diff --git a/third_party/terraform/utils/config.go.erb b/third_party/terraform/utils/config.go.erb
index d28482a16430..a06c7e24434f 100644
--- a/third_party/terraform/utils/config.go.erb
+++ b/third_party/terraform/utils/config.go.erb
@@ -566,7 +566,7 @@ func (c *Config) LoadAndValidate(ctx context.Context) error {
 return err
 }
 c.clientStorageTransfer.UserAgent = userAgent
- c.clientStorageTransfer.BasePath = storageTransferClientBasePath
+ c.clientStorageTransfer.BasePath = storageTransferClientBasePath
 healthcareClientBasePath := removeBasePathVersion(c.HealthcareBasePath)
 log.Printf("[INFO] Instantiating Google Cloud Healthcare client for path %s", healthcareClientBasePath)
@@ -687,7 +687,7 @@ func (c *Config) GetCredentials(clientScopes []string) (googleoauth.Credentials,
 defaultTS, err := googleoauth.DefaultTokenSource(context.Background(), clientScopes...)
 if err != nil {
- return googleoauth.Credentials{}, fmt.Errorf("Error loading Default TokenSource: %s", err)
+ return googleoauth.Credentials{}, fmt.Errorf("Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block. No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'. Original error: %w", err)
 }
 return googleoauth.Credentials{
 TokenSource: defaultTS,
diff --git a/third_party/terraform/website/docs/guides/getting_started.html.markdown b/third_party/terraform/website/docs/guides/getting_started.html.markdown
index ef26a2bfc821..daf474dc21c8 100644
--- a/third_party/terraform/website/docs/guides/getting_started.html.markdown
+++ b/third_party/terraform/website/docs/guides/getting_started.html.markdown
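Review bot: In the GetCredentials hunk of config.go.erb, the new error text offers only `gcloud auth application-default login` as the remedy, which is an interactive user login and does not fit unattended runs; on a CI runner or shared host it steers the operator toward storing a personal user credential where a scoped service account belongs. I would add one clause before the original error, for example `For unattended runs, supply a service account through GOOGLE_APPLICATION_CREDENTIALS instead.` The message also states as fact that neither `credentials` nor `access_token` was set in the provider block; the branches that decide this are outside the hunk, so if those values can also arrive from the environment, "in the provider configuration" would be the safer wording. GetCredentials begins and ends outside the hunk, so this is based only on the default-token-source branch shown here.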
@@ -20,7 +20,15 @@ provider. ## Configuring the Provider -First create a Terraform config file named `"main.tf"`. Inside, you'll +First, authenticate with GCP. The easiest way to do this is to run +`gcloud auth application-default login`, if you already have gcloud +installed. If you don't already have it, gcloud can be installed with +`apt-get install google-cloud-sdk` on Debian-based machines. For a +production use-case, you will want to use service account authentication, +which you can learn about further down in this doc, but for experimenting, +gcloud authentication will work fine. + +Next, create a Terraform config file named `"main.tf"`. Inside, you'll want to include the following configuration: ```hcl @@ -45,7 +53,7 @@ Not all resources require a location. Some GCP resources are global and are automatically spread across all of GCP. -> Want to try out another location? Check out the [list of available regions and zones](https://cloud.google.com/compute/docs/regions-zones/#available). -Instances created in zones outside the US are not part of the always free tier +Instances created in zones outside the US are not necessarily part of the always free tier and could incur charges. ## Creating a VM instance @@ -168,6 +176,11 @@ You supply the key to Terraform using the environment variable export GOOGLE_APPLICATION_CREDENTIALS={{path}} ``` +If you choose to use `gcloud`-generated credentials, and you encounter +quota or billing issues which don't seem to apply to you, you may want to set +`user_project_override` to `true` in the provider block - see the +[provider reference](/docs/providers/google/guides/provider_reference.html) for more information. + -> Remember to add this line to a startup file such as `bash_profile` or `bashrc` to store your credentials across sessions! 
diff --git a/third_party/terraform/website/docs/guides/provider_reference.html.markdown b/third_party/terraform/website/docs/guides/provider_reference.html.markdown index 7198064426e6..fd97685d47ee 100644 --- a/third_party/terraform/website/docs/guides/provider_reference.html.markdown +++ b/third_party/terraform/website/docs/guides/provider_reference.html.markdown @@ -74,7 +74,12 @@ same configuration. * `credentials` - (Optional) Either the path to or the contents of a [service account key file] in JSON format. You can -[manage key files using the Cloud Console]. +[manage key files using the Cloud Console]. If not provided, the +application default credentials will be used. You can configure +Application Default Credentials on your personal machine by +running `gcloud auth application-default login`. If +terraform is running on a GCP machine, and this value is unset, +it will automatically use that machine's configured service account. * `project` - (Optional) The default project to manage resources in. If another project is specified on a resource, it will take precedence.