Module fails to run due to billing account IAM permissions

[evberrypi]

Hey team, I just tried to run this module and am not able to create a project. It fails when attaching a billing account to a project, prior to the project getting created.

Expected result:

• The module would create a project

Actual result:

• First, I get the error: Error: failed pre-requisites: failed to check permissions on billing account "billingAccounts/<redacted> \t": googleapi: Error 403: Cloud Billing API has not been used in project <redacted> before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudbilling.googleapis.com/overview?project=<redacted> then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured

This error is specifying that the service account where the service account key was created does not have the billing API enabled. Service accounts are not created at the org level, nor are their keys downloadable from the org level, so mine was downloaded from the project where I had previously ran Terraform. After enabling the API on this project I get the following: ` Error: failed pre-requisites: missing permission on "billingAccounts/": billing.resourceAssociations.create

on .terraform/modules/project-factory/terraform-google-project-factory-8.0.1/modules/core_project_factory/main.tf line 96, in resource "google_project" "main": 96: resource "google_project" "main" { This was surprising since the same service account hasbilling account userpermission at the org level and I had ranexport GOOGLE_APPLICATION_CREDENTIALS=/path/to/google.json` in my terminal beforehand

Steps to reproduce:

• At the org level, add the 'billing account user' role to the service account used to run this module.
• In the main.tf of a new terraform directory, add in the module call shown in the Usage section of the README for this repo, altering variables where needed (adding in the correct billing ID)
• Make sure you are logged into the right org doing 'gcloud auth list'
• export GOOGLE_APPLICATION_CREDENTIALS variable to the service account json key

[morgante]

Your billing account might not actually be attached to your org.

See this troubleshooting step: https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/docs/TROUBLESHOOTING.md#missing-rolesbillinguser-role

Please try grant Billing Account User directly on the billing account: https://cloud.google.com/billing/docs/how-to/billing-access#update-cloud-billing-permissions

[evberrypi]

The billing account was not attached to the org, just the IAM permission was added. Thanks, this fixed it.

[RyanJarv]

For anyone trying to figure out why projects are not being attached to a billing account, it appears if the billing ID is wrong (or you accidentally use the name, instead of the ID) it will silently fail. So basically a wrong billing account ID will create the project as normal, continue on, than fail on some other resource that requires the project to be linked to a billing account.

[BenJackGill]

Also for anyone else arriving here with a similar error, I am running Terraform locally and tried to re-auth using gcloud auth login but it wasn't working. Had to use gcloud auth application-default login instead and that fixed it.