terraform-google-modules / terraform-example-foundation

Shows how the CFT modules can be composed to build a secure cloud foundation
https://cloud.google.com/architecture/security-foundations
Apache License 2.0

0-bootstrap: Error creating folder 'fldr-bootstrap' .. Error 403: Permission 'resourcemanager.folders.create' denied #745

Closed jacek-git closed 2 years ago

jacek-git commented 2 years ago

TL;DR

cannot create a folder using an account which has sufficient privileges (checked from the console), using the org admin and a dedicated terraform account - "reason": "IAM_PERMISSION_DENIED"

Expected behavior

as described in https://github.com/terraform-google-modules/terraform-example-foundation/tree/master/0-bootstrap "Bootstraps a Google Cloud organization, creating all the required resources and permissions to start using the Cloud Foundation Toolkit (CFT)"

Observed behavior

```text
google_folder.bootstrap: Creating...
╷
│ Error: Error creating folder 'fldr-bootstrap' in 'folders/820932490523': googleapi: Error 403: Permission 'resourcemanager.folders.create' denied on resource '//cloudresourcemanager.googleapis.com/folders/820932490523' (or it may not exist).
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "cloudresourcemanager.googleapis.com",
│     "metadata": {
│       "permission": "resourcemanager.folders.create",
│       "resource": "folders/820932490523"
│     },
│     "reason": "IAM_PERMISSION_DENIED"
│   }
│ ]
│ , forbidden
│
│   with google_folder.bootstrap,
│   on main.tf line 27, in resource "google_folder" "bootstrap":
│   27: resource "google_folder" "bootstrap" {
```

```text
C:\Windows\system32>gcloud auth list
Credentialed Accounts

ACTIVE: *
ACCOUNT: terraform@.com
```

Terraform Configuration

```hcl
/**
 * Copyright 2021 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

billing_account = "<removed>"
group_org_admins = "gcp-organization-admins@cloudblik.com"
group_billing_admins = "gcp-billing-admins@cloudblik.com"
default_region = "europe-central2"
org_id = "<removed>"
parent_folder = "820932490523"

// Optional - for an organization with existing projects or for development/validation.
// Uncomment this variable to place all the example foundation resources under
// the provided folder instead of the root organization.
// The variable value is the numeric folder ID
// The folder must already exist.

/* ----------------------------------------
    Specific to jenkins_bootstrap module
   ---------------------------------------- */
// Un-comment the jenkins_bootstrap module and its outputs if you want to use Jenkins instead of Cloud Build
//jenkins_agent_gce_subnetwork_cidr_range = "172.16.1.0/24"
//
//jenkins_agent_gce_private_ip_address = "172.16.1.6"
//
//jenkins_agent_gce_ssh_pub_key = "ssh-rsa [KEY_VALUE] [USERNAME]"
//
//jenkins_agent_sa_email = "jenkins-agent-gce" # service_account_prefix will be added
//
//jenkins_master_subnetwork_cidr_range = ["10.1.0.6/32"]
//
//nat_bgp_asn = "64514"
//
//vpn_shared_secret = "shared_secret"
//
//on_prem_vpn_public_ip_address = ""
//
//on_prem_vpn_public_ip_address2 = ""
//
//router_asn = "64515"
//
//bgp_peer_asn = "64513"
//
//tunnel0_bgp_peer_address = "169.254.1.1"
//
//tunnel0_bgp_session_range = "169.254.1.2/30"
//
//tunnel1_bgp_peer_address = "169.254.2.1"
//
//tunnel1_bgp_session_range = "169.254.2.2/30"
```

Terraform Version

```text
C:\Windows\system32>terraform version
Terraform v1.2.3
on windows_amd64
```

Additional information

Very beginning - probably the first step in 0-bootstrap; a friend of mine has the same issue.

jacek-git commented 2 years ago

Must try using a Linux machine.

jketcham commented 2 years ago

I also just ran into this, and realized that the role is noted as required in the readme for the bootstrap phase (step 5, last one): https://github.com/terraform-google-modules/terraform-example-foundation/tree/master/0-bootstrap#prerequisites

One thing I also noticed, unrelated to this error, is that I needed to add the roles/orgpolicy.policyAdmin role on the organization. That is not called out in the bootstrap readme (but it does link to the bootstrap module which mentions it).
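A pre-flight check for the situation described in this thread, added here as an example and not code from the issue or from terraform-example-foundation: it parses the `google.rpc.ErrorInfo` block Terraform printed above to get the denied permission, then tests whether a principal holds a role carrying that permission anywhere on the path from the organization down to the parent folder, which is where `parent_folder` makes the folder creation happen. The IAM policies and the `terraform@example.com` address are constructed placeholders (the real account is redacted in the issue); the role-to-permission table covers only the two predefined Resource Manager roles that grant `resourcemanager.folders.create`; group membership has to be passed in because a policy only names the group, and IAM conditions are ignored.

```python
import json
# Predefined roles that carry resourcemanager.folders.create (GCP IAM facts, not from the issue).
ROLE_PERMISSIONS = {
    "roles/resourcemanager.folderCreator": {"resourcemanager.folders.create"},
    "roles/resourcemanager.folderAdmin": {"resourcemanager.folders.create"},
}

# Constructed sample: the Details block Terraform printed in the issue, gutter included.
TERRAFORM_OUTPUT = """\
│ Error: Error creating folder 'fldr-bootstrap' in 'folders/820932490523': googleapi: Error 403
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "metadata": {
│       "permission": "resourcemanager.folders.create",
│       "resource": "folders/820932490523"
│     },
│     "reason": "IAM_PERMISSION_DENIED"
│   }
│ ]
│ , forbidden
"""

def parse_error_info(output):
    """Return (permission, resource) from the ErrorInfo entry, after stripping the gutter."""
    text = "\n".join(line.lstrip("│╷╵ ") for line in output.splitlines())
    start = text.index("[", text.index("Details:"))
    details, _ = json.JSONDecoder().raw_decode(text[start:])
    for entry in details:
        if entry.get("@type", "").endswith("google.rpc.ErrorInfo"):
            return entry["metadata"]["permission"], entry["metadata"]["resource"]
    raise ValueError("no ErrorInfo block in Terraform output")

def effective_roles(member, policies, groups=()):
    """Roles bound to `member` or one of its `groups` on any policy in `policies`
    (organization first, then the parent folder). Roles inherit down the hierarchy,
    so an org-level grant is effective on the folder. Conditions are ignored."""
    identities = {member} | {f"group:{g}" for g in groups}
    return {b["role"] for p in policies for b in p.get("bindings", [])
            if identities & set(b.get("members", []))}

def has_permission(member, permission, policies, groups=()):
    roles = effective_roles(member, policies, groups)
    return permission in set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))

# Constructed policies: org grants folderCreator only to the admins group from the tfvars.
SA = "serviceAccount:terraform@example.com"  # placeholder for the account redacted above
ORG_POLICY = {"bindings": [{"role": "roles/resourcemanager.folderCreator",
                            "members": ["group:gcp-organization-admins@cloudblik.com"]}]}
FOLDER_POLICY = {"bindings": [{"role": "roles/viewer", "members": [SA]}]}
```

Run against real output, feed `has_permission` the policies from `gcloud organizations get-iam-policy` and `gcloud resource-manager folders get-iam-policy` in JSON form; a `False` for the deploying account means the binding from step 5 of the 0-bootstrap prerequisites is missing on that path.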

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 7 days.