Updated:
I tried to run the same command as in the Jenkins Pipeline, terraform init -backend-config="bucket=terraform-state-bucket-project-data-sharing-prod" -migrate-stat, on Cloud Shell using the same service account. It worked successfully.
Copying/removing a text file to the Terraform backend bucket also worked.
I think there is something in Jenkins that I have set up incorrectly.
As a follow-up to my previous question: 403 forbidden with service account from GCP
What I am trying to do:
Now I am trying to add a parameter to decide which branch on GitHub to deploy: dev or main, each with a corresponding GCP project, service account, backend bucket, etc. (Is there a better way to achieve this?)
Problems:
When I set the parameter to dev, the pipeline works well. But when I set it to main, an error is shown at the Terraform Init stage. The error is:
+ terraform init -backend-config=bucket=terraform-state-bucket-project-data-sharing-prod -migrate-state
Initializing the backend...
Backend configuration changed!
Terraform has detected that the configuration specified for the backend
has changed. Terraform will now check for existing state in the backends.

╷
│ Error: Error inspecting states in the "gcs" backend:
│ querying Cloud Storage failed: googleapi: Error 403: jenkins-tf-prod@open-data-v2-cicd-prod.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist)., forbidden
│
│ Prior to changing backends, Terraform inspects the source and destination
│ states to determine what kind of migration steps need to be taken, if any.
│ Terraform failed to load the states. The data in both the source and the
│ destination remain unmodified. Please resolve the above error and try again.
│
│
╵
What I have tried:
- I set the permissions of the service account in the main project the same as in dev (both given Owner already).
- I tried to create a new bucket and list it out on Cloud Shell using the same service account, authenticated, and it succeeded, so the account itself should be fine.
- I ran the same command on Cloud Shell as on Jenkins; it worked successfully on Cloud Shell.
Here is my code: GitHub - ShihWen/data-sharing
Jenkins setup:
- Jenkins 2.492.3
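Added example (editor's note; this is not code from the original post or from the ShihWen/data-sharing repo). The console output above shows "Backend configuration changed!" followed by -migrate-state, and the error text itself says Terraform then inspects the source and destination states. The source is whatever backend the last terraform init recorded in the workspace's .terraform/terraform.tfstate. If the dev and main runs share one Jenkins workspace, a main run that follows a dev run makes the prod service account read the previously configured bucket as well as the prod one, and the 403 message does not name which bucket was denied. Cloud Shell has no such leftover .terraform directory, which is one way the same command can succeed there and fail in Jenkins. The script below reads the recorded bucket, picks -reconfigure (Terraform's flag for ignoring the saved backend configuration without migrating state) when the workspace still points at another environment's bucket, and pulls the identity and permission out of a googleapi 403 line so the job log shows which service account actually made the call. The dev bucket name and the tfstate contents are constructed for the demo; only the prod bucket name and the 403 text come from the post.

```shell
#!/usr/bin/env bash
# Added example; not code from the original post or the ShihWen/data-sharing repo.
# Before `terraform init` in a Jenkins workspace shared between environments,
# find out which backend bucket the workspace still points at and choose
# -reconfigure instead of -migrate-state when the environment has changed.
# Assumed: the dev bucket name and the tfstate JSON below are constructed;
# only the prod bucket name and the 403 line come from the original post.
set -eu

# Bucket recorded by the last `terraform init` in this workspace
# (.terraform/terraform.tfstate is Terraform's own JSON). Prints nothing
# when the workspace was never initialised.
current_backend_bucket() {
  local tfstate="$1/.terraform/terraform.tfstate"
  [ -f "$tfstate" ] || return 0
  tr -d '\n ' < "$tfstate" | grep -o '"bucket":"[^"]*"' | head -n 1 | cut -d '"' -f 4 || true
}

# "init" when the workspace is fresh or already on the wanted bucket;
# "reconfigure" when it still points at another environment's bucket.
# With -migrate-state in that second case Terraform reads the old bucket
# AND the new one with the current service account, so a 403 can come
# from the bucket you did not select for this run.
init_mode() {
  local workspace="$1" wanted="$2" current
  current="$(current_backend_bucket "$workspace")"
  if [ -n "$current" ] && [ "$current" != "$wanted" ]; then
    echo "reconfigure"
  else
    echo "init"
  fi
}

# Arguments for `terraform init` for the chosen mode and bucket.
init_args() {
  local mode="$1" bucket="$2"
  case "$mode" in
    reconfigure) echo "-reconfigure -backend-config=bucket=$bucket" ;;
    *)           echo "-backend-config=bucket=$bucket" ;;
  esac
}

# Identity and permission named in a googleapi 403 line, so the pipeline
# log shows which service account actually made the call and what it lacked.
denied_identity() {
  printf '%s\n' "$1" |
    sed -n 's/.*Error 403: \([^ ]*\) does not have \([^ ]*\) access.*/\1 \2/p' | head -n 1
}

# Optional live check (needs gcloud and credentials; not run in this demo):
# the same object listing that terraform init performs, against one bucket.
check_bucket_list() {
  command -v gcloud >/dev/null 2>&1 || { echo "gcloud not installed" >&2; return 2; }
  gcloud storage ls "gs://$1" >/dev/null
}

# Constructed demo workspace: a previous dev run left .terraform pointing at
# the (assumed) dev bucket, and the job is now asked to deploy main.
WORKSPACE="$(mktemp -d)"
mkdir -p "$WORKSPACE/.terraform"
cat > "$WORKSPACE/.terraform/terraform.tfstate" <<'EOF'
{
  "version": 3,
  "backend": {
    "type": "gcs",
    "config": {
      "bucket": "terraform-state-bucket-project-data-sharing-dev",
      "prefix": null
    }
  }
}
EOF
PROD_BUCKET="terraform-state-bucket-project-data-sharing-prod"
MODE="$(init_mode "$WORKSPACE" "$PROD_BUCKET")"
echo "workspace backend: $(current_backend_bucket "$WORKSPACE")"
echo "terraform init $(init_args "$MODE" "$PROD_BUCKET")"
denied_identity "googleapi: Error 403: jenkins-tf-prod@open-data-v2-cicd-prod.iam.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket., forbidden"
rm -rf "$WORKSPACE"
```

In a Jenkinsfile the same decision can be made in a sh step before the init stage, or avoided entirely by giving each environment its own directory or agent workspace so no backend is ever carried over. If state really should move between buckets, the identity running -migrate-state needs storage.objects.list (and get) on both buckets, which is what check_bucket_list verifies one bucket at a time.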