Unable to enable a private IP for my Postgres Cloud SQL instance

The Terraform code to create a Cloud SQL instance with Private IP has some errors. The first one is that the ${google_compute_network.private_network.self_link} variable gets the entire name of the network, which means it will be something like www.googleapis.com/compute/v1/projects/PROJECT-ID/global/networks/testnw2. This value is not allowed in the field google_compute_global_address.private_ip_address.network, so you need to change ${google_compute_network.private_network.self_link} to ${google_compute_network.private_network.name}.

Another error is that the format in google_sql_database_instance.instance.settings.ip_configuration.private_network should be projects/PROJECT_ID/global/networks/NW_ID, so you need to change the field to projects/[PROJECT_ID]/global/networks/${google_compute_network.private_network.name} in order for it to work.

The third error, which is also the one that you shared in your initial message, is that you need to set a service account in the Terraform code with the proper privileges to avoid this error. Please check the first lines of the shared code.

The fourth error is that you need to do this using the google-beta provider, not the default google one.

As discussed in the comment that I posted, I saw the "An Unknown Error occurred" error before using that Terraform code; this error refers to an error when doing the VPC peering. I understand that it is frustrating to troubleshoot this, because it doesn't show any useful information, but if you open a ticket in Google Cloud Platform Support we will be able to check the real error using our internal tools.

As promised, this is the code that I'm using to create a private network and attach it to a Google Cloud SQL instance on creation.

# Terraform 0.11-style configuration (string interpolation and string depends_on).
# The google-beta provider is required for private IP on Cloud SQL.
provider "google-beta" {
    # Service-account key with the privileges needed for VPC peering.
    # Placeholder file name; keep the key file out of version control.
    credentials = "${file("CREDENTIALS.json")}"
    project     = "PROJECT-ID"
    region      = "us-central1"
}

# VPC network that the Cloud SQL instance will be attached to.
resource "google_compute_network" "private_network" {
    name = "testnw"
}

# Internal range reserved for the service producer (Cloud SQL) side of the peering.
# The network field takes the network name, not its self_link.
resource "google_compute_global_address" "private_ip_address" {
    provider      = "google-beta"
    name          = "${google_compute_network.private_network.name}"
    purpose       = "VPC_PEERING"
    address_type  = "INTERNAL"
    prefix_length = 16
    network       = "${google_compute_network.private_network.name}"
}

# Private services access connection (VPC peering with servicenetworking).
resource "google_service_networking_connection" "private_vpc_connection" {
    provider                = "google-beta"
    network                 = "${google_compute_network.private_network.self_link}"
    service                 = "servicenetworking.googleapis.com"
    reserved_peering_ranges = ["${google_compute_global_address.private_ip_address.name}"]
}

# The instance must be created after the peering exists, hence depends_on.
resource "google_sql_database_instance" "instance" {
    provider   = "google-beta"
    depends_on = ["google_service_networking_connection.private_vpc_connection"]
    name       = "privateinstance"
    region     = "us-central1"
    settings {
        tier = "db-f1-micro"
        ip_configuration {
            # No public IPv4 address; reachable only over the peered private network.
            ipv4_enabled    = "false"
            # Must be in the form projects/PROJECT_ID/global/networks/NETWORK_NAME.
            private_network = "projects/PROJECT-ID/global/networks/${google_compute_network.private_network.name}"
        }
    }
}
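To verify the outcome after terraform apply, here is an added post-deployment check (not part of the thread or of any Google tool) that audits the JSON from gcloud sql instances describe --format=json and gcloud services vpc-peerings list --format=json: it flags a self_link or bare name in privateNetwork, a still-enabled public IPv4 address, a missing PRIVATE address, and a missing servicenetworking peering. The field names are assumed from those commands' output, and the sample documents are constructed, with example-project standing in for PROJECT-ID.

```python
import json
import re

# Accepted form of settings.ip_configuration.private_network (assumed name rules).
PRIVATE_NETWORK_RE = re.compile(r"^projects/[a-z][-a-z0-9]*/global/networks/[a-z][-a-z0-9]*$")


def check_private_network_ref(ref):
    """Return None if ref is in projects/PROJECT_ID/global/networks/NAME form,
    otherwise a short reason (self_link URLs and bare names are rejected)."""
    if ref.startswith("http") or ref.startswith("www."):
        return "self_link URL given; use projects/PROJECT_ID/global/networks/NAME"
    if "/" not in ref:
        return "bare network name given; prefix with projects/PROJECT_ID/global/networks/"
    if not PRIVATE_NETWORK_RE.match(ref):
        return "unexpected format"
    return None


def audit_instance(describe_json, peerings_json, expected_network):
    """Return a list of findings; an empty list means the private-IP setup looks right."""
    inst = json.loads(describe_json)
    peerings = json.loads(peerings_json)
    findings = []
    ipcfg = inst.get("settings", {}).get("ipConfiguration", {})
    if ipcfg.get("ipv4Enabled", True):
        findings.append("public IPv4 is enabled")
    reason = check_private_network_ref(ipcfg.get("privateNetwork", ""))
    if reason:
        findings.append("privateNetwork: " + reason)
    elif ipcfg["privateNetwork"] != expected_network:
        findings.append("privateNetwork points at a different network")
    addr_types = {a.get("type") for a in inst.get("ipAddresses", [])}
    if "PRIVATE" not in addr_types:
        findings.append("instance has no PRIVATE address")
    if "PRIMARY" in addr_types:
        findings.append("instance still has a public PRIMARY address")
    # The Connection resource reports service as "services/servicenetworking.googleapis.com".
    if not any(str(p.get("service", "")).endswith("servicenetworking.googleapis.com")
               and p.get("reservedPeeringRanges") for p in peerings):
        findings.append("no servicenetworking peering with a reserved range")
    return findings


# Constructed sample output, not captured from a real project.
DESCRIBE_SAMPLE = json.dumps({
    "name": "privateinstance",
    "ipAddresses": [{"ipAddress": "10.0.1.5", "type": "PRIVATE"}],
    "settings": {"ipConfiguration": {"ipv4Enabled": False,
                 "privateNetwork": "projects/example-project/global/networks/testnw"}}})
PEERINGS_SAMPLE = json.dumps([{"network": "projects/example-project/global/networks/testnw",
                               "peering": "servicenetworking-googleapis-com",
                               "reservedPeeringRanges": ["testnw"],
                               "service": "services/servicenetworking.googleapis.com"}])
```

Feed it the real command output (each as a string) and the expected projects/PROJECT_ID/global/networks/NAME value; any non-empty result names exactly which part of the thread's four fixes is still missing.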

It seems Terraform messed up the permissions on the account at some point and removed the servicenetworking.serviceAgent role from all users.

Disabling and then re-enabling the Service Networking API resolves the problem by resetting the permissions on all users of the system.