Reputation: 14042
When I try to run
steps:
  - id: Plan Terraform
    name: hashicorp/terraform:light
    args:
      - plan
in Cloud Build, I get the error:
Error: Error reading Project Service foo/cloudbuild.googleapis.com: googleapi: Error 403: Cloud Resource Manager API has not been used in project 123456789 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=123456789 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured
Since the same Terraform definition is working on my local machine, I assume the error message is slightly misleading and it is actually a credential problem.
According to the Google Cloud docs I applied the following:
resource "google_project_iam_binding" "cloudbuild" {
  project = "bar"
  role    = "roles/editor"
  members = [
    "serviceAccount:[email protected]"
  ]
}
The error still persists, though. Any idea what might be the problem/solution here?
Upvotes: 9
Views: 7874
Reputation: 1603
We also had credentials problems where local authentication worked but service account impersonation (see TERRAFORM_SA_EMAIL) failed.
There is essentially a deadlock problem where Terraform needs certain APIs to be activated in a project but cannot activate them because, well, the APIs are not activated yet. By setting user_project_override to false for a separate google provider for your seed (= quota) project where the service account was initially created, you may activate those initial APIs for the worker project. All other APIs that might be needed can be activated using the default google provider (see other_google_project_services).
provider "google" {
  user_project_override       = true
  region                      = var.GCP_REGION
  impersonate_service_account = var.TERRAFORM_SA_EMAIL
}

provider "google" {
  alias                       = "seed"
  user_project_override       = false
  region                      = var.GCP_REGION
  impersonate_service_account = var.TERRAFORM_SA_EMAIL
}

resource "google_project_service" "cloud_serviceusage_api" {
  provider                   = google.seed
  project                    = google_project.worker_project.project_id
  service                    = "serviceusage.googleapis.com"
  disable_dependent_services = true
}

resource "google_project_service" "cloudresourcemanager_api" {
  depends_on                 = [google_project_service.cloud_serviceusage_api]
  provider                   = google.seed
  project                    = google_project.worker_project.project_id
  service                    = "cloudresourcemanager.googleapis.com"
  disable_dependent_services = true
}

variable "GCP_SERVICES" {
  type = list(string)
  default = [
    "bigquery.googleapis.com",
    "compute.googleapis.com",
    "container.googleapis.com",
    "containersecurity.googleapis.com",
    "dns.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
    "osconfig.googleapis.com",
    "pubsub.googleapis.com"
  ]
}

resource "google_project_service" "other_google_project_services" {
  depends_on                 = [google_project_service.cloudresourcemanager_api]
  project                    = google_project.worker_project.project_id
  for_each                   = toset(var.GCP_SERVICES)
  service                    = each.value
  disable_dependent_services = true
}
Upvotes: 1
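The answer above splits API enablement into two groups: the bootstrap APIs that Terraform cannot enable for itself (so the seed/quota provider has to), and everything else, which the default provider can enable once the bootstrap ones exist. The following pre-flight script is an added example, not code from the thread or from HashiCorp. It parses the JSON that `gcloud services list --enabled --format=json --project <PROJECT_ID>` prints and reports which APIs still need to be enabled out of band before a Terraform run can succeed. The gcloud output embedded below is constructed, and the project number comes from the error message in the question.

```python
"""Pre-flight check for the API bootstrapping order discussed above.

Added example, not code from the thread. It reads the JSON printed by
`gcloud services list --enabled --format=json --project <PROJECT_ID>` and
separates the APIs Terraform itself depends on (which the seed/quota
provider or gcloud must enable first) from the ones the default provider
can enable afterwards.
"""
import json

# Service Usage must be on before Terraform can enable anything else, and
# Cloud Resource Manager before it can read project IAM or services; the
# answer models the same ordering with depends_on. Order matters here.
BOOTSTRAP_APIS = [
    "serviceusage.googleapis.com",
    "cloudresourcemanager.googleapis.com",
]

# The desired end state; a subset of the answer's GCP_SERVICES list.
DESIRED_APIS = [
    "bigquery.googleapis.com",
    "compute.googleapis.com",
    "container.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
    "pubsub.googleapis.com",
]

# Constructed sample of `gcloud services list --enabled --format=json`,
# trimmed to the fields this script reads. Project number from the question.
SAMPLE_GCLOUD_JSON = json.dumps([
    {"name": "projects/123456789/services/compute.googleapis.com",
     "config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
    {"name": "projects/123456789/services/serviceusage.googleapis.com",
     "config": {"name": "serviceusage.googleapis.com"}, "state": "ENABLED"},
    {"name": "projects/123456789/services/logging.googleapis.com",
     "config": {"name": "logging.googleapis.com"}, "state": "ENABLED"},
])


def enabled_services(gcloud_json):
    """Return the set of service names gcloud reports as ENABLED."""
    return {
        entry["config"]["name"]
        for entry in json.loads(gcloud_json)
        if entry.get("state") == "ENABLED"
    }


def bootstrap_plan(gcloud_json, desired):
    """Split the still-missing APIs into bootstrap and Terraform-managed lists.

    'bootstrap' keeps BOOTSTRAP_APIS order because cloudresourcemanager
    cannot be enabled through Terraform until serviceusage is on.
    'terraform_can_run' is True only when every bootstrap API is enabled.
    """
    enabled = enabled_services(gcloud_json)
    return {
        "bootstrap": [api for api in BOOTSTRAP_APIS if api not in enabled],
        "terraform_managed": sorted(api for api in desired if api not in enabled),
        "terraform_can_run": all(api in enabled for api in BOOTSTRAP_APIS),
    }


if __name__ == "__main__":
    result = bootstrap_plan(SAMPLE_GCLOUD_JSON, DESIRED_APIS)
    if not result["terraform_can_run"]:
        print("Enable first (seed provider or gcloud):",
              " ".join(result["bootstrap"]))
    print("Leave to the default provider:",
          " ".join(result["terraform_managed"]))
```

To run it against a real project, pipe the gcloud output into `bootstrap_plan` instead of `SAMPLE_GCLOUD_JSON`; the identity that runs the check only needs to list services, which is a narrower permission than the editor role the question grants to Cloud Build.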
Reputation: 101
If a user logged in by
# generating /yourhome-dir/.config/gcloud/application_default_credentials.json
but runs into the following error at a project policy or IAM related action: Cloud Resource Manager API has not been used
there is probably a quota project id in application_default_credentials.json, introduced by the login command.
Try to remove the "quota project id" from application_default_credentials.json and instead do
retry.
Upvotes: 0
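The answer above points at the quota project recorded in the Application Default Credentials file. A quota project is the project Google attributes a request to for quota and API-enablement checks, so a 403 reading "API has not been used in project N" can refer to that project rather than the one Terraform is targeting. The script below is an added example, not code from the thread or from Google: it summarises an ADC file without exposing its secret fields, compares the quota project with the target project, and can write a copy with the setting removed, which is what the answer suggests trying. The key name `quota_project_id` is the one gcloud writes; the file content embedded here is constructed and contains only placeholder values.

```python
"""Inspect Application Default Credentials for a quota project setting.

Added example, not code from the thread. `quota_project_id` is the key
gcloud stores in application_default_credentials.json. The sample file
below is constructed; every secret-looking value is a placeholder.
"""
import json

QUOTA_KEY = "quota_project_id"

# Fields that must never be printed or returned by a diagnostic tool.
SECRET_KEYS = {"client_secret", "refresh_token", "private_key"}

# Constructed sample of an authorized_user ADC file (placeholders only).
SAMPLE_ADC = json.dumps({
    "client_id": "PLACEHOLDER.apps.googleusercontent.com",
    "client_secret": "PLACEHOLDER-CLIENT-SECRET",
    "quota_project_id": "my-seed-project",
    "refresh_token": "PLACEHOLDER-REFRESH-TOKEN",
    "type": "authorized_user",
}, indent=2)


def inspect_adc(text):
    """Summarise an ADC file; secret fields are counted, never returned."""
    data = json.loads(text)
    return {
        "type": data.get("type"),
        "quota_project_id": data.get(QUOTA_KEY),
        "has_secrets": bool(SECRET_KEYS & data.keys()),
    }


def without_quota_project(text):
    """Return the ADC JSON with quota_project_id removed, other keys untouched."""
    data = json.loads(text)
    data.pop(QUOTA_KEY, None)
    return json.dumps(data, indent=2) + "\n"


def explain(text, target_project):
    """Relate the quota project to the project Terraform is operating on."""
    quota = inspect_adc(text)["quota_project_id"]
    if quota is None:
        return "no quota project set; API checks apply to the target project"
    if quota == target_project:
        return "quota project equals target project %s" % target_project
    return ("quota project %s differs from target %s; "
            "'API has not been used in project' errors may refer to %s"
            % (quota, target_project, quota))


if __name__ == "__main__":
    # Constructed target; for a real check, read the file from
    # ~/.config/gcloud/application_default_credentials.json instead.
    print(inspect_adc(SAMPLE_ADC))
    print(explain(SAMPLE_ADC, "worker-project"))
    print(without_quota_project(SAMPLE_ADC))
```

Write the output of `without_quota_project` back to the ADC path only after backing up the original; the function leaves the token fields intact, so the result still authenticates, just without a quota project attached.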
Reputation: 729
It should be possible to do:
resource "google_project_service" "gcp_resource_manager_api" {
  project = var.project_id
  service = "cloudresourcemanager.googleapis.com"
}
In this way you enable the API inside your Terraform script.
You could also combine it with time_sleep so that other resources depending on it wait until it is ready.
resource "time_sleep" "gcp_wait_crm_api_enabling" {
  depends_on = [
    google_project_service.gcp_resource_manager_api
  ]
  create_duration = "1m"
}
Should the above not work, then you need to include in your pipeline (assuming you are executing your TF scripts from a pipeline) the following:
$> gcloud services enable cloudresourcemanager.googleapis.com \
     --project <PROJECT ID>
As suggested here.
Upvotes: 2
Reputation: 14042
Had to manually enable Cloud Resource Manager API and Service Usage API to get Terraform to work.
No real idea why it works through my local machine though. Thus this is still not totally understood/solved for me.
My guess would be that perhaps locally it uses gcloud to access these things and it gets the data another way?
Or maybe user accounts have different constraints than service accounts?
Upvotes: 7