Unable to enable private IP on my Postgres Cloud SQL instance

Date: 2019-01-20 17:04:04

Tags: google-cloud-platform terraform google-cloud-sql

When I try to enable private IP on a Cloud SQL instance (PostgreSQL 9.6), I get the following error message:

Network association failed due to the following error: set Service Networking service account as servicenetworking.serviceAgent role on consumer project

I have a VPC that I can select from the "Associated Network" dropdown, and I have also selected an already established managed services network, so in theory it should just work.

I cannot find anything under IAM that relates to the error message, neither a service account nor the servicenetworking.serviceAgent permission.

Update: included the relevant Terraform snippets

## VPC Setup
resource "google_compute_network" "my_network" {
  project                 = "${var.project_id}"
  name                    = "vpc-play"
  auto_create_subnetworks = "false"
  routing_mode            = "REGIONAL"
}
# There is a bunch of subnets linked to this network which are not included here

## Managed services network

resource "google_compute_global_address" "default" {
  name = "google-managed-services-vpc-${var.project_id}"
  project = "${var.project_id}"
  provider = "google-beta"
  ip_version = "IPV4"
  prefix_length = 16
  address_type = "INTERNAL"
  purpose = "VPC_PEERING"
  network = "${google_compute_network.my_network.self_link}"
}


## Error occurs on this step
## Error is : google_service_networking_connection.private_vpc_connection: set Service Networking service account as servicenetworking.serviceAgent role on consumer project

resource "google_service_networking_connection" "private_vpc_connection" {
    provider = "google-beta"
    network       = "${google_compute_network.my_network.self_link}"
    service       = "servicenetworking.googleapis.com"
    reserved_peering_ranges = ["${google_compute_global_address.default.name}"]
}

## Database configuration <-- omitted private ip stuff for now as doesn't even get to creation of this, error in previous step

resource "google_sql_database_instance" "my_db" {
  depends_on = ["google_service_networking_connection.private_vpc_connection"]
  name             = "my_db"
  project          = "${var.project_id}"
  database_version = "POSTGRES_9_6"
  region           = "${var.region}"
  lifecycle {
    prevent_destroy = true
  }

  settings {
    tier = "db-f1-micro"

    backup_configuration {
      enabled     = true
      start_time  = "02:00"
    }

    maintenance_window {
      day = 1
      hour = 3
      update_track = "stable"
    }

    ip_configuration {
      authorized_networks = [
        {
          name  = "office"
          value = "${var.my_ip}"
        },
      ]
    }

    disk_size         = 10
    availability_type = "ZONAL"

    location_preference {
      zone = "${var.zone}"
    }
  }
}

4 answers:

Answer 0 (score: 5)

The Terraform code to create a Cloud SQL instance with Private IP has some errors. The first one is that the ${google_compute_network.private_network.self_link} variable returns the full name of the network, i.e. something like www.googleapis.com/compute/v1/projects/PROJECT-ID/global/networks/testnw2. This value is not allowed in the google_compute_global_address.private_ip_address.network field, so you need to change ${google_compute_network.private_network.self_link} to ${google_compute_network.private_network.name}.

Another error is that the format of google_sql_database_instance.instance.settings.ip_configuration.private_network should be projects/PROJECT_ID/global/networks/NW_ID. So you need to change that field to projects/[PROJECT_ID]/global/networks/${google_compute_network.private_network.name} for it to work.

The third error, which is also the one you shared in your initial message, is that you need to set up the service account in the Terraform code so that it has the appropriate privileges to avoid this error. Please check the first lines of the shared code.

The fourth error is that you need to use the google-beta provider to do this, not the default google provider.

As discussed in the comment I posted, before using that Terraform code I was seeing the "An Unknown Error occurred" error, which refers to the error that appears when the VPC peering is performed. I understand that it is frustrating to troubleshoot this, since it does not display any useful information, but if you open a ticket with Google Cloud Platform Support we will be able to check the real error with our internal tools.

As promised, here is the code I used to create a private network and attach it to the Google Cloud SQL instance at creation time.

provider "google-beta" {
  credentials = "${file("CREDENTIALS.json")}"
  project     = "PROJECT-ID"
  region      = "us-central1"
}

# The VPC that the Cloud SQL instance will be peered with.
resource "google_compute_network" "private_network" {
  name = "testnw"
}

# Reserved internal range handed over to Google for the VPC peering.
resource "google_compute_global_address" "private_ip_address" {
  provider      = "google-beta"
  name          = "${google_compute_network.private_network.name}"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = "${google_compute_network.private_network.name}"
}

# Private services access connection between the VPC and Google-managed services.
resource "google_service_networking_connection" "private_vpc_connection" {
  provider                = "google-beta"
  network                 = "${google_compute_network.private_network.self_link}"
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = ["${google_compute_global_address.private_ip_address.name}"]
}

# Instance with a private IP only (no public IPv4 address).
resource "google_sql_database_instance" "instance" {
  provider   = "google-beta"
  depends_on = ["google_service_networking_connection.private_vpc_connection"]
  name       = "privateinstance"
  region     = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled    = "false"
      private_network = "projects/PROJECT-ID/global/networks/${google_compute_network.private_network.name}"
    }
  }
}

Answer 1 (score: 1)

It also seemed to be related to the error

Error: googleapi: Error 400: Precondition check failed., failedPrecondition

For both errors, I disabled and re-enabled the networking API, and it worked again...

Answer 2 (score: 0)

So this is what saved me

gcloud projects add-iam-policy-binding YOUR_HOST_PROJECT_NAME \
  --member=serviceAccount:service-HOST_PROJECT_ACCOUNT_NUMBER@service-networking.iam.gserviceaccount.com \
  --role=roles/servicenetworking.serviceAgent

https://thedataguy.in/cloudsql-shared-vpc-private-ip-and-servicenetworking.serviceagent-role/
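The Terraform equivalent of the gcloud binding above, which also covers the "set up the service account in the Terraform code" point from answer 0. This is an added example, not code from any of the answers; it uses Terraform 0.12+ syntax, assumes a `var.project_id` and the question's `my_network` / `default` resources, and covers the single-project case (with a shared VPC the binding goes on the host project, as in the gcloud command).

```hcl
# Added example (not from the question or answers). Assumes var.project_id
# and that the identity running terraform may manage IAM on that project.
data "google_project" "project" {
  project_id = var.project_id
}

# The Service Networking API must be enabled; enabling it creates the
# per-project service agent that the error message refers to.
resource "google_project_service" "servicenetworking" {
  project            = var.project_id
  service            = "servicenetworking.googleapis.com"
  disable_on_destroy = false
}

# Grant that service agent exactly the role named in the error, and nothing
# broader. The member is derived from the project number, so nothing is
# hard-coded per environment.
resource "google_project_iam_member" "servicenetworking_agent" {
  project    = var.project_id
  role       = "roles/servicenetworking.serviceAgent"
  member     = "serviceAccount:service-${data.google_project.project.number}@service-networking.iam.gserviceaccount.com"
  depends_on = [google_project_service.servicenetworking]
}

# Make the peering connection wait for the IAM grant so the first apply
# does not race it and fail with the "serviceAgent role" error.
resource "google_service_networking_connection" "private_vpc_connection" {
  network                 = google_compute_network.my_network.self_link
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.default.name]
  depends_on              = [google_project_iam_member.servicenetworking_agent]
}
```

Because the binding is declared in state, a later run of terraform plan will show it if anything outside Terraform removes the role again, which is the failure mode answers 1 and 3 describe.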

Answer 3 (score: -1)

It seems that terraform at some point messed up the account's permissions and removed the servicenetworking.serviceAgent role from all users.

Disabling and then re-enabling the Service Networking API fixed it by resetting the permissions of all of the system's users.