terraform-google-modules/terraform-google-gcloud

I get a local provisioner error when I try to set Composer permissions using gcloud on Terraform

adithyaGR opened this issue · 1 comment

TL;DR

We are using Terraform automation and deploying the code through a pipeline. The pipeline is hosted in a project called prj-netw-prod-npda-common-01, and the project where we are trying to deploy the code is prj-netw-npe-npda-airflow-01.

The service account of the pipeline is named sa-datapltf-cicd-dev@prj-netw-prod-npda-common-01.iam.gserviceaccount.com, and the SA has the Owner permission in prj-netw-npe-npda-airflow-01. But the pipeline is throwing an error when trying to execute the code in the pipeline.
Basically, we are trying to do the following, but using Terraform:

"gcloud composer environments run afl-datapltf-npe-nane1-cluster-01 --location northamerica-northeast1 users add-role -- -e sa-datapltf-cicd-dev@prj-netw-prod-npda-common-01.iam.gserviceaccount.com -r Admin --project prj-netw-npe-npda-airflow-01"

How do we fix this issue?

Expected behavior

Set the permissions without an error

Observed behavior

Error: local-exec provisioner error

│ with module.composer_ui_permissions["sa-datapltf-cicd-dev@prj-netw-prod-npda-common-01.iam.gserviceaccount.com"].null_resource.run_command[0],
│ on .terraform/modules/composer_ui_permissions/main.tf line 231, in resource "null_resource" "run_command":
│ 231: provisioner "local-exec" {

│ Error running command 'PATH=/google-cloud-sdk/bin:$PATH
│ gcloud composer environments run afl-datapltf-npe-nane1-cluster-01
│ --location northamerica-northeast1 --project prj-netw-npe-npda-airflow-01
│ users add-role -- -e
sa-datapltf-cicd-dev@prj-netw-prod-npda-common-01.iam.gserviceaccount.com
│ -r Admin
│ ': exit status 1. Output: CRITICAL: ACTION REQUIRED:
│ gke-gcloud-auth-plugin, which is needed for continued use of kubectl, was
│ not found or is not executable. Install gke-gcloud-auth-plugin for use with
│ kubectl by following
https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
│ kubeconfig entry generated for northamerica-northeast1-afl-98925f4f-gke.
│ W0112 14:57:24.418929 406 gcp.go:119] WARNING: the gcp auth plugin is
│ deprecated in v1.22+, unavailable in v1.26+; use gcloud instead.
│ To learn more, consult
https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
│ W0112 14:57:26.355941 435 gcp.go:119] WARNING: the gcp auth plugin is
│ deprecated in v1.22+, unavailable in v1.26+; use gcloud instead.
│ To learn more, consult
https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
│ Executing within the following Kubernetes cluster namespace:
│ composer-2-1-2-airflow-2-3-4-98925f4f
│ W0112 14:57:26.509027 445 gcp.go:119] WARNING: the gcp auth plugin is
│ deprecated in v1.22+, unavailable in v1.26+; use gcloud instead.
│ To learn more, consult
https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
│ Unable to use a TTY - input is not a terminal or the right kind of file
│ /opt/python3.8/lib/python3.8/site-packages/airflow/www/app.py:147
│ DeprecationWarning: 'app.json_encoder' is deprecated and will be removed in
│ Flask 2.3. Customize 'app.json_provider_class' or 'app.json' instead.
│ User
│ "sa-datapltf-cicd-dev@prj-netw-prod-npda-common-01.iam.gserviceaccount.com"
│ does not exist
│ command terminated with exit code 1
│ ERROR: (gcloud.composer.environments.run) kubectl returned non-zero status
│ code. Make sure you have followed
https://cloud.google.com/composer/docs/how-to/accessing/airflow-cli#private-ip
│ to enable access to your private Cloud Composer environment from your
│ machine.
│ [2023-01-12T14:57:48.643+0000] {providers_manager.py:215} INFO - Optional
│ provider feature disabled when importing
│ 'airflow.providers.google.leveldb.hooks.leveldb.LevelDBHook' from
│ 'apache-airflow-providers-google' package
│ [2023-01-12T14:57:49.344+0000] {providers_manager.py:215} INFO - Optional
│ provider feature disabled when importing
│ 'airflow.providers.google.leveldb.hooks.leveldb.LevelDBHook' from
│ 'apache-airflow-providers-google' package

Terraform Configuration

module "composer_ui_permissions" {
  for_each = { for k in var.users : k.user => k }

  source  = "terraform-google-modules/gcloud/google"
  version = "~> 3.1"

  platform              = "linux"
  create_cmd_entrypoint = "gcloud"
  # --project is a gcloud flag, so it belongs before "--"; everything after "--"
  # is passed through to the airflow CLI. This matches the command shown in the error output.
  create_cmd_body       = "composer environments run ${each.value.composer_name} --location northamerica-northeast1 --project ${var.airflow_project} users add-role -- -e ${each.value.user} -r ${each.value.role}"
}

# Input vars.tf (separate file) looks like this

users = [
  {
    user          = "sa-datapltf-cicd-dev@prj-netw-prod-npda-common-01.iam.gserviceaccount.com"
    role          = "Admin"
    composer_name = "afl-datapltf-npe-nane1-cluster-01"
  }
]

# Project IDs are strings and must be quoted.
airflow_project = "prj-netw-npe-npda-airflow-01"

Terraform Version

terraform {
  required_version = "~> 1.2.0"
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.32.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "~> 4.32.0"
    }
    null = {
      source  = "hashicorp/null"
      version = "~> 3.1.1"
    }
  }
}

Additional information

No response

The user name should be part of the Composer users list; if it's not there, it throws the "user not found" error.
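A Terraform arrangement that applies the comment above, written as an added example rather than the issue's own configuration: create the Airflow user first, and run `users add-role` only after that step has completed. It reuses the gcloud module inputs already shown in the issue (`platform`, `create_cmd_entrypoint`, `create_cmd_body`) plus Terraform's module-level `depends_on`. The Airflow `users create` flags (`-u`, `-e`, `-f`, `-l`, `-r`, `--use-random-password`) and the built-in `Viewer` role are taken from the Airflow 2 CLI; using the service account e-mail as the Airflow username, and the `composer_location` variable, are assumptions made here, and the values are constructed placeholders.

```hcl
variable "airflow_project" {
  type = string
}

variable "composer_location" {
  type    = string
  default = "northamerica-northeast1"
}

variable "users" {
  type = list(object({
    user          = string # e-mail of the account to register in Airflow
    role          = string # Airflow role to grant, e.g. "Admin" or "Op"
    composer_name = string # Composer environment name
  }))
}

locals {
  users_by_email = { for u in var.users : u.user => u }
}

# Step 1: make sure each account exists in the Airflow user list.
# `users create` insists on a password, so a random one is generated; the
# account signs in through Google identity, not with that password. The user
# is created with the least-privileged built-in role (Viewer) and elevated in
# step 2, so the role grant is explicit and reviewable in its own module.
# Re-running is safe: Airflow reports "already exist" and exits 0.
module "composer_ui_users" {
  for_each = local.users_by_email

  source  = "terraform-google-modules/gcloud/google"
  version = "~> 3.1"

  platform              = "linux"
  create_cmd_entrypoint = "gcloud"
  # --project stays before "--": everything after "--" is handed to the airflow CLI.
  create_cmd_body = join(" ", [
    "composer environments run ${each.value.composer_name}",
    "--location ${var.composer_location}",
    "--project ${var.airflow_project}",
    "users create --",
    "-u ${each.value.user}",                 # assumption: e-mail used as username
    "-e ${each.value.user}",
    "-f ${split("@", each.value.user)[0]}",  # first name: local part of the address
    "-l service-account",
    "-r Viewer",
    "--use-random-password",
  ])
}

# Step 2: grant the requested role, only once the user exists. The explicit
# dependency is what prevents the 'User "..." does not exist' failure seen in
# the issue: without it Terraform may run add-role before (or in parallel with)
# the create step.
module "composer_ui_permissions" {
  for_each   = local.users_by_email
  depends_on = [module.composer_ui_users]

  source  = "terraform-google-modules/gcloud/google"
  version = "~> 3.1"

  platform              = "linux"
  create_cmd_entrypoint = "gcloud"
  create_cmd_body = join(" ", [
    "composer environments run ${each.value.composer_name}",
    "--location ${var.composer_location}",
    "--project ${var.airflow_project}",
    "users add-role --",
    "-e ${each.value.user}",
    "-r ${each.value.role}",
  ])
}
```

The `CRITICAL: ACTION REQUIRED` line about `gke-gcloud-auth-plugin` in the output is a separate problem from the missing user: `gcloud composer environments run` reaches the environment through kubectl, and newer kubectl releases need that plugin installed alongside gcloud in the pipeline image, otherwise the same command will start failing for a different reason once the deprecated gcp auth plugin is removed.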