Plan Error: Cloud Resource Manager API has not been used
D

4

9

When I try to run

steps:
- id: Plan Terraform
  name: hashicorp/terraform:light
  args:
  - plan

in Cloud Build, I get the error:

Error: Error reading Project Service foo/cloudbuild.googleapis.com: googleapi: Error 403: Cloud Resource Manager API has not been used in project 123456789 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=123456789 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured

Since the same terraform definition is working on my local machine I assume the error message is slightly misleading and it is actually a credential problem.

According to the Google Cloud docs I applied the following:

resource "google_project_iam_binding" "cloudbuild" {
  project = "bar"
  role    = "roles/editor"
  members = [
    "serviceAccount:[email protected]"
  ]
}

The error still persists, though. Any idea what might be the problem/solution here?

Dhyana answered 8/7, 2020 at 16:47 Comment(3)
You first need to enable the API, as mentioned in the error message. You can also automatically enable APIs with Terraform, as mentioned in this answer. – Denticulate
And why does the same work from my local computer then? – Dhyana
I'm not sure if this is due to differences in the Docker image settings "hashicorp/terraform:light". Were the previous answers helpful for you, or do you continue having this issue? – Denticulate
D
7

Had to manually enable Cloud Resource Manager API and Service Usage API to get Terraform to work.

No real idea why it works through my local machine though. Thus this is still not totally understood/solved for me.

My guess would be that perhaps locally it uses gcloud to access these things and it gets the data another way?

Or maybe user accounts have different constraints than service accounts?

Dhyana answered 10/7, 2020 at 9:31 Comment(1)
Maybe you want to take a look at my answer below? https://mcmap.net/q/1194988/-plan-error-cloud-resource-manager-api-has-not-been-used – Gustie
F
2

It should be possible to do:

resource "google_project_service" "gcp_resource_manager_api" {
  project = var.project_id
  service = "cloudresourcemanager.googleapis.com"
}

In this way you enable the API inside your Terraform script. You could also combine it with time_sleep so that other resources depending on it wait until it is ready.

resource "time_sleep" "gcp_wait_crm_api_enabling" {
  depends_on = [
    google_project_service.gcp_resource_manager_api
  ]

  create_duration = "1m"
}

Should the above not work, then you need to include in your pipeline (assuming you are executing your TF scripts from a pipeline) the following:

  $> gcloud services enable cloudresourcemanager.googleapis.com --project <PROJECT ID>

As suggested here.

Frederik answered 23/11, 2020 at 16:10 Comment(0)
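The error quoted in the question names both the API and the project it has to be enabled in, and the answer above gives the gcloud command that enables it. As an added example (not part of the original answer), the Python below pulls both values out of a build log and builds that command as an argument list; the function names and the second sample log line are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Console link embedded in the 403 text: .../apis/api/<service>/overview?project=<id>
LINK = re.compile(r"https://console\.developers\.google\.com/apis/api/\S+")
SERVICE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)*\.googleapis\.com")
PROJECT = re.compile(r"[a-z0-9][a-z0-9.:-]{0,62}")  # project ID or project number


def parse_access_not_configured(line):
    """Return (service, project) named by an accessNotConfigured line, else None."""
    match = LINK.search(line) if "accessNotConfigured" in line else None
    if not match:
        return None
    url = urlparse(match.group(0))
    parts = url.path.split("/")  # ['', 'apis', 'api', '<service>', 'overview']
    service = parts[3] if len(parts) > 3 else ""
    project = parse_qs(url.query).get("project", [""])[0]
    # Log text is untrusted input: accept only strictly shaped values.
    if not SERVICE.fullmatch(service) or not PROJECT.fullmatch(project):
        return None
    return service, project


def enable_commands(log_text):
    """One argv list per distinct (service, project), in order of appearance."""
    seen, commands = set(), []
    for line in log_text.splitlines():
        hit = parse_access_not_configured(line)
        if hit and hit not in seen:
            seen.add(hit)
            commands.append(["gcloud", "services", "enable", hit[0], "--project", hit[1]])
    return commands


# First line: the error quoted in the question (shortened). Second: constructed noise.
SAMPLE_LOG = (
    "Error: Error reading Project Service foo/cloudbuild.googleapis.com: googleapi: "
    "Error 403: Cloud Resource Manager API has not been used in project 123456789 "
    "before or it is disabled. Enable it by visiting https://console.developers."
    "google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=123456789"
    " then retry., accessNotConfigured\n"
    "Step #0 - \"Plan Terraform\": Initializing provider plugins...\n"
)

if __name__ == "__main__":
    for argv in enable_commands(SAMPLE_LOG):
        print(" ".join(argv))
```

The commands are returned as argument lists so that values taken from a log never pass through a shell.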
G
1

We also had credentials problems where local authentication worked but service account impersonation (see TERRAFORM_SA_EMAIL) failed.

There is essentially a deadlock problem where Terraform needs certain APIs to be activated in a project but cannot activate them because, well, APIs are not activated yet. By setting user_project_override to false for a separate google provider for your seed (=quota) project where the service account was initially created, you may activate those initial APIs for the worker project. All other APIs that might be needed can be activated using the default google provider (see other_google_project_services).

provider "google" {
  user_project_override       = true
  region                      = var.GCP_REGION
  impersonate_service_account = var.TERRAFORM_SA_EMAIL
}

provider "google" {
  alias                       = "seed"
  user_project_override       = false
  region                      = var.GCP_REGION
  impersonate_service_account = var.TERRAFORM_SA_EMAIL
}

resource "google_project_service" "cloud_serviceusage_api" {
  provider                   = google.seed
  project                    = google_project.worker_project.project_id
  service                    = "serviceusage.googleapis.com"
  disable_dependent_services = true
}

resource "google_project_service" "cloudresourcemanager_api" {
  depends_on                 = [google_project_service.cloud_serviceusage_api]
  provider                   = google.seed
  project                    = google_project.worker_project.project_id
  service                    = "cloudresourcemanager.googleapis.com"
  disable_dependent_services = true
}

variable "GCP_SERVICES" {
  type    = list(string)
  default = [
    "bigquery.googleapis.com",
    "compute.googleapis.com",
    "container.googleapis.com",
    "containersecurity.googleapis.com",
    "dns.googleapis.com",
    "logging.googleapis.com",
    "monitoring.googleapis.com",
    "osconfig.googleapis.com",
    "pubsub.googleapis.com"
  ]
}

resource "google_project_service" "other_google_project_services" {
  depends_on                 = [google_project_service.cloudresourcemanager_api]
  project                    = google_project.worker_project.project_id
  for_each                   = toset(var.GCP_SERVICES)
  service                    = each.value
  disable_dependent_services = true
}

Gustie answered 19/7, 2023 at 12:59 Comment(0)
T
0

If a user logged in with

# generating /yourhome-dir/.config/gcloud/application_default_credentials.json

  • gcloud auth application-default login

but runs into the following error on a project policy or IAM-related action: Cloud Resource Manager API has not been used

there is probably a quota project ID in application_default_credentials.json, introduced by the login command.

Try removing the "quota project id" from application_default_credentials.json and instead do

  • gcloud config set project your-project-id

Retry.

Tannie answered 25/2, 2022 at 0:4 Comment(0)
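A way to check for the setting this answer describes before editing the file by hand (an added example, not part of the original answer): the Python below reports the credential type and any quota project without echoing secrets, and produces the file text with `quota_project_id` removed. `type` and `quota_project_id` are the keys gcloud writes; the sample values and helper names are constructed.

```python
import json

# Fields whose values must never reach a terminal or a CI log.
SECRET_KEYS = {"client_secret", "refresh_token", "private_key"}


def summarize_adc(adc):
    """Log-safe summary of an ADC document: names only, no secret values."""
    return {
        "type": adc.get("type", "unknown"),
        "quota_project_id": adc.get("quota_project_id"),
        "secret_fields_present": sorted(k for k in adc if k in SECRET_KEYS),
    }


def rewrite_adc_text(text):
    """Return (new_file_text, changed) for the raw contents of the ADC file."""
    adc = json.loads(text)
    if not isinstance(adc, dict):
        raise ValueError("ADC file must contain a JSON object")
    if "quota_project_id" not in adc:
        return text, False  # nothing to do, keep the file byte-for-byte
    cleaned = {k: v for k, v in adc.items() if k != "quota_project_id"}
    return json.dumps(cleaned, indent=2) + "\n", True


# Constructed sample with placeholder values, shaped like a user-credential file.
SAMPLE_ADC = json.dumps({
    "client_id": "EXAMPLE.apps.googleusercontent.com",
    "client_secret": "EXAMPLE-SECRET",
    "quota_project_id": "some-other-project",
    "refresh_token": "EXAMPLE-REFRESH-TOKEN",
    "type": "authorized_user",
})

if __name__ == "__main__":
    print(summarize_adc(json.loads(SAMPLE_ADC)))
    new_text, changed = rewrite_adc_text(SAMPLE_ADC)
    print("quota_project_id removed:", changed)
```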
