Recent changes on GCP seem like they will break the billing account link step for the seed project:
Error: Error setting billing account "123" for project "projects/foo": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the cloudbilling.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/., accessNotConfigured
Without the seed project we cannot create a service account to run Terraform with.
Also: if you don't set the billing account field on the google_project resource and then set it manually via gcloud, etc., re-running the google_project deployment will show a diff and unlink the billing account. This implies the google_project should also be created via gcloud.
Why does gcloud bypass this permission problem while Terraform doesn't? Can we document how to authenticate the same way gcloud does, or pass gcloud auth in to Terraform somehow?
The current alternative is to run https://cloud.google.com/sdk/gcloud/reference/beta/billing/projects/link