I am trying to create a simple appengine application with terraform.
Firstly I have created all the basic resources with the gcloud cli. Here I list the commands I have executed:
```shell
export PROJECT=ProjectName
export TF_VAR_billing_account=xxxxxx-xxxxxx-xxxxxx
export TF_VAR_project=${PROJECT}-terraform
export TF_CREDS=./${PROJECT}-terraform.json

gcloud projects create ${TF_VAR_project} \
  --set-as-default

gcloud beta billing projects link ${TF_VAR_project} \
  --billing-account ${TF_VAR_billing_account}

######################################################################################
##### Create the Terraform service account
######################################################################################
gcloud iam service-accounts create terraform \
  --display-name "Terraform admin account"

gcloud iam service-accounts keys create ${TF_CREDS} \
  --iam-account terraform@${TF_VAR_project}.iam.gserviceaccount.com

gcloud projects add-iam-policy-binding ${TF_VAR_project} \
  --member serviceAccount:terraform@${TF_VAR_project}.iam.gserviceaccount.com \
  --role roles/editor

gcloud projects add-iam-policy-binding ${TF_VAR_project} \
  --member serviceAccount:terraform@${TF_VAR_project}.iam.gserviceaccount.com \
  --role roles/storage.admin

gcloud projects add-iam-policy-binding ${TF_VAR_project} \
  --member serviceAccount:terraform@${TF_VAR_project}.iam.gserviceaccount.com \
  --role roles/appengine.appAdmin

gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudbilling.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable serviceusage.googleapis.com

######################################################################################
##### Set up remote state in Cloud Storage
######################################################################################
gsutil mb -p ${TF_VAR_project} gs://${TF_VAR_project}

cat > backend.tf << EOF
terraform {
  backend "gcs" {
    bucket = "${TF_VAR_project}"
    prefix = "terraform/state"
  }
}
EOF

gsutil versioning set on gs://${TF_VAR_project}

export GOOGLE_APPLICATION_CREDENTIALS=${TF_CREDS}
export GOOGLE_PROJECT=${TF_VAR_project}
```
Those commands are executed correctly. At this point I have the following terraform file:
```hcl
variable "project" {}
variable "region" {}

provider "google" {
  project = var.project
  region  = var.region
}

data "google_project" "project" {}

resource "google_project_service" "service" {
  for_each = toset([
    "appengine.googleapis.com",
    "appengineflex.googleapis.com",
    "firestore.googleapis.com"
  ])

  service            = each.key
  disable_on_destroy = false
}

resource "google_app_engine_application" "app" {
  project     = data.google_project.project.project_id
  location_id = var.region
}
```
When I run the terraform plan and apply, the 'service' resources are created correctly but the app engine application cannot be created and I get the following error:
```text
google_app_engine_application.app: Creating...

Error: Error creating App Engine application: googleapi: Error 403: The caller does not have permission, forbidden

  on project.tf line 24, in resource "google_app_engine_application" "app":
  24: resource "google_app_engine_application" "app" {
```
It seems that the service account key I have created is missing some permission, but I cannot figure out what the issue is.
As another member of the community has pointed out, you need to have Owner permissions on the project in order to properly create applications if you are using the primitive roles. This is mentioned in the permissions documentation for App engine.
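A small pre-flight check, added here as an example and not part of the question or the answer above: given a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, it reports whether a member holds a role that can create the App Engine application. The role set follows the answer's point that the primitive Owner role is required (the predefined App Engine Creator role, `roles/appengine.appCreator`, also carries `appengine.applications.create`); the sample policy is constructed to mirror the three bindings the question's gcloud commands created.

```python
import json

# Roles that carry appengine.applications.create, needed to create the
# App Engine application itself. roles/editor and roles/appengine.appAdmin
# manage an existing application but cannot create one, which is why the
# question's service account received a 403 on google_app_engine_application.
APP_CREATE_ROLES = {"roles/owner", "roles/appengine.appCreator"}


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every unconditional role bound to `member` in a project IAM policy.

    Bindings that carry an IAM condition are skipped: a conditional grant may
    not hold at apply time, so it must not count as a guaranteed permission.
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def can_create_app(policy: dict, member: str) -> bool:
    """True if `member` holds at least one role able to create the App Engine app."""
    return bool(roles_for_member(policy, member) & APP_CREATE_ROLES)


def missing_binding_command(project: str, member: str) -> str:
    """The gcloud command granting the narrowest creation-capable role."""
    return (f"gcloud projects add-iam-policy-binding {project} "
            f"--member {member} --role roles/appengine.appCreator")


# Constructed sample (hypothetical project name): the bindings the question created.
SA = "serviceAccount:terraform@example-terraform.iam.gserviceaccount.com"
POLICY_BEFORE = json.loads("""{
  "bindings": [
    {"role": "roles/editor", "members": ["%s"]},
    {"role": "roles/storage.admin", "members": ["%s"]},
    {"role": "roles/appengine.appAdmin", "members": ["%s"]}
  ],
  "etag": "BwXconstructed=", "version": 1
}""" % (SA, SA, SA))

if __name__ == "__main__":
    # In practice, load the policy from the gcloud command named in the lead-in.
    if can_create_app(POLICY_BEFORE, SA):
        print("service account can create the App Engine application")
    else:
        print("missing creation permission; run:")
        print(missing_binding_command("example-terraform", SA))
```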