Leroi

Reputation: 369

How to create a new notification configuration on a specified bucket using terraform?

I am having problems creating a new notification config for a GCP bucket using the example shown on the Terraform Registry.

I am using the same code but get an error when I run the command.

resource "google_storage_notification" "notification" {
  bucket         = google_storage_bucket.bucket.name
  payload_format = "JSON_API_V1"
  topic          = google_pubsub_topic.topic.id
  event_types    = ["OBJECT_FINALIZE", "OBJECT_METADATA_UPDATE"]
  custom_attributes = {
    new-attribute = "new-attribute-value"
  }
  depends_on = [google_pubsub_topic_iam_binding.binding]
}

// Enable notifications by giving the correct IAM permission to the unique service account.

data "google_storage_project_service_account" "gcs_account" {
}

resource "google_pubsub_topic_iam_binding" "binding" {
  topic   = google_pubsub_topic.topic.id
  role    = "roles/pubsub.publisher"
  members = ["serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}"]
}

// End enabling notifications

resource "google_storage_bucket" "bucket" {
  name     = "test_bucket"
  location = "US"
}

resource "google_pubsub_topic" "topic" {
  name = "test_topic"
}

Output on the console

╷
│ Error: Error retrieving IAM policy for pubsub topic "projects/myproject/topics/test_topic": googleapi: Error 403: User not authorized to perform this action.
│
│   with google_pubsub_topic_iam_binding.binding,
│   on main.tf line 109, in resource "google_pubsub_topic_iam_binding" "binding":
│  109: resource "google_pubsub_topic_iam_binding" "binding" {
│
╵

I am not sure what I am doing wrong here as I am using the exact code. I only changed the bucket name and the topic name from the original sample.

Upvotes: 1

Views: 832

Answers (1)

matsu

Reputation: 326

It seems that the credentials used by Terraform to apply your configuration do not have sufficient privileges to create the IAM binding. Have a look at the specific permissions needed to perform different operations and check that you have all required permissions.

Note that:

To create a topic you need the pubsub.topics.create permission, which is included in the editor and pubsub.editor roles.

To get/set the IAM policy for a topic, you need the pubsub.topics.getIamPolicy and pubsub.topics.setIamPolicy permissions respectively, which are included in the owner and pubsub.admin roles, but NOT in the editor or pubsub.editor roles.

Upvotes: 2
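A quick way to confirm the answer's diagnosis before re-running `terraform apply` is to compare the permissions Terraform needs for each resource against the roles the Terraform principal actually holds. The checker below is an added example, not code from the question, the answer or the Terraform provider. The role permission table and the project IAM policy it uses are constructed sample data that mirror the answer's statements (pubsub.editor grants pubsub.topics.create but not the IAM-policy permissions; pubsub.admin grants all three); the service account name `terraform@myproject.iam.gserviceaccount.com` is an assumption. In practice, feed it the real output of `gcloud projects get-iam-policy PROJECT --format=json` and the `includedPermissions` list printed by `gcloud iam roles describe roles/pubsub.editor`.

```python
"""Check whether the Terraform principal holds the permissions needed for the
google_pubsub_topic and google_pubsub_topic_iam_binding resources.

Added example with constructed sample data; not part of the original post.
"""
import json

# Permissions Terraform exercises for the resources in the question: the topic
# is created, then its IAM policy is read and written.
REQUIRED_PERMISSIONS = {
    "google_pubsub_topic.topic": {"pubsub.topics.create"},
    "google_pubsub_topic_iam_binding.binding": {
        "pubsub.topics.getIamPolicy",
        "pubsub.topics.setIamPolicy",
    },
}

# Constructed subset of the predefined roles' includedPermissions, mirroring
# the answer's statements. Assumption: verify the live list with
# `gcloud iam roles describe ROLE`.
ROLE_PERMISSIONS = {
    "roles/pubsub.viewer": {"pubsub.topics.get", "pubsub.topics.list"},
    "roles/pubsub.editor": {
        "pubsub.topics.get", "pubsub.topics.list",
        "pubsub.topics.create", "pubsub.topics.update", "pubsub.topics.delete",
    },
    "roles/pubsub.admin": {
        "pubsub.topics.get", "pubsub.topics.list",
        "pubsub.topics.create", "pubsub.topics.update", "pubsub.topics.delete",
        "pubsub.topics.getIamPolicy", "pubsub.topics.setIamPolicy",
    },
}

# Assumed identity Terraform authenticates as.
SAMPLE_MEMBER = "serviceAccount:terraform@myproject.iam.gserviceaccount.com"

# Constructed project IAM policy in the JSON shape printed by
# `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/pubsub.editor",
     "members": ["serviceAccount:terraform@myproject.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:terraform@myproject.iam.gserviceaccount.com"]}
  ],
  "etag": "BwXyz=",
  "version": 1
}
"""


def load_policy(text: str) -> dict:
    """Parse an IAM policy document as printed by gcloud."""
    return json.loads(text)


def granted_permissions(policy: dict, member: str) -> tuple[set[str], list[str]]:
    """Return (permissions held by member, roles missing from ROLE_PERMISSIONS).

    Bindings that carry an IAM condition are skipped: whether they apply
    depends on request context, so they are not counted as held.
    """
    held: set[str] = set()
    unknown_roles: list[str] = []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []) or "condition" in binding:
            continue
        role = binding["role"]
        if role not in ROLE_PERMISSIONS:
            unknown_roles.append(role)   # resolve with `gcloud iam roles describe`
            continue
        held |= ROLE_PERMISSIONS[role]
    return held, unknown_roles


def missing_permissions(policy: dict, member: str) -> dict[str, list[str]]:
    """Map each Terraform resource to the permissions member lacks for it."""
    held, _ = granted_permissions(policy, member)
    return {
        resource: sorted(required - held)
        for resource, required in REQUIRED_PERMISSIONS.items()
        if required - held
    }


def with_role(policy: dict, member: str, role: str) -> dict:
    """Return a copy of policy with member added to role (non-authoritative add)."""
    new_policy = json.loads(json.dumps(policy))
    for binding in new_policy.setdefault("bindings", []):
        if binding["role"] == role and "condition" not in binding:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new_policy
    new_policy["bindings"].append({"role": role, "members": [member]})
    return new_policy


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY_JSON)
    print("missing with pubsub.editor:", missing_permissions(policy, SAMPLE_MEMBER))
    fixed = with_role(policy, SAMPLE_MEMBER, "roles/pubsub.admin")
    print("missing with pubsub.admin: ", missing_permissions(fixed, SAMPLE_MEMBER))
```

With the sample policy the first call reports that `google_pubsub_topic_iam_binding.binding` lacks `pubsub.topics.getIamPolicy` and `pubsub.topics.setIamPolicy`, which is exactly the 403 in the question; after adding `roles/pubsub.admin` nothing is missing. Rather than granting pubsub.admin project-wide, scope it to the one topic Terraform manages (`gcloud pubsub topics add-iam-policy-binding TOPIC --member=MEMBER --role=roles/pubsub.admin`), since a principal that can set IAM policy on a topic can grant publish rights to anyone. Note also that `google_pubsub_topic_iam_binding` is authoritative for its role on that topic: any other member holding `roles/pubsub.publisher` there is removed on apply.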
