I understand there is a difference between a service account and a service agent for different services such as composer.
How do you enable a service agent via terraform?
What I'm trying to do is this :
# TODO : Maybe enable this service agent somehow via gcloud? It got enabled when trying to manually create the composer env from the console
# Step 4 (Src2) - Host project GKE service account: service-<some-numeric-id>#container-engine-robot.iam.gserviceaccount.com
# Need 'container.serviceAgent' in the host project
resource "google_project_iam_member" "dev-omni-orch-gke-project-lvl-roles-t2" {
provider = google.as_super_admin
for_each = toset([
"roles/container.serviceAgent",
])
role = each.value
member = "serviceAccount:service-<some-numeric-id>#container-engine-robot.iam.gserviceaccount.com"
# member = "serviceAccount:service-${google_project.main-shared-vpc-host.number}#container-engine-robot.iam.gserviceaccount.com"
# project = google_project.dev-main-code-base.project_id
project = google_project.main-shared-vpc-host.project_id
}
I get
Request `Create IAM Members roles/container.serviceAgent serviceAccount:service-<some-numeric-id>#container-engine-robot.iam.gserviceaccount.com for project "<shared-vpc-host-project-id>"` returned error: Batch request and retried single request "Create IAM Members roles/container.serviceAgent serviceAccount:service-<some-numeric-id>#container-engine-robot.iam.gserviceaccount.com for project \"<shared-vpc-host-project-id>\"" both failed. Final error: Error applying IAM policy for project "<shared-vpc-host-project-id>": Error setting IAM policy for project "<shared-vpc-host-project-id>": googleapi: Error 400: Service account service-<some-numeric-id>#container-engine-robot.iam.gserviceaccount.com does not exist., badRequest
But when I try to do it via the console manually, there is a prompt that asks me if I want to enable this service agent, which I do, but I want to be able to do this on terraform.
The said prompt :
The service-[PROJECT_ID]#cloudcomposer-accounts.iam.gserviceaccount.com service agent will only exist after the Cloud Composer API has been enabled.
This can be done in Terraform using the google_project_service resource, for example:
resource "google_project_service" "project" {
project = "your-project-id"
service = "composer.googleapis.com"
}
Once the API has been enabled, the service agent should exist and you should be able to grant it the required permissions.
Related
I'd like to create the following resource via Terraform:
resource "google_storage_bucket" "tf_state_bucket" {
name = var.bucket-name
location = "EUROPE-WEST3"
storage_class = "STANDARD"
versioning {
enabled = true
}
force_destroy = false
public_access_prevention = "enforced"
}
Unfortunately, during the execution of terraform apply, I got the following error:
googleapi: Error 403: X#gmail.com does not have storage.buckets.create access to the Google Cloud project. Permission 'storage.buckets.create' denied on resource (or it may not exist)., forbidden
Here's the list of things I tried and checked:
Verified that Google Cloud Storage (JSON) API is enabled on my project.
Checked the IAM roles and permissions: X#gmail.com has the Owner and the Storage Admin roles.
I can create a bucket manually via the Google Console.
Terraform is generally authorised to create resources, for example, I can create a VM using it.
What else can be done to authenticate Terraform to create Google Storage Buckets?
I think you run the Terraform code in a Shell session from your local machine and use an User identity instead of a Service Account identity.
In this case to solve your issue from your local machine :
Create a Service Account in GCP IAM console for Terraform with Storage Admin roles role.
Download a Service Account token key from IAM.
Set the GOOGLE_APPLICATION_CREDENTIALS env var in your Shell session to the Service Account token key file path.
If you run your Terraform code in other place, you need to check if Terraform is correctly authenticated to GCP.
The use of a token key is not recommended because it's not the more secure way, that's why it is better to launch Terraform from a CI tool like Cloud Build instead of launch it from your local machine.
From Cloud Build no need to download and set a token key.
I'm working on a Terraform project in which I setup several Azure resources.
One of these Azure resources is a service principal (linked to an app registration) which I use to deploy my Terraform code in a CI/CD pipeline via Github actions.
When developing locally, I use az login to authenticate, but occasionally I'm receiving an error for the Terraform app service principal. Most of the times, when I re-run terraform apply the error is not raised. Sometimes the error persists for several terraform apply calls.
Error: Retrieving Application with object ID "fe2b93b7-e26c-402c-ab4f-87e3695c1f45" with module.app_registrations.azuread_application.terraform_app on ../modules/app_registrations/terraform.tf line 56, in resource "azuread_application" "terraform_app": 56: resource "azuread_application" "terraform_app" { ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/beta/b859b851-97d8-4dc2-bf56-f2a5bc5c494b/applications/fe2b93b7-e26c-402c-ab4f-87e3695c1f45": http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a nil *Response with a nil error
I'm having a hard time to understand why I'm able to generate this service principal using my user credentials via Terraform, but am receiving this retrieval error when refreshing the state of the same service principal. When I'm deploying the Terraform code via Github Actions, which uses the service principal to authenticate, this retrieval error is never raised.
Anyone can point me in the right direction?
I've already added the Application administrator role to my user credentials and added the Application.ReadWrite.All role to the Terraform service principal. Above error when refreshing the state using user credentials via az login persists.
I am trying to create a service account using terraform and I also want to apply multiple permissions to that account using terraform.
# create artifact register
resource "google_artifact_registry_repository" "yacht-away" {
provider = google-beta
location = "asia-south1"
repository_id = "yacht-away"
description = "yacht-away docker repository with iam"
format = "DOCKER"
}
# create service account
resource "google_service_account" "yacht-away-service-acc" {
provider = google-beta
account_id = "yacht-away-service-ac"
display_name = "Yacht Away Service Account"
}
However, I constantly see this error. I have verified the value of location everywhere it is the same as mentioned above. So probably that is not the issue. The service account being used by the terraform has project editor access and I have also tried after providing it owner access.
Error: Error when reading or editing Resource "artifactregistry repository \"projects/dhb-222614/locations/asia-south1/repositories/yacht-away\"" with IAM Member: Role "roles/artifactregistry.reader" Member "serviceAccount:yacht-away-service-ac#dhb-222614.iam.gserviceaccount.com": Error retrieving IAM policy for artifactregistry repository "projects/dhb-222614/locations/asia-south1/repositories/yacht-away": googleapi: Error 403: The caller does not have permission
So I don't understand where am I going wrong.
I am trying to provision some IBM Watson Assistant services using the terraform provider for IBM.
I am currently using the ibm_service_instance along with ibm_service_key resources from the IBM provider.
The relevant piece of terraform code can be found below.
# create service
resource "ibm_service_instance" "wa_test_service_instance_name" {
count = var.wa_template_service_counter
name = "Test-${var.wa_test_service_instance_name}-${var.app_name}-${count.index + 1}"
space_guid = var.space_guid
service = var.service_offering
plan = var.plan
}
# create credentials
resource "ibm_service_key" "wa_test_service_key" {
count = var.wa_template_service_counter
name = var.service_key_name
service_instance_guid = ibm_service_instance.wa_test_service_instance_name[count.index].id
depends_on = [ibm_service_instance.wa_test_service_instance_name]
}
The service instance is created successfully along with the credentials and the CF alias. The problem is that for the CF alias, the created credentials are not having iam_role_crn manager which is the required setup in my configuration.
If I manually add the credentials from IBM cloud dashboard for the CF alias, they are created with the iam_role_crn Manager. Also, the resource instance for which is this alias has in its credentials iam_role_crn = Manager.
I could not find a way of specifying such a parameter when the ibm_service_key or ibm_service_instance gets created.
https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/service_key
Is there a way to create the credentials for the alias of the service with this parameter iam_role_crn setup as Manager or is there a work-around to achieve this?
I have a use-case where I need to enable cloud build access on GKE but I did not found a terraform resource to do that, also not found gcloud CLI command to do the same.
Yes, you can do this in Terraform by creating a google_project_iam_member for the Cloud Build service account that's created by default when you enable the Cloud Build API. For example:
resource "google_project_iam_member" "cloudbuild_kubernetes_policy" {
project = var.project_id
role = "roles/container.developer"
member = "serviceAccount:${var.project_number}#cloudbuild.gserviceaccount.com"
}
The value declared in the role attribute/key corresponds to a role in the console user interface (an image of which you have included above).