Reputation: 2784
I am working on a Terraform script to create a cluster (tf code below). It gets 90% done then errors. When trying to apply another change or delete this cluster, I run into lack of permission. I made every account in the project Owner and still have the issue. How do I clear this out?
Error:
(1) (1) (1) Google Compute Engine: Required 'compute.instanceGroupManagers.delete' permission for 'projects/gke-eval-319218/zones/us-east4-a/instanceGroupManagers/gke-hello-default-pool-6e16e226-grp' (2) Google Compute Engine: Required 'compute.instanceGroupManagers.delete' permission for 'projects/gke-eval-319218/zones/us-east4-b/instanceGroupManagers/gke-hello-default-pool-a00f72b6-grp' (3) Google Compute Engine: Required 'compute.instanceGroupManagers.delete' permission for 'projects/gke-eval-319218/zones/us-east4-c/instanceGroupManagers/gke-hello-default-pool-ea0634bc-grp' (2) (1) Google Compute Engine: Required 'compute.projects.get' permission for 'projects/gke-eval-319218' (2) retry budget exhausted (5 attempts): Google Compute Engine: Required 'compute.routes.list' permission for 'projects/gke-eval-319218' (3) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/gke-eval-319218/global/firewalls/gke-hello-c4849243-all' (4) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/gke-eval-319218/global/firewalls/gke-hello-c4849243-ssh' (5) Google Compute Engine: Required 'compute.firewalls.delete' permission for 'projects/gke-eval-319218/global/firewalls/gke-hello-c4849243-vms' (2) Google Compute Engine: Required 'compute.subnetworks.get' permission for 'projects/gke-eval-319218/regions/us-east4/subnetworks/default'.
Script that created this mess:
variable project_id {}
variable zones {}
variable region {}
variable name {}
variable network {}
variable subnetwork {}
variable ip_range_pods { default = null }
variable ip_range_services { default = null }
locals {
service_account = "${var.name}-sa"
}
resource "google_service_account" "service_account" {
project = var.project_id
account_id = "${local.service_account}"
display_name = "${var.name} cluster service account"
}
resource "google_project_iam_binding" "service_account_iam" {
project = var.project_id
role = "roles/container.admin"
members = [
"serviceAccount:${local.service_account}@${var.project_id}.iam.gserviceaccount.com",
]
}
module "gke" {
source = "terraform-google-modules/kubernetes-engine/google"
project_id = var.project_id
name = var.name
region = var.region
zones = var.zones
network = var.network
subnetwork = var.subnetwork
ip_range_pods = var.ip_range_pods
ip_range_services = var.ip_range_services
http_load_balancing = true
horizontal_pod_autoscaling = false
network_policy = false
service_account = "${local.service_account}@${var.project_id}.iam.gserviceaccount.com"
node_pools = [
{
name = "default-pool"
machine_type = "e2-medium"
min_count = 3
max_count = 20
local_ssd_count = 0
disk_size_gb = 100
auto_repair = true
auto_upgrade = true
preemptible = false
initial_node_count = 10
},
]
node_pools_oauth_scopes = {
all = []
default-pool = [
"https://www.googleapis.com/auth/cloud-platform",
]
}
node_pools_labels = {
all = {}
default-pool = {
default-pool = true
}
}
node_pools_metadata = {
all = {}
default-pool = {
node-pool-metadata-custom-value = "my-node-pool"
}
}
node_pools_taints = {
all = []
default-pool = [
{
key = "default-pool"
value = true
effect = "PREFER_NO_SCHEDULE"
},
]
}
node_pools_tags = {
all = []
default-pool = [
"default-pool",
]
}
}
Upvotes: 1
Views: 906
Reputation: 30208
You might require to enable API if you are forgetting any
like
gcloud services enable container.googleapis.com
also, make sure service account you are have the role or policy attached.
--role roles/compute.admin
Upvotes: 1