I am trying to make a GCP VM through Terraform. I made a service account on Google that has the Project Owner role. Through Terraform I am trying to make a bucket to store Terraform's state. The .json for credentials is in a Gitlab variable.
The problem is that despite the service account having the Owner role, I get a 403 error saying that my service account does not have access and is forbidden.
Things I've tried:

- I've given the service account different roles including Project Editor, Storage Admin, and Storage Object Admin.
- I've deleted it and remade it (and updated the Gitlab variable).
- I've made the bucket on Google through the UI instead of Terraform in case that was the problem, but it didn't change anything.
Gitlab's yml:
```yaml
image:
  name: hashicorp/terraform:light
  entrypoint:
    - '/usr/bin/env'
    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

before_script:
  - rm -rf .terraform
  - terraform --version
  - mkdir -p ./creds
  # quoted so a base64 value that wraps onto several lines decodes intact
  - echo "$SERVICEACCOUNT" | base64 -d > ./creds/serviceaccount.json
  - terraform init

stages:
  - validate
  - plan
  - apply

validate:
  stage: validate
  script:
    - terraform validate

plan:
  stage: plan
  script:
    - terraform plan -out "planfile"
  dependencies:
    - validate
  artifacts:
    paths:
      - planfile

apply:
  stage: apply
  script:
    - terraform apply -input=false "planfile"
  dependencies:
    - plan
  when: manual
```
My main.tf:
```hcl
provider "google" {
  project     = "project-id-name"
  credentials = "./creds/serviceaccount.json"
  region      = "europe-west1"
}

# make bucket to store terraform state into
resource "google_storage_bucket" "terraform_state" {
  name     = "terraform-up-and-running-state"
  # google_storage_bucket takes "location"; it has no "region" argument
  location = "europe-west1"
}

# config terraform to store onto cloud in bucket above
terraform {
  backend "gcs" {
    bucket      = "terraform-up-and-running-state"
    credentials = "./creds/serviceaccount.json"
  }
}

# rest
resource "google_compute_instance" "vm_instance" {
  name         = "my-test-vm"
  machine_type = "f1-micro"
  # the provider block sets no default zone, so the instance needs one (assumed value)
  zone         = "europe-west1-b"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-9"
    }
  }

  network_interface {
    # A default network is created for all GCP projects
    network = google_compute_network.vpc_network.self_link
    access_config {
    }
  }
}

resource "google_compute_network" "vpc_network" {
  name                    = "my-test-network"
  auto_create_subnetworks = true
}
```
Goal is to initialize a Google VM and everything I need for it through solely Terraform.
This is what Gitlab's validate phase shows:
```
Running with gitlab-runner 12.3.0 (a8a019e0)
on docker-auto-scale 72989761
Using Docker executor with image hashicorp/terraform:light ...
Pulling docker image hashicorp/terraform:light ...
Using docker image sha256:e42a20110eb49783e5f0e1594c67c8d45663fbf84303c395540b8dc94558d448 for hashicorp/terraform:light ...
Running on runner-72989761-project-14591382-concurrent-0 via runner-72989761-srm-1570020185-504ac9cf...
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/my-project/playground-webscraper/.git/
Created fresh repository.
From https://gitlab.com/my-project/playground-webscraper
* [new branch] master -> origin/master
Checking out c183697f as master...
Skipping Git submodules setup
$ rm -rf .terraform
$ terraform --version
Terraform v0.12.9
$ mkdir -p ./creds
$ echo $SERVICEACCOUNT | base64 -d > ./creds/serviceaccount.json
$ terraform init
Initializing the backend...
Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.
Error: Failed to get existing workspaces: querying Cloud Storage failed: googleapi: Error 403: [email protected] does not have storage.objects.list access to terraform-up-and-running-state., forbidden
ERROR: Job failed: exit code 1
```
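As an added diagnostic, not part of the question or of the CI config above: the 403 text names the identity Cloud Storage actually saw, so before changing IAM again it is worth confirming that the key the job decodes from `$SERVICEACCOUNT` is the account you granted roles to and belongs to the expected project. This shell step does that with only `base64`, `grep` and `sed`, which the `hashicorp/terraform:light` image has; the function names `check_sa_creds` and `sa_field`, the sample key values, and the `project-id-name` placeholder (taken from the question's `main.tf`) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the question: sanity-check what the SERVICEACCOUNT
# CI variable really decodes to before Terraform uses it. Prints only the
# client_email and project_id of the key, never the private key material.

# sa_field <file> <key>: print the string value of a top-level JSON key.
# Good enough for a service-account key file (flat object, string values).
sa_field() {
    grep -o "\"$2\" *: *\"[^\"]*\"" "$1" | head -n 1 | sed 's/.*: *"\([^"]*\)"/\1/'
}

# check_sa_creds <base64 payload> <output file> [expected project id]
# Writes the decoded key to <output file> and returns 0 only if it is a
# service-account key (and, when given, one for the expected project).
check_sa_creds() {
    encoded="$1"
    out="$2"
    expected_project="${3:-}"

    mkdir -p "$(dirname "$out")"
    # printf '%s' keeps line breaks in a wrapped base64 value intact,
    # which an unquoted echo would turn into spaces
    if ! printf '%s' "$encoded" | base64 -d > "$out" 2>/dev/null; then
        echo "SERVICEACCOUNT is not valid base64" >&2
        return 1
    fi
    chmod 600 "$out"   # the key is a credential; keep it private to the job user

    if [ "$(sa_field "$out" type)" != "service_account" ]; then
        echo "decoded payload is not a service-account key" >&2
        return 1
    fi
    email=$(sa_field "$out" client_email)
    project=$(sa_field "$out" project_id)
    if [ -z "$email" ] || [ -z "$(sa_field "$out" private_key)" ]; then
        echo "service-account key is missing client_email or private_key" >&2
        return 1
    fi
    if [ -n "$expected_project" ] && [ "$project" != "$expected_project" ]; then
        echo "key belongs to project $project, expected $expected_project" >&2
        return 1
    fi
    echo "credentials OK: $email (project $project)"
}

# Typical use as a before_script step, ahead of terraform init
# ("project-id-name" is the placeholder project id from the question's main.tf):
if [ -n "${SERVICEACCOUNT:-}" ]; then
    check_sa_creds "$SERVICEACCOUNT" ./creds/serviceaccount.json project-id-name
fi
```

Compare the printed `client_email` with the account that carries the Owner role and the principal named in the 403 message; if they differ, the variable holds a different key than the one whose roles were changed. One more caveat a practitioner would check: GCS bucket names are global, so a 403 on `storage.objects.list` against a bucket name you did not create can also mean that name already exists in someone else's project.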
`$SERVICEACCOUNT` variable is set for the gitlab build? – Travis Webb