Open
Description
TL;DR
If automatically creating groups, the CI/CD fails to plan because the service account doesn't have the required permissions.
This applies to both required and optional groups. Running it from the local environment plans correctly (to demonstrate that the groups do exist).
Expected behavior
Plan and apply happen correctly.
Observed behavior
Error: Error when reading or editing CloudIdentityGroup "groups/<REDACTED>": googleapi: Error 403: Error(2028): Permission denied for resource groups/<REDACTED> (or it may not exist).
Details:
[
  {
    "@type": "type.googleapis.com/google.rpc.ResourceInfo",
    "description": "Error(2028): Permission denied for resource groups/<REDACTED> (or it may not exist).",
    "owner": "domain:cloudidentity.googleapis.com",
    "resourceName": "groups/<REDACTED>",
    "resourceType": "cloudidentity.googleapis.com/Group"
  }
]

  with module.optional_group["gcp_security_reviewer"].google_cloud_identity_group.group,
  on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {
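The 403 above cannot be told apart from a genuinely missing group by its text alone; the report settles it by planning the same configuration locally. As an added example (not part of this report or of terraform-example-foundation), a small CI-side parser for this error shape that extracts the failing module address and group and, given the set of groups known to exist, says whether the cause is a missing grant on the CI principal. The sample plan output, the group ids and the second module key are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `terraform plan -no-color` output, modelled on the error quoted in
# the report. Group ids and the second module key are made up (the real ids were redacted).
SAMPLE_PLAN_OUTPUT = """\
Error: Error when reading or editing CloudIdentityGroup "groups/01abc111": googleapi: Error 403: Error(2028): Permission denied for resource groups/01abc111 (or it may not exist).

  with module.optional_group["gcp_security_reviewer"].google_cloud_identity_group.group,
  on .terraform/modules/optional_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {

Error: Error when reading or editing CloudIdentityGroup "groups/02def222": googleapi: Error 403: Error(2028): Permission denied for resource groups/02def222 (or it may not exist).

  with module.required_group["constructed_example"].google_cloud_identity_group.group,
  on .terraform/modules/required_group/main.tf line 35, in resource "google_cloud_identity_group" "group":
  35: resource "google_cloud_identity_group" "group" {
"""
ERROR_RE = re.compile(r'Error when reading or editing CloudIdentityGroup "(?P<resource>groups/[^"]+)": '
                      r"googleapi: Error (?P<http>\d{3}): Error\((?P<code>\d+)\): ")
WITH_RE = re.compile(r"^\s*with (?P<address>\S+),$", re.MULTILINE)

@dataclass(frozen=True)
class GroupReadFailure:
    address: str      # Terraform resource address that failed to refresh
    resource: str     # Cloud Identity resource name, groups/<id>
    http_status: int  # HTTP status from googleapi (403 in the report)
    error_code: int   # Cloud Identity inner code (2028 in the report)

def parse_group_read_failures(plan_output: str) -> list[GroupReadFailure]:
    """One record per google_cloud_identity_group read error; other errors are ignored."""
    failures = []
    for block in re.split(r"(?m)^Error: ", plan_output)[1:]:
        err, ctx = ERROR_RE.match(block), WITH_RE.search(block)
        if err and ctx:
            failures.append(GroupReadFailure(ctx["address"], err["resource"], int(err["http"]), int(err["code"])))
    return failures

def diagnose(failures, groups_known_to_exist) -> dict[str, str]:
    """Verdict per failing address. Cloud Identity returns 403 "(or it may not exist)" both for a
    missing grant and for an absent group, so only outside knowledge of the groups separates them."""
    verdicts = {}
    for f in failures:
        if f.http_status == 403 and f.resource in groups_known_to_exist:
            verdicts[f.address] = f"{f.resource} exists but the CI principal cannot read it: grant it group read access"
        elif f.http_status == 403:
            verdicts[f.address] = f"{f.resource} unreadable or absent: confirm it exists before changing IAM"
        else:
            verdicts[f.address] = f"unexpected HTTP {f.http_status} (Error {f.error_code}): not a permission case"
    return verdicts
```

Feeding it the set of group ids that a local plan has already refreshed successfully turns the ambiguous 403 into an actionable "missing grant" message for the pipeline log.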
Terraform Configuration
terraform {
  required_version = ">= 0.13"
  required_providers {
    google = {
      // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226
      source  = "hashicorp/google"
      version = ">= 3.50, != 4.31.0, <= 6.10"
    }
    google-beta = {
      // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226
      source  = "hashicorp/google-beta"
      version = ">= 3.50, != 4.31.0, <= 6.10"
    }
    // Un-comment gitlab required_providers when using gitlab CI/CD
    # gitlab = {
    #   source  = "gitlabhq/gitlab"
    #   version = "16.6.0"
    # }
    // Un-comment github required_providers when using GitHub Actions
    github = {
      source  = "integrations/github"
      version = "5.34.0"
    }
    // Un-comment tfe required_providers when using Terraform Cloud
    # tfe = {
    #   source  = "hashicorp/tfe"
    #   version = "0.48.0"
    # }
  }
  provider_meta "google" {
    module_name = "blueprints/terraform/terraform-example-foundation:bootstrap/v4.1.0"
  }
}
Terraform Version
(github)
Run hashicorp/setup-terraform@v3
  with:
    terraform_version: 1.10.5
    cli_config_credentials_hostname: app.terraform.io
    terraform_wrapper: true
(local)
Terraform v1.10.5
on darwin_arm64
+ provider registry.terraform.io/hashicorp/google v6.10.0
+ provider registry.terraform.io/hashicorp/google-beta v6.10.0
+ provider registry.terraform.io/hashicorp/null v3.2.3
+ provider registry.terraform.io/hashicorp/random v3.6.3
+ provider registry.terraform.io/hashicorp/time v0.12.1
+ provider registry.terraform.io/integrations/github v5.34.0
Terraform Provider Versions
Providers required by configuration:
.
├── provider[registry.terraform.io/hashicorp/google] >= 3.50.0, != 4.31.0, <= 6.10.0
├── provider[registry.terraform.io/hashicorp/google-beta] >= 3.50.0, != 4.31.0, <= 6.10.0
├── provider[registry.terraform.io/integrations/github] 5.34.0
├── module.org_iam_member
│   ├── provider[registry.terraform.io/hashicorp/google] >= 3.77.0
│   ├── provider[registry.terraform.io/hashicorp/google-beta] >= 3.77.0
│   └── provider[registry.terraform.io/hashicorp/random]
├── module.parent_iam_member
│   ├── provider[registry.terraform.io/hashicorp/google-beta] >= 3.77.0
│   ├── provider[registry.terraform.io/hashicorp/random]
│   └── provider[registry.terraform.io/hashicorp/google] >= 3.77.0
├── module.seed_bootstrap
│   ├── provider[registry.terraform.io/hashicorp/google] >= 3.50.0, < 7.0.0
│   ├── provider[registry.terraform.io/hashicorp/random] >= 3.1.0
│   ├── module.enable_cross_project_service_account_usage
│   │   ├── provider[registry.terraform.io/hashicorp/google] >= 3.53.0, < 7.0.0
│   │   └── provider[registry.terraform.io/hashicorp/null] >= 2.1.0
│   ├── module.kms
│   │   └── provider[registry.terraform.io/hashicorp/google] >= 5.31.0, < 7.0.0
│   └── module.seed_project
│       ├── provider[registry.terraform.io/hashicorp/google] >= 5.41.0, < 7.0.0
│       ├── provider[registry.terraform.io/hashicorp/google-beta] >= 5.41.0, < 7.0.0
│       ├── module.shared_vpc_access
│       │   ├── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│       │   └── provider[registry.terraform.io/hashicorp/google-beta] >= 3.43.0, < 7.0.0
│       ├── module.budget
│       │   └── provider[registry.terraform.io/hashicorp/google] >= 4.28.0, < 7.0.0
│       ├── module.essential_contacts
│       │   ├── provider[registry.terraform.io/hashicorp/google-beta] >= 3.43.0, < 7.0.0
│       │   └── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│       ├── module.gsuite_group
│       │   └── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│       ├── module.project-factory
│       │   ├── provider[registry.terraform.io/hashicorp/google] >= 5.41.0, < 7.0.0
│       │   ├── provider[registry.terraform.io/hashicorp/google-beta] >= 5.41.0, < 7.0.0
│       │   ├── provider[registry.terraform.io/hashicorp/null] >= 2.1.0
│       │   ├── provider[registry.terraform.io/hashicorp/random] >= 2.2.0
│       │   ├── provider[registry.terraform.io/hashicorp/time] >= 0.5.0
│       │   └── module.project_services
│       │       ├── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│       │       └── provider[registry.terraform.io/hashicorp/google-beta] >= 3.43.0, < 7.0.0
│       └── module.quotas
│           └── provider[registry.terraform.io/hashicorp/google-beta] >= 4.11.0, < 7.0.0
├── module.optional_group
│   ├── provider[registry.terraform.io/hashicorp/google] >= 3.67.0, < 7.0.0
│   └── provider[registry.terraform.io/hashicorp/google-beta] >= 3.67.0, < 7.0.0
├── module.required_group
│   ├── provider[registry.terraform.io/hashicorp/google] >= 3.67.0, < 7.0.0
│   └── provider[registry.terraform.io/hashicorp/google-beta] >= 3.67.0, < 7.0.0
├── module.bootstrap_projects_remove_editor
│   └── provider[registry.terraform.io/hashicorp/google] >= 3.77.0
├── module.gh_cicd
│   ├── provider[registry.terraform.io/hashicorp/google] >= 5.41.0, < 7.0.0
│   ├── provider[registry.terraform.io/hashicorp/google-beta] >= 5.41.0, < 7.0.0
│   ├── module.shared_vpc_access
│   │   ├── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│   │   └── provider[registry.terraform.io/hashicorp/google-beta] >= 3.43.0, < 7.0.0
│   ├── module.budget
│   │   └── provider[registry.terraform.io/hashicorp/google] >= 4.28.0, < 7.0.0
│   ├── module.essential_contacts
│   │   ├── provider[registry.terraform.io/hashicorp/google-beta] >= 3.43.0, < 7.0.0
│   │   └── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│   ├── module.gsuite_group
│   │   └── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│   ├── module.project-factory
│   │   ├── provider[registry.terraform.io/hashicorp/google] >= 5.41.0, < 7.0.0
│   │   ├── provider[registry.terraform.io/hashicorp/google-beta] >= 5.41.0, < 7.0.0
│   │   ├── provider[registry.terraform.io/hashicorp/null] >= 2.1.0
│   │   ├── provider[registry.terraform.io/hashicorp/random] >= 2.2.0
│   │   ├── provider[registry.terraform.io/hashicorp/time] >= 0.5.0
│   │   └── module.project_services
│   │       ├── provider[registry.terraform.io/hashicorp/google] >= 3.43.0, < 7.0.0
│   │       └── provider[registry.terraform.io/hashicorp/google-beta] >= 3.43.0, < 7.0.0
│   └── module.quotas
│       └── provider[registry.terraform.io/hashicorp/google-beta] >= 4.11.0, < 7.0.0
├── module.cicd_project_iam_member
│   ├── provider[registry.terraform.io/hashicorp/random]
│   ├── provider[registry.terraform.io/hashicorp/google] >= 3.77.0
│   └── provider[registry.terraform.io/hashicorp/google-beta] >= 3.77.0
├── module.gh_oidc
│   ├── provider[registry.terraform.io/hashicorp/google-beta] >= 3.64.0, < 7.0.0
│   └── provider[registry.terraform.io/hashicorp/google] >= 3.64.0, < 7.0.0
├── module.gcp_projects_state_bucket
│   ├── provider[registry.terraform.io/hashicorp/google] >= 5.43.0, < 7.0.0
│   └── module.encryption_key
│       └── provider[registry.terraform.io/hashicorp/google] >= 5.31.0, < 7.0.0
└── module.seed_project_iam_member
    ├── provider[registry.terraform.io/hashicorp/google] >= 3.77.0
    ├── provider[registry.terraform.io/hashicorp/google-beta] >= 3.77.0
    └── provider[registry.terraform.io/hashicorp/random]
Providers required by state:
provider[registry.terraform.io/hashicorp/google]
provider[registry.terraform.io/hashicorp/google-beta]
provider[registry.terraform.io/hashicorp/random]
provider[registry.terraform.io/integrations/github]
Additional information
No response