Christoph

Reputation: 1

OpenTofu google_sql_database.sql_database creation leads to Error 403

I create a GCP Cloud SQL instance with OpenTofu & Terragrunt in a GitHub Action with:

resource "google_sql_database_instance" "sql_instance" {
  name             = var.sql_instance_name
  database_version = "POSTGRES_13"
  project          = var.project_id
  region           = var.region

  settings {
    tier = var.sql_tier

    ip_configuration {
      ipv4_enabled    = false
      private_network = "projects/${var.project_id}/global/networks/${var.network_name}"
    }
  }

  depends_on = [google_service_networking_connection.private_vpc_connection]
}

by a service account (WIF). The account is an owner of the target project and also has the "roles/cloudsql.admin" role. The instance is created successfully, but when it comes to creating the database with

resource "google_sql_database" "sql_database" {
  name     = var.sql_database_name
  instance = google_sql_database_instance.sql_instance.name

  depends_on = [google_sql_database_instance.sql_instance]
}

an error is thrown:

17:28:31.970 STDOUT [cloud-sql] tofu: google_sql_database_instance.sql_instance: Creation complete after 10m10s [id=sql-dev]
17:28:31.975 STDOUT [cloud-sql] tofu: google_sql_database.sql_database: Creating...
17:28:32.100 STDERR [cloud-sql] tofu: ╷
17:28:32.100 STDERR [cloud-sql] tofu: │ Error: Error creating Database: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
17:28:32.100 STDERR [cloud-sql] tofu: │ 
17:28:32.100 STDERR [cloud-sql] tofu: │   with google_sql_database.sql_database,
17:28:32.100 STDERR [cloud-sql] tofu: │   on main.tf line 47, in resource "google_sql_database" "sql_database":
17:28:32.100 STDERR [cloud-sql] tofu: │   47: resource "google_sql_database" "sql_database" {
17:28:32.100 STDERR [cloud-sql] tofu: │ 
17:28:32.100 STDERR [cloud-sql] tofu: ╵
17:28:32.120 ERROR  [cloud-sql] tofu invocation failed in ./cloud-sql/.terragrunt-cache/SguRpGWmSN0zieEs-MOkmn3OQ5c/9XKl4QjKl-n4tTV9j_wBH9arirY
17:28:32.120 ERROR  [cloud-sql] Module ./cloud-sql has finished with an error
17:28:32.120 ERROR  error occurred:
* Failed to execute "tofu apply -auto-approve -input=false -auto-approve" in ./cloud-sql/.terragrunt-cache/SguRpGWmSN0zieEs-MOkmn3OQ5c/9XKl4QjKl-n4tTV9j_wBH9arirY
  ╷
  │ Error: Error creating Database: googleapi: Error 403: The client is not authorized to make this request., notAuthorized
  │ 
  │   with google_sql_database.sql_database,
  │   on main.tf line 47, in resource "google_sql_database" "sql_database":
  │   47: resource "google_sql_database" "sql_database" {
  │ 
  ╵

I enable these APIs in my action beforehand:

      - name: Enable required APIs
        run: |
          gcloud services enable serviceusage.googleapis.com servicenetworking.googleapis.com compute.googleapis.com iam.googleapis.com secretmanager.googleapis.com firebase.googleapis.com sqladmin.googleapis.com analytics.googleapis.com cloudresourcemanager.googleapis.com --project=$PROJECT_ID

I expect the database to be created inside the cloud-sql instance.

I tried to impersonate my service account in the shell to create a database and that works:

gcloud sql databases create my-database --instance=sql-dev --impersonate-service-account=my@service-account.iam.gserviceaccount.com

I tried to add waiting time, but this did not change anything:

resource "time_sleep" "wait_for_cloudsqlinstance" {
  depends_on      = [google_sql_database_instance.sql_instance]
  create_duration = "60s"
}

resource "google_sql_database" "sql_database" {
  name     = var.sql_database_name
  instance = google_sql_database_instance.sql_instance.name

  depends_on = [time_sleep.wait_for_cloudsqlinstance]
}

I have also run a query with the Policy Analyzer. It says that the given service account has the "cloudsql.databases.create" permission.

The versions I use:

Why does this happen? I'm running out of ideas.

Upvotes: 0

Views: 61
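The question above checks the impersonated account with gcloud and the Policy Analyzer, but the provider in the runner uses whatever credential the WIF step produced; as an added diagnostic (not part of the question, Terragrunt or the OpenTofu provider), this script asks Cloud Resource Manager's projects.testIamPermissions which of the Cloud SQL permissions the two resources exercise are actually held by that credential. PROJECT_ID and ACCESS_TOKEN are assumed environment variables (the token as printed by `gcloud auth print-access-token` in the same job, without impersonation), and the permission list is an assumption about what the resources need.

```shell
#!/usr/bin/env sh
# Added diagnostic: compare the permissions the runner's own credential holds
# against the ones google_sql_database_instance / google_sql_database need.
# Assumptions: PROJECT_ID and ACCESS_TOKEN are set in the environment.

# Permissions assumed to be exercised by the two resources in the question.
NEEDED="cloudsql.instances.create cloudsql.databases.create cloudsql.instances.get"

# Build the JSON request body for projects.testIamPermissions from a
# space-separated list of permission names.
build_body() {
  first=1
  body='{"permissions":['
  for p in $1; do
    if [ "$first" -eq 1 ]; then first=0; else body="$body,"; fi
    body="$body\"$p\""
  done
  echo "$body]}"
}

# The API answers with only the subset of requested permissions the caller
# holds (an empty object when it holds none). Print the needed permissions
# that are absent from that answer, one per line.
missing_from_response() {
  granted=$(printf '%s' "$2" | tr -d ' \n' \
    | sed -n 's/.*"permissions":\[\([^]]*\)].*/\1/p' | tr ',' '\n' | tr -d '"')
  for p in $1; do
    echo "$granted" | grep -qx "$p" || echo "$p"
  done
}

# Live check against the project; skipped when no token is available (offline).
if [ -n "${ACCESS_TOKEN:-}" ] && [ -n "${PROJECT_ID:-}" ]; then
  resp=$(curl -sS -X POST \
    -H "Authorization: Bearer $ACCESS_TOKEN" -H "Content-Type: application/json" \
    -d "$(build_body "$NEEDED")" \
    "https://cloudresourcemanager.googleapis.com/v1/projects/$PROJECT_ID:testIamPermissions")
  missing=$(missing_from_response "$NEEDED" "$resp")
  if [ -n "$missing" ]; then
    echo "credential in use is missing:"; echo "$missing"; exit 1
  fi
  echo "credential in use holds all needed Cloud SQL permissions"
fi
```

Run it as a step right before `tofu apply` in the same job, so the token reflects the identity the provider will use rather than an interactively impersonated one.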

Answers (0)
