Terraform Apply failing

65 views
Skip to first unread message

Felipe Chamas Biondi

unread,
Nov 24, 2020, 12:21:39 PM11/24/20
to api-gateway-users
I'm facing these errors when trying to Apply my terraform Plan and create resources:



IAM resources:


Is this the necessary configuration to make a HTTP request to my Gateway? The documentation o this part of Terraform is a little unclear to me.

Thanks!!!

Felipe Chamas Biondi

unread,
Nov 24, 2020, 12:26:01 PM11/24/20
to api-gateway-users
Images did not upload...

Errors:

Error: Error applying IAM policy for apigateway api "projects/...": Error setting IAM policy for apigateway api "projects/...": googleapi: Error 400: Invalid argument: 'An invalid argument was specified. Please check the fields and try again.'

Error: Error applying IAM policy for apigateway apiconfig "projects/...": Error setting IAM policy for apigateway apiconfig "projects/...": googleapi: Error 400: Invalid argument: 'An invalid argument was specified. Please check the fields and try again.'

Error: Error applying IAM policy for apigateway gateway "projects/...": Error setting IAM policy for apigateway gateway "projects/...": googleapi: Error 400: Invalid argument: 'An invalid argument was specified. Please check the fields and try again.'


IAM Resources (text):

resource "google_api_gateway_api_iam_member" "api_viewer" {
  provider = google-beta
  api      = google_api_gateway_api.api.api_id
  role     = "roles/apigateway.viewer"
  member   = "allUsers"
}

resource "google_api_gateway_gateway_iam_member" "gateway_viewer" {
  provider = google-beta
  gateway  = google_api_gateway_gateway.api_gw.gateway_id
  region   = google_api_gateway_gateway.api_gw.region
  role     = "roles/apigateway.viewer"
  member   = "allUsers"
}

resource "google_api_gateway_api_config_iam_member" "config_viewer" {
  provider   = google-beta
  api        = google_api_gateway_api_config.api_config.api
  api_config = google_api_gateway_api_config.api_config.api_config_id
  role       = "roles/apigateway.viewer"
  member     = "allUsers"
}

Josh Einhorn

unread,
Nov 24, 2020, 1:29:44 PM11/24/20
to Felipe Chamas Biondi, api-gateway-users
Hi Felipe,

JFYI this terraform provider was not authored by Google directly (see the original PR). You may want to post something over there or try to reach the original author.

Is there some way of turning on verbose logging so Terraform prints out the actual API calls it is making? The errors are all indicating a malformed request, so without seeing API calls, I'm afraid I can't be of much help.

-Josh

--
You received this message because you are subscribed to the Google Groups "api-gateway-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to api-gateway-us...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/api-gateway-users/10fac59a-2090-4e9b-b2d0-108294466b8en%40googlegroups.com.


--
Josh Einhorn | Software Engineer | joshe...@google.com | 1-215-837-1102

Felipe Chamas Biondi

unread,
Nov 24, 2020, 4:03:33 PM11/24/20
to api-gateway-users
Oh, I see! Thank you for the clarification, I'm going to ask them and try to log the requests!

Felipe Chamas Biondi

unread,
Nov 24, 2020, 6:02:44 PM11/24/20
to api-gateway-users
Trying to add the permission to my Gateway through the console: Members of type allUsers and allAuthenticatedUsers cannot be added to this resource 

I'm starting to think adding  roles/apigateway.viewer  to allUsers  is not what I want. I want to connect to my gateway without needing to login on google. 

Josh Einhorn

unread,
Nov 25, 2020, 1:44:43 PM11/25/20
to Felipe Chamas Biondi, api-gateway-users
I'm starting to think adding  roles/apigateway.viewer  to allUsers  is not what I want. I want to connect to my gateway without needing to login on google. 

Ah, yes that is not what you want then. API Gateway is not like Cloud Run or GCF... the Gateway is open to all users by default. It is up to you to configure the security mechanism in your API Config (i.e. OpenAPI doc) e.g. API Key and/or JWT authentication.

The apigateway.viewer role is to get read-only access to the resources of the API Gateway service e.g. viewing metadata of APIs, API Configs, and Gateways.

-Josh

Reply all
Reply to author
Forward
0 new messages