Open lpezet opened 1 month ago
In the Observed Behavior section, the same error shows up for every resource type under Debug logs, which makes me suspect that Auth is misconfigured. I'm not able to reproduce it in our CI pipelines, which successfully pass the plan and validate stages from tf-wrapper.sh.
Is this a persistent blocker, or transient?
The sa-terraform-org@prj-b-seed-xxxx.iam.gserviceaccount.com service account should have these roles in the Organization:
The role Browser has the two permissions needed to access the project.
Could you please check if the Service Account has the correct roles?
@eeaton It's a persistent blocker.
@daniel-cit My sa-terraform-org@prj-b-seed-xxxx.iam.gserviceaccount.com has those roles (and even an extra one: Storage Object Admin).
I'll destroy everything and start from scratch (once quota issue resolved). Thanks for the help!
Hi all, I think I may be able to shed some light on the problem here.
I've just had almost the exact same thing happen while adding a new project in this stage, and after a few hours of banging my head against it I managed to resolve it.
The issue occurred for me when there had been a previously failed apply (I ran out of Project Quota). I was using the project-factory module with the random_project_id setting enabled. In the first apply, it managed to create only the module.my_new_project.module.project-factory.random_id.random_project_id_suffix and module.my_new_project.module.project-factory.random_string.random_project_id_suffix[0] resources, and then failed due to the quota issue when attempting to create the project itself.
After getting the quota expanded I attempted to re-run the GitHub pipeline and received this same type of error, directed at the module.my_new_project.module.project-factory.google_service_account.default_service_account[0] resource. No amount of validating and/or increasing permissions made any difference.
Eventually I noticed that the random_id/random_string resources had been created and stored in the state file, and because of that Terraform now knew the final name of the project. On a hunch I ran terraform destroy -target module.my_new_project to remove only the two created resources. After that I was able to run a full plan/validate/apply cycle with no further issues.
Hopefully this detail will aid in finding the root cause! 🤞
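As an added example (not code from any participant in this thread or from the project), the following shell script turns the check described in the comment above into a pre-flight step for a pipeline: it reads a `terraform state list` listing, flags project-factory instances whose random project-id suffix is in state but whose project resource is not, and prints the matching targeted destroy command without executing it. It assumes the project resource inside the project-factory module is named google_project.main and uses a constructed state listing in place of real output.

```shell
#!/usr/bin/env sh
# Constructed sample of `terraform state list` output after a failed apply:
# my_new_project has its random suffix resources but no project, while
# existing_project was created fully.
SAMPLE_STATE_LIST='module.my_new_project.module.project-factory.random_id.random_project_id_suffix
module.my_new_project.module.project-factory.random_string.random_project_id_suffix[0]
module.existing_project.module.project-factory.random_id.random_project_id_suffix
module.existing_project.module.project-factory.google_project.main
module.existing_project.module.project-factory.google_service_account.default_service_account[0]'

# Print the address prefix of every project-factory instance whose
# random_id.random_project_id_suffix is in state but whose google_project.main
# (assumed resource name of the project inside the module) is missing.
find_orphaned_suffixes() {
  state_list="$1"
  suffixes=$(printf '%s\n' "$state_list" \
    | grep -E '\.random_id\.random_project_id_suffix$' \
    | sed -E 's/\.random_id\.random_project_id_suffix$//')
  projects=$(printf '%s\n' "$state_list" \
    | grep -E '\.google_project\.main$' \
    | sed -E 's/\.google_project\.main$//')
  printf '%s\n' "$suffixes" | while IFS= read -r prefix; do
    [ -n "$prefix" ] || continue
    if ! printf '%s\n' "$projects" | grep -qxF -- "$prefix"; then
      printf '%s\n' "$prefix"
    fi
  done
}

# For each orphaned instance, emit the targeted destroy the comment above used,
# aimed at the wrapping module (the ".module.project-factory" tail is dropped).
# Nothing is executed here; the operator reviews and runs the output.
suggest_cleanup() {
  find_orphaned_suffixes "$1" | while IFS= read -r prefix; do
    printf 'terraform destroy -target %s\n' "${prefix%.module.project-factory}"
  done
}

# Real usage would pipe live state: suggest_cleanup "$(terraform state list)"
main() {
  suggest_cleanup "$SAMPLE_STATE_LIST"
}
```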
TL;DR
When running ./tf-wrapper.sh plan_validate_all as part of the GitHub tf-pull-request after creating a PR, the following error is raised:
Expected behavior
No errors
Observed behavior
Command and full output (loosely obfuscated):
Terraform Configuration
Terraform Version
Additional information
As mentioned in the link provided by the error message (https://cloud.google.com/docs/terraform/policy-validation/troubleshooting#ProjectCallerForbidden), I added --verbosity=debug to find the identity used during the gcloud beta terraform vet call in the tf-wrapper.sh script. Problem is that GitHub will obfuscate that kind of thing and I end up with:
I then ran (what I believe is) the same gcloud beta terraform vet command using the sa-terraform-org@prof-b-seed-xxxx.iam.gserviceaccount.com but I get the same error.
I noticed 2 (much) earlier issues somewhat related to this permission issue: #620 and #546