how to make google compute instance group manager to use internal IPs for VMs


Satya Ramani

Nov 14, 2019, 11:43:53 AM
to gce-discussion
Hello,

We are using vendor Terraform scripts to launch Kafka services on VMs. When creating the VMs, the instance group manager tries to use external IPs, which we don't want because our org policy doesn't allow external IPs. For creating the VMs we use google_compute_address as below; I am also pasting the code blocks for both the instance group manager and the instance template.


# Reserved address. With no address_type set, google_compute_address reserves an
# EXTERNAL address by default. Note that nothing below references this resource.
resource "google_compute_address" "rest_proxy" {
    count = "${var.instance_count["rest_proxy"] > 0 ? var.instance_count["rest_proxy"] : 0}"
    name  = "rest-proxy-address-${var.global_prefix}"
}

resource "google_compute_region_instance_group_manager" "rest_proxy" {
    count = "${var.instance_count["rest_proxy"] > 0 ? var.instance_count["rest_proxy"] : 0}"

    name                      = "rest-proxy-instance-group-${var.global_prefix}"
    instance_template         = "${google_compute_instance_template.rest_proxy.self_link}"
    base_instance_name        = "rest-proxy"
    region                    = "${var.gcp_region}"
    distribution_policy_zones = "${var.gcp_availability_zones}"
    target_size               = "${var.instance_count["rest_proxy"]}"

    named_port {
        name = "http"
        port = 8082
    }
}

resource "google_compute_instance_template" "rest_proxy" {
    count = "${var.instance_count["rest_proxy"] > 0 ? var.instance_count["rest_proxy"] : 0}"

    name         = "rest-proxy-template-${var.global_prefix}"
    machine_type = "n1-standard-2"

    metadata_startup_script = "${data.template_file.rest_proxy_bootstrap.rendered}"

    disk {
        source_image = "image-20190801"
        disk_size_gb = 100
    }

    network_interface {
        subnetwork = "${google_compute_subnetwork.private_subnet.self_link}"

        # An access_config block, even an empty one, asks GCE to attach an
        # ephemeral external IP to the interface. This is what the
        # compute.subnetworks.useExternalIp check in the error below is about.
        access_config {}
    }

    tags = ["rest-proxy-${var.global_prefix}"]
}

When we run the Terraform scripts, we see the errors below...

* google_compute_region_instance_group_manager.ksql_server: Error creating RegionInstanceGroupManager: googleapi: Error 403: Required 'compute.subnetworks.useExternalIp' permission for 'projects/projectid/regions/us-east1/subnetworks/private-subnet-ccloud-tools', forbidden
* google_compute_region_instance_group_manager.control_center: Error creating RegionInstanceGroupManager: googleapi: Error 403: Required 'compute.subnetworks.useExternalIp' permission for 'projects/projectid/regions/us-east1/subnetworks/private-subnet-ccloud-tools', forbidden

Looking forward to hearing back from someone. Also please let me know if you need any clarifications.

Thanks,
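An added example, not part of the original post or of the vendor's scripts, showing the same rest_proxy template and group with the external-IP request removed. It is written in Terraform 0.12+ syntax (the post uses 0.11 interpolation) and assumes the post's variables (var.instance_count, var.global_prefix, var.gcp_region, var.gcp_availability_zones), the private_subnet resource and the rest_proxy_bootstrap template exist. It also uses count = 1/0 for the template and the group; the post's expression evaluates to the instance count itself, which would create one template and one group per instance, each group sized to the full count.

```hcl
# Before (from the post): an empty access_config block requests an ephemeral
# external IP, which is exactly what the useExternalIp permission denies.
#
#   network_interface {
#     subnetwork = google_compute_subnetwork.private_subnet.self_link
#     access_config {}
#   }

resource "google_compute_instance_template" "rest_proxy" {
  count        = var.instance_count["rest_proxy"] > 0 ? 1 : 0
  name_prefix  = "rest-proxy-template-${var.global_prefix}-"
  machine_type = "n1-standard-2"

  metadata_startup_script = data.template_file.rest_proxy_bootstrap.rendered

  disk {
    source_image = "image-20190801"
    disk_size_gb = 100
  }

  # After: no access_config block at all. The interface then gets only an
  # internal address from the primary range of private_subnet.
  network_interface {
    subnetwork = google_compute_subnetwork.private_subnet.self_link
  }

  tags = ["rest-proxy-${var.global_prefix}"]

  # Templates are immutable; name_prefix plus create_before_destroy lets
  # Terraform roll out a changed template without deleting the group first.
  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_region_instance_group_manager" "rest_proxy" {
  count                     = var.instance_count["rest_proxy"] > 0 ? 1 : 0
  name                      = "rest-proxy-instance-group-${var.global_prefix}"
  base_instance_name        = "rest-proxy"
  region                    = var.gcp_region
  distribution_policy_zones = var.gcp_availability_zones
  target_size               = var.instance_count["rest_proxy"]

  version {
    instance_template = google_compute_instance_template.rest_proxy[0].self_link
  }

  named_port {
    name = "http"
    port = 8082
  }
}

# If a reserved address is still wanted elsewhere (e.g. for a single
# google_compute_instance via network_ip), reserve it as INTERNAL inside the
# subnet. Left unset, address_type defaults to EXTERNAL, as in the post. A
# template cannot pin one address to every VM of a group, so it is not
# attached here. Hypothetical resource name.
resource "google_compute_address" "rest_proxy_internal" {
  count        = var.instance_count["rest_proxy"] > 0 ? 1 : 0
  name         = "rest-proxy-address-${var.global_prefix}"
  address_type = "INTERNAL"
  subnetwork   = google_compute_subnetwork.private_subnet.self_link
  region       = var.gcp_region
}
```

After apply, confirm no instance received a NAT IP with `gcloud compute instances list --format="table(name,networkInterfaces[0].networkIP,networkInterfaces[0].accessConfigs[0].natIP)"`; the last column should be empty for every rest-proxy VM. Two caveats a practitioner will hit next: without an external IP the startup script can only reach the public internet through Cloud NAT on the subnet's region, and it can only reach Google APIs (package mirrors on storage.googleapis.com, the metadata-backed secret and logging endpoints) if Private Google Access is enabled on private_subnet.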

Alexandre Duval-Cid

Nov 14, 2019, 4:54:14 PM
to gce-discussion
403 signifies a permission error; are you sure you have the appropriate credentials for your service account and the permissions associated with it?

This seems more of a Terraform issue; you should consult this documentation [1]. I would recommend posting this issue on Stackoverflow.com [2]. They would be better qualified to tackle this issue.
