Error when activating a service in child project #3221

Closed
watsab opened this issue Mar 12, 2019 · 6 comments

watsab commented Mar 12, 2019

Hi!

I have a question for which I did not find an actual answer:
I created a Terraform project which is in charge of managing other projects. Everything works fine until I want to activate services on the child projects. I keep getting errors like:

Error 403: Cloud Functions API has not been used in project
[my-terraform-project] before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/cloudfunctions.googleapis.com/overview?project=[my-terraform-project]
then retry.

Or

Error 403: BigQuery API has not been used in project [my-terraform-project]
before or it is disabled. Enable it by visiting
https://console.developers.google.com/apis/api/bigquery-json.googleapis.com/overview?project=[my-terraform-project]
then retry.

So according to these error messages I need to activate the services in my Terraform/parent project, so they can be activated in the child projects.
In other words: if I want to enable Pub/Sub on child projects A & B and BigQuery on C, and Functions on D, it would mean that I need to enable all these services first in the Terraform project.
Is that actually correct? Isn't there a workaround where I don't need to first activate these services in my Terraform project?

Thanks!

@watsab watsab changed the title Error activating seriv Error when activating a service Mar 12, 2019
@watsab watsab changed the title Error when activating a service Error when activating a service in child project Mar 12, 2019
@chrisst chrisst self-assigned this Mar 13, 2019
Contributor

chrisst commented Mar 13, 2019

You are correct that you need those APIs enabled on both the parent and child project. Unfortunately the post/get/delete operations will succeed because they are namespaced by the project id that they are operating on (POST /v1/projects/test-tf-project-f529f7cf/locations/us-central1/functions) but they return an async Operation which we poll to determine the status of the create. The cloud function Operation query doesn't allow us to specify the project id and will default to the service account metadata to determine permissions.

At this point there isn't much that Terraform can do to mitigate, but I've contacted the cloud functions team to see if they will allow namespacing the requests.

You can also use Terraform to manage these APIs using https://www.terraform.io/docs/providers/google/r/google_project_services.html. Hopefully that makes this slightly less painful.

@chrisst chrisst removed their assignment Mar 13, 2019
Author

watsab commented Mar 15, 2019

Hi @chrisst,

thanks for your answer. So if I get it right, the services are actually activated, but the polling is done on the parent project, which does not have the service activated? And thus raising an error?

I'm currently activating services one by one using "google_project_service". And using "google_project_services" raises the same issue. Should it be different?
Thanks

Contributor

chrisst commented Mar 15, 2019

You are correct, when I test with cloud functions the create/delete request is possible with only setting the credentials on the child project. However you can't see the success or failure because it's an async operation and so we have to poll the API to see what the status is. And it's that polling that errors out even if the create actually succeeded.

Those two resources will manage the same permissions, so use whichever fits your use case better. But the key is that for now you'll have to enable the API on both parent and child project until the upstream API changes.

Author

watsab commented Mar 18, 2019

Thanks @chrisst for your reply. I hope this will be solved soon!

@rileykarson
Collaborator

https://www.terraform.io/docs/providers/google/provider_reference.html#user_project_override-1 should associate these requests with the correct project. If it doesn't, there's not really anything we can do in the provider to work around this - the service will need to be enabled in both projects.
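
The two options discussed in this thread, as an added configuration sketch that is not part of the original issue or the provider's own documentation: the `user_project_override` provider setting, and the fallback of enabling each API on both the child projects and the Terraform project. All project IDs other than `my-terraform-project` and the project-to-API mapping are constructed placeholders; `for_each` on resources requires Terraform 0.12.6 or later.

```hcl
provider "google" {
  # Project that owns the service account Terraform runs as (ID from the error text).
  project = "my-terraform-project"

  # Setting linked in the thread: per that comment it should associate requests
  # with the resource's project rather than the credentials' project.
  user_project_override = true
}

locals {
  # Constructed sample: APIs needed by each child project (placeholder IDs).
  child_apis = {
    "child-project-a" = ["pubsub.googleapis.com"]
    "child-project-b" = ["pubsub.googleapis.com"]
    "child-project-c" = ["bigquery-json.googleapis.com"]
    "child-project-d" = ["cloudfunctions.googleapis.com"]
  }

  # One entry per (project, api) pair, keyed "project/api" for stable addressing.
  child_pairs = merge([
    for project, apis in local.child_apis : {
      for api in apis : "${project}/${api}" => { project = project, api = api }
    }
  ]...)

  # Fallback from the thread: the union of those APIs, also enabled on the
  # Terraform project so that polling of async operations does not return 403.
  parent_apis = toset(flatten(values(local.child_apis)))
}

resource "google_project_service" "child" {
  for_each = local.child_pairs
  project  = each.value.project
  service  = each.value.api
}

resource "google_project_service" "parent" {
  for_each = local.parent_apis
  project  = "my-terraform-project"
  service  = each.value
}
```

If the override resolves the 403s, the `parent` resource can be dropped so the Terraform project carries only the APIs it needs itself.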


ghost commented Mar 29, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators Mar 29, 2020