This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Error waiting for Create Service Networking Connection: Error code 7

Posted on 02-28-2024 07:25 AM
alebeta
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi Everyone,

I have been using successfully the following Terraform code to deploy databases on GCP

 

 

 

variable "db_machine_type" {
  type        = string
  description = "machine type for db instance"
}

variable "db_password" {
  description = "The password for the database"
  type        = string
  sensitive   = true
}

resource "google_compute_global_address" "private_ip_address" {
    provider      = google-beta
    name          = "${local.stage}-private-transit-ip"
    purpose       = "VPC_PEERING"
    address_type  = "INTERNAL"
    prefix_length = 24
    network       = google_compute_network.vpc.name
    project       = var.project_id
  }

resource "google_service_networking_connection" "private_vpc_connection" {
  provider                = google-beta
  network                 = google_compute_network.vpc.id
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.private_ip_address.name]
}

resource "google_sql_database" "database" {
  name     = "${local.stage}-db"
  instance = google_sql_database_instance.default.name
}

resource "google_sql_database_instance" "default" {
  provider            = google-beta
  name                = "${local.stage}-instance"
  project             = var.project_id
  region              = var.region
  database_version    = "POSTGRES_14"
  deletion_protection = false

  depends_on = [
    google_service_networking_connection.private_vpc_connection,
  ]

  settings {
    tier = var.db_machine_type
    ip_configuration {
      ipv4_enabled                                  = false
      private_network                               = google_compute_network.vpc.id
      enable_private_path_for_google_cloud_services = true
      require_ssl                                   = false
    }
  }
}

resource "google_sql_user" "root" {
  name     = "user"
  instance = google_sql_database_instance.default.name
  password = var.db_password
}

 

 

 

But when applying from today started receiving the following error message

 

 

google_service_networking_connection.private_vpc_connection: Creating...
google_service_networking_connection.private_vpc_connection: Still creating... [10s elapsed]
╷
│ Error: Error waiting for Create Service Networking Connection: Error code 7, message: Permission denied on resource project 1029508354172.
│ Help Token: AX4KC-h9o8vNlPdEjJVx5sPVaS1EVogSUd9r8V6nEKutfx0r91IzqE5srpA9x06tpcBvxHO1ab5C2C-j_bUdUZdtmp_ikgryte7UNYlCpnwzw3gQ
│
│   with google_service_networking_connection.private_vpc_connection,
│   on database.tf line 21, in resource "google_service_networking_connection" "private_vpc_connection":
│   21: resource "google_service_networking_connection" "private_vpc_connection" {

 

 

I was surprise to see the error pointing to a project number which does not belong to me and is not the project I specified in my terraform.

In the internet I found someone else having the same issue since yesterday. But there is not solution to the problem
https://www.reddit.com/r/googlecloud/comments/1b18zd7/permission_denied_on_different_project_number/

If anyone can give me a hint on how to solve the issue will be much appreaciated.

Thanks in advance

 

2 3 2,087
Topic Labels
3 REPLIES 3

Posted on --/--/---- --:-- AM
Marvin_Lucero
Staff
Reply posted on --/--/---- --:-- AM

Hi @alebeta , 

Based from the error below, the service account used by Terraform does have no necessary permissions to create a service networking connection. 

@alebeta wrote:

Error: Error waiting for Create Service Networking Connection: Error code 7, message: Permission denied on resource project xxxxxxxxxxxxxx.

To fix this, you will be needing to grant permission for the service account used by Terraform. You can follow these commands below :

  1. Identify the service account used by Terraform. You can find this in the Terraform configuration file or in the environment variables.

  2. Navigate to the IAM & Admin page in the GCP Console.

  3. Select the project where the service account is located.

  4. Click on the "IAM" tab.

  5. Search for the service account used by Terraform.

  6. Click on the "Edit" button next to the service account.

  7. In the "Add members" field, enter the email address of the service account.

  8. Select the "Service Account Token Creator" role from the dropdown menu.

  9. Click on "Save" to save the changes.

  10. Re-run the Terraform apply command.

You may also check this community discussion as it is related to your concern. Let me know if this helps.

 

Posted on --/--/---- --:-- AM
rkvvva
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I am facing the same issue in a project that has been unchanged and stable for years.

Several other posts for the same issue were opened in the last week.

Those posters advised that creating a new project worked around the issue, but this is not a general solution.

Posted on --/--/---- --:-- AM
rkvvva
Bronze 1
Bronze 1
In response to rkvvva
Reply posted on --/--/---- --:-- AM

Update: resolved the issue by changing the name of the VPC I was trying to create and deploy.

In terraform resource "google_compute_network" I changed the 'name' element by one character.
And now resource "google_service_networking_connection" applies onto that VPC with no problem.

It seems something with the VPC name conflicted in the backend.  Maybe I deleted a VPC with that same name a few years ago?

 

Top Labels in this Space
Top Solution Authors
View all