Reputation: 1571
I am trying to create a simple appengine application with terraform.
Firstly I have created all the basic resources with the gcloud cli. Here I list the commands I have executed:
```bash
export PROJECT=ProjectName
export TF_VAR_billing_account=xxxxxx-xxxxxx-xxxxxx
export TF_VAR_project=${PROJECT}-terraform
export TF_CREDS=./${PROJECT}-terraform.json

gcloud projects create ${TF_VAR_project}
gcloud beta billing projects link ${TF_VAR_project} \
    --billing-account ${TF_VAR_billing_account}

##### Create the Terraform service account
gcloud iam service-accounts create terraform \
    --display-name "Terraform admin account"
gcloud iam service-accounts keys create ${TF_CREDS} \
    --iam-account terraform@${TF_VAR_project}
gcloud projects add-iam-policy-binding ${TF_VAR_project} \
    --member serviceAccount:terraform@${TF_VAR_project} \
    --role roles/editor
gcloud projects add-iam-policy-binding ${TF_VAR_project} \
    --member serviceAccount:terraform@${TF_VAR_project} \
    --role roles/storage.admin
gcloud projects add-iam-policy-binding ${TF_VAR_project} \
    --member serviceAccount:terraform@${TF_VAR_project} \
    --role roles/appengine.appAdmin

# service names for the four enable calls are omitted here
gcloud services enable
gcloud services enable
gcloud services enable
gcloud services enable

##### Set up remote state in Cloud Storage
gsutil mb -p ${TF_VAR_project} gs://${TF_VAR_project}
# target file name after `cat >` is omitted here
cat > << EOF
terraform {
  backend "gcs" {
    bucket = "${TF_VAR_project}"
    prefix = "terraform/state"
  }
}
EOF
gsutil versioning set on gs://${TF_VAR_project}
export GOOGLE_PROJECT=${TF_VAR_project}
```
Those commands are executed correctly. At this point I have the following terraform file:
```hcl
variable "project" {}
variable "region" {}

provider "google" {
  project = var.project
  region  = var.region
}

data "google_project" "project" {}

resource "google_project_service" "service" {
  for_each = toset([
    # list of service names omitted here
  ])

  service            = each.key
  disable_on_destroy = false
}

resource "google_app_engine_application" "app" {
  project     = data.google_project.project.project_id
  location_id = var.region
}
```
When I run the terraform plan and apply, the resources 'service' are created correctly but the app engine application cannot be created and I get the following error:

```text
Creating...
Error: Error creating App Engine application: googleapi: Error 403: The caller does not have permission, forbidden

  on line 24, in resource "google_app_engine_application" "app":
  24: resource "google_app_engine_application" "app" {
```
It seems that the service key that I have created is missing some permission, but I cannot figure out what the issue is.
Upvotes: 7
Views: 6720
Reputation: 1537
As another member of the community has pointed out, you need to have Owner permissions on the project in order to properly create applications if you are using the primitive roles. This is mentioned in the permissions documentation for App Engine.
Upvotes: 6
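A least-privilege check related to the answer above, added here as an example and not part of the question or answer: given a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` emits (sample constructed inline; the project name and service-account address are assumptions), it lists the roles bound to the Terraform service account, separates conditional bindings, and reports whether the Owner role the answer calls for is actually held.

```python
import json

# Constructed sample (not real output): shaped like the JSON that
# `gcloud projects get-iam-policy PROJECT --format=json` returns after
# the three add-iam-policy-binding commands from the question have run.
TERRAFORM_SA = "serviceAccount:terraform@example-terraform.iam.gserviceaccount.com"
SAMPLE_POLICY = json.dumps({
    "version": 3,
    "etag": "BwExampleEtag=",
    "bindings": [
        {"role": "roles/editor", "members": [TERRAFORM_SA, "user:alice@example.com"]},
        {"role": "roles/storage.admin", "members": [TERRAFORM_SA]},
        {"role": "roles/appengine.appAdmin", "members": [TERRAFORM_SA]},
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        # A conditional binding only applies while its condition holds, so it
        # is reported separately rather than counted as an unconditional grant.
        {"role": "roles/owner", "members": [TERRAFORM_SA],
         "condition": {"title": "expired",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
})

# Basic (primitive) roles: broad grants that a least-privilege review flags.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

def roles_for_member(policy_json, member):
    """Return (unconditional_roles, conditional_roles) bound to `member`, each sorted."""
    policy = json.loads(policy_json)
    unconditional, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        target = conditional if "condition" in binding else unconditional
        target.add(binding["role"])
    return sorted(unconditional), sorted(conditional)

def audit_member(policy_json, member):
    """Summarise a member's grants: which are primitive, and whether Owner is held unconditionally."""
    roles, conditional = roles_for_member(policy_json, member)
    return {
        "roles": roles,
        "conditional_roles": conditional,
        "primitive_roles": [r for r in roles if r in PRIMITIVE_ROLES],
        "has_owner": "roles/owner" in roles,
    }

if __name__ == "__main__":
    for member in (TERRAFORM_SA, "user:alice@example.com"):
        print(member, json.dumps(audit_member(SAMPLE_POLICY, member), indent=2))
```

Run against the real policy by replacing SAMPLE_POLICY with the output of `gcloud projects get-iam-policy PROJECT --format=json`; a Terraform account that shows `has_owner: false` is in the situation the question describes.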