postgresql provider with gcppostgres checks wrong project for sqladmin api #359

Open
mhubig opened this issue Oct 9, 2023 · 1 comment

mhubig commented Oct 9, 2023

I'm using a GCP Service Account from project A to provision resources to project B.

I'm providing the GOOGLE_APPLICATION_CREDENTIALS environment variable to the google and postgresql providers for authentication.

Within the google provider config I can use the project and user_project_override parameters to instruct the provider to ignore the project of the service account. Unfortunately, there are no such options for the postgresql provider while using the gcppostgres schema.

What happens now is the postgresql provider seems to check if the sqladmin.googleapis.com API is enabled for the origin project of the GCP Service Account, instead of checking the origin project of the CloudSQL database, and I'm getting the following error:

googleapi: Error 403: Cloud SQL Admin API has not been used in project XXXX before or it is disabled. Enable
it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=XXXX
then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems
and retry.

If I enable the Cloud SQL Admin API for the origin project of the Service Account, the error goes away ...

Terraform Version

Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.21.0
+ provider registry.terraform.io/hashicorp/google-beta v4.83.0
+ provider registry.terraform.io/hashicorp/random v3.5.1

Affected Resource(s)

  • postgresql_grant

Terraform Configuration Files

terraform {
  backend "http" {
  }
  required_version = ">=1.0.0"
  required_providers {
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "4.83.0"
    }
    postgresql = {
      source  = "cyrilgdn/postgresql"
      version = "1.21.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.5.1"
    }
  }
}

provider "google-beta" {
  project               = var.project_id
  billing_project       = var.project_id
  user_project_override = true
}

provider "postgresql" {
  scheme   = "gcppostgres"
  host     = google_sql_database_instance.default.connection_name
  username = google_sql_user.postgres.name
  password = google_sql_user.postgres.password
  port     = 5432
}

...

resource "postgresql_grant" "all_to_postgres" {
  database    = google_sql_database.default.name
  role        = google_sql_user.postgres.name
  schema      = "public"
  object_type = "table"
  privileges  = ["DELETE", "INSERT", "REFERENCES", "SELECT", "TRIGGER", "TRUNCATE", "UPDATE"]
}
@robertgmoss

@mhubig I'm hitting this too. Were you able to find a way to get this to work or a suitable workaround?
