terraform-google-modules / terraform-google-bootstrap

Bootstraps Terraform usage and related CI/CD in a new Google Cloud organization
https://registry.terraform.io/modules/terraform-google-modules/bootstrap/google
Apache License 2.0

Billing account link failure #8

Closed umairidris closed 4 years ago

umairidris commented 4 years ago

Recent changes on GCP seem like they will break the billing account link step for the seed project:

Error: Error setting billing account "123" for project "projects/foo": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the cloudbilling.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/., accessNotConfigured

Without the seed project we cannot create a service account to run Terraform with.

The current alternative is to run https://cloud.google.com/sdk/gcloud/reference/beta/billing/projects/link

Also: if you don't set the billing account field on the google_project resource and then set it manually via gcloud, etc., and you re-run the google_project deployment, it will show a diff and unlink the billing account. This implies the google_project should also be created via gcloud.

Why does gcloud bypass this permission problem while Terraform doesn't? Can we document how to auth the same way gcloud does, or pass gcloud auth in to Terraform somehow?

morgante commented 4 years ago

I believe this is an internal issue we should fix internally. See b/144947097
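
The 403 quoted in this issue separates end-user credentials from service-account credentials and names a quota project as one remedy. As an added example (not code from this issue or from the module), the check below classifies the contents of an Application Default Credentials JSON file before a Terraform run; it assumes the run picks up its credentials from such a file, and the labels, function names and sample files are constructed for illustration.

```python
import json

# "type" values written into Application Default Credentials (ADC) JSON files.
END_USER = "authorized_user"
SERVICE_IDENTITY = {"service_account", "impersonated_service_account", "external_account"}

def classify_adc(adc_json):
    """Return (label, detail) for the text of an ADC JSON file."""
    try:
        cred = json.loads(adc_json)
    except json.JSONDecodeError as exc:
        return "unreadable", "not valid JSON: " + exc.msg
    if not isinstance(cred, dict):
        return "unreadable", "top-level JSON value is not an object"
    ctype = cred.get("type")
    if ctype in SERVICE_IDENTITY:
        return "service-identity", ctype
    if ctype == END_USER:
        quota = cred.get("quota_project_id")
        if quota:
            return "end-user-with-quota-project", quota
        # The combination the 403 text on this page complains about:
        # a gcloud end-user login with no quota project attached.
        return "end-user-no-quota-project", "quota_project_id is not set"
    return "unknown-type", repr(ctype)

# Constructed sample files; every secret is a placeholder.
SAMPLES = {
    "user_login": '{"type": "authorized_user", "client_id": "PLACEHOLDER", '
                  '"client_secret": "PLACEHOLDER", "refresh_token": "PLACEHOLDER"}',
    "user_login_quota": '{"type": "authorized_user", "client_id": "PLACEHOLDER", '
                        '"refresh_token": "PLACEHOLDER", '
                        '"quota_project_id": "example-quota-project"}',
    "sa_key": '{"type": "service_account", "project_id": "example-seed", '
              '"client_email": "terraform@example-seed.iam.gserviceaccount.com"}',
    "truncated": '{"type": "authorized_user"',
}

def classify_samples():
    """Classify every constructed sample; returns {name: (label, detail)}."""
    return {name: classify_adc(text) for name, text in SAMPLES.items()}

if __name__ == "__main__":
    for name, (label, detail) in classify_samples().items():
        print(f"{name:18} {label:30} {detail}")
```

A CI job can fail fast on `end-user-no-quota-project` instead of surfacing the 403 partway through an apply.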