Terraform: Error creating App Engine application: googleapi: Error 403: The caller does not have permission, forbidden

I am trying to create a simple appengine application with terraform.

Firstly I have created all the basic resources with the gcloud cli. Here I list the commands I have executed:

export PROJECT=ProjectName
export TF_VAR_billing_account=xxxxxx-xxxxxx-xxxxxx
export TF_VAR_project=${PROJECT}-terraform
export TF_CREDS=./${PROJECT}-terraform.json

gcloud projects create ${TF_VAR_project} \
  --set-as-default

gcloud beta billing projects link ${TF_VAR_project} \
  --billing-account ${TF_VAR_billing_account}

######################################################################################
##### Create the Terraform service account
######################################################################################

gcloud iam service-accounts create terraform \
  --display-name "Terraform admin account"

gcloud iam service-accounts keys create ${TF_CREDS} \
  --iam-account terraform@${TF_VAR_project}.iam.gserviceaccount.com

gcloud projects add-iam-policy-binding ${TF_VAR_project} \
  --member serviceAccount:terraform@${TF_VAR_project}.iam.gserviceaccount.com \
  --role roles/editor

gcloud projects add-iam-policy-binding ${TF_VAR_project} \
  --member serviceAccount:terraform@${TF_VAR_project}.iam.gserviceaccount.com \
  --role roles/storage.admin

gcloud projects add-iam-policy-binding ${TF_VAR_project} \
  --member serviceAccount:terraform@${TF_VAR_project}.iam.gserviceaccount.com \
  --role roles/appengine.appAdmin


gcloud services enable cloudresourcemanager.googleapis.com
gcloud services enable cloudbilling.googleapis.com
gcloud services enable iam.googleapis.com
gcloud services enable serviceusage.googleapis.com

######################################################################################
##### Set up remote state in Cloud Storage
######################################################################################

gsutil mb -p ${TF_VAR_project} gs://${TF_VAR_project}

cat > backend.tf << EOF
terraform {
 backend "gcs" {
   bucket  = "${TF_VAR_project}"
   prefix  = "terraform/state"
 }
}
EOF

gsutil versioning set on gs://${TF_VAR_project}

export GOOGLE_APPLICATION_CREDENTIALS=${TF_CREDS}
export GOOGLE_PROJECT=${TF_VAR_project}

Those commands are executed correctly. At this point I have the following terraform file:

variable "project" {}
variable "region" {}

provider "google" {
  project = var.project
  region  = var.region
}

data "google_project" "project" {}

resource "google_project_service" "service" {
  for_each = toset([
    "appengine.googleapis.com",
    "appengineflex.googleapis.com",
    "firestore.googleapis.com"
  ])

  service = each.key

  disable_on_destroy = false
}

resource "google_app_engine_application" "app" {
  project     = data.google_project.project.project_id
  location_id = var.region
}

When I run terraform plan and apply, the 'service' resources are created correctly but the App Engine application cannot be created and I get the following error:

google_app_engine_application.app: Creating...

Error: Error creating App Engine application: googleapi: Error 403: The caller does not have permission, forbidden

  on project.tf line 24, in resource "google_app_engine_application" "app":
  24: resource "google_app_engine_application" "app" {

It seems that the service account key that I have created is missing some permission, but I cannot figure out what the issue is.

ddelizia asked Feb 18 '20 18:02

1 Answer

As another member of the community has pointed out, you need to have Owner permissions on the project in order to properly create applications if you are using the primitive roles. This is mentioned in the permissions documentation for App engine.

rsalinas answered Sep 28 '22 07:09
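A pre-flight check for the situation in the question, added here as an illustration and not part of the question or the answer: it reads a project IAM policy (the constructed sample below mimics `gcloud projects get-iam-policy --format=json` after the question's binding commands; the project id and member names are placeholders) and reports whether the Terraform service account holds the unconditional roles/owner grant the answer says is required when primitive roles are used. Conditional bindings are deliberately not counted, which is a design choice of this check, not something the page states.

```python
import json

# Constructed sample policy (placeholder project id), shaped like the output of
# `gcloud projects get-iam-policy --format=json` after the question's commands.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor", "members": ["serviceAccount:terraform@my-project-terraform.iam.gserviceaccount.com"]},
  {"role": "roles/storage.admin", "members": ["serviceAccount:terraform@my-project-terraform.iam.gserviceaccount.com"]},
  {"role": "roles/appengine.appAdmin", "members": ["serviceAccount:terraform@my-project-terraform.iam.gserviceaccount.com"]},
  {"role": "roles/owner", "members": ["user:admin@example.com"]},
  {"role": "roles/owner", "members": ["serviceAccount:terraform@my-project-terraform.iam.gserviceaccount.com"],
   "condition": {"title": "office-hours", "expression": "request.time.getHours('UTC') < 18"}}
], "etag": "BwXconstructed=", "version": 3}
""")

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def roles_for_member(policy, member):
    """Project-level roles bound unconditionally to `member`.

    Conditional bindings are not counted (an assumption of this check):
    whether they apply depends on the request, so a pre-flight check
    treats them as absent rather than guessing."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def check_app_engine_create(policy, member):
    """Return (ok, roles, message) for creating google_app_engine_application.

    Per the accepted answer: with primitive roles the caller needs roles/owner
    on the project; roles/editor plus roles/appengine.appAdmin (the bindings
    in the question) still yields the 403."""
    roles = roles_for_member(policy, member)
    if "roles/owner" in roles:
        return True, roles, f"{member}: unconditional roles/owner bound, requirement met"
    primitive = ", ".join(sorted(roles & PRIMITIVE_ROLES)) or "no primitive role"
    return False, roles, (f"{member}: {primitive} and no unconditional roles/owner; "
                          "expect 403 when creating the App Engine application")


if __name__ == "__main__":
    sa = "serviceAccount:terraform@my-project-terraform.iam.gserviceaccount.com"
    for m in (sa, "user:admin@example.com"):
        print(check_app_engine_create(SAMPLE_POLICY, m)[2])
```

Run it against a real policy by replacing SAMPLE_POLICY with `json.load()` of the gcloud output; the same check runs before `terraform apply` so the 403 is caught before the apply starts.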