fix(terraform): ensure consistent IAM permission #165

grayside · 2021-09-03T21:50:23Z

This attempts to fix the need to retry terraform apply. I'm consistently getting success with this change, even though my changes have been related to IAM permissions instead of artifact registry setup.

I suspect the slow setup of Pub/Sub topics might also be fixed with the right explicit dependency, as the timing output looks like exponential backoff.

The key change I've made here is to modify IAM policy resources to depend on Cloud Build API enablement. When that step is complete, we know the Cloud Build service account will be available.

Fixes #164

terraform provisioning logs

google_project.prod_project: Creating... google_project.ops_project: Creating... google_project.stage_project: Creating... google_project.ops_project: Still creating... [10s elapsed] google_project.prod_project: Still creating... [10s elapsed] google_project.stage_project: Still creating... [10s elapsed] google_project.prod_project: Still creating... [20s elapsed] google_project.stage_project: Still creating... [20s elapsed] google_project.ops_project: Still creating... [20s elapsed] google_project.ops_project: Creation complete after 24s [id=projects/emblem-ops-jellybeandiet2] google_project.stage_project: Creation complete after 24s [id=projects/emblem-stage-jellybeandiet2] google_project.prod_project: Creation complete after 24s [id=projects/emblem-prod-jellybeandiet2] google_project_service.ops_pubsub_api: Creating... google_pubsub_topic.ops_gcr_pubsub: Creating... google_pubsub_topic.ops_cloudbuilds_pubsub: Creating... google_project_service.ops_cloudbuild_api: Creating... google_pubsub_topic.stage_canary_pubsub: Creating... google_project_service.stage_run_api: Creating... google_project_service.stage_pubsub_api: Creating... google_service_account.stage_cloud_run_manager: Creating... google_project_service.stage_firestore_api: Creating... google_pubsub_topic.stage_cloudbuilds_pubsub: Creating... google_service_account.stage_cloud_run_manager: Creation complete after 2s [id=projects/emblem-stage-jellybeandiet2/serviceAccounts/cloud-run-manager@emblem-stage-jellybeandiet2.iam.gserviceaccount.com] google_project_service.stage_cloudbuild_api: Creating... google_project_service.ops_pubsub_api: Still creating... [10s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [10s elapsed] google_project_service.ops_cloudbuild_api: Still creating... [10s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [10s elapsed] google_project_service.stage_run_api: Still creating... [10s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [10s elapsed] google_project_service.stage_pubsub_api: Still creating... [10s elapsed] google_project_service.stage_firestore_api: Still creating... [10s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [10s elapsed] google_project_service.stage_cloudbuild_api: Still creating... [10s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [20s elapsed] google_project_service.ops_pubsub_api: Still creating... [20s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [20s elapsed] google_project_service.ops_cloudbuild_api: Still creating... [20s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [20s elapsed] google_project_service.stage_run_api: Still creating... [20s elapsed] google_project_service.stage_pubsub_api: Still creating... [20s elapsed] google_project_service.stage_firestore_api: Still creating... [20s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [20s elapsed] google_project_service.stage_cloudbuild_api: Still creating... [20s elapsed] google_project_service.ops_cloudbuild_api: Creation complete after 22s [id=emblem-ops-jellybeandiet2/cloudbuild.googleapis.com] google_project_service.ops_pubsub_api: Creation complete after 22s [id=emblem-ops-jellybeandiet2/pubsub.googleapis.com] google_project_service.stage_appengine_api: Creating... google_project_iam_member.ops_cloudbuild_pubsub_iam_stage: Creating... google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [30s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [30s elapsed] google_project_service.stage_pubsub_api: Still creating... [30s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [30s elapsed] google_project_service.stage_run_api: Still creating... [30s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [30s elapsed] google_project_service.stage_firestore_api: Still creating... [30s elapsed] google_project_iam_member.ops_cloudbuild_pubsub_iam_stage: Creation complete after 9s [id=emblem-stage-jellybeandiet2/roles/pubsub.publisher/serviceAccount:75133325569@cloudbuild.gserviceaccount.com] google_project_iam_member.ops_cloudbuild_run_admin_iam_stage: Creating... google_project_service.stage_cloudbuild_api: Still creating... [30s elapsed] google_project_service.stage_appengine_api: Still creating... [10s elapsed] google_project_service.stage_firestore_api: Creation complete after 33s [id=emblem-stage-jellybeandiet2/firestore.googleapis.com] google_project_service.stage_cloudbuild_api: Creation complete after 31s [id=emblem-stage-jellybeandiet2/cloudbuild.googleapis.com] google_project_service.stage_run_api: Creation complete after 33s [id=emblem-stage-jellybeandiet2/run.googleapis.com] google_project_service.stage_pubsub_api: Creation complete after 33s [id=emblem-stage-jellybeandiet2/pubsub.googleapis.com] google_project_iam_member.ops_cloudbuild_service_account_user_iam_stage: Creating... google_project_iam_member.ops_ar_admin_iam: Creating... google_project_service.ops_artifact_registry_api: Creating... google_project_iam_member.ops_cloudbuild_run_admin_iam_prod: Creating... google_project_iam_member.ops_cloudbuild_service_account_user_iam_stage: Creation complete after 6s [id=emblem-stage-jellybeandiet2/roles/iam.serviceAccountUser/serviceAccount:75133325569@cloudbuild.gserviceaccount.com] google_project_iam_member.ops_cloudbuild_pubsub_iam_prod: Creating... google_project_iam_member.ops_cloudbuild_run_admin_iam_stage: Creation complete after 8s [id=emblem-stage-jellybeandiet2/roles/run.admin/serviceAccount:75133325569@cloudbuild.gserviceaccount.com] google_pubsub_topic.prod_canary_pubsub: Creating... google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [40s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [40s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [40s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [40s elapsed] google_project_iam_member.ops_cloudbuild_run_admin_iam_prod: Creation complete after 8s [id=emblem-prod-jellybeandiet2/roles/run.admin/serviceAccount:75133325569@cloudbuild.gserviceaccount.com] google_project_service.prod_firestore_api: Creating... google_project_iam_member.ops_ar_admin_iam: Creation complete after 8s [id=emblem-ops-jellybeandiet2/roles/artifactregistry.writer/serviceAccount:75133325569@cloudbuild.gserviceaccount.com] google_project_service.prod_appengine_api: Creating... google_pubsub_topic.prod_canary_pubsub: Creation complete after 3s [id=projects/emblem-prod-jellybeandiet2/topics/canary] google_project_service.prod_run_api: Creating... google_project_service.stage_appengine_api: Still creating... [20s elapsed] google_project_service.ops_artifact_registry_api: Still creating... [10s elapsed] google_project_service.stage_appengine_api: Creation complete after 21s [id=emblem-stage-jellybeandiet2/appengine.googleapis.com] google_service_account.prod_cloud_run_manager: Creating... google_service_account.prod_cloud_run_manager: Creation complete after 1s [id=projects/emblem-prod-jellybeandiet2/serviceAccounts/cloud-run-manager@emblem-prod-jellybeandiet2.iam.gserviceaccount.com] google_pubsub_topic.prod_cloudbuilds_pubsub: Creating... google_pubsub_topic.prod_cloudbuilds_pubsub: Creation complete after 2s [id=projects/emblem-prod-jellybeandiet2/topics/cloud-builds] google_project_iam_member.ops_cloudbuild_service_account_user_iam_prod: Creating... google_project_iam_member.ops_cloudbuild_pubsub_iam_prod: Creation complete after 8s [id=emblem-prod-jellybeandiet2/roles/pubsub.publisher/serviceAccount:75133325569@cloudbuild.gserviceaccount.com] google_project_service.prod_cloudbuild_api: Creating... google_pubsub_topic.ops_gcr_pubsub: Still creating... [50s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [50s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [50s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [50s elapsed] google_project_service.prod_firestore_api: Still creating... [10s elapsed] google_project_service.prod_appengine_api: Still creating... [10s elapsed] google_project_service.prod_run_api: Still creating... [10s elapsed] google_project_service.ops_artifact_registry_api: Still creating... [20s elapsed] google_project_iam_member.ops_cloudbuild_service_account_user_iam_prod: Creation complete after 8s [id=emblem-prod-jellybeandiet2/roles/iam.serviceAccountUser/serviceAccount:75133325569@cloudbuild.gserviceaccount.com] google_project_service.prod_pubsub_api: Creating... google_project_service.ops_artifact_registry_api: Creation complete after 22s [id=emblem-ops-jellybeandiet2/artifactregistry.googleapis.com] google_project_iam_member.stage_cloudbuild_service_account_user_iam: Creating... google_project_service.prod_cloudbuild_api: Still creating... [10s elapsed] google_project_service.prod_pubsub_api: Creation complete after 3s [id=emblem-prod-jellybeandiet2/pubsub.googleapis.com] google_project_iam_member.stage_cloudbuild_run_admin_iam: Creating... google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [1m0s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [1m0s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [1m0s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [1m0s elapsed] google_project_service.prod_firestore_api: Still creating... [20s elapsed] google_project_service.prod_appengine_api: Still creating... [20s elapsed] google_project_service.prod_run_api: Still creating... [20s elapsed] google_project_service.prod_appengine_api: Creation complete after 21s [id=emblem-prod-jellybeandiet2/appengine.googleapis.com] google_project_service.prod_run_api: Creation complete after 20s [id=emblem-prod-jellybeandiet2/run.googleapis.com] google_project_service.prod_firestore_api: Creation complete after 21s [id=emblem-prod-jellybeandiet2/firestore.googleapis.com] google_artifact_registry_repository.ops_api_docker: Creating... google_artifact_registry_repository.ops_website_docker: Creating... google_app_engine_application.stage_app: Creating... google_project_iam_member.stage_cloudbuild_service_account_user_iam: Creation complete after 8s [id=emblem-stage-jellybeandiet2/roles/iam.serviceAccountUser/serviceAccount:946058332494@cloudbuild.gserviceaccount.com] google_app_engine_application.prod_app: Creating... google_project_iam_member.stage_cloudbuild_run_admin_iam: Creation complete after 6s [id=emblem-stage-jellybeandiet2/roles/run.admin/serviceAccount:946058332494@cloudbuild.gserviceaccount.com] google_project_service.prod_cloudbuild_api: Still creating... [20s elapsed] google_project_service.prod_cloudbuild_api: Creation complete after 21s [id=emblem-prod-jellybeandiet2/cloudbuild.googleapis.com] google_project_iam_member.prod_cloudbuild_service_account_user_iam: Creating... google_project_iam_member.prod_cloudbuild_run_admin_iam: Creating... google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [1m10s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [1m10s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [1m10s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [1m10s elapsed] google_artifact_registry_repository.ops_api_docker: Still creating... [10s elapsed] google_artifact_registry_repository.ops_website_docker: Still creating... [10s elapsed] google_app_engine_application.stage_app: Still creating... [10s elapsed] google_app_engine_application.prod_app: Still creating... [10s elapsed] google_app_engine_application.stage_app: Creation complete after 11s [id=emblem-stage-jellybeandiet2] google_artifact_registry_repository.ops_website_docker: Creation complete after 11s [id=projects/emblem-ops-jellybeandiet2/locations/us-central1/repositories/website] google_artifact_registry_repository_iam_member.stage_iam_website_ar: Creating... google_artifact_registry_repository_iam_member.prod_iam_website_ar: Creating... google_app_engine_application.prod_app: Creation complete after 10s [id=emblem-prod-jellybeandiet2] google_artifact_registry_repository.ops_api_docker: Creation complete after 12s [id=projects/emblem-ops-jellybeandiet2/locations/us-central1/repositories/content-api] google_artifact_registry_repository_iam_member.stage_iam_api_ar: Creating... google_artifact_registry_repository_iam_member.prod_iam_api_ar: Creating... google_project_iam_member.prod_cloudbuild_run_admin_iam: Creation complete after 7s [id=emblem-prod-jellybeandiet2/roles/run.admin/serviceAccount:746609011029@cloudbuild.gserviceaccount.com] google_project_iam_member.prod_cloudbuild_service_account_user_iam: Creation complete after 7s [id=emblem-prod-jellybeandiet2/roles/iam.serviceAccountUser/serviceAccount:746609011029@cloudbuild.gserviceaccount.com] google_pubsub_topic.ops_gcr_pubsub: Still creating... [1m20s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [1m20s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [1m20s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [1m20s elapsed] google_artifact_registry_repository_iam_member.stage_iam_website_ar: Creation complete after 10s [id=projects/emblem-ops-jellybeandiet2/locations/us-central1/repositories/website/roles/artifactregistry.reader/serviceAccount:service-946058332494@serverless-robot-prod.iam.gserviceaccount.com] google_artifact_registry_repository_iam_member.prod_iam_website_ar: Still creating... [10s elapsed] google_artifact_registry_repository_iam_member.prod_iam_website_ar: Creation complete after 10s [id=projects/emblem-ops-jellybeandiet2/locations/us-central1/repositories/website/roles/artifactregistry.reader/serviceAccount:service-746609011029@serverless-robot-prod.iam.gserviceaccount.com] google_artifact_registry_repository_iam_member.prod_iam_api_ar: Still creating... [10s elapsed] google_artifact_registry_repository_iam_member.stage_iam_api_ar: Still creating... [10s elapsed] google_artifact_registry_repository_iam_member.prod_iam_api_ar: Creation complete after 10s [id=projects/emblem-ops-jellybeandiet2/locations/us-central1/repositories/content-api/roles/artifactregistry.reader/serviceAccount:service-746609011029@serverless-robot-prod.iam.gserviceaccount.com] google_artifact_registry_repository_iam_member.stage_iam_api_ar: Creation complete after 10s [id=projects/emblem-ops-jellybeandiet2/locations/us-central1/repositories/content-api/roles/artifactregistry.reader/serviceAccount:service-946058332494@serverless-robot-prod.iam.gserviceaccount.com] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [1m30s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [1m30s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [1m30s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [1m30s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [1m40s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [1m40s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [1m40s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [1m40s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [1m50s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [1m50s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [1m50s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [1m50s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [2m0s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [2m0s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [2m0s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [2m0s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [2m10s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [2m10s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [2m10s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [2m10s elapsed] google_pubsub_topic.ops_gcr_pubsub: Still creating... [2m20s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [2m20s elapsed] google_pubsub_topic.stage_canary_pubsub: Still creating... [2m20s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [2m20s elapsed] google_pubsub_topic.ops_gcr_pubsub: Creation complete after 2m27s [id=projects/emblem-ops-jellybeandiet2/topics/gcr] google_pubsub_topic.stage_canary_pubsub: Creation complete after 2m28s [id=projects/emblem-stage-jellybeandiet2/topics/canary] google_pubsub_topic.ops_cloudbuilds_pubsub: Still creating... [2m30s elapsed] google_pubsub_topic.stage_cloudbuilds_pubsub: Still creating... [2m30s elapsed] google_pubsub_topic.ops_cloudbuilds_pubsub: Creation complete after 2m37s [id=projects/emblem-ops-jellybeandiet2/topics/cloud-builds] google_pubsub_topic.stage_cloudbuilds_pubsub: Creation complete after 2m38s [id=projects/emblem-stage-jellybeandiet2/topics/cloud-builds]

dinagraves · 2021-09-07T23:11:10Z

Thanks for figuring this out!

ace-n · 2021-09-07T23:33:27Z

terraform/ops.tf

@@ -13,6 +13,7 @@ provider "google" {
 resource "google_pubsub_topic" "ops_gcr_pubsub" {
  provider = google.ops
  name     = "gcr"
+


Nit: extra line?

chore(terraform): ensure consistent IAM permissioning

54f3e17

grayside added the component: delivery Related to automation, testing, deployment of the application. label Sep 3, 2021

grayside requested a review from dinagraves September 3, 2021 21:50

grayside self-assigned this Sep 3, 2021

google-cla bot added the cla: yes This human has signed the Contributor License Agreement. label Sep 3, 2021

grayside changed the title ~~chore(terraform): ensure consistent IAM permission~~ fix(terraform): ensure consistent IAM permission Sep 3, 2021

grayside added this to the v0.5.0 milestone Sep 7, 2021

dinagraves approved these changes Sep 7, 2021

View reviewed changes

Merge branch 'main' into deflake-terraform

90927be

dinagraves requested a review from a team as a code owner September 7, 2021 23:08

ace-n approved these changes Sep 7, 2021

View reviewed changes

Merge branch 'main' into deflake-terraform

76c4200

grayside merged commit 4fdc7b2 into main Sep 9, 2021

grayside deleted the deflake-terraform branch September 9, 2021 16:19

dinagraves mentioned this pull request Jan 11, 2022

fix(terraform): fix tf apply failures #305

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(terraform): ensure consistent IAM permission #165

fix(terraform): ensure consistent IAM permission #165

grayside commented Sep 3, 2021 •

edited

Loading

dinagraves commented Sep 7, 2021

ace-n Sep 7, 2021

fix(terraform): ensure consistent IAM permission #165

fix(terraform): ensure consistent IAM permission #165

Conversation

grayside commented Sep 3, 2021 • edited Loading

dinagraves commented Sep 7, 2021

ace-n Sep 7, 2021

Choose a reason for hiding this comment

grayside commented Sep 3, 2021 •

edited

Loading