Getting error while generating keyring using terraform on Google KMS - google-cloud-platform

I'm attempting to use Terraform to create a keyring on GCP, but it appears that the permissions are missing.
│ Error: Error creating KeyRing: googleapi: Error 403: Permission 'cloudkms.keyRings.create' denied on resource 'projects/cs-project-366414/locations/us-west2/keyRings/keyring1' (or it may not exist).
│
│ with google_kms_key_ring.Terra,
│ on main.tf line 28, in resource "google_kms_key_ring" "Terra":
│ 28: resource "google_kms_key_ring" "Terra" {
│
╵
╷
│ Error: Error creating CryptoKey: googleapi: Error 403: Permission 'cloudkms.cryptoKeys.create' denied on resource 'projects/cs-project-366414/locations/us-west2/keyRings/keyring1/cryptoKeys/bqkey-3' (or it may not exist).
│
│ with google_kms_crypto_key.gcp_key,
│ on main.tf line 43, in resource "google_kms_crypto_key" "gcp_key":
│ 43: resource "google_kms_crypto_key" "gcp_key" { # Create a Key on GCP Keyring.
Expected:
Keyring on GCP
Key in GCP
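A least-privilege fix for the two 403s above, as an added example rather than the poster's configuration: grant the service account that runs Terraform roles/cloudkms.admin on the project (that role carries cloudkms.keyRings.create and cloudkms.cryptoKeys.create) instead of a project-wide Owner role, and make the key ring depend on the binding so the first apply does not race IAM propagation. The service account e-mail and the variable name are assumptions; the project, location and resource names come from the error text.

```hcl
variable "terraform_sa" {
  description = "Assumed: the service account Terraform authenticates as"
  type        = string
  default     = "terraform@cs-project-366414.iam.gserviceaccount.com" # placeholder
}

# roles/cloudkms.admin manages key rings and keys but cannot use them for
# encrypt/decrypt, so key administration stays separate from key usage.
resource "google_project_iam_member" "kms_admin" {
  project = "cs-project-366414"
  role    = "roles/cloudkms.admin"
  member  = "serviceAccount:${var.terraform_sa}"
}

resource "google_kms_key_ring" "Terra" {
  name     = "keyring1"
  location = "us-west2"
  project  = "cs-project-366414"

  # IAM changes can take up to a minute to propagate; ordering avoids most
  # first-apply 403s and a re-run covers the rest.
  depends_on = [google_project_iam_member.kms_admin]
}

resource "google_kms_crypto_key" "gcp_key" {
  name            = "bqkey-3"
  key_ring        = google_kms_key_ring.Terra.id
  rotation_period = "7776000s" # 90 days: automatic rotation limits the exposure of any one key version

  lifecycle {
    prevent_destroy = true # data encrypted under a destroyed key is unrecoverable
  }
}

# Whoever applies this must already hold permission to set project IAM
# (e.g. roles/resourcemanager.projectIamAdmin); bootstrap that once outside Terraform.
```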

Related

Creating folder under organization using terraform in GCP

I have created a folder named terraform and created a service account with owner permission on it. I then used that service account at the organization level and provided it owner permission.
Now I am trying to create a folder under organization using terraform.
# Top-level folder under an organization.
resource "google_folder" "department1" {
  parent       = "organizations/70497122"
  display_name = "department1"
}
provider "google" {
  #project = "terraform-project-0"
  #region = "us-central1"
  credentials = file("c:/terraform/credentials/terraform-day1.json")
}
Now, as per the documentation:
## The service account used to run Terraform when creating
## a google_folder resource must have roles/resourcemanager.folderCreator
and I am getting the below error in terraform, which says the cloudresourcemanager.googleapis.com API needs to be enabled on project=1003453129743, but there is no project with the project number 1003453129743.
│ Error: Error creating folder 'department1' in 'organizations/70497122': googleapi: Error 403: Cloud Resource Manager API has not been used in project 1003453129743 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1003453129743 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1003453129743"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/1003453129743",
│ "service": "cloudresourcemanager.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│ , accessNotConfigured
│
│ with google_folder.department1,
│ on main.tf line 5, in resource "google_folder" "department1":
│ 5: resource "google_folder" "department1" {
Now, please help with the questions below and with creating the folder under the organization:
How do I assign roles/resourcemanager.folderCreator at the organization level to a service account?
Why is there this misleading error "cloudresourcemanager.googleapis.com service disabled for projects/1003453129743" when there is no project with this number?
Because of these errors I am not able to create a folder under the organization using terraform.
I am using terraform1.3.4.exe.
First, to assign a role at the organization level, select the organization in the project selector and then open IAM as shown below.
Second, in the error it's the project number and not the project ID.
To grant organization access using terraform, refer to the documentation below:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam
Enabling the Cloud Resource Manager API resolved the issue.
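The two steps from the answer above expressed in Terraform, as an added example that is not the poster's or answerer's code: the API enablement and the organization-level role binding become resources the folder depends on. The project number in the error is the consumer project of the API call; with a service-account key and no provider project, that is typically the project that owns the service account, so the API is enabled there. The project ID, service account e-mail and module paths below are assumptions (placeholders built from names in the question); the organization ID and role come from the question.

```hcl
variable "terraform_sa" {
  type    = string
  default = "terraform-day1@terraform-project-0.iam.gserviceaccount.com" # placeholder
}

# Enable the API in the project the call is billed against (assumed here to be
# the service account's home project, whose number appeared in the error).
resource "google_project_service" "crm" {
  project            = "terraform-project-0" # assumed project ID
  service            = "cloudresourcemanager.googleapis.com"
  disable_on_destroy = false # disabling a shared API on destroy breaks other users of the project
}

# folderCreator is granted on the organization, not on a project. This is the
# only role the folder-creating identity needs for this step; Owner is not required.
resource "google_organization_iam_member" "folder_creator" {
  org_id = "70497122"
  role   = "roles/resourcemanager.folderCreator"
  member = "serviceAccount:${var.terraform_sa}"
}

resource "google_folder" "department1" {
  parent       = "organizations/70497122"
  display_name = "department1"

  depends_on = [
    google_project_service.crm,
    google_organization_iam_member.folder_creator,
  ]
}
```

The identity applying this needs permission to set organization IAM and to enable services in the consumer project; both were granted manually in the question, which is the usual bootstrap.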

Configure terraform with aws without user credentials

Trying to configure AWS from terraform. Running terraform from EC2. Have attached the AmazonEC2FullAccess policy to the role attached to the EC2 instance.
I don't have access and secret keys. Using keys for the AWS CLI and terraform is not allowed. I need to use the existing role to configure AWS and create resources with it.
Getting the below error when using the AmazonEC2FullAccess policy with EC2.
[ec2-user@ip-1*-1*-1*-2** terraform]$ terraform plan
╷
│ Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request send failed, Get "http://1**.***.***.***/latest/meta-data/iam/security-credentials/": proxyconnect tcp: dial tcp 1*.*.*.*:8***: i/o timeout
│
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 17, in provider "aws":
│ 17: provider "aws" {
│
Resource vpc file :-
[ec2-user@ip-1*.1*.1*.*** terraform]$ cat vpc.tf
resource "aws_vpc" "main" {
  cidr_block = "1*.*.*.*/16"
}
main.tf file :-
[ec2-user@ip-1*.1*.1*.*** terraform]$ cat main.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.39.0"
    }
  }
  required_version = ">= 1.3.0"
}
provider "aws" {
  region = var.aws_region
  #role_arn =var.aws_role_arn
}
Also tried using role_arn in main.tf; it gives the following error :-
│ Error: Unsupported argument
│
│ on main.tf line 19, in provider "aws":
│ 19: role_arn =var.aws_role_arn
│
│ An argument named "role_arn" is not expected here.
Any help is much appreciated.
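An added example, not the poster's files, of the provider block as it should look for credential-free operation from an instance role. The "proxyconnect tcp ... i/o timeout" in the error is Go's net/http reporting that it tried to reach an HTTP proxy (taken from HTTP_PROXY/HTTPS_PROXY) and timed out; the credential lookup was therefore being routed through a proxy instead of straight to the link-local Instance Metadata Service, which must be excluded from proxying. role_arn is not a provider argument; the assume_role block is its supported form. The variable values and the deployment role ARN are assumptions.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.39.0"
    }
  }
  required_version = ">= 1.3.0"
}

# No static keys anywhere: with an instance profile attached, the provider
# obtains temporary credentials from IMDS at 169.254.169.254 (the standard
# metadata address; it is masked in the error above). That address must
# bypass the proxy, so set this in the shell before running terraform:
#   export NO_PROXY=169.254.169.254,$NO_PROXY
provider "aws" {
  region = var.aws_region

  # Optional: have the instance role hand off to a narrower deployment role
  # instead of attaching broad policies such as AmazonEC2FullAccess to the
  # instance itself. Remove this block to use the instance role directly.
  assume_role {
    role_arn     = var.aws_role_arn
    session_name = "terraform-plan" # shows up in CloudTrail for attribution
  }
}

variable "aws_region" { type = string }

variable "aws_role_arn" {
  type    = string
  default = "arn:aws:iam::123456789012:role/terraform-deploy" # placeholder
}
```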

Tag AWS Glue Database via terraform

I need to add a tag to an AWS Glue Database. I can successfully achieve this via AWS CLI like:
aws glue tag-resource --resource-arn arn:aws:glue:eu-east-1:0123456789:database/my_database --tags-to-add MyTag=MyValue
But I can't find how to do it via a terraform script. The following code gives me an error message:
...
resource "aws_glue_catalog_database" "my_database" {
  name = "my_database"
  tags = {
    MyTag = "MyValue"
  }
}
Error:
╷
│ Error: Unsupported argument
│
│ on main.tf line 27, in resource "aws_glue_catalog_database" "my_database":
│ 27: tags = {
│
│ An argument named "tags" is not expected here.
╵
Terraform versions:
Terraform v1.2.4
+ provider registry.terraform.io/hashicorp/aws v4.31.0
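An added example, not the poster's code, of a workaround for a provider version whose aws_glue_catalog_database schema has no tags argument: run the same CLI call the question already uses from Terraform, keyed on the database ARN so it re-runs when the database is replaced. Later provider releases accept tags on this resource natively (check the changelog for the version in use); the tag value and the null_resource name are assumptions.

```hcl
resource "aws_glue_catalog_database" "my_database" {
  name = "my_database"
}

# local-exec fallback: the tag is applied but not tracked in state, so drift
# (someone removing the tag) is not detected on the next plan. Prefer the
# native tags argument once the provider is upgraded.
resource "null_resource" "my_database_tags" {
  triggers = {
    arn  = aws_glue_catalog_database.my_database.arn
    tags = "MyTag=MyValue" # assumed value, from the CLI call in the question
  }

  provisioner "local-exec" {
    command = "aws glue tag-resource --resource-arn ${self.triggers.arn} --tags-to-add ${self.triggers.tags}"
  }
}
```

The machine running terraform apply needs the AWS CLI and glue:TagResource on the database, the same as the manual CLI call.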

Terraform module for GCP secret module

Error: Unsupported block type
│
│ on ..\Terraform_1.0.0_Win_O\config\secret\secret.tf line 6, in module "secret_user_managed_replication":
│ 6: replication {
│
│ Blocks of type "replication" are not expected here.
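The error above arises because a module call accepts only arguments, never nested blocks: replication belongs on the google_secret_manager_secret resource inside the module. An added example, not the poster's module, passes the replica locations in as a variable and renders the block with dynamic, with an optional customer-managed key for each replica; the module path, variable names and secret_id are assumptions.

```hcl
# Root module: the call takes values, so replication is expressed as data.
module "secret_user_managed_replication" {
  source            = "./modules/secret" # assumed path
  secret_id         = "db-password"      # assumed
  replica_locations = ["us-west2", "us-central1"]
  kms_key_name      = null # set to a KMS key resource name to enable CMEK
}

# ./modules/secret/variables.tf
variable "secret_id" { type = string }
variable "replica_locations" {
  type = list(string)
  validation {
    condition     = length(var.replica_locations) > 0
    error_message = "user_managed replication needs at least one replica location."
  }
}
variable "kms_key_name" {
  type    = string
  default = null
}

# ./modules/secret/main.tf: the resource, not the module call, owns the
# replication block; dynamic "replicas" expands one block per location.
resource "google_secret_manager_secret" "this" {
  secret_id = var.secret_id

  replication {
    user_managed {
      dynamic "replicas" {
        for_each = var.replica_locations
        content {
          location = replicas.value
          # Encrypt each replica with a customer-managed key when one is given.
          dynamic "customer_managed_encryption" {
            for_each = var.kms_key_name == null ? [] : [var.kms_key_name]
            content {
              kms_key_name = customer_managed_encryption.value
            }
          }
        }
      }
    }
  }
}
```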

Terraform - how to access the tuple and extract the invoke_arn and function_name

I have written terraform code which:
Creates IAM Role
Creates lambda functions and attaches the above created role
Dynamo DB table creation
Creates API gateway, resources and adds POST method with lambda integration.
The first 3 steps work well. However, while creating and configuring the API gateway, I am encountering the below error in the resources aws_api_gateway_integration & aws_lambda_permission, where I am trying to attach the lambda function "save_course" to the POST method under the "courses" resource:
│
│ on main.tf line 117, in resource "aws_api_gateway_integration" "apigateway84f0f20":
│ 117: uri = module.awsLambda["save_course.py"].lambda_invoke_urn
│ ├────────────────
│ │ module.awsLambda["save_course.py"].lambda_invoke_urn is tuple with 1 element
│
│ Inappropriate value for attribute "uri": string required.
╵
╷
│ Error: Incorrect attribute value type
│
│ on main.tf line 141, in resource "aws_lambda_permission" "lambda_permission":
│ 141: function_name = module.awsLambda["save_course.py"].function_name
│ ├────────────────
│ │ module.awsLambda["save_course.py"].function_name is tuple with 1 element
│
│ Inappropriate value for attribute "function_name": string required.
Not sure how to access the tuple and extract the invoke_arn and function_name. After going through the generated terraform.tfstate file, I have tried different combinations to extract the required value. Not sure where I am wrong.
The terraform code along with the generated terraform.tfstate file is available at my location:
https://github.com/myanees284/lambda_website
git clone https://github.com/myanees284/lambda_website.git
terraform init
terraform apply -auto-approve
Change your locals from
lambda_invoke_urn=aws_lambda_function.lambda.*.invoke_arn
lambda_name=aws_lambda_function.lambda.*.function_name
to
lambda_invoke_urn=aws_lambda_function.lambda.invoke_arn
lambda_name=aws_lambda_function.lambda.function_name
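An added example, not the repository's code, showing why the fix above works and the alternative when the resource does use count: a resource without count or for_each is a single object, so the splat form still wraps its attribute in a one-element tuple, whereas a counted resource is collapsed with one(). The lambda permission is scoped to this API's execution ARN rather than left open; the REST API resource name is an assumption.

```hcl
# Inside the lambda module (assumed file modules/lambda/outputs.tf).
# Without count/for_each, aws_lambda_function.lambda is one object and
# aws_lambda_function.lambda.*.invoke_arn is a tuple; read the attribute directly.
output "lambda_invoke_urn" {
  value = aws_lambda_function.lambda.invoke_arn # string
}

# If the resource is declared with count, keep the splat and collapse it with
# one(), which returns the sole element and fails the plan if there is not exactly one.
output "function_name" {
  value = one(aws_lambda_function.lambda[*].function_name)
}

# Root module: the module is instanced with for_each, so each instance is
# addressed by key. source_arn restricts who may invoke the function to this
# API's POST /courses route instead of any principal in the account.
resource "aws_lambda_permission" "lambda_permission" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = module.awsLambda["save_course.py"].function_name
  principal     = "apigateway.amazonaws.com"
  source_arn    = "${aws_api_gateway_rest_api.api.execution_arn}/*/POST/courses" # "api" is an assumed resource name
}
```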