I am trying to spin up GCP Cloud Composer using the below set of terraform script code base:
resource "google_composer_environment" "test" {
name = "example-composer-env-tf-c2"
region = "us-central1"
config {
software_config {
image_version = "composer-2-airflow-2"
}
workloads_config {
scheduler {
cpu = 0.5
memory_gb = 1.875
storage_gb = 1
count = 1
}
web_server {
cpu = 0.5
memory_gb = 1.875
storage_gb = 1
}
worker {
cpu = 0.5
memory_gb = 1.875
storage_gb = 1
min_count = 1
max_count = 3
}
}
environment_size = "ENVIRONMENT_SIZE_SMALL"
node_config {
network = google_compute_network.test.id
subnetwork = google_compute_subnetwork.test.id
service_account = google_service_account.test.name
}
}
}
resource "google_compute_network" "test" {
name = "composer-test-network3"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "test" {
name = "composer-test-subnetwork"
ip_cidr_range = "10.2.0.0/16"
region = "us-central1"
network = google_compute_network.test.id
}
resource "google_service_account" "test" {
account_id = "composer-env-account"
display_name = "Test Service Account for Composer Environment"
}
resource "google_project_iam_member" "composer-worker" {
project = "inlaid-ally-373906"
role = "roles/composer.worker"
member = "serviceAccount:${google_service_account.test.email}"
}
resource "google_project_iam_member" "composer-service-agent-v2-ext" {
project = "inlaid-ally-373906"
role = "roles/composer.ServiceAgentV2Ext"
member = "serviceAccount:${google_service_account.test.email}"
}`
However, while executing terraform apply, I am facing below err:
╷
│ Error: googleapi: Error 400: Composer API Service Agent service account (service-197833231297#cloudcomposer-accounts.iam.gserviceaccount.com) does not have required permissions set. Cloud Composer v2 API Service Agent Extension role might be missing. Please refer to https://cloud.google.com/composer/docs/composer-2/create-environments#grant-permissions and Composer Creation Troubleshooting pages to resolve this issue., failedPrecondition
│
│ with google_composer_environment.test,
│ on main.tf line 49, in resource "google_composer_environment" "test":
│ 49: resource "google_composer_environment" "test" {
│
I referred to this document but didn't found a solution to the above issue. Any way to fix this error?
Tried to spin up GCP Cloud Composer using the below set of terraform script code base but facing the below error:
╷
│ Error: googleapi: Error 400: Composer API Service Agent service account (service-197833231297#cloudcomposer-accounts.iam.gserviceaccount.com) does not have required permissions set. Cloud Composer v2 API Service Agent Extension role might be missing. Please refer to ``https://cloud.google.com/composer/docs/composer-2/create-environments#grant-permissions`` and Composer Creation Troubleshooting pages to resolve this issue., failedPrecondition
│
│ with google_composer_environment.test,
│ on main.tf line 49, in resource "google_composer_environment" "test":
│ 49: resource "google_composer_environment" "test" {
│
When you create the Cloud Composer cluster for the first time, you have to give the roles/composer.ServiceAgentV2Ext to the Composer default Service Account, example with gcloud cli :
gcloud projects add-iam-policy-binding composer-env-account#{your_project}.iam.gserviceaccount.com \
--member service-197833231297#cloudcomposer-accounts.iam.gserviceaccount.com \
--role roles/composer.ServiceAgentV2Ext
Replace {your_project} by your project ID.
The default Composer service account for you is : service-197833231297#cloudcomposer-accounts.iam.gserviceaccount.com
The service account you gave to Composer will be used for the Airflow DAGs at runtime : composer-env-account
Related
I have setup keyless authentication for my Github Actions pipeline using Workload Identity Federation by following the official tutorial
When running a terraform init command from my pipeline I get the following error:
│ Error: Failed to get existing workspaces: querying Cloud Storage failed: Get "https://storage.googleapis.com/storage/v1/b/lws-dev-common-bucket/o?alt=json&delimiter=%2F&pageToken=&prefix=global%2Fnetworking.state%2F&prettyPrint=false&projection=full&versions=false": oauth2/google: status code 403: {
│ "error": {
│ "code": 403,
│ "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
│ "status": "PERMISSION_DENIED",
│ "details": [
│ {
│ "#type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "reason": "IAM_PERMISSION_DENIED",
│ "domain": "iam.googleapis.com",
│ "metadata": {
│ "permission": "iam.serviceAccounts.getAccessToken"
│ }
│ }
│ ]
│ }
│ }
I have ensured that the service account that I am using has proper permissions including:
Cloud Run Admin
Cloud Run Service Agent
Below is a snippet of my pipeline code:
- id: 'auth'
name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth#v0.4.0'
with:
workload_identity_provider: 'projects/385050593732/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
service_account: 'lws-d-iac-sa#lefewaresolutions-poc.iam.gserviceaccount.com'
- name: Terraform Init
working-directory: ./Terraform/QuickStartDeployments/EKSCluster
run: terraform init
and my terraform code:
terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "3.89.0"
}
}
backend "gcs" {
bucket = "lws-dev-common-bucket"
prefix = "global/networking.state"
}
required_version = ">= 0.14.9"
}
provider "google" {
project = var.project_id
region = var.region
}
module "vpc" {
source = "../../Modules/VPC"
project_id = var.project_id
region = "us-west1"
vpc_name = var.vpc_name
}
I ran into the same issue and was able to fix it by granting the service account Service Account Token Creator role in the project IAM page manually
This can also happen if your service account doesn't have permission to access the storage bucket where your terraform state file is stored, or if your service account doesn't have the Workload Identity User role set properly.
While I am able to provision a single HTTP-triggered GCP cloud function and call it publicly, I can't seem to provision my second function to be called publicly as well.
I have the editor role assigned to my Terraform service account.
google_cloudfunctions_function_iam_member.v2invoker: Creating...
╷
│ Error: Error applying IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": Error setting IAM policy for cloudfunctions cloudfunction "projects/myproject/locations/us-central1/functions/v2": googleapi: Error 403: Permission 'cloudfunctions.functions.setIamPolicy' denied on resource 'projects/myproject/locations/us-central1/functions/v2' (or resource may not exist).
│
│ with google_cloudfunctions_function_iam_member.v2invoker,
│ on main.tf line 460, in resource "google_cloudfunctions_function_iam_member" "v2invoker":
│ 460: resource "google_cloudfunctions_function_iam_member" "v2invoker" {
Clarification - the function resource itself is provisioned correctly, only the iam_member resource isn't.
My Terraform config:
resource "google_cloudfunctions_function" "v2" {
name = "v2"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "v2"
trigger_http = true
}
resource "google_cloudfunctions_function_iam_member" "v2invoker" {
project = google_cloudfunctions_function.v2.project
region = google_cloudfunctions_function.v2.region
cloud_function = google_cloudfunctions_function.v2.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-v2" {
value = google_cloudfunctions_function.v2.https_trigger_url
}
Added the terraform config for the first (successful) function:
resource "google_cloudfunctions_function" "helloWorld" {
name = "helloWorld"
runtime = "nodejs12"
available_memory_mb = 128
source_archive_bucket = google_storage_bucket.functions.name
source_archive_object = google_storage_bucket_object.nodejs_functions.name
entry_point = "helloWorld"
trigger_http = true
}
# IAM entry so all users can invoke the function
resource "google_cloudfunctions_function_iam_member" "invoker" {
project = google_cloudfunctions_function.helloWorld.project
region = google_cloudfunctions_function.helloWorld.region
cloud_function = google_cloudfunctions_function.helloWorld.name
role = "roles/cloudfunctions.invoker"
member = "allUsers"
}
output "function-helloWorld" {
value = google_cloudfunctions_function.helloWorld.https_trigger_url
}
The current service account used by terraform is one I created with "Editor" role.
According to GCP IAM documentation:
Note: The Editor role contains permissions to create and delete resources for most Google Cloud services. However, it does not contain permissions to perform all actions for all services. See the section above for more information on how to check if a role has the permissions that you need.
Your editor role definitely doesn't have access to perform the cloudfunctions.functions.setIamPolicy action on the cloud function (as the error message mentions).
Assign the Cloud Functions Admin role (roles/cloudfunctions.admin) to the service account.
It should definitely have all permissions required for anything cloud function-related, including but not limited to setting IAM policies on functions.
So I have a GCP service account that is Kubernetes Admin and Kubernetes Cluster Admin in the GCP cloud console.
I am now trying to give this terraform service account the ClusterRole role in GKE to manage all namespaces via following terraform configuration:
data "google_service_account" "terraform" {
project = var.project_id
account_id = var.terraform_sa_email
}
# Terraform needs to manage cluster
resource "google_project_iam_member" "terraform-gke-admin" {
project = var.project_id
role = "roles/container.admin"
member = "serviceAccount:${data.google_service_account.terraform.email}"
}
# Terraform needs to manage K8S RBAC
# https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#iam-rolebinding-bootstrap
resource "kubernetes_cluster_role_binding" "terraform_clusteradmin" {
depends_on = [
google_project_iam_member.terraform-gke-admin,
]
metadata {
name = "cluster-admin-binding-terraform"
}
role_ref {
api_group = "rbac.authorization.k8s.io"
kind = "ClusterRole"
name = "cluster-admin"
}
subject {
api_group = "rbac.authorization.k8s.io"
kind = "User"
name = data.google_service_account.terraform.email
}
# must create a binding on unique ID of SA too
subject {
api_group = "rbac.authorization.k8s.io"
kind = "User"
name = data.google_service_account.terraform.unique_id
}
}
However, this always returns the following error:
Error: clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "client" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
│
│ with module.kubernetes[0].kubernetes_cluster_role_binding.terraform_clusteradmin,
│ on kubernetes/terraform_role.tf line 15, in resource "kubernetes_cluster_role_binding" "terraform_clusteradmin":
│ 15: resource "kubernetes_cluster_role_binding" "terraform_clusteradmin" {
Any ideas what goes wrong here?
Could this be related to using Google Groups RBAC?
authenticator_groups_config {
security_group = "gke-security-groups#${var.acl_group_domain}"
}
data "google_client_config" "provider" {}
provider "kubernetes" {
cluster_ca_certificate = module.google.cluster_ca_certificate
host = module.google.cluster_endpoint
token = data.google_client_config.provider.access_token
}
I have the following terraform file
provider "google" {
project = "prj1-user"
region = "APAC"
zone = "australia-southeast1-a"
}
resource "google_pubsub_topic" "prj1-messages" {
name = "prj1Messages"
labels = {
foo = "bar"
}
}
however when I try to provision this through terraform apply I get the following error
│ Error: Error creating Topic: Put "https://pubsub.googleapis.com/v1/projects/prj1-user/topics/prj1Messages?alt=json": oauth2/google: invalid token JSON from metadata: EOF
│
│ with google_pubsub_topic.brwmessages,
│ on main.tf line 7, in resource "google_pubsub_topic" "prj1Messages":
│ 7: resource "google_pubsub_topic" "prj1Messages" {
The version I'm using is
Terraform v1.0.0
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v3.71.0
I want to deploy an infrastructure on AWS using terraform. This is the main.tf config file:
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 3.27"
}
}
required_version = ">= 0.14.9"
}
provider "aws" {
profile = "default"
region = "us-west-2"
}
resource "aws_instance" "app_server" {
ami = "ami-830c94e3"
instance_type = "t2.micro"
tags = {
Name = "ExampleAppServerInstance"
}
}
AWS config file ~/.aws/config,:
[default]
region = us-east-1
[humboi]
region = us-east-1
Running terraform apply and entering "yes" gives:
aws_instance.app_server: Creating...
╷
│ Error: Error launching source instance: UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: r8hvTFNQzGA7k309BxQ9OYRxCaCH-0wwYvhAzbjEt77PsyOYyWItWNrOPUW4Z1CIzm8A6x6euBuSZsE8uSfb3YdPuzLXttHT3DS9IJsDs0ilX0Vxtu1OZ3nSCBowuylMuLEXY8VdaA35Hb7CaLb-ktQwb_ke0Pku-Uh2Vi_cwsYwAdXdGVeTETkiuErZ3tAU37f5DyZkaL4dVgPMynjRI3-GW0P63WJxcZVTkfNcNzuTx6PQfdv-YydIdUOSAS-RUVqK6ewiX-Mz4S0GwAaIFeJ_4SoIQVjogbzYYBC0bI4-sBSyVmySGuxNF6x-BOU0Zt2-po1mwEiPaDBVL9aOt6k_eZKMbYM9Ef8qQRcxnSLWOCiHuw6LVbmPJzaDQRFNZ2eO11Fa2oOcu8JMEOQjOtPkibQNAdO_5LZWAnc6Ye2-Ukt2_folTKN6TH6v1hmwsLAO7uGL60gQ-n9iBfCIqEE_6gfImsdbOptgz-IRtTrz5a8bfLOBVfd9oNjKGXQoA2ZKhM35m1ML1DQKY8LcDv0aULkGzoM6bRYoq1UkJBYuF-ShamtSpSlzpd4KDXztpxUdb496FR4MdOoHgS04W_3WXoN-hb_lG-Wgbkv7CEWMv2pNhBCRipBgUUw3QK-NApkeTxxJXy9vFQ4fTZQanEIQa_Bxxg
│ status code: 403, request id: 0c1f14ec-b5f4-4a3f-bf1f-40be4cf370fc
│
│ with aws_instance.app_server,
│ on main.tf line 17, in resource "aws_instance" "app_server":
│ 17: resource "aws_instance" "app_server" {
│
╵
The error is that the Operation was Unauthorized. What's the cause of the unauthorized operation if I have the ~/.aws/config and also the ~/.aws/credentials?
I have this happen when I change my backend configuration without deleting .terraform. I believe terraform caches credentials in .terraform. If you delete that directory, it will regenerate it and it might work for you.
Also, make sure you restart your machine after setting environment variables for aws.
The IAM User which you have created
doesn't have Admin access or EC2 FULL ACESS
so enable it and try it again..