
Google Cloud VPC Peering Issue #6659

Closed
tama1214 opened this issue Jun 23, 2020 · 4 comments

Comments

@tama1214

Current Terraform Version

Terraform v0.12.17

Public Cloud Provider

provider.google-beta: version = "~> 3.26"

Description of the issue

I am trying to install VPC Peering between networks belonging to different GCP projects ("HUB VPC Project" and "Spoke VPC Project"), but I can’t do this; I get the following error:

Error: Error adding network peering: googleapi: Error 403: Required 'compute.networks.addPeering' permission for 'projects/nc-iac-test-280514/global/networks/vpc-gcp-hub-vpc', forbidden
  on .terraform/modules/vpc-peering/modules/vpc-peering/main.tf line 10, in resource "google_compute_network_peering" "peering2":
  10: resource "google_compute_network_peering" "peering2" {
ERROR: Job failed: exit code 1

The error occurs because the Terraform script is executed using the credentials of a service user owned by "Spoke VPC Project", which accordingly has rights only to "Spoke VPC Project" (i.e. it does not have rights for "HUB VPC Project").

From the technical documentation, I see that at the moment there is no technical possibility to create a service user (terraform user) for the whole Organization with access rights to all projects within this Organization. A service user can only be created for a specific project within the Organization (separate service users for "HUB VPC Project" and "Spoke VPC Project").

Terraform Script - Repo "Spoke VPC Project"

# "Spoke VPC Project" Variables
variable "peering_hub_name" { default = "peering-gcp-hub-vcn-project-1" }
variable "peering_spoke_name" { default = "peering-gcp-spoke-vcn-project-1" }

# Data from "HUB VPC Project"
data "terraform_remote_state" "hub_vpc" {
  backend = "gcs"
  config = {
    credentials = "secure/nc-iac-test-280514-177750b15789.json"
    bucket      = "nc-tf-state-prod"
    prefix      = "terraform/network_state"
  }
}

# VPC Peering between "HUB VPC Project" and "Spoke VPC Project"
module "vpc-peering" {
  source             = "git::https://gitlab+deploy-token-22:**********@git.netcracker.com/Personal.Public_Cloud_Support/Google/Google_Modules.git//modules/vpc-peering"
  peering_hub_name   = var.peering_hub_name
  peering_spoke_name = var.peering_spoke_name
  spoke_network_id   = module.network.vpc_network_id
  hub_network_id     = data.terraform_remote_state.hub_vpc.outputs.google_compute_network_default_id
}

Terraform Script - Repo "git.netcracker.com/Personal.Public_Cloud_Support/Google/Google_Modules.git//modules/vpc-peering"

# Module Variables
variable "peering_hub_name" {}
variable "peering_spoke_name" {}
variable "spoke_network_id" {}
variable "hub_network_id" {}

# VPC Peering Configuration
resource "google_compute_network_peering" "peering1" {
  name                 = var.peering_hub_name
  network              = var.spoke_network_id
  peer_network         = var.hub_network_id
  import_custom_routes = true
  export_custom_routes = true
}

resource "google_compute_network_peering" "peering2" {
  name                 = var.peering_spoke_name
  network              = var.hub_network_id
  peer_network         = var.spoke_network_id
  import_custom_routes = true
  export_custom_routes = true
}

Question

How can this issue be solved: creating VPC Peering between "HUB VPC Project" and "Spoke VPC Project" using Terraform?
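The 403 in the issue is raised on `peering2` because that resource modifies the hub network while the provider is authenticated as the spoke project's service account. One way to keep each credential scoped to the project whose network it modifies is to configure two aliased `google` providers and attach the hub-side peering to the hub provider. The following is an added example and is not code from the issue, from the reporter's module, or from the Terraform Google provider; project IDs, key-file paths, the spoke network name and the peering names are placeholders (the hub network name `vpc-gcp-hub-vpc` is taken from the error message above).

```hcl
# Added example: both halves of a cross-project peering from one root module,
# each created with a service account that only needs rights in its own project.
# All IDs, paths and names marked "placeholder" are assumptions, not values from the issue.

provider "google" {
  alias       = "spoke"
  project     = "SPOKE_PROJECT_ID"           # placeholder
  credentials = file("secure/spoke-sa.json") # placeholder: key of the spoke project's SA
}

provider "google" {
  alias       = "hub"
  project     = "HUB_PROJECT_ID"             # placeholder
  credentials = file("secure/hub-sa.json")   # placeholder: key of the hub project's SA
}

# Look up each network with the credentials of the project that owns it.
data "google_compute_network" "spoke" {
  provider = google.spoke
  name     = "vpc-gcp-spoke-vpc"             # placeholder
}

data "google_compute_network" "hub" {
  provider = google.hub
  name     = "vpc-gcp-hub-vpc"               # network named in the issue's error message
}

# Spoke side: addPeering is invoked on the spoke network, so spoke credentials suffice.
resource "google_compute_network_peering" "spoke_to_hub" {
  provider             = google.spoke
  name                 = "peering-gcp-spoke-to-hub"   # placeholder
  network              = data.google_compute_network.spoke.self_link
  peer_network         = data.google_compute_network.hub.self_link
  import_custom_routes = true
  export_custom_routes = true
}

# Hub side: addPeering is invoked on the hub network, so it runs as the hub SA.
# This is the call that returned 403 when executed with the spoke SA.
resource "google_compute_network_peering" "hub_to_spoke" {
  provider             = google.hub
  name                 = "peering-gcp-hub-to-spoke"   # placeholder
  network              = data.google_compute_network.hub.self_link
  peer_network         = data.google_compute_network.spoke.self_link
  import_custom_routes = true
  export_custom_routes = true
}
```

The peering only becomes active once both resources exist, so a single `terraform apply` over this configuration completes the setup without either service account holding rights outside its own project. If a single pipeline identity is preferred instead, the narrower alternative to an organization-wide role is a cross-project IAM binding on the hub project alone: the predefined `roles/compute.networkAdmin` role includes the `compute.networks.addPeering` permission that the error message names, and granting it to the spoke service account on the hub project is the smallest predefined grant that lets the original `peering2` resource succeed.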

@edwardmedia edwardmedia self-assigned this Jun 23, 2020
@edwardmedia edwardmedia added question and removed bug labels Jun 23, 2020
@edwardmedia
Contributor

edwardmedia commented Jun 23, 2020

@tama1214 you can create a service account with organizational roles like Organization Administrator, which has access to different projects within the org. Here is a link you may want to review.
https://cloud.google.com/resource-manager/docs/creating-managing-organization

@edwardmedia
Contributor

@tama1214 Is this still an issue?

@edwardmedia
Contributor

@tama1214 closing this issue as I have not heard back from you. Feel free to reopen it if you need. Thanks

@ghost

ghost commented Aug 10, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Aug 10, 2020