PaloAltoNetworks / terraform-provider-prismacloud

Terraform PrismaCloud provider
https://www.terraform.io/docs/providers/prismacloud/
Mozilla Public License 2.0

Example creating a Prisma cloud account for GCP #10

Closed nikki-kapil closed 3 years ago

nikki-kapil commented 3 years ago

Documentation link

Please provide an example inserting GCP Service account keys into resource prismacloud_cloud_account

Describe the problem

I am trying to create a Service Account on GCP and then insert its key into Prisma using this provider. Here is my code:

module "prisma_service_account" {
  source        = "terraform-google-modules/service-accounts/google"
  version       = "3.0.1"
  display_name  = "Prisma Service Account"
  description   = "SA with Prisma specific permissions"
  names         = [var.prisma_sa_name]
  project_id    = var.my_project_id
  generate_keys = true
}

resource "prismacloud_account_group" "prisma_account_group" {
    name = var.prisma_account_group_name
}

resource "prismacloud_cloud_account" "prismacloud_account" {
    gcp {
        name = var.prismacloud_account_name
        account_id = "serviceAccount:${module.prisma_service_account.email}"
        group_ids = [
            prismacloud_account_group.prisma_account_group.group_id
        ]
        credentials_json = module.prisma_service_account.key
    }
}

This is the error I get on running 'terraform apply':

Error: 400/https://api2.eu.prismacloud.io/cloud/gcp Error(msg:invalid_gcp_project_id severity:error subject:invalid_parameter_value)

  on library/organisation-bootstrap/main.tf line 188, in resource "prismacloud_cloud_account" "prismacloud_account":
 188: resource "prismacloud_cloud_account" "prismacloud_account" {

Suggested fix

What does the above error mean?

'terraform plan' seems to work fine but 'apply' fails. Could you please elaborate: which parameter value is invalid, what should it be, and which project ID is invalid?

ebeuerle commented 3 years ago

A 400 error typically means it's a duplicate - was this project already added to Prisma Cloud?

nikki-kapil commented 3 years ago

If I go to PrismaCloud > Inventory > Cloud Account - I don't see the project to which my GCP Service account belongs.

Could there be another cause to this error, like:

  1. Due to subject:invalid_parameter_value of the Json credentials? credentials_json = module.prisma_service_account.key
  2. Or could it be because at the point when the Prismacloud_cloud_account is being created, the GCP Service Account does not have any permissions/roles associated with it?

ebeuerle commented 3 years ago

I would suggest enabling logging so we can see what API is actually returning the error. Please post the results here.

nikki-kapil commented 3 years ago

DEBUG logs:

[WARN] Provider "registry.terraform.io/paloaltonetworks/prismacloud" produced an invalid plan for module.organisation_bootstrap.prismacloud_cloud_account.prismacloud_account, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .gcp[0].enabled: planned value cty.True does not match config value cty.NullVal(cty.Bool)
[DEBUG] EvalApply: ProviderMeta config value set
[DEBUG] module.organisation_bootstrap.prismacloud_cloud_account.prismacloud_account: applying the planned Create change
module.organisation_bootstrap.prismacloud_cloud_account.prismacloud_account: Creating...
2020-11-03T14:42:03.664Z [DEBUG] plugin.terraform-provider-prismacloud_v1.0.4: (create) gcp cloud account
[DEBUG] module.organisation_bootstrap.prismacloud_cloud_account.prismacloud_account: apply errored, but we're indicating that via the Error pointer rather than returning it: 400/https://api2.eu.prismacloud.io/cloud/gcp Error(msg:invalid_gcp_project_id severity:error subject:invalid_parameter_value)
[ERROR] eval: *terraform.EvalApplyPost, err: 400/https://api2.eu.prismacloud.io/cloud/gcp Error(msg:invalid_gcp_project_id severity:error subject:invalid_parameter_value)
[ERROR] eval: *terraform.EvalSequence, err: 400/https://api2.eu.prismacloud.io/cloud/gcp Error(msg:invalid_gcp_project_id severity:error subject:invalid_parameter_value)
 [DEBUG] plugin.terraform-provider-google_v3.44.0_x5: 2020/11/03 14:42:04 [DEBUG] Google API Response Details:
 [DEBUG] plugin.terraform-provider-google_v3.44.0_x5: ---[ RESPONSE ]--------------------------------------
 [DEBUG] plugin.terraform-provider-google_v3.44.0_x5: HTTP/1.1 200 OK
 [DEBUG] plugin.terraform-provider-google_v3.44.0_x5: Connection: close

ebeuerle commented 3 years ago

Oh I see the issue - you need to pass the project id in the account_id field and you are passing the service account instead. Give that a try!

nikki-kapil commented 3 years ago

Still no joy:

2020-11-05T09:22:44.935Z [DEBUG] plugin: plugin process exited: path=.terraform/plugins/registry.terraform.io/hashicorp/tfe/0.22.0/linux_amd64/terraform-provider-tfe_v0.22.0_x4 pid=1866
2020-11-05T09:22:44.935Z [DEBUG] plugin: plugin exited
2020/11/05 09:22:45 [WARN] Provider "registry.terraform.io/paloaltonetworks/prismacloud" produced an invalid plan for module.organisation_bootstrap.prismacloud_cloud_account.prismacloud_account, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .gcp[0].enabled: planned value cty.True does not match config value cty.NullVal(cty.Bool)
module.organisation_bootstrap.prismacloud_cloud_account.prismacloud_account: Creating...
2020/11/05 09:22:45 [DEBUG] EvalApply: ProviderMeta config value set
2020/11/05 09:22:45 [DEBUG] module.organisation_bootstrap.prismacloud_cloud_account.prismacloud_account: applying the planned Create change
2020-11-05T09:22:45.198Z [DEBUG] plugin.terraform-provider-prismacloud_v1.0.4: 2020/11/05 09:22:45 (create) gcp cloud account
2020/11/05 09:22:45 [DEBUG] module.organisation_bootstrap.prismacloud_cloud_account.prismacloud_account: apply errored, but we're indicating that via the Error pointer rather than returning it: 400/https://api2.eu.prismacloud.io/cloud/gcp Error(msg:invalid_gcp_project_id severity:error subject:invalid_parameter_value)
2020/11/05 09:22:45 [ERROR] eval: *terraform.EvalApplyPost, err: 400/https://api2.eu.prismacloud.io/cloud/gcp Error(msg:invalid_gcp_project_id severity:error subject:invalid_parameter_value)
2020/11/05 09:22:45 [ERROR] eval: *terraform.EvalSequence, err: 400/https://api2.eu.prismacloud.io/cloud/gcp Error(msg:invalid_gcp_project_id severity:error subject:invalid_parameter_value)

Error: Error running command 'PATH=/home/thomas_s_chalmers/organisation-setup/.terraform/modules/organisation_bootstrap.seed_project.project-factory.gcloud_delete/cache/1444d067/google-cloud-sdk/bin:$PATH
gcloud info
': exit status 127. Output: /bin/sh: 2: gcloud: not found
Error: 400/https://api2.eu.prismacloud.io/cloud/gcp Error(msg:invalid_gcp_project_id severity:error subject:invalid_parameter_value)

  on library/organisation-bootstrap/main.tf line 191, in resource "prismacloud_cloud_account" "prismacloud_account":
 191: resource "prismacloud_cloud_account" "prismacloud_account" {


2020-11-05T09:22:45.628Z [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2020-11-05T09:22:45.630Z [DEBUG] plugin: plugin process exited: path=.terraform/plugins/registry.terraform.io/hashicorp/null/2.1.2/linux_amd64/terraform-provider-null_v2.1.2_x4 pid=1834

ebeuerle commented 3 years ago

Are you setting logging for send and receive to true? I should see more output on the actual API calls being made...

nikki-kapil commented 3 years ago

I am running this on TerraformCloud and have set TF_LOG to DEBUG. Is that what you are talking about?

nikki-kapil commented 3 years ago

Is this the way to set logging you've asked for:

provider "prismacloud" {
    url           = var.prismaurl
    username      = var.prismauser
    password      = var.prismatoken
    customer_name = var.prismacustomername
    protocol      = "https"
    # Disables TLS certificate verification for the Prisma Cloud API;
    # acceptable only while debugging, not in a production pipeline.
    skip_ssl_cert_verification = true
    logging = {
        send    = "true"
        receive = "true"
    }
}

ebeuerle commented 3 years ago

Yes that looks correct.

nikki-kapil commented 3 years ago

That didn't affect the logging though. Could you provide an example of the resource prismacloud_cloud_account that is GCP specific?

ebeuerle commented 3 years ago

Looks like the GCP cloud API changed so the TF provider is currently broken for GCP. I will work to get that fixed.

ebeuerle commented 3 years ago

I fixed this so GCP should work correctly now. Syntax:

resource "prismacloud_cloud_account" "prismacloud_account" {
    gcp {
        account_id       = "carbide-buckeye-239422"
        enabled          = true
        group_ids        = ["e6e0e0a9-9749-4c72-9819-86a92ec83489"]
        name             = "Eddie test"
        credentials_json = file("cred.json")
    }
}

nikki-kapil commented 3 years ago

Thanks Eddie. So the good news is that using v1.0.5 of the provider did create an account for me in Prisma (at project level). But I wanted to create the account at 'organisation level' rather than 'project level'. Can you provide the syntax to create an org level account too please?

ebeuerle commented 3 years ago

Unfortunately, the TF provider doesn't support Orgs for AWS or GCP as of yet. It's on the list to get done in the near future.

ebeuerle commented 3 years ago

BTW I did figure out why logging wasn't working - it needs to be added via json_config_file = "config.json". If you add the logging section to that config.json, and then call using TF_LOG, then it should output correctly.
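
Putting the fixed project-level syntax from the comment above (account_id is the GCP project ID, not the service account) together with the json_config_file logging hint, here is an added end-to-end example. It is not code from the original issue or from the provider's documentation. The variable names, the service account ID, the path and contents of config.json and the roles/viewer binding are assumptions for illustration; the key is generated with the google provider's google_service_account_key resource (whose private_key attribute is base64-encoded, hence the base64decode) instead of the service-accounts module used in the original post.

```hcl
# Added example, not from the original issue or the provider's own docs.
# Onboards one GCP project into Prisma Cloud, generating the service account
# key in the same run. Names and the IAM role below are illustrative.

variable "gcp_project_id" {
  type        = string
  description = "GCP project to onboard; this value goes into account_id."
}

variable "prisma_group_name" {
  type    = string
  default = "gcp-example-group"
}

provider "google" {
  project = var.gcp_project_id
}

# Provider settings are read from config.json so the logging section is
# honoured. Assumed contents of that file; the keys mirror the arguments of
# the provider block:
#
#   {
#     "url": "api2.eu.prismacloud.io",
#     "username": "<access key id>",
#     "password": "<secret key>",
#     "customer_name": "<tenant name>",
#     "skip_ssl_cert_verification": false,
#     "logging": { "send": true, "receive": true }
#   }
#
# The file holds API credentials: keep it out of version control.
provider "prismacloud" {
  json_config_file = "config.json"
}

# Service account Prisma Cloud will use to read the project.
resource "google_service_account" "prisma" {
  account_id   = "prisma-cloud-reader"
  display_name = "Prisma Cloud Service Account"
}

# Placeholder read-only binding; replace with the roles Prisma Cloud
# documents for GCP onboarding.
resource "google_project_iam_member" "prisma_viewer" {
  project = var.gcp_project_id
  role    = "roles/viewer"
  member  = "serviceAccount:${google_service_account.prisma.email}"
}

# private_key is returned base64-encoded; Prisma Cloud wants the raw JSON key.
resource "google_service_account_key" "prisma" {
  service_account_id = google_service_account.prisma.name
}

resource "prismacloud_account_group" "gcp" {
  name = var.prisma_group_name
}

resource "prismacloud_cloud_account" "gcp_project" {
  gcp {
    name             = "gcp-${var.gcp_project_id}"
    account_id       = var.gcp_project_id # project ID, not "serviceAccount:<email>"
    enabled          = true               # set explicitly; the plan warning above comes from leaving it null
    group_ids        = [prismacloud_account_group.gcp.group_id]
    credentials_json = base64decode(google_service_account_key.prisma.private_key)
  }

  # Make sure the role binding exists before Prisma Cloud validates the key.
  depends_on = [google_project_iam_member.prisma_viewer]
}
```

Two caveats worth knowing before running this. google_service_account_key stores the private key in Terraform state, so the state backend needs encryption and tight access control, and the key should be rotated by tainting or replacing that resource rather than by downloading a new key by hand. Second, skip_ssl_cert_verification is set to false in the assumed config.json on purpose; the true value used earlier in this thread disables certificate validation for the API session that carries your Prisma Cloud credentials.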

nikki-kapil commented 3 years ago

> Unfortunately, the TF provider doesn't support Orgs for AWS or GCP as of yet. It's on the list to get done in the near future.

Can I vote for this feature somewhere? Also, any idea on its ETA?

nikki-kapil commented 3 years ago

Also, if not already done could you update the docs here https://registry.terraform.io/providers/PaloAltoNetworks/prismacloud/latest/docs/resources/cloud_account to say that the TF provider doesn't support Orgs for AWS or GCP as of yet.

ebeuerle commented 3 years ago

Yes, if you have access to the Prisma Cloud UI, you can click on the question mark icon in bottom right, then click on Product and Submit a request for filing a feature request. Hopefully, it can be added by EOY. I am planning to update the docs today for the new options I added yesterday and I will put in a note regarding AWS/GCP orgs.

ebeuerle commented 3 years ago

Closing out since issue is now fixed.