Tags: google-cloud-platform, terraform, vpc

Error 403: Required 'compute.organizations.enableXpnHost' permission for project when trying to set up shared VPC via terraform


I am trying to set up a shared VPC host project with terraform and I get:

│ Error: Error enabling Shared VPC Host "master-vpc": googleapi: Error 403: Required 'compute.organizations.enableXpnHost' permission for 'projects/master-vpc', forbidden
│
│   with google_compute_shared_vpc_host_project.host,
│   on main.tf line 282, in resource "google_compute_shared_vpc_host_project" "host":
│  282: resource "google_compute_shared_vpc_host_project" "host" {

I've seen this post that matches exactly my premise, but I can't seem to follow their solution as they are using some service account linked to a Cloud Run environment, which is not my case. I use a terraform-admin service account that has "organization admin rights" (cf. Image 1).

Since terraform-admin is the one creating resources through terraform (which I run locally via an account key), it should have ample permissions to add the resource google_compute_shared_vpc_host_project.

Here are the permissions I further assigned to the accounts network-admin (the account that I want to manage the VPC with) and terraform-admin (the general infrastructure super-admin).

resource "google_project_iam_member" "master-vpc-owner-role" {
  project = google_project.master-vpc.project_id
  member  = "serviceAccount:${google_service_account.master-vpc-network-admin.email}"
  role    = "roles/owner"
}
resource "google_project_iam_member" "master-vpc-project-iam-admin-role" {
  project = google_project.master-vpc.project_id
  role    = "roles/resourcemanager.projectIamAdmin"
  member  = "serviceAccount:${google_service_account.master-vpc-network-admin.email}"
}
# roles/compute.xpnAdmin does not seem to cascade to the project
resource "google_folder_iam_member" "net-ops-folder-compute-xpnAdmin-role-for-net-admin" {
  folder  = google_folder.net-ops.name
  member  = "serviceAccount:${google_service_account.master-vpc-network-admin.email}"
  role    = "roles/compute.xpnAdmin"
}

# Create the shared VPC
resource "google_compute_shared_vpc_host_project" "host" {
  # project = google_project.master-vpc.project_id
  project = "${var.project_master_vpc.project_id}"
}

Could somebody explain to me what I'm doing wrong?

Does the fact that I'm running terraform apply locally somehow mean it uses the account authenticated via gcloud auth?

FYI, in order to apply the infrastructure changes to my organization, I use a credentials file:

provider "google" {
  credentials = file(var.credentials_file)
  region      = var.region
  zone        = var.zone
}

  • I can't seem to assign the role "roles/compute.xpnAdmin" to the master-vpc, which is why I assign it to the parent folder Net-ops, but the error "requires" the permission on 'projects/master-vpc'. What am I missing?

  • Is enabling this role on the Net-ops folder level sufficient, or do I have to put it in the organization level? (I'm not sure if that's a good idea either, as it would grant the network-admin some organization-level actions)


Solution

  • The role roles/compute.xpnAdmin needs to be set at the organization level, which means terraform-admin, which handles the creation of resources via terraform, needs to have this role.

    Here's how to grant it:

    # On the organization level :
    # "roles/compute.xpnAdmin" to create the VPC
    resource "google_organization_iam_member" "org-compute-xpnAdmin-role-for-terraform-admin" {
      org_id = "<your organization's ID>"
      role   = "roles/compute.xpnAdmin"
      member = "serviceAccount:${google_service_account.terraform_infra_admin.email}"
    }
    
    # Create the shared VPC
    resource "google_compute_shared_vpc_host_project" "host" {
      # project = google_project.master-vpc.project_id
      project = var.project_master_vpc.project_id
    }
    

    This of course means that in this case, the organization's infrastructure administrator is also the one creating the VPC.
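A check worth running before terraform apply, added here as an example (it is not part of the question or the answer): it reads the service-account e-mail from the key file that the provider's `credentials = file(...)` loads, then looks for an unconditional roles/compute.xpnAdmin binding to that account in the exported organization, folder and project IAM policies. The key file and the three policies below are constructed samples that mirror the question's setup (xpnAdmin only on the folder, owner on the project); in practice they come from `gcloud organizations get-iam-policy`, `gcloud resource-manager folders get-iam-policy` and `gcloud projects get-iam-policy` with `--format=json`.

```python
import json

XPN_ROLE = "roles/compute.xpnAdmin"

# Constructed sample key file, in the shape of the JSON key that Terraform's
# `credentials = file(...)` reads (only the field we use is shown).
SAMPLE_KEY = ('{"type": "service_account", '
              '"client_email": "terraform-admin@example-proj.iam.gserviceaccount.com"}')

# Constructed sample policies in the shape returned by
#   gcloud organizations get-iam-policy ORG_ID --format=json
#   gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# They mirror the question: xpnAdmin only on the folder, owner on the project.
SAMPLE_POLICIES = {
    "organization": {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["serviceAccount:terraform-admin@example-proj.iam.gserviceaccount.com"]}]},
    "folder": {"bindings": [
        {"role": XPN_ROLE,
         "members": ["serviceAccount:network-admin@example-proj.iam.gserviceaccount.com"]}]},
    "project": {"bindings": [
        {"role": "roles/owner",
         "members": ["serviceAccount:network-admin@example-proj.iam.gserviceaccount.com"]}]},
}

def key_file_member(key_json):
    """IAM member string for the service account whose key Terraform loads."""
    return "serviceAccount:" + json.loads(key_json)["client_email"]

def has_unconditional_binding(policy, member, role):
    """True if `policy` grants `role` to `member` with no IAM condition attached.
    Group membership is not expanded: only direct bindings are visible offline."""
    return any(b.get("role") == role and member in b.get("members", [])
               and "condition" not in b for b in policy.get("bindings", []))

def xpn_admin_levels(member, policies):
    """Map each resource level to whether it directly grants xpnAdmin to `member`."""
    return {lvl: has_unconditional_binding(p, member, XPN_ROLE) for lvl, p in policies.items()}

def can_enable_xpn_host(member, policies):
    """Per the accepted answer, the binding has to exist at the organization level."""
    return xpn_admin_levels(member, policies).get("organization", False)

if __name__ == "__main__":
    sa = key_file_member(SAMPLE_KEY)
    print(sa, xpn_admin_levels(sa, SAMPLE_POLICIES), can_enable_xpn_host(sa, SAMPLE_POLICIES))
```

With the sample data the terraform-admin account is reported as having no organization-level xpnAdmin binding, which is exactly the state that produces the 403 in the question.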