search

cyrilgdn / terraform-provider-postgresql

Terraform PostgreSQL provider
https://www.terraform.io/docs/providers/postgresql/
Mozilla Public License 2.0
393 stars 200 forks source link

postgresql provider with gcppostgres checks wrong project for sqladmin api #359

Open mhubig opened 1 year ago

mhubig commented 1 year ago

I'm using a GCP Service Account from project A to provision resources to project B.

I'm providing the GOOGLE_APPLICATION_CREDENTIALS environment variable to the google and postgresql providers for authentication.

Within the google provider config I can use the project and user_project_override parameters to instruct the provider to ignore the project of the service account. Unfortunately there are no such options for the postgresql provider while using the gcppostgres schema.

What happens now is the postgresql provider seems to check if the sqladmin.googleapis.com API is enabled for the origin project of the GCP Service Account, instead of checking the origin project of the CloudSQL database and I'm getting the following error:

googleapi: Error 403: Cloud SQL Admin API has not been used in project XXXX before or it is disabled. Enable
it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=XXXX
then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems
and retry.

If I'm enabling the Cloud SQL Admin API for the origin project of the Service account, the error goes away ...

Terraform Version

Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.21.0
+ provider registry.terraform.io/hashicorp/google-beta v4.83.0
+ provider registry.terraform.io/hashicorp/random v3.5.1

Affected Resource(s)

Terraform Configuration Files

terraform {
  backend "http" {
  }
  required_version = ">=1.0.0"
  required_providers {
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "4.83.0"
    }
    postgresql = {
      source  = "cyrilgdn/postgresql"
      version = "1.21.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.5.1"
    }
  }
}

provider "google-beta" {
  project               = var.project_id
  billing_project       = var.project_id
  user_project_override = true
}

provider "postgresql" {
  scheme   = "gcppostgres"
  host     = google_sql_database_instance.default.connection_name
  username = google_sql_user.postgres.name
  password = google_sql_user.postgres.password
  port     = 5432
}

...

resource "postgresql_grant" "all_to_postgres" {
  database    = google_sql_database.default.name
  role        = google_sql_user.postgres.name
  schema      = "public"
  object_type = "table"
  privileges  = ["DELETE", "INSERT", "REFERENCES", "SELECT", "TRIGGER", "TRUNCATE", "UPDATE"]
}
robertgmoss commented 3 months ago

@mhubig I'm hitting this too. Were you able to find a way to get this to work or a suitable workaround?