checkout -b main module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): Switched to a new branch 'main' module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git add Dockerfile module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git commit -m 'Initialize tf dockerfile repo' module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): [main (root-commit) c1c0f29] Initialize tf dockerfile repo module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): 1 file changed, 39 insertions(+) module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): create mode 100644 Dockerfile module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): + git push origin main -f google_sourcerepo_repository_iam_member.member["org"]: Creation complete after 4s [id=projects/prj-b-cicd-fgbs/repos/gcp-policies/roles/viewer/serviceAccount:sa-terraform-org@prj-b-seed-cf20.iam.gserviceaccount.com] module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/workflows.admin"]: Creating... module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): remote: Waiting for private key checker: 1/1 objects left module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): To https://source.developers.google.com/p/prj-b-cicd-fgbs/r/tf-cloudbuilder module.bootstrap_csr_repo.null_resource.run_command[0] (local-exec): * [new branch] main -> main module.bootstrap_csr_repo.null_resource.run_command[0]: Creation complete after 6s [id=5317162065932165996] module.cicd_project_iam_member["bootstrap"].google_project_iam_member.project_parent_iam["roles/iam.workloadIdentityPoolAdmin"]: Creating...