Unable to link Project with Billing Account #5733

Closed
streetmapp opened this issue Feb 21, 2020 · 14 comments

@streetmapp

streetmapp commented Feb 21, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

Terraform v0.12.20

Affected Resource(s)

  • google_project

Terraform Configuration Files

resource "random_id" "id" {
  byte_length = 4
  prefix      = "my-test-proj-"
}

resource "google_project" "project" {
  name            = "my-test-proj"
  project_id      = random_id.id.hex
  billing_account = "BILLING_ACCOUNT"
  org_id          = "ORG_ID"
}

Debug Output

https://gist.github.com/streetmapp/8999b6e941fe26f965ee1ff88e7d4bef

Panic Output

No Panic

Expected Behavior

I would have expected that my terraform would have created the project and associated it with my organization and set the billing account for the project.

Actual Behavior

The project is created and associated with my organization, but it fails to apply the billing account.

Error received:

Error: Error setting billing account "BILLINGACCOUNT" for project "projects/my-test-proj-b5b946d0": googleapi: Error 403: The caller does not have permission, forbidden

  on projects.tf line 11, in resource "google_project" "project":
  11: resource "google_project" "project" {

Steps to Reproduce

I have been following this guide for the purpose of having a central GCP project from which I can manage Terraform.

https://cloud.google.com/community/tutorials/managing-gcp-projects-with-terraform

My service account for this has Project Billing Manager and Billing Account User roles at the Org level and Project Billing Manager at the newly created project level. Both of these, I would think, should be sufficient for the task at hand.

References

  • I was asked to open this issue against the provider via rileykarson in #terraform of the GCP Community Slack.
@ghost ghost added the bug label Feb 21, 2020
@venkykuberan venkykuberan self-assigned this Feb 21, 2020
@venkykuberan
Contributor

@streetmapp Can you please try making that service account a "Billing Account User" & "Project Creator" at the Org level (only at the Org level) and run your config? The service account will end up as just Owner of the project after it gets created.

sample config

locals {
  project_id = "test-demo-project-v${random_id.id.dec}"
  org_id     = "xxxxxxxxxxx"
}

resource "random_id" "id" {
  byte_length = 3
}

resource "google_project" "demo_project" {
  name            = "testing-project"
  project_id      = local.project_id
  org_id          = local.org_id
  billing_account = var.billing_account_id
}

I am able to create a project and assign the billing account. Please let me know if it helped.

@streetmapp
Author

So I just tried this out, using your sample config, and I got the same error as I mentioned on my initial report.

Can confirm that my service account in use at the Org level ONLY has "Billing Account User" & "Project Creator" set.

@ghost ghost removed the waiting-response label Feb 22, 2020
@streetmapp
Author

I also tried the gcloud SDK method of linking a billing account, and this failed due to permissions as well.

@venkykuberan
Contributor

I am attaching the plan and apply output and also a screenshot of my service account's access privileges at both Org and Project level.
I am outputting the service account being used to create the project to verify I am using the right service account. Project successfully created with no issues.

Please cross-verify my settings against yours again. Also, can you verify whether changing the org-level permission to Billing Administrator produces any different results for you?

# google_project.demo_project will be created
  + resource "google_project" "demo_project" {
      + auto_create_network = true
      + billing_account     = "xxx-xxx-xxx"
      + folder_id           = (known after apply)
      + id                  = (known after apply)
      + name                = "testing-project"
      + number              = (known after apply)
      + org_id              = "xxxxxx"
      + project_id          = (known after apply)
      + skip_delete         = (known after apply)
    }

  # random_id.id will be created
  + resource "random_id" "id" {
      + b64         = (known after apply)
      + b64_std     = (known after apply)
      + b64_url     = (known after apply)
      + byte_length = 3
      + dec         = (known after apply)
      + hex         = (known after apply)
      + id          = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

random_id.id: Creating...
random_id.id: Creation complete after 0s [id=stJV]
google_project.demo_project: Creating...
google_project.demo_project: Creation complete after 9s [id=projects/test-demo-project-v11719253]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Outputs:

user_id = venky-service-account-limited@venky-external-org.iam.gserviceaccount.com

Screenshot from 2020-02-25 15-41-02
Screenshot from 2020-02-25 15-40-21

@streetmapp
Author

Using Billing Account Administrator does not produce any different results.

@ghost ghost removed the waiting-response label Feb 26, 2020
@venkykuberan
Contributor

It has to do with the roles you set up for your service account. As you get the same error from gcloud as well, I don't see any issues with terraform/provider. Once you get gcloud working (project creation with billing account), the above given config can be used with terraform.

Please ping us back if it fails in terraform and works fine in gcloud.

@Arconapalus

I followed from the GCP/Slack channel to here. I have a similar error. I have a Terraform config file to provision a new project with GCP services. I have a Terraform admin service account with the Org-level roles Billing Account User and Project Creator. At project level I have custom roles, Owner, and Storage Admin.

When I run Terraform apply, I get this error:
Error: failed pre-requisites: missing permission on “billingAccounts/AccountID”: billing.resourceAssociations.create.

Double-checking: the service account that needs the permissions/roles is the Terraform admin service account and not the service account within the project, right? Or does the service account within the newly provisioned project need to have the org/project roles and permissions?

@ghost ghost removed the waiting-response label Apr 10, 2020
@Arconapalus

Arconapalus commented Apr 13, 2020

I have tested this with variations. At organization level, Project Creator and Billing Account User need to be assigned to the custom service account. I'm in the process of having Cloud Build provision the tf config files. However, Cloud Build doesn't allow permissions to be granted at project level for Project Creator. Cloud Build doesn't allow using an external service account either.
After testing, you will need to have the Cloud Build default service account have the permissions for Billing Account User and Project Creator. However, from a security standpoint this isn't correct and this route should not be allowed.

@Arconapalus

I did a final test. I was creating automation for the Terraform provisioning of GCP projects and services. I found in my research that, for now, we will need to have a Cloud Build default service account (at org level) that has Billing Account User and Project Creator for Cloud Build to execute the Terraform config file to provision GCP projects from the Terraform admin project. Thus, you could supplement the service account in cloudbuild.yaml by using a secret, but then this opens up a new risk of vulnerabilities on top of having a Cloud Build service account that already has organizational permission. I could supplement my writing on GitHub or Stack Overflow to subdue the outcome of my research.

@luthes

luthes commented Apr 17, 2020

I was having a similar issue, where I couldn't create projects. I was nearly about to give up, and I came across a Terraform module (https://github.com/terraform-google-modules/terraform-google-project-factory) that had slightly different permissions. I removed everything that I had previously added using the above-mentioned guide (including the .terraform folder) and added the permissions recommended there. Admittedly, I'm just getting started with GCP, so I'm not entirely sure all of those are needed, but something there did the trick :) Hope that helps!

@chrisst
Contributor

chrisst commented Apr 21, 2020

As is, this looks like a problem with getting permissions correct and not necessarily a bug with the provider. Please let me know if I'm missing something.

In terms of getting the permissions set correctly you will need to give the service account that is being used by Terraform permission to modify the billing account in question. The IAM permissions for the billing account are configured in a different part of the UI than the project and organization level IAM permissions. Instead of being under the IAM part of the sidebar they are configured under the Billing section. https://support.google.com/cloud/answer/7283646?hl=en has a bit more detail.

Also the IAM docs have a pretty good article on understanding roles: https://cloud.google.com/iam/docs/understanding-roles#billing-roles
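The distinction chrisst draws above, that the billing-account IAM policy is separate from the org and project IAM policies, is what the 403 in this thread and Arconapalus's `billing.resourceAssociations.create` error both come down to: `roles/billing.user` (Billing Account User) carries that permission, but it only helps when it is bound on the billing account resource itself. The configuration below is an added example, not code from this issue or from the provider's documentation. It shows the least-privilege shape for an automation service account: `roles/resourcemanager.projectCreator` at the org level and `roles/billing.user` on the billing account, followed by the `google_project` from the original report. All identifiers (`ORG_ID`, `BILLING_ACCOUNT`, the service account e-mail) are placeholders, and it assumes the identity applying the two IAM bindings already holds billing admin on that account and IAM admin on the org; in practice the bindings live in a bootstrap root module applied by an administrator, and the project resource in the module applied as the service account. They are shown in one file only so the pieces can be read together.

```hcl
# Added example; placeholder identifiers, replace with real values.
variable "org_id"             { default = "ORG_ID" }
variable "billing_account_id" { default = "BILLING_ACCOUNT" } # XXXXXX-XXXXXX-XXXXXX
variable "tf_sa_email"        { default = "terraform@admin-project.iam.gserviceaccount.com" }

# Org-level: the automation account may create projects under the org.
# Nothing more is granted at this level; project-level Owner is implicit
# for the creator of a new project.
resource "google_organization_iam_member" "tf_project_creator" {
  org_id = var.org_id
  role   = "roles/resourcemanager.projectCreator"
  member = "serviceAccount:${var.tf_sa_email}"
}

# Billing-account-level: roles/billing.user includes
# billing.resourceAssociations.create, the permission checked when a
# project is linked to a billing account. Binding the same role on the
# org (as in the original report) does not satisfy this check.
resource "google_billing_account_iam_member" "tf_billing_user" {
  billing_account_id = var.billing_account_id
  role               = "roles/billing.user"
  member             = "serviceAccount:${var.tf_sa_email}"
}

# The project from the original report, unchanged apart from using the
# variables above. depends_on only orders creation within this file; IAM
# changes can still take a short time to propagate on the Google side.
resource "random_id" "id" {
  byte_length = 4
  prefix      = "my-test-proj-"
}

resource "google_project" "project" {
  name            = "my-test-proj"
  project_id      = random_id.id.hex
  org_id          = var.org_id
  billing_account = var.billing_account_id

  depends_on = [
    google_organization_iam_member.tf_project_creator,
    google_billing_account_iam_member.tf_billing_user,
  ]
}
```

Using the `_iam_member` resources rather than `_iam_policy` is deliberate: they add a single binding without overwriting the existing policy on the billing account or the org, which matters when a human administrator already holds roles there. The quota point techjacker raises later in the thread is independent of IAM; a correctly bound service account will still fail once the billing account has reached its default number of linked projects.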

@chrisst
Contributor

chrisst commented Apr 21, 2020

If you think the tutorial could be improved you are welcome to open a PR that improves it. The source for the tutorial is at https://github.com/GoogleCloudPlatform/community/tree/master/tutorials/managing-gcp-projects-with-terraform. Or feel free to open up an issue against that repo and see if the author will update.

@chrisst chrisst closed this as completed Apr 21, 2020
@techjacker

I had this same issue and it turned out that it was a project quota limit - it seems you are limited to 5 projects that can be linked to a billing account by default. You only get told this if you try to link the project to a billing account in the console. It would be great if you could update the provider to give the correct error information too.

@ghost

ghost commented May 22, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators May 22, 2020
@github-actions github-actions bot added forward/review In review; remove label to forward service/cloudresourcemanager-crm labels Jan 14, 2025