Error: Request forbidden by administrative rules #23
Comments
There is a project number in GCP. Look at the projects dashboard or run:

```
PROJECT=$(gcloud config get-value project)
gcloud projects list --filter="$PROJECT" --format="value(PROJECT_NUMBER)"
```

Here are the instructions on how to create a service account for CVS: https://cloud.google.com/solutions/partners/netapp-cloud-volumes/api?hl=en_US

My take on your problem: The Volume Create call uses a URL like:

projectNumber is the project number described above.

Since us-east1 is CVS-Software, you also need to specify:

```
storage_class = "software"
zone = "<your_CVS_zone>"
```

Give it a try. Hope this helps.
Thanks for the quick response. I updated the project number as you explained and added
My TF config
Service account permissions are set correctly as far as I can tell. I am going to try the Python code to rule things out with my service account. Note, it is worth updating the docs as most GCP modules use project id and this is a different model.

Good. This is a known error in 20.11.0. Yesterday, 20.11.1 was released, which fixes the error. Sorry for not mentioning it earlier.

This looks like a bug we fixed yesterday. Can you try 20.11.1?
Yes, that fixed it and I have it fully working. Thanks. I also had an issue in my template where I was using network id instead of name. For documentation, this worked.
Note, snapshot policy is not optional and it errors without it.
But the above error does not stop the volume from being created. If you fix the snapshot policy and re-run
Deleting the volume fixes the issue and

Yes, we used to delete the volume on a creation error, but we found it may be better to keep it for debug purposes. We'll look into whether snapshot_policy is always required. @okrause Would you know for sure?

Thanks.
Hmmm, for me it works fine without a snapshot schedule. Just created a volume (on CVS-Performance) with:

```
resource "netapp-gcp_volume" "gcp-smb-volume" {
  name           = local.volume_name
  region         = local.region
  protocol_types = ["NFSv3"]
  network        = local.network
  size           = local.size
  service_level  = local.service_level
}
```

The error seems to come from CVS API and not the provider. The only thing I can think of is that the API behaves differently for CVS-Software. We need to test this.
I re-tried with my config and while it did not give me the same error. If you look in the GCP console, the state shows "Error when creating - No Snapshot policy given.". The
I tested the issue with CVS-Software and can confirm the problem reported by @srirajan . Volume creation fails with snapshot_policy {
enabled = true
} makes it work.

@srirajan Is this issue solved for your purposes so far? If yes, please close.

yes, thanks for the help.
I am getting the following error on tf apply
TF snippet
Debug Logs:
Appears to be a permissions issue but not sure where.
To confirm:
- `project` in the provider config is the GCP Project ID, correct? Docs say "This is the project number for NetApp_GCP API operations." There is no project number in GCP. The GCP Org has a number, but it is still named ID. Project name does not work.
- `roles/netappcloudvolumes.admin` & `roles/compute.admin` are assigned to the service account used with Terraform. Are there any other roles needed? I can create volumes in this project using my user credentials which are similar.
- Is there a way to test create volumes using CLI/API without Terraform. This might isolate the issue to either the service account or terraform.
I am running terraform.0.13.5 & 20.11.0 of the provider.
Thanks.
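
The following preflight check is an added example, not part of the original issue or the provider's own tooling. It resolves the project number with the `gcloud` command quoted in the thread and compares the service account's project-level role bindings against the two roles named in this post. The function names and the `REQUIRED_ROLES` list are assumptions; the thread does not confirm that both roles are required.

```shell
#!/bin/sh
# Added example: preflight for the service account Terraform uses with the
# netapp-gcp provider. Function names are hypothetical.

# Roles the issue author reports assigning (assumption: the thread does not
# confirm that both are required).
REQUIRED_ROLES="roles/netappcloudvolumes.admin roles/compute.admin"

# Read granted roles on stdin (one per line); print each required role
# that is not among them.
missing_roles() {
  granted=$(cat)
  for role in $REQUIRED_ROLES; do
    printf '%s\n' "$granted" | grep -qxF "$role" || printf '%s\n' "$role"
  done
}

# A project number is all digits; a project ID is not.
is_project_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Resolve the number for the provider's "project" setting, then list the
# roles bound to the service account directly on the project. Bindings
# inherited from a folder or organization are not shown by this query.
preflight() {
  project_id=$1
  sa_email=$2
  number=$(gcloud projects list --filter="$project_id" --format="value(PROJECT_NUMBER)")
  is_project_number "$number" || { echo "no project number found for $project_id" >&2; return 2; }
  echo "provider project (number): $number"
  missing=$(gcloud projects get-iam-policy "$project_id" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$sa_email" \
    --format="value(bindings.role)" | missing_roles)
  [ -z "$missing" ] && { echo "service account has all expected roles"; return 0; }
  echo "missing roles:"; echo "$missing"; return 1
}

# Runs only when called as: ./preflight.sh PROJECT_ID SERVICE_ACCOUNT_EMAIL
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A non-zero exit with a list of missing roles points at the service account rather than at Terraform or the provider.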