Closed akirichenko1711 closed 3 months ago
TL;DR
Unable to impersonate the SA for the setup of the shared networking part, in step 3.15 Dual-SVPC.
Run init and plan and review output for environment shared:
./tf-wrapper.sh init shared
./tf-wrapper.sh plan shared
Expected behavior
Successfully completed part 3.15, tf-wrapper.sh plan
Observed behavior
Failed with 403, access denied on SA getAccessToken. log.txt
Terraform Configuration
```hcl
module "seed_bootstrap" {
  source  = "terraform-google-modules/bootstrap/google"
  version = "~> 6.3"

  org_id                         = var.org_id
  folder_id                      = google_folder.bootstrap.id
  project_id                     = "${var.project_prefix}-b-seed"
  state_bucket_name              = "${var.bucket_prefix}-${var.project_prefix}-b-seed-tfstate"
  force_destroy                  = var.bucket_force_destroy
  billing_account                = var.billing_account
  group_org_admins               = local.group_org_admins
  group_billing_admins           = local.group_billing_admins
  default_region                 = var.default_region
  org_project_creators           = local.org_project_creators
  sa_enable_impersonation        = true
  create_terraform_sa            = false
  parent_folder                  = var.parent_folder == "" ? "" : local.parent
  org_admins_org_iam_permissions = local.org_admins_org_iam_permissions
  project_prefix                 = var.project_prefix
  encrypt_gcs_bucket_tfstate     = true
  key_rotation_period            = "7776000s"
  kms_prevent_destroy            = !var.bucket_tfstate_kms_force_destroy

  project_labels = {
    environment       = "bootstrap"
    application_name  = "seed-bootstrap"
    billing_code      = "1234"
    primary_contact   = "example1"
    secondary_contact = "example2"
    business_code     = "abcd"
    env_code          = "b"
  }

  activate_apis = [
    "serviceusage.googleapis.com",
    "servicenetworking.googleapis.com",
    "cloudkms.googleapis.com",
    "compute.googleapis.com",
    "logging.googleapis.com",
    "bigquery.googleapis.com",
    "cloudresourcemanager.googleapis.com",
    "cloudbilling.googleapis.com",
    "cloudbuild.googleapis.com",
    "iam.googleapis.com",
    "admin.googleapis.com",
    "appengine.googleapis.com",
    "storage-api.googleapis.com",
    "monitoring.googleapis.com",
    "pubsub.googleapis.com",
    "securitycenter.googleapis.com",
    "accesscontextmanager.googleapis.com",
    "billingbudgets.googleapis.com",
    "essentialcontacts.googleapis.com",
    "assuredworkloads.googleapis.com",
    "cloudasset.googleapis.com"
  ]

  sa_org_iam_permissions = []
}
```
Terraform Version
v1.6.0
Additional information
We use Terraform Cloud as the state container. The steps were executed under a user that is part of gcp-organization-admins. We also noticed that step 3 is missing information about which GCS bucket to get the state from for local execution before copying to Terraform Cloud.
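A 403 on `getAccessToken` means the calling principal holds no role on the service-account resource that carries the `iam.serviceAccounts.getAccessToken` permission (normally `roles/iam.serviceAccountTokenCreator`). The script below is an added diagnostic, not code from this issue or from terraform-example-foundation: it reads a policy in the shape returned by `gcloud iam service-accounts get-iam-policy <SA> --format=json` and reports whether a given caller, or one of the groups the caller belongs to, can mint tokens. The policy, principal names and etag are constructed sample values; the set of token-minting roles is an assumption (a custom role could also carry the permission), and group membership is not resolvable from the policy alone, so the caller's groups are passed in explicitly.

```python
import json

# Roles on the service-account resource that allow calling
# iam.serviceAccounts.getAccessToken. Assumption: illustrative, not exhaustive.
TOKEN_MINTING_ROLES = {"roles/iam.serviceAccountTokenCreator", "roles/owner"}

# Constructed sample policy (not from the issue) in the shape of
# `gcloud iam service-accounts get-iam-policy <SA> --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": ["group:gcp-organization-admins@example.com"]
    },
    {
      "role": "roles/iam.serviceAccountUser",
      "members": ["user:alice@example.com"]
    },
    {
      "role": "roles/iam.serviceAccountTokenCreator",
      "members": ["serviceAccount:cb@example.iam.gserviceaccount.com"],
      "condition": {
        "title": "expires",
        "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"
      }
    }
  ],
  "etag": "PLACEHOLDER_ETAG",
  "version": 3
}
"""


def token_minters(policy_json: str) -> dict:
    """Map each member holding a token-minting role to the roles granting it.

    Conditional bindings are kept apart: whether they apply depends on the
    request, so they are never reported as an unconditional grant."""
    policy = json.loads(policy_json)
    unconditional, conditional = {}, {}
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in TOKEN_MINTING_ROLES:
            continue
        bucket = conditional if "condition" in binding else unconditional
        for member in binding.get("members", []):
            bucket.setdefault(member, set()).add(role)
    return {"unconditional": unconditional, "conditional": conditional}


def diagnose(policy_json: str, caller: str, caller_groups=()) -> str:
    """Explain whether `caller` (IAM member syntax, e.g. user:...) can mint
    tokens for the SA whose policy is given. `caller_groups` lists the
    group:... members the caller belongs to (assumption: obtained from a
    directory lookup, since the policy does not expand groups)."""
    minters = token_minters(policy_json)
    principals = [caller, *caller_groups]
    for p in principals:
        if p in minters["unconditional"]:
            roles = ", ".join(sorted(minters["unconditional"][p]))
            return f"ok: {p} may mint tokens via {roles}"
    for p in principals:
        if p in minters["conditional"]:
            return f"conditional: {p} holds a token-minting role only while its condition holds"
    # Common trap: roles/iam.serviceAccountUser lets a principal attach the SA
    # to resources but not mint tokens for it, so getAccessToken still returns 403.
    return f"denied: none of {principals} hold a token-minting role on the SA; expect 403 on getAccessToken"


if __name__ == "__main__":
    print(diagnose(SAMPLE_POLICY_JSON, "user:alice@example.com"))
    print(diagnose(SAMPLE_POLICY_JSON, "user:alice@example.com",
                   ["group:gcp-organization-admins@example.com"]))
```

Run with a real policy by piping the `gcloud ... get-iam-policy --format=json` output into `diagnose` together with the caller's principal and groups; a "denied" verdict for a user who is supposed to be in the admin group points at group membership or at the binding the bootstrap module was expected to create, rather than at the wrapper script.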
This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.