Terraform google 'compute.subnetworks.use' permission issue - terraform

I am trying to create an instance inside Google Cloud using Terraform and continue to run into a 'compute.subnetworks.use' permission error whenever I apply. The segment of code in question is below:
network_interface {
  subnetwork_project = "hp-cof-st-core-sbx-dev"
  subnetwork         = "net-cof-st-core-sbx-dev-entfacing-ue4-1"
}
I want to create an instance using a subnet through the "network shared with me" setting. An example of how it is configured through the portal is given below:
[Image: Configuration within the google portal]
Whenever I attempt to configure this within Terraform I am given the following message:
Error: Error applying plan:
1 error(s) occurred:
google_compute_instance.default: 1 error(s) occurred:
google_compute_instance.default: Error creating instance: googleapi: Error 403: Required 'compute.subnetworks.use' permission for 'projects/hp-cof-st-core-sbx-dev/regions/us-east4-a/subnetworks/net-cof-st-core-sbx-dev-entfacing-ue4-1', forbidden

The service account you are using to create the instance must have the editor or admin role to create an instance. You can update this by going to the IAM and Admin menu and changing the role to Editor or Admin.
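As an added example (not from the question or the answer above), a least-privilege alternative to Editor/Admin for the Shared VPC case: the identity that runs terraform apply gets roles/compute.networkUser on just that one subnet in the host project, which is the role that carries compute.subnetworks.use. Assumed: the deployer service account email is supplied in var.deployer_sa_email, and the instance lives in zone us-east4-a (note that the error path shows regions/us-east4-a, a zone name where a region belongs; subnets are regional, so the region is us-east4).

```hcl
variable "deployer_sa_email" {
  description = "Assumed: the identity that runs terraform apply and creates the instance"
  type        = string
}

# Grant compute.subnetworks.use (via roles/compute.networkUser) on the single
# shared subnet in the host project, instead of a project-wide Editor/Admin role.
resource "google_compute_subnetwork_iam_member" "shared_subnet_user" {
  project    = "hp-cof-st-core-sbx-dev"                  # Shared VPC host project
  region     = "us-east4"                                # subnets are regional
  subnetwork = "net-cof-st-core-sbx-dev-entfacing-ue4-1"
  role       = "roles/compute.networkUser"
  member     = "serviceAccount:${var.deployer_sa_email}"
}

resource "google_compute_instance" "default" {
  name         = "example-vm"   # assumed name
  machine_type = "e2-medium"    # assumed size
  zone         = "us-east4-a"   # a zone; the provider derives the subnet region from it

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"   # assumed image
    }
  }

  network_interface {
    subnetwork_project = "hp-cof-st-core-sbx-dev"
    subnetwork         = "net-cof-st-core-sbx-dev-entfacing-ue4-1"
  }

  # Ensure the binding exists before the instance create call is issued;
  # IAM changes can still take a short time to propagate.
  depends_on = [google_compute_subnetwork_iam_member.shared_subnet_user]
}
```

The service project must already be attached to the host project's Shared VPC for the subnet to be usable at all.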

Related

Can't change instance network using terraform in gcp

I have a couple of unmanaged compute instances belonging to an instance group. I created them using Terraform and when I tried to modify the instances' networks (put them into another VPC) I got this error:
Error: Error updating network interface: googleapi: Error 400: The instance resource 'projects/my-varan-project/zones/europe-west1-b/instances/test-vm-1' is already being used by 'projects/my-varan-project/zones/europe-west1-b/instanceGroups/test-ig-1', resourceInUseByAnotherResource
Any thoughts?

Azure Service Principal - Terraform - Error when refreshing state

I'm working on a Terraform project in which I set up several Azure resources.
One of these Azure resources is a service principal (linked to an app registration) which I use to deploy my Terraform code in a CI/CD pipeline via GitHub Actions.
When developing locally, I use az login to authenticate, but occasionally I'm receiving an error for the Terraform app service principal. Most of the time, when I re-run terraform apply, the error is not raised. Sometimes the error persists for several terraform apply calls.
Error: Retrieving Application with object ID "fe2b93b7-e26c-402c-ab4f-87e3695c1f45" with module.app_registrations.azuread_application.terraform_app on ../modules/app_registrations/terraform.tf line 56, in resource "azuread_application" "terraform_app": 56: resource "azuread_application" "terraform_app" { ApplicationsClient.BaseClient.Get(): Get "https://graph.microsoft.com/beta/b859b851-97d8-4dc2-bf56-f2a5bc5c494b/applications/fe2b93b7-e26c-402c-ab4f-87e3695c1f45": http: RoundTripper implementation (*retryablehttp.RoundTripper) returned a nil *Response with a nil error
I'm having a hard time understanding why I'm able to generate this service principal using my user credentials via Terraform, but am receiving this retrieval error when refreshing the state of the same service principal. When I'm deploying the Terraform code via GitHub Actions, which uses the service principal to authenticate, this retrieval error is never raised.
Can anyone point me in the right direction?
I've already added the Application Administrator role to my user credentials and added the Application.ReadWrite.All role to the Terraform service principal. The above error when refreshing the state using user credentials via az login persists.

How to enable GCP service agent account via Terraform?

I understand there is a difference between a service account and a service agent for different services such as Composer.
How do you enable a service agent via Terraform?
What I'm trying to do is this:
# TODO: Maybe enable this service agent somehow via gcloud? It got enabled when trying to manually create the composer env from the console
# Step 4 (Src2) - Host project GKE service account: service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com
# Need 'container.serviceAgent' in the host project
resource "google_project_iam_member" "dev-omni-orch-gke-project-lvl-roles-t2" {
  provider = google.as_super_admin
  for_each = toset([
    "roles/container.serviceAgent",
  ])
  role   = each.value
  member = "serviceAccount:service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com"
  # member = "serviceAccount:service-${google_project.main-shared-vpc-host.number}@container-engine-robot.iam.gserviceaccount.com"
  # project = google_project.dev-main-code-base.project_id
  project = google_project.main-shared-vpc-host.project_id
}
I get:
Request `Create IAM Members roles/container.serviceAgent serviceAccount:service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com for project "<shared-vpc-host-project-id>"` returned error: Batch request and retried single request "Create IAM Members roles/container.serviceAgent serviceAccount:service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com for project \"<shared-vpc-host-project-id>\"" both failed. Final error: Error applying IAM policy for project "<shared-vpc-host-project-id>": Error setting IAM policy for project "<shared-vpc-host-project-id>": googleapi: Error 400: Service account service-<some-numeric-id>@container-engine-robot.iam.gserviceaccount.com does not exist., badRequest
But when I try to do it via the console manually, there is a prompt that asks me if I want to enable this service agent, which I do, but I want to be able to do this in Terraform.
The said prompt:
The service-[PROJECT_ID]@cloudcomposer-accounts.iam.gserviceaccount.com service agent will only exist after the Cloud Composer API has been enabled.
This can be done in Terraform using the google_project_service resource, for example:
resource "google_project_service" "project" {
  project = "your-project-id"
  service = "composer.googleapis.com"
}
Once the API has been enabled, the service agent should exist and you should be able to grant it the required permissions.
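An added example that is not part of the answer above, applied to the GKE service agent from the question: enable the API in the host project, force the service agent into existence with google_project_service_identity (google-beta provider) instead of waiting for a first cluster create or a console prompt, and only then bind roles/container.serviceAgent. It assumes the question's provider alias google.as_super_admin, a google-beta alias of the same name, and the google_project.main-shared-vpc-host resource.

```hcl
# Step 1: enable the API. The service agent is created lazily after this,
# which is why the question's binding failed with "does not exist".
resource "google_project_service" "gke_host" {
  provider           = google.as_super_admin
  project            = google_project.main-shared-vpc-host.project_id
  service            = "container.googleapis.com"
  disable_on_destroy = false   # don't tear the API down on destroy
}

# Step 2: ask Service Usage to materialise the service agent now (google-beta only).
resource "google_project_service_identity" "gke_agent" {
  provider   = google-beta.as_super_admin   # assumed alias on the beta provider
  project    = google_project.main-shared-vpc-host.project_id
  service    = "container.googleapis.com"
  depends_on = [google_project_service.gke_host]
}

# Step 3: bind the role. The member is built from the project number, as in the
# question's commented-out line, so no address has to be hand-typed.
resource "google_project_iam_member" "gke_service_agent" {
  provider = google.as_super_admin
  project  = google_project.main-shared-vpc-host.project_id
  role     = "roles/container.serviceAgent"
  member   = "serviceAccount:service-${google_project.main-shared-vpc-host.number}@container-engine-robot.iam.gserviceaccount.com"

  # Ordering is the whole point: without it the apply races agent creation.
  depends_on = [google_project_service_identity.gke_agent]
}
```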

Error: 400-RelatedResourceNotAuthorizedOrNotFound, Unable to create integration instance in Oracle Cloud

I'm trying to create an OIC instance using Terraform. For the idcs_at variable I have passed the IDCS access token, which has Identity Domain Administrators access, and I'm the administrator of the OCI account, but I'm getting the attached error.

Organization security policy error in terraform

I am getting the error below during terraform apply in a Cloud Build pipeline, and Cloud Build has these roles: Compute Organization Firewall Policy Admin, Owner, and Compute Admin:
for Creating OrganizationSecurityPolicy: error while retrieving operation: googleapi: Error 403: Required 'compute.globalOperations.get' permission for 'locations/global/operations/org-66596309756-1634926613476-5cef50407b412-cf45ce60-0943c3bd', forbidden
Typically a 403 error is a GCP permissions error; check IAM and give the Cloud Build account the roles.
Also, I should tell you that it is bad practice for the Cloud Build role to have Owner permissions. I would recommend that you make another service account and give it specific roles for what you want to do.
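As an added example (not from the answer above), the dedicated service account the answer recommends: it carries only the organization-level role named in the question plus the log-writer role a user-specified Cloud Build service account needs, and the trigger is pointed at it rather than at the default Owner-holding account. Assumed values: var.org_id, var.project_id, the GitHub owner and repo, and that the repo's cloudbuild.yaml sets options.logging to CLOUD_LOGGING_ONLY, which Cloud Build requires for a user-specified service account.

```hcl
variable "org_id"       { type = string }   # assumed: numeric organization ID
variable "project_id"   { type = string }   # assumed: project that owns the trigger
variable "github_owner" { type = string }   # assumed
variable "github_repo"  { type = string }   # assumed

resource "google_service_account" "cloudbuild_policy" {
  project      = var.project_id
  account_id   = "cb-org-firewall-policy"   # assumed name
  display_name = "Cloud Build: organization firewall policy deploys"
}

# Only the role the job actually needs, scoped at the organization, instead of Owner.
resource "google_organization_iam_member" "cb_org_firewall_policy_admin" {
  org_id = var.org_id
  role   = "roles/compute.orgFirewallPolicyAdmin"
  member = "serviceAccount:${google_service_account.cloudbuild_policy.email}"
}

# A user-specified build service account must be able to write its own build logs.
resource "google_project_iam_member" "cb_log_writer" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.cloudbuild_policy.email}"
}

resource "google_cloudbuild_trigger" "org_policy" {
  project         = var.project_id
  name            = "org-security-policy-apply"   # assumed name
  filename        = "cloudbuild.yaml"
  # id is the projects/<project>/serviceAccounts/<email> form the trigger expects
  service_account = google_service_account.cloudbuild_policy.id

  github {
    owner = var.github_owner
    name  = var.github_repo
    push {
      branch = "^main$"
    }
  }
}
```

Whether that single role also carries the compute.globalOperations.get permission the error names is something to confirm against the role's permission list before trusting the pipeline; if it does not, add the narrowest role that does rather than falling back to Owner.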
