2
votes

I'm trying to create a Google Cloud project with Terraform. I'm referring to this link as a reference... https://femrtnz.medium.com/automating-gcp-projects-with-terraform-d571f0d94742

I followed the instructions on project creation and IAM roles from the Medium post. From what it looks like, you need a separate project and service account just for creating projects with Terraform. I also referred to Google's documentation on the subject... https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform

So I ended up with this in my main.tf:

# This is the provider used to spin up the gcloud instance
provider "google" {
  credentials = "/path/to/seed-credentials.json"
}

# Locks the version of Terraform for this particular use case
terraform {
  required_version = "0.14.6"
}


resource "random_id" "id" {
  byte_length = 4
  prefix      = var.project_name
}

resource "google_project" "project" {
  name            = var.project_name
  project_id      = random_id.id.hex
  billing_account = var.billing_account
}

output "project_id" {
  value = google_project.project.project_id
}

I created a remote backend:

terraform {
  backend "gcs" {
    bucket      = "seed-bucket"
    prefix      = "terraform/state"
    credentials = "/path/to/seed-credentials.json"
  }
}

Here's my variables.tf file:

variable "project_name" {
  type = string
}

variable "billing_account" {
  type = string
}

And last but not least, my terraform.tfvars:

project_name = "test-project"
billing_account = "1234-5678-90xxx"

Terraform init works; it configures the remote backend. Terraform plan gives me no errors. However, when I run terraform apply I get the following error: "Error: failed pre-requisites: missing permission on "billingAccounts/1234-5678-9xxx": billing.resourceAssociations.create". Now I have no organizations for this account. I'm assuming that's what's giving me the error? The author of the Medium blog post said something about "Firstly you need to create an Organization based in your domain". I've never used organizations for my Google projects. I go into my Google console and it says I need domain verification to get an organization for my account. That seems troublesome. I don't really want to go through the trouble of getting a new domain just for this. Now, is my code correct? I'm assuming the error is from me not having an "organization". Is there an easy way to get an organization without domain verification?


3 Answers

3
votes

The error missing permission on "billingAccounts/1234-5678-9xxx": billing.resourceAssociations.create means that the service account does not have permission to link the billing account to a new project.

  • Go to Billing in the Google Cloud Console.
  • In the top right of the window, click "SHOW INFO PANEL".
  • Select the billing account and then click "ADD MEMBER".
  • Enter the service account email address.
  • Select the role Billing Account User.
  • Click SAVE.

The service account now has permission to attach the billing account to new projects.

Overview of Cloud Billing access control

0
votes

I did what you said; however, I get a new error when I hit terraform apply.

Error: error creating project test-project12345 (test-project): googleapi: Error 403: Service accounts cannot create projects without a parent., forbidden. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission

There was something about it on Stack Overflow... Unable to create google project with Terraform

I did some googling and apparently there is a roles/resourcemanager.projects.create.

Now when I go into my web console and try to add the role to the service account, I see that it's not available in the dropdown menu. It appears that the role is available; I just can't use it for some reason! I can see it with the command:

gcloud iam roles describe roles/resourcemanager.projectCreator

##output##
description: Access to create new GCP projects.
etag: AA==
includedPermissions:
- resourcemanager.organizations.get
- resourcemanager.projects.create
name: roles/resourcemanager.projectCreator
stage: GA
title: Project Creator

When I try to add the role to the service account:

gcloud projects add-iam-policy-binding service-acct-12345 --member serviceAccount:[email protected] --role roles/resourcemanager.projectCreator

## output

ERROR: Policy modification failed. For a binding with condition, run "gcloud alpha iam policies lint-condition" to identify issues in condition.
ERROR: (gcloud.projects.add-iam-policy-binding) INVALID_ARGUMENT: Role roles/resourcemanager.projectCreator is not supported for this resource.

It's very confusing. Thanks for your help on the previous posts.

0
votes

Once the billing administrator permission is allocated as suggested above, the Project Creator role can be granted using the following flow.

Go to the GCP Console and search for the Manage Resources page (Google Console) --> Select the organization --> Permissions tab (right-hand window) --> Add Member --> Allocate the Project Creator role to the Terraform service account (save).

Verify: you will see the Terraform service account listed under "Project Creator" in the Role/Member section on the right-side panel of this page (Resource Manager page).
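Putting the first and third answers together as an added Terraform example (not code from the question or from any answer): the Billing Account User binding on the billing account, the organization-level Project Creator binding, and the project with its parent set. The org_id, seed_sa_email and billing_account values are assumed placeholders.

```hcl
# Added example (not from the question or any of the answers): the three
# posts together describe these bindings; here they are as Terraform.
# Apply it with credentials that can set IAM on the org and billing account
# (an org admin / billing admin), not with the seed service account itself.
# Placeholder inputs: org_id, billing_account, seed_sa_email, project_name.

variable "org_id"          { type = string } # e.g. "123456789012" (placeholder)
variable "billing_account" { type = string } # e.g. "AAAAAA-BBBBBB-CCCCCC" (placeholder)
variable "seed_sa_email"   { type = string } # seed service account email (placeholder)
variable "project_name"    { type = string }

# Answer 1: Billing Account User on the billing account itself grants
# billing.resourceAssociations.create, so the SA can link new projects to it.
resource "google_billing_account_iam_member" "seed_billing_user" {
  billing_account_id = var.billing_account
  role               = "roles/billing.user"
  member             = "serviceAccount:${var.seed_sa_email}"
}

# Answer 3: Project Creator is an organization-level role; binding it on a
# project is what fails with "Role ... is not supported for this resource".
resource "google_organization_iam_member" "seed_project_creator" {
  org_id = var.org_id
  role   = "roles/resourcemanager.projectCreator"
  member = "serviceAccount:${var.seed_sa_email}"
}

resource "random_id" "id" {
  byte_length = 4
  prefix      = var.project_name
}

# The 403 "Service accounts cannot create projects without a parent" goes
# away once the project names its parent: org_id (or folder_id).
resource "google_project" "project" {
  name            = var.project_name
  project_id      = random_id.id.hex
  org_id          = var.org_id
  billing_account = var.billing_account

  depends_on = [
    google_billing_account_iam_member.seed_billing_user,
    google_organization_iam_member.seed_project_creator,
  ]
}
```

Scoping both bindings to the one seed service account, rather than granting Billing Account Administrator or Owner, keeps the project-factory identity at the minimum it needs.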