I'm attempting to use Terraform to create a keyring on GCP, but it appears that the permissions are missing.
│ Error: Error creating KeyRing: googleapi: Error 403: Permission 'cloudkms.keyRings.create' denied on resource 'projects/cs-project-366414/locations/us-west2/keyRings/keyring1' (or it may not exist).
│
│ with google_kms_key_ring.Terra,
│ on main.tf line 28, in resource "google_kms_key_ring" "Terra":
│ 28: resource "google_kms_key_ring" "Terra" {
│
╵
╷
│ Error: Error creating CryptoKey: googleapi: Error 403: Permission 'cloudkms.cryptoKeys.create' denied on resource 'projects/cs-project-366414/locations/us-west2/keyRings/keyring1/cryptoKeys/bqkey-3' (or it may not exist).
│
│ with google_kms_crypto_key.gcp_key,
│ on main.tf line 43, in resource "google_kms_crypto_key" "gcp_key":
│ 43: resource "google_kms_crypto_key" "gcp_key" { # Create a Key on GCP Keyring.
Expected:
Keyring on GCP
Key in GCP
I have created a folder named terraform and created a service account with owner permission on it. I then used that service account at organization level and provided owner permission.
Now I am trying to create a folder under the organization using terraform.
# Top-level folder under an organization.
resource "google_folder" "department1" {
  parent       = "organizations/70497122"
  display_name = "department1"
}

provider "google" {
  #project = "terraform-project-0"
  #region  = "us-central1"
  credentials = file("c:/terraform/credentials/terraform-day1.json")
}
Now as per the documentation:
## The service account used to run Terraform when creating
## a google_folder resource must have roles/resourcemanager.folderCreator
and I am getting the below error in terraform, which says the cloudresourcemanager.googleapis.com API must be enabled on project=1003453129743, but there is no project with the project number 1003453129743.
│ Error: Error creating folder 'department1' in 'organizations/70497122': googleapi: Error 403: Cloud Resource Manager API has not been used in project 1003453129743 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1003453129743 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.Help",
│ "links": [
│ {
│ "description": "Google developers console API activation",
│ "url": "https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=1003453129743"
│ }
│ ]
│ },
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/1003453129743",
│ "service": "cloudresourcemanager.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│ , accessNotConfigured
│
│ with google_folder.department1,
│ on main.tf line 5, in resource "google_folder" "department1":
│ 5: resource "google_folder" "department1" {
Now, solve the below questions and the folder creation under the organization:
How to assign roles/resourcemanager.folderCreator at organization level to the service account?
Why is there this misleading error "cloudresourcemanager.googleapis.com service disabled for projects/1003453129743" when there is no project with this number?
Because of these errors I am not able to create a folder under the organization using terraform.
I am using terraform1.3.4.exe.
First thing, to assign a role at organization level, select the organization in the project selector and then open IAM as shown below.
2nd, in the error it's the project number and not the project ID.
To provide organization access using terraform, refer to the below documentation:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam
Enabling the Cloud Resource Manager API resolved the issue.
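Added example, not from either post above and not the provider documentation's own sample, of the least-privilege bindings that address both GCP questions on this page: the cloudkms.keyRings.create / cloudkms.cryptoKeys.create denials from the key ring question, which roles/cloudkms.admin on the project covers, and the folder creation from the second question, which needs roles/resourcemanager.folderCreator on the organization plus the Cloud Resource Manager API enabled in the service account's own project (the SERVICE_DISABLED error names the caller's quota project, which for a service-account key is the project the service account lives in, shown by number rather than ID). The organization ID 70497122 and project cs-project-366414 come from the posts; the service account email and the project that hosts it are placeholders.

```hcl
# Added example; the service account email and its home project are placeholders.
locals {
  terraform_sa = "serviceAccount:terraform-day1@SA_HOME_PROJECT_ID.iam.gserviceaccount.com" # placeholder
}

# Key ring / key creation needs cloudkms.keyRings.create and
# cloudkms.cryptoKeys.create on the project. roles/cloudkms.admin carries
# both without handing the service account project-wide Owner.
resource "google_project_iam_member" "kms_admin" {
  project = "cs-project-366414"
  role    = "roles/cloudkms.admin"
  member  = local.terraform_sa
}

# Folder creation is authorized on the organization, not on a project.
resource "google_organization_iam_member" "folder_creator" {
  org_id = "70497122"
  role   = "roles/resourcemanager.folderCreator"
  member = local.terraform_sa
}

# The 403 SERVICE_DISABLED names the caller's quota project by number; that is
# the project the service account was created in, so the API is enabled there.
resource "google_project_service" "crm" {
  project            = "SA_HOME_PROJECT_ID" # placeholder
  service            = "cloudresourcemanager.googleapis.com"
  disable_on_destroy = false
}

resource "google_kms_key_ring" "Terra" {
  name       = "keyring1"
  location   = "us-west2"
  project    = "cs-project-366414"
  depends_on = [google_project_iam_member.kms_admin]
}

resource "google_folder" "department1" {
  parent       = "organizations/70497122"
  display_name = "department1"
  depends_on = [
    google_organization_iam_member.folder_creator,
    google_project_service.crm,
  ]
}
```

Bootstrapping caveat: the identity running this apply must already be allowed to set IAM policy on the project and the organization; a service account cannot grant itself a role, so these bindings are usually applied once by an administrator before the Terraform service account takes over. IAM changes can take a minute or two to propagate, so a plan that still fails immediately after the binding is not necessarily misconfigured. Keeping Owner off the organization and granting only folderCreator and cloudkms.admin limits what a leaked terraform-day1.json key could do.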
Trying to configure AWS from terraform. Running terraform from EC2. Have attached the AmazonEC2FullAccess policy to the role attached to the EC2 instance.
I don't have access and secret keys. Using keys for the AWS CLI and terraform is not allowed. I need to use the existing role to configure AWS and create resources using it.
Getting the below error when using the AmazonEC2FullAccess policy with EC2.
[ec2-user@ip-1*-1*-1*-2** terraform]$ terraform plan
╷
│ Error: error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
│
│ Please see https://registry.terraform.io/providers/hashicorp/aws
│ for more information about providing credentials.
│
│ Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request send failed, Get "http://1**.***.***.***/latest/meta-data/iam/security-credentials/": proxyconnect tcp: dial tcp 1*.*.*.*:8***: i/o timeout
│
│
│ with provider["registry.terraform.io/hashicorp/aws"],
│ on main.tf line 17, in provider "aws":
│ 17: provider "aws" {
│
Resource vpc file:
[ec2-user@ip-1*.1*.1*.*** terraform]$ cat vpc.tf
resource "aws_vpc" "main" {
  cidr_block = "1*.*.*.*/16"
}
main.tf file:
[ec2-user@ip-1*.1*.1*.*** terraform]$ cat main.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.39.0"
    }
  }
  required_version = ">= 1.3.0"
}

provider "aws" {
  region = var.aws_region
  #role_arn = var.aws_role_arn
}
Also tried using role_arn in main.tf; it gives the following error:
│ Error: Unsupported argument
│
│ on main.tf line 19, in provider "aws":
│ 19: role_arn =var.aws_role_arn
│
│ An argument named "role_arn" is not expected here.
Any help is much appreciated.
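Added example, not from the post, of a provider configuration that matches what the question is trying to do. Two things are visible in the error output: the call to the instance metadata service fails with "proxyconnect", meaning the instance's HTTP proxy settings are intercepting the metadata request, and role_arn is not a top-level provider argument in the AWS provider; it belongs inside an assume_role block, which is only needed when the instance profile must switch to a different role. The region, role ARN and CIDR values are placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.39.0"
    }
  }
  required_version = ">= 1.3.0"
}

variable "aws_region" {
  type    = string
  default = "us-east-1" # placeholder
}

# Case A: use the instance profile role directly. No credentials or role
# arguments are needed; the provider obtains temporary credentials from IMDS.
provider "aws" {
  region = var.aws_region
}

# Case B: the instance profile is only allowed to assume a second role that
# holds the real permissions. role_arn goes inside assume_role, never at the
# top level of the provider block.
provider "aws" {
  alias  = "target"
  region = var.aws_region
  assume_role {
    role_arn     = "arn:aws:iam::111122223333:role/TerraformRole" # placeholder
    session_name = "terraform"
  }
}

# Shows which identity the provider actually obtained, so instance-profile
# versus assumed-role can be confirmed from the plan output.
data "aws_caller_identity" "current" {
  provider = aws.target
}

output "caller_arn" {
  value = data.aws_caller_identity.current.arn
}

resource "aws_vpc" "main" {
  provider   = aws.target
  cidr_block = "10.0.0.0/16" # placeholder
}
```

Both cases still need IMDS reachable from the shell that runs terraform: the proxyconnect timeout above means the metadata request was sent to the proxy instead of the link-local address, so the metadata address (169.254.169.254) has to be listed in no_proxy / NO_PROXY before terraform plan. A quick check is that a plain curl of http://169.254.169.254/latest/meta-data/iam/security-credentials/ returns the role name from the same shell; if it hangs, the provider will fail exactly as shown. Separately, AmazonEC2FullAccess is far wider than a VPC resource needs; scoping the instance role's policy to what the configuration actually creates limits the blast radius of anything else running on that instance.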
I need to add a tag to an AWS Glue Database. I can successfully achieve this via AWS CLI like:
aws glue tag-resource --resource-arn arn:aws:glue:eu-east-1:0123456789:database/my_database --tags-to-add MyTag=MyValue
But I can't find how to do it via a terraform script. The following code gives me an error message:
...
resource "aws_glue_catalog_database" "my_database" {
  name = "my_database"
  tags = {
    MyTag = "MyValue"
  }
}
Error:
╷
│ Error: Unsupported argument
│
│ on main.tf line 27, in resource "aws_glue_catalog_database" "my_database":
│ 27: tags = {
│
│ An argument named "tags" is not expected here.
╵
Terraform versions:
Terraform v1.2.4
+ provider registry.terraform.io/hashicorp/aws v4.31.0
Error: Unsupported block type
│
│ on ..\Terraform_1.0.0_Win_O\config\secret\secret.tf line 6, in module "secret_user_managed_replication":
│ 6: replication {
│
│ Blocks of type "replication" are not expected here.
I have written terraform code which:
Creates an IAM role
Creates lambda functions and attaches the above created role
Creates a DynamoDB table
Creates an API gateway, resources, and adds a POST method with lambda integration.
The first 3 steps work well. However, while creating and configuring the API gateway, I am encountering the below error in the resources aws_api_gateway_integration and aws_lambda_permission, where I am trying to attach the lambda function "save_course" to the POST method under the "courses" resource:
│
│ on main.tf line 117, in resource "aws_api_gateway_integration" "apigateway84f0f20":
│ 117: uri = module.awsLambda["save_course.py"].lambda_invoke_urn
│ ├────────────────
│ │ module.awsLambda["save_course.py"].lambda_invoke_urn is tuple with 1 element
│
│ Inappropriate value for attribute "uri": string required.
╵
╷
│ Error: Incorrect attribute value type
│
│ on main.tf line 141, in resource "aws_lambda_permission" "lambda_permission":
│ 141: function_name = module.awsLambda["save_course.py"].function_name
│ ├────────────────
│ │ module.awsLambda["save_course.py"].function_name is tuple with 1 element
│
│ Inappropriate value for attribute "function_name": string required.
Not sure how to access the tuple and extract the invoke_arn and function_name. After going through the generated terraform.tfstate file, I have tried different combinations to extract the required value. Not sure where I am wrong.
The terraform code along with the generated terraform.tfstate file is available at my location:
https://github.com/myanees284/lambda_website
git clone https://github.com/myanees284/lambda_website.git
terraform init
terraform apply -auto-approve
Change your locals from
  lambda_invoke_urn = aws_lambda_function.lambda.*.invoke_arn
  lambda_name       = aws_lambda_function.lambda.*.function_name
to
  lambda_invoke_urn = aws_lambda_function.lambda.invoke_arn
  lambda_name       = aws_lambda_function.lambda.function_name
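Added example, not the linked repository's code, showing the fix in context. It assumes module "awsLambda" is called with for_each over a set of handler file names, takes a hypothetical handler_file input, and exposes lambda_invoke_urn and function_name as outputs. With the splat removed each output is a plain string, so the root module can use it directly; one() is the fallback if the outputs must stay lists. The module path, API name and the authorization setting are placeholders.

```hcl
# --- modules/lambda/outputs.tf (child module) ---
# Without .*, an attribute of a single (non-count) resource is a string,
# not a one-element tuple, which is what the uri/function_name arguments expect.
output "lambda_invoke_urn" {
  value = aws_lambda_function.lambda.invoke_arn
}

output "function_name" {
  value = aws_lambda_function.lambda.function_name
}

# --- main.tf (root module) ---
module "awsLambda" {
  source       = "./modules/lambda" # placeholder path
  for_each     = toset(["save_course.py"])
  handler_file = each.key # hypothetical module input
}

resource "aws_api_gateway_rest_api" "api" {
  name = "courses-api" # placeholder
}

resource "aws_api_gateway_resource" "courses" {
  rest_api_id = aws_api_gateway_rest_api.api.id
  parent_id   = aws_api_gateway_rest_api.api.root_resource_id
  path_part   = "courses"
}

resource "aws_api_gateway_method" "post" {
  rest_api_id   = aws_api_gateway_rest_api.api.id
  resource_id   = aws_api_gateway_resource.courses.id
  http_method   = "POST"
  authorization = "NONE" # placeholder; attach an authorizer before exposing this
}

resource "aws_api_gateway_integration" "save_course" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.courses.id
  http_method             = aws_api_gateway_method.post.http_method
  integration_http_method = "POST"
  type                    = "AWS_PROXY"
  # String output, used directly. If the module still returned a list,
  # one(module.awsLambda["save_course.py"].lambda_invoke_urn) would unwrap
  # the single element and fail loudly if there were more than one.
  uri = module.awsLambda["save_course.py"].lambda_invoke_urn
}

resource "aws_lambda_permission" "save_course" {
  statement_id  = "AllowAPIGatewayInvoke"
  action        = "lambda:InvokeFunction"
  function_name = module.awsLambda["save_course.py"].function_name
  principal     = "apigateway.amazonaws.com"
  # Restrict the grant to this API's POST /courses instead of any API Gateway caller.
  source_arn = "${aws_api_gateway_rest_api.api.execution_arn}/*/POST/courses"
}
```

The source_arn on the permission is the part worth keeping even after the tuple error is gone: without it, any API Gateway deployment in the account can invoke the function.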