Adron

Reputation: 1856

My Terraform backend state with Google Cloud Storage Buckets is created oddly? Thoughts?

I'm using Terraform to set up a remote backend to manage state. I've set up a connection.tf file for the connection and declaration of GCS for the Terraform state files. The file contents look like this.

provider "google" {
  credentials = "${file("../../secrets/account-thrashingcode.json")}"
  project     = "thrashingcorecode"
  region      = "us-west1"
}

terraform {
  backend "gcs" {
    bucket  = "terraform-remote-states"
    path    = "dev/terraform.tfstate"
    project = "thrashingcorecode"
  }
}

The resource I've set up, at least for this example, is a super simple configuration to create a default network in GCP. That configuration looks like this.

data "google_compute_network" "my-network" {
  name = "default-us-west1"
}

Now when I run terraform init I get this error.

$ terraform init

Initializing the backend...

Successfully configured the backend "gcs"! Terraform will automatically
use this backend unless the backend configuration changes.
Error refreshing state: [WARN] Error retrieving object blue-world-terraform-state/dev/terraform.tfstate: googleapi: got HTTP response code 403 with body: [email protected] does not have storage.objects.get access to blue-world-terraform-state/dev/terraform.tfstate.
This leaves me with a few questions.

Where does Terraform derive the “[email protected]” email identity as the account to try to access the storage location with? It doesn’t appear to actually be the same email associated to the account I created the resource with. If I can create the resource originally with a service account that has ownership rights in phase 1, what is it using for permissions in this particular situation? It does clearly exist as shown:

[screenshot: the resource exists]

My first attempt to fix this was to go to the storage resource and add this account to ensure it has permission to this resource.

That fixed the issue, but I’m still not entirely sure why I had to add the member. Shouldn't Terraform have been created, when theoretically I thought I was using the connection information detailed in the connection.tf files in the connection right?

Reference: I've elaborated even further on the entire process, and multiple phases of what I'm working on here.

Upvotes: 1

Views: 8729

Answers (2)

koma

Reputation: 6566

The key question is:

"Where does Terraform derive the “[email protected]” email identity as the account to try to access the storage location with?"

The answer is that it takes the account from the application default credentials. To switch to different default credentials, run:

gcloud auth application-default login

see also: https://cloud.google.com/docs/authentication/production

Upvotes: 5

Adron

Reputation: 1856

Ok, as fate would have it I figured it out. What needs to be set is an ACL which isn't particularly dictated by what creates the storage resource. What I ended up doing which fixed the problem was to set up a resource in my Terraform configuration where I set the ACL to one of the predefined_acl property settings. More in the google docs on ACLs.

resource "google_storage_bucket_acl" "image-store-acl" {
  bucket = "${google_storage_bucket.blue-world-tf-state.name}"
  # publicReadWrite: project owners get OWNER, allUsers get WRITER on the bucket
  predefined_acl = "publicreadwrite"
}

Upvotes: 0
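The two answers above point at two separate issues: the backend refresh ran as the application default credentials rather than the provider's key file, and the fix that was applied opens the state bucket to everyone. The following is an added example (not code from the question or either answer) that addresses both with a least-privilege layout in current HCL syntax; PROJECT_ID, SA_EMAIL and the key file path are assumed placeholders.

```hcl
# Added example, not from the original post. Placeholders: PROJECT_ID, SA_EMAIL,
# and the key file path are assumptions; substitute your own values.
provider "google" {
  credentials = file("../../secrets/account-thrashingcode.json") # same key the backend uses
  project     = "PROJECT_ID"
  region      = "us-west1"
}

# Bucket holding the state. Uniform bucket-level access disables object ACLs
# entirely, so IAM bindings are the only way to grant access; public access
# prevention blocks allUsers/allAuthenticatedUsers grants; versioning lets you
# recover an overwritten or corrupted state file.
resource "google_storage_bucket" "tf_state" {
  name     = "terraform-remote-states"
  location = "US-WEST1"

  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  versioning {
    enabled = true
  }
}

# Grant object read/write to the single service account Terraform runs as,
# instead of a bucket-wide public ACL. State files routinely contain secrets.
resource "google_storage_bucket_iam_member" "tf_state_writer" {
  bucket = google_storage_bucket.tf_state.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:SA_EMAIL"
}

# Backend block (normally in its own file). Pointing it at the same key file
# means the identity that refreshes state is the one granted above, not
# whatever `gcloud auth application-default login` last stored.
terraform {
  backend "gcs" {
    bucket      = "terraform-remote-states"
    prefix      = "dev"
    credentials = "../../secrets/account-thrashingcode.json"
  }
}
```

The bucket has to exist before `terraform init` can use it as a backend, so create it first with local state (or out of band), then add the backend block and run `terraform init` to migrate. After that, a 403 on `storage.objects.get` tells you the identity in the error is not the one in the IAM binding, which is the mismatch the first answer describes.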
