
Unable to delete GKE cluster created by Terraform

I am working on a Terraform configuration that creates a GKE cluster (code below). The apply gets roughly 90% of the way through and then fails. Every later `terraform apply` or `terraform destroy` against this cluster then fails with permission errors. I have granted every account in the project the Owner role and still get the same errors. How do I clean this up?

Error:

(1) (1) (1) Google Compute Engine: Required 'compute.instanceGroupManagers.delete' permission for 'projects/gke-eval-319218/zones/us-east4-a/instanceGroupManagers/gke-hello-default-pool-6e16e226-grp' (2) Google Compute Engine: Required 'compute.instanceGroupManagers.delete' permission for 'projects/gke-eval-319218/zones/us-east4-b/instanceGroupManagers/gke-hello-default-pool-a00f72b6-grp' (3) Google Compute Engine: Required 'compute.instanceGroupManagers.delete' permission for 'projects/gke-eval-319218/zones/us-east4-c/instanceGroupManagers/gke-hello-default-pool-ea0634bc-grp' (2) (1) Google Compute Engine: Required 'compute.projects.get' permission for 'projects/gke-eval-319218' (2) retry budget exhausted (5 attempts): Google Compute Engine: Required 'compute.routes.list' permission for 'projects/gke-eval-319218' (3) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/gke-eval-319218/global/firewalls/gke-hello-c4849243-all' (4) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/gke-eval-319218/global/firewalls/gke-hello-c4849243-ssh' (5) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/gke-eval-319218/global/firewalls/gke-hello-c4849243-vms' (2) Google Compute Engine: Required 'compute.subnetworks.get' permission for 'projects/gke-eval-319218/regions/us-east4/subnetworks/default'.

The Terraform configuration that created the cluster:

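# Inputs for the cluster and for the node service account it runs as.
# Block labels are quoted (the unquoted form is legacy syntax) and every
# variable carries a type and a description, so a wrong value — e.g. a single
# zone string where a list is expected — is rejected by `terraform validate`
# instead of surfacing halfway through an apply.

variable "project_id" {
  description = "GCP project that holds the cluster, the node service account and its IAM grants."
  type        = string
}

variable "zones" {
  description = "Zones for the node pools. The kubernetes-engine module expects a list, e.g. [\"us-east4-a\", \"us-east4-b\", \"us-east4-c\"]."
  type        = list(string)
}

variable "region" {
  description = "Region of the cluster; the subnetwork must live in this region."
  type        = string
}

variable "name" {
  description = "Cluster name; also used as the prefix of the node service account id (\"<name>-sa\")."
  type        = string
}

variable "network" {
  description = "VPC network passed to the module's `network` input."
  type        = string
}

variable "subnetwork" {
  description = "Subnetwork passed to the module's `subnetwork` input."
  type        = string
}

variable "ip_range_pods" {
  description = "Secondary range for pods, passed through to the module unchanged (null by default)."
  type        = string
  default     = null
}

variable "ip_range_services" {
  description = "Secondary range for services, passed through to the module unchanged (null by default)."
  type        = string
  default     = null
}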

locals {
  # Account id of the node service account. The full email Terraform and the
  # module use is "<service_account>@<project_id>.iam.gserviceaccount.com".
  service_account = format("%s-sa", var.name)
}

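# Dedicated service account for the GKE nodes. Keeping it separate from the
# Compute Engine default service account means its permissions are exactly the
# ones granted in this configuration rather than whatever the default carries.
# (Bare references are used instead of the deprecated "${...}"-only
# interpolation form.)
resource "google_service_account" "service_account" {
  project      = var.project_id
  account_id   = local.service_account
  display_name = "${var.name} cluster service account"
}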

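# IAM grants for the node service account.
#
# Two changes from an authoritative `google_project_iam_binding` on
# roles/container.admin:
#
#  * `google_project_iam_member` is additive. A project-level *binding* is
#    authoritative for the role: on every apply it replaces the role's member
#    list with exactly what is declared here, silently removing any other
#    principal that held roles/container.admin in the project.
#
#  * The nodes do not need roles/container.admin. The node pool below runs
#    with the cloud-platform OAuth scope and nothing in this configuration
#    restricts pod access to the node metadata server, so that role would let
#    any workload on the nodes administer every cluster in the project. The
#    roles granted instead are the logging/monitoring roles the
#    kubernetes-engine module grants to the node service account it creates
#    itself — confirm the list against the module version in use.
#
# `member` is taken from the google_service_account resource rather than
# re-assembled from strings, which gives Terraform an explicit dependency: the
# account is created before anything is granted to it.
resource "google_project_iam_member" "service_account_iam" {
  for_each = toset([
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
  ])

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.service_account.email}"
}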

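# Regional GKE cluster built from the community kubernetes-engine module.
#
# `service_account` now references the google_service_account resource instead
# of rebuilding the email from strings, so Terraform orders the account's
# creation before the cluster (and its node pools) rather than racing them.
# All other settings are kept as configured.
#
# NOTE(review): the module source has no `version` constraint, so every
# `terraform init` may pull the latest module release, whose defaults can
# change behaviour. Pin a known-good version once one has been chosen.
module "gke" {
  source = "terraform-google-modules/kubernetes-engine/google"

  project_id        = var.project_id
  name              = var.name
  region            = var.region
  zones             = var.zones
  network           = var.network
  subnetwork        = var.subnetwork
  ip_range_pods     = var.ip_range_pods
  ip_range_services = var.ip_range_services

  http_load_balancing        = true
  horizontal_pod_autoscaling = false
  # No NetworkPolicy enforcement: every pod can reach every other pod in the
  # cluster. Enable if workloads need in-cluster network isolation.
  network_policy = false

  # Identity the nodes run as. What it is allowed to do is decided entirely by
  # the project IAM resource above, not by the OAuth scope below.
  service_account = google_service_account.service_account.email

  node_pools = [
    {
      name            = "default-pool"
      machine_type    = "e2-medium"
      min_count       = 3
      max_count       = 20
      local_ssd_count = 0
      disk_size_gb    = 100
      auto_repair     = true
      auto_upgrade    = true
      preemptible     = false
      # NOTE(review): for a regional cluster this count presumably applies per
      # zone — with the three us-east4 zones seen in the error output that is
      # ~30 e2-medium nodes with 100 GB disks at start-up. Check Compute quota
      # if creation stops partway.
      initial_node_count = 10
    },
  ]

  # cloud-platform is the broad "all Google APIs" scope; the effective
  # permissions are then whatever IAM roles the node service account holds,
  # which is why those roles are kept minimal.
  node_pools_oauth_scopes = {
    all = []

    default-pool = [
      "https://www.googleapis.com/auth/cloud-platform",
    ]
  }

  node_pools_labels = {
    all = {}

    default-pool = {
      default-pool = true
    }
  }

  node_pools_metadata = {
    all = {}

    default-pool = {
      node-pool-metadata-custom-value = "my-node-pool"
    }
  }

  node_pools_taints = {
    all = []

    default-pool = [
      {
        key    = "default-pool"
        value  = true
        effect = "PREFER_NO_SCHEDULE"
      },
    ]
  }

  node_pools_tags = {
    all = []

    default-pool = [
      "default-pool",
    ]
  }
}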



You may need to enable an API you have not enabled yet, for example:

gcloud services enable container.googleapis.com

Also make sure the principal that is actually performing the deletion has the required role. Every denied permission in the error is a Compute Engine permission (`compute.instanceGroupManagers.delete`, `compute.firewalls.delete`, `compute.routes.list`, …) checked against the project, and cluster teardown is typically carried out by the Google-managed GKE service agent rather than by your own user — which would explain why making every user account Owner did not help. Check that the service agent still holds its service-agent role. A broad fix is to attach

 --role  roles/compute.admin

to the service account, but that role grants far more than the listed deletes need, so prefer the narrower role once the missing principal has been identified.
