1
votes

I'm having issues giving the necessary GCP roles to Terraform, with many "Error 403: The caller does not have permission" errors.

The way I'm doing it is by gradually adding permissions, but it's more of a trial and error approach, and I end up over-adding authorizations.

Is there a way to give a full admin role to Terraform on GCP, as we can do on AWS? Or maybe I'm missing something, but I can't find docs on that topic online.

Thanks.

--

Update:

The resource I want to create is a domain mapping for Cloud Run. This is done with:

resource "google_cloud_run_domain_mapping" "default" {
  location = "europe-west1"
  name     = "mydomain.com"

  metadata {
    namespace = "default"
  }

  spec {
    route_name = google_cloud_run_service.default.name
  }
}

P.S.: The domain was verified with the Google Webmaster page.

But the returned issue on terraform apply is:

Error creating DomainMapping: googleapi: Error 403: The caller does not have permission

To solve this particular issue, I need to find which authorization I need to add to my Terraform role, but it's just a matter of time before getting into the same issue again when requiring a new GCP service.

Also, I'm perfectly able to add mapping using the GCP console, which shows I was able to pass all the required verification steps.

Isn't it better to make Terraform admin on all GCP resources and let it create all necessary resources?

1
What do you want to do with terraform? - guillaume blaquiere

Hi @guillaumeblaquiere, I added an update on the question with more details - htaidirt

I think it's better if you limit api access until you're absolutely sure you'll need it. Obviously the other alternative is give Terraform GodMode permission to create everything - OneCricketeer

Hi @cricket_007 I agree, we should always restrict authorizations to what is necessary. Unfortunately, it's hard to find documentation on what authorizations to add when using a new Terraform resource. The doc of Terraform is fantastic when it comes to using the resource, but there is a missing part on the required authorizations. How can you find out which ones to add? For example, on google_cloud_run_domain_mapping I go by trial and error, picking random authorizations! This is not smart :( - htaidirt

I'm not super familiar with the fine grain details of GCP resources, but I'd imagine Cloud Run has its own subset of items... A domain mapping sounds like a VPC config - OneCricketeer
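A less error-prone way to answer "which permission do I add?" than picking authorizations at random is to read the denial out of Cloud Audit Logs: every IAM-denied API call is logged with status code 7 (PERMISSION_DENIED) and an authorizationInfo list whose entries name the exact permission that was checked and whether it was granted. The script below is an added example, not code from the question or its answer. It parses audit-log JSON lines (the sample entries are constructed, and the permission names, project id and principal emails in them are illustrative placeholders, not a verified permission list for google_cloud_run_domain_mapping), collects the permissions that were denied per principal, and turns them into the document shape that gcloud iam roles create accepts with --file, so the role is built from observed denials and reviewed by a human before it is applied.

```python
import json
from collections import defaultdict

# Constructed sample Cloud Audit Log entries (one JSON object per line), in the
# shape returned by `gcloud logging read ... --format=json`. The permission
# names, project id and emails are illustrative placeholders.
SAMPLE_AUDIT_LOG = """
{"protoPayload": {"serviceName": "run.googleapis.com", "methodName": "google.cloud.run.v1.DomainMappings.CreateDomainMapping", "status": {"code": 7, "message": "PERMISSION_DENIED"}, "authenticationInfo": {"principalEmail": "terraform@example-project.iam.gserviceaccount.com"}, "authorizationInfo": [{"resource": "namespaces/example-project/domainmappings/mydomain.com", "permission": "run.domainmappings.create", "granted": false}]}}
{"protoPayload": {"serviceName": "run.googleapis.com", "methodName": "google.cloud.run.v1.Services.GetService", "status": {}, "authenticationInfo": {"principalEmail": "terraform@example-project.iam.gserviceaccount.com"}, "authorizationInfo": [{"resource": "namespaces/example-project/services/default", "permission": "run.services.get", "granted": true}]}}
{"protoPayload": {"serviceName": "run.googleapis.com", "methodName": "google.cloud.run.v1.Services.ReplaceService", "status": {"code": 7, "message": "PERMISSION_DENIED"}, "authenticationInfo": {"principalEmail": "alice@example.com"}, "authorizationInfo": [{"resource": "namespaces/example-project/services/default", "permission": "run.services.update", "granted": false}]}}
not valid json, simulates a truncated line in the export
"""

PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED


def parse_audit_lines(text):
    """Yield parsed log entries, skipping blank or malformed lines instead of aborting."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def denied_permissions(entries):
    """Map principalEmail -> sorted list of permissions the log records as denied.

    Only entries whose status.code is PERMISSION_DENIED are considered, and within
    them only authorizationInfo items with granted == false, so permissions that
    were checked and granted on the same call are not swept into the role.
    """
    denied = defaultdict(set)
    for entry in entries:
        payload = entry.get("protoPayload", {})
        status = payload.get("status") or {}
        if status.get("code") != PERMISSION_DENIED:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        for auth in payload.get("authorizationInfo", []):
            if auth.get("granted") is False and auth.get("permission"):
                denied[principal].add(auth["permission"])
    return {principal: sorted(perms) for principal, perms in denied.items()}


def custom_role_spec(title, permissions):
    """Build the role document for `gcloud iam roles create ROLE_ID --project P --file role.json`."""
    return {
        "title": title,
        "description": "Derived from audit-log denials; review each permission before applying.",
        "stage": "GA",
        "includedPermissions": sorted(set(permissions)),
    }


if __name__ == "__main__":
    denials = denied_permissions(parse_audit_lines(SAMPLE_AUDIT_LOG))
    sa = "terraform@example-project.iam.gserviceaccount.com"  # placeholder Terraform service account
    print(json.dumps(custom_role_spec("Terraform Cloud Run (derived)", denials.get(sa, [])), indent=2))
```

In a real project the input comes from something like gcloud logging read with a filter on protoPayload.status.code=7 and the Terraform service account's principalEmail, exported as JSON. Two caveats matter here: custom roles sit beside predefined roles such as the Cloud Run ones, so compare the derived list against a predefined role before inventing a new one; and if the 403 is caused by the service account not being a verified domain owner, as the answer below describes, the audit entry will not show an IAM permission with granted=false, which is itself the signal that the fix is outside IAM.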

1 Answer

0
votes

In the specific case of adding a custom domain you'll need to refer to the following section of the documentation.

Notice that you'll need to add the service account as a verified owner in order to get the correct permissions.