terraform-provider-postgresql
postgresql provider with gcppostgres checks wrong project for sqladmin api
I'm using a GCP Service Account from project A to provision resources to project B.
I'm providing the GOOGLE_APPLICATION_CREDENTIALS environment variable to the google and postgresql providers for authentication.
Within the google provider config I can use the project and user_project_override parameters to instruct the provider to ignore the project of the service account. Unfortunately there are no such options for the postgresql provider while using the gcppostgres schema.
What happens now is the postgresql provider seems to check if the sqladmin.googleapis.com API is enabled for the origin project of the GCP Service Account, instead of checking the origin project of the CloudSQL database, and I'm getting the following error:
googleapi: Error 403: Cloud SQL Admin API has not been used in project XXXX before or it is disabled. Enable
it by visiting https://console.developers.google.com/apis/api/sqladmin.googleapis.com/overview?project=XXXX
then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems
and retry.
If I'm enabling the Cloud SQL Admin API for the origin project of the Service account, the error goes away ...
Terraform Version
Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/cyrilgdn/postgresql v1.21.0
+ provider registry.terraform.io/hashicorp/google-beta v4.83.0
+ provider registry.terraform.io/hashicorp/random v3.5.1
Affected Resource(s)
- postgresql_grant
Terraform Configuration Files
terraform {
  backend "http" {
  }
  required_version = ">=1.0.0"
  required_providers {
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "4.83.0"
    }
    postgresql = {
      source  = "cyrilgdn/postgresql"
      version = "1.21.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "3.5.1"
    }
  }
}
provider "google-beta" {
  project               = var.project_id
  billing_project       = var.project_id
  user_project_override = true
}
provider "postgresql" {
  scheme   = "gcppostgres"
  host     = google_sql_database_instance.default.connection_name
  username = google_sql_user.postgres.name
  password = google_sql_user.postgres.password
  port     = 5432
}
...
resource "postgresql_grant" "all_to_postgres" {
  database    = google_sql_database.default.name
  role        = google_sql_user.postgres.name
  schema      = "public"
  object_type = "table"
  privileges  = ["DELETE", "INSERT", "REFERENCES", "SELECT", "TRIGGER", "TRUNCATE", "UPDATE"]
}
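An added example, not part of the original issue or the provider's code: a preflight check that compares the project owning the service account key with the project in the Cloud SQL connection name, so the cross-project setup described above is visible before `terraform apply`. The project names, instance name and key contents are constructed placeholders, and the function names are hypothetical.

```python
import json


def instance_project(connection_name):
    """Project part of a Cloud SQL connection name, PROJECT:REGION:INSTANCE.

    Domain-scoped project IDs contain a colon (example.com:proj), so the
    region and instance are split off from the right.
    """
    parts = connection_name.rsplit(":", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a Cloud SQL connection name: {connection_name!r}")
    return parts[0]


def credential_project(key_json):
    """Project that owns the service account in a JSON key file."""
    key = json.loads(key_json)
    if key.get("type") != "service_account" or not key.get("project_id"):
        raise ValueError("expected a service account key with a project_id")
    return key["project_id"]


def preflight(key_json, connection_name):
    """Report whether the credential and the instance live in different projects."""
    cred = credential_project(key_json)
    inst = instance_project(connection_name)
    return {
        "credential_project": cred,
        "instance_project": inst,
        "cross_project": cred != inst,
    }


# Constructed sample input: hypothetical project and instance names.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "project-a",
    "client_email": "terraform@project-a.iam.gserviceaccount.com",
})
SAMPLE_CONNECTION = "project-b:europe-west1:main-db"

if __name__ == "__main__":
    result = preflight(SAMPLE_KEY, SAMPLE_CONNECTION)
    print(result)
    if result["cross_project"]:
        print("sqladmin.googleapis.com may be checked in",
              result["credential_project"], "as described in this report")
```

In a pipeline, the key JSON would be read from the file that GOOGLE_APPLICATION_CREDENTIALS points to and the connection name taken from the instance's `connection_name` output.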
@mhubig I'm hitting this too. Were you able to find a way to get this to work or a suitable workaround?