
Terraform GCP Project creation

I'm trying to create a Google Cloud project with Terraform. I'm referring to this link as a reference... https://femrtnz.medium.com/automating-gcp-projects-with-terraform-d571f0d94742

I followed the instructions on project creation and IAM roles from the Medium post. From what it looks like, you need a separate project and service account just for creating projects with Terraform. I also referred to Google's documentation on the subject... https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform

So I ended up with this in my main.tf

# This is the provider used to spin up the gcloud instance
provider "google" {
  credentials = "/path/to/seed-credentials.json"
}

# Locks the version of Terraform for this particular use case
terraform {
  required_version = "0.14.6"
}


resource "random_id" "id" {
  byte_length = 4
  prefix      = var.project_name
}

resource "google_project" "project" {
  name            = var.project_name
  project_id      = random_id.id.hex
  billing_account = var.billing_account
}

output "project_id" {
  value = google_project.project.project_id
}

I created a remote backend

terraform {
  backend "gcs" {
    bucket      = "seed-bucket"
    prefix      = "terraform/state"
    credentials = "/path/to/seed-credentials.json"
  }
}

Here's my variables.tf file

variable "project_name" {
  type = string
}

variable "billing_account" {
  type = string
}

And last but not least, my terraform.tfvars

project_name = "test-project"
billing_account = "1234-5678-90xxx"

Terraform init works; it configures the remote backend. Terraform plan gives me no errors. However, when I run terraform apply I get the following error:

"Error: failed pre-requisites: missing permission on "billingAccounts/1234-5678-9xxx": billing.resourceAssociations.create"

Now, I have no organizations for this account. I'm assuming that's what's giving me the error? The author of the Medium blog post said something about "Firstly you need to create an Organization based in your domain". I've never used organizations for my Google projects. I go into my Google console and it says I need domain verification to get an organization for my account. That seems troublesome. I don't really want to go through the trouble of getting a new domain just for this.

Now, is my code correct? I'm assuming the error is from me not having an "organization". Is there an easy way to get an organization without domain verification?

user185728 asked Oct 18 '25 02:10


1 Answer

The error 'missing permission on "billingAccounts/1234-5678-9xxx": billing.resourceAssociations.create' means that the service account does not have permission to link the billing account to a new project.

  • Go to Billing in the Google Cloud Console.
  • In the top right of the window, click "SHOW INFO PANEL".
  • Select the billing account and then click "ADD MEMBER".
  • Enter the service account email address.
  • Select the role Billing Account User.
  • Click SAVE.

The service account now has permission to attach the billing account to new projects.

Overview of Cloud Billing access control

John Hanley answered Oct 20 '25 00:10
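
The console steps in the answer above can also be kept as Terraform configuration. This is an added example, not part of the original question or answer: it assumes it is applied by a user who holds Billing Account Administrator, with that user's own credentials rather than the seed service account key, and `seed_service_account_email` is a hypothetical variable name.

```hcl
# Added example, not from the original post.
# Apply as a user who holds Billing Account Administrator, using that
# user's own credentials (e.g. Application Default Credentials), NOT the
# seed service account key: the seed account cannot grant itself this role.
provider "google" {}

variable "billing_account" {
  type        = string
  description = "Billing account ID, same value as in terraform.tfvars"
}

# Hypothetical variable name; supply your own seed service account email.
variable "seed_service_account_email" {
  type        = string
  description = "Email of the seed service account that creates projects"

  validation {
    condition     = can(regex("\\.iam\\.gserviceaccount\\.com$", var.seed_service_account_email))
    error_message = "Expected a service account email ending in .iam.gserviceaccount.com."
  }
}

# Billing Account User (roles/billing.user) carries
# billing.resourceAssociations.create, the permission named in the error,
# without the wider rights of Billing Account Administrator.
# The *_iam_member resource is non-authoritative: it adds this one member
# to this one role and leaves every other binding on the account untouched.
resource "google_billing_account_iam_member" "seed_billing_user" {
  billing_account_id = var.billing_account
  role               = "roles/billing.user"
  member             = "serviceAccount:${var.seed_service_account_email}"
}
```

The sibling resources `google_billing_account_iam_binding` and `google_billing_account_iam_policy` are authoritative and replace existing members, so they are the wrong choice for adding a single grant to a shared billing account.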