Incorrect state with API Activations about terraform-google-project-factory HOT 5 CLOSED

Thank you for your quick replies. Yes, we set the org_id variable. Also, we do have roles/resourcemanager.organizationViewer explicitly enabled on the Service Account which has the creds Project Factory uses to create these projects.

from terraform-google-project-factory.

Do you think you could share the full IAM roles info on one of the projects where you saw this issue? (Feel free to send privately: [email protected])

from terraform-google-project-factory.

Do you know what permission you were missing?

This unfortunately is a hard issue to resolve due to how Terraform works, but https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/docs/TROUBLESHOOTING.md#unable-to-query-status-of-default-gce-service-account should address that.

@adrienthebo One though, could we also see if running terraform plan -refresh=false lets you work through the state deadlock.

from terraform-google-project-factory.

A quick inspection of the error message indicates that the service account may have not had the resourcemanager.organizations.get permission, typically granted through roles/resourcemanager.organizationViewer. I believe that #21 allows users to bypass that requirement by directly providing the organization ID - when you invoked Terraform with the project-factory did you set the org_id variable?

@morgante will do - I'll make a note to test that path.

from terraform-google-project-factory.

FWIW, and not entirely sure whether or not this is helpful info, but I have seen this issue too. For now, I had to comment out the null_resource that removes default service accounts. I just remove the SAs manually.

from terraform-google-project-factory.