For context, I am trying to deploy a containerized (via Docker) R application to GCP's cloud run service. As part of my stack, I wanted to use Terraform to manage and provision all necessary infrastructure. I am running into a 403 forbidden error when executing terraform plan.
Here is my terraform configuration (Assume that all other .tf files are correctly written).
# Terraform settings: CLI version constraint, provider requirements and the
# remote state backend.
terraform {
  required_version = ">=0.13"

  # Only the Docker provider is declared here. The google provider used below
  # is not listed, so Terraform resolves it implicitly with no version
  # constraint. ">= 3.0.1" is an open-ended lower bound; a committed
  # dependency lock file is what fixes the exact provider build.
  required_providers {
    docker = {
      source  = "kreuzwerker/docker"
      version = ">= 3.0.1"
    }
  }

  # State is kept in a GCS bucket. State can contain sensitive values, so
  # access to this bucket should be limited to the identity running Terraform.
  backend "gcs" {
    bucket = "<project_id>-tf-states"
  }
}
# Default project and location for the Google resources in this configuration.
# No credentials are set in this block, so the provider uses whatever Google
# credentials the execution environment supplies.
provider "google" {
  project = "<project_id>"
  region  = "europe-west4"

  # NOTE(review): "europe-west4" is a region name; zone names carry a suffix
  # (for example "europe-west4-a"). Confirm the intended default zone.
  zone = "europe-west4"
}
# Service account Terraform is meant to use when managing infrastructure.
# NOTE(review): local.tf_sa is not referenced anywhere in the configuration
# shown, so declaring it here does not by itself change which identity is used.
locals {
  tf_sa = "<sa_account>"
}
# Artifact Registry repository (Docker format) that holds the Cloud Run images.
# NOTE(review): no IAM bindings for this repository appear in the configuration
# shown. Any identity that reads or pushes images needs the matching Artifact
# Registry role (roles/artifactregistry.reader / roles/artifactregistry.writer).
resource "google_artifact_registry_repository" "main" {
  project       = "<project_id>"
  location      = "europe-west4"
  repository_id = "deploy-ml-model"
  format        = "DOCKER"
  description   = "Repository for Cloud Run images"

  # Makes Terraform reject any plan that would destroy this repository.
  lifecycle {
    prevent_destroy = true
  }
}
# Full image address: <location>-docker.pkg.dev/<project>/<repository>/<image>.
# No tag or digest is given, so registry clients resolve it as ":latest",
# which is a mutable reference. Pinning a digest or an immutable tag makes it
# clear exactly which image is deployed.
locals {
  artifact_storage_address = "europe-west4-docker.pkg.dev/<project_id>/deploy-ml-model/model"
}
# Looks the image up in the registry. Data sources are read during
# `terraform plan`, so the Docker provider must be able to authenticate to
# europe-west4-docker.pkg.dev at plan time, before the build/push step below
# has run.
# NOTE(review): no provider "docker" block with registry credentials appears in
# the configuration shown. Confirm one exists elsewhere, and prefer short-lived
# credentials supplied by the CI job over values stored in the repository.
# Nothing in the configuration shown reads this data source's attributes.
data "docker_registry_image" "main" {
  name = local.artifact_storage_address
}
# Builds and pushes the image from the module directory, on the machine that
# runs Terraform.
resource "null_resource" "docker_build" {
  # timestamp() yields a new value on every run, so this resource is replaced
  # and the build/push re-executed on every apply.
  triggers = {
    always_run = timestamp()
  }

  # local-exec uses the local Docker client and its own registry login, not the
  # Terraform providers' credentials. `docker push` needs write access to the
  # repository.
  provisioner "local-exec" {
    working_dir = path.module
    command     = "docker build -t ${local.artifact_storage_address} . && docker push ${local.artifact_storage_address}"
  }
}
# Cloud Run service that serves the containerized model and its API.
# NOTE(review): nothing here references null_resource.docker_build, so
# Terraform does not order this service after the image push.
# NOTE(review): no service_account_name is set, so revisions run as the
# project's default compute service account. A dedicated, minimally
# privileged service account is the safer choice.
resource "google_cloud_run_service" "default" {
  name     = "containerized-model"
  project  = "<project_id>"
  location = "europe-west4"

  metadata {
    annotations = {
      "run.googleapis.com/client-name" = "terraform"
    }
  }

  template {
    spec {
      containers {
        # Untagged address: a new revision pulls whatever ":latest" points to
        # at deploy time.
        image = local.artifact_storage_address
      }
    }
  }

  # Route all traffic to the most recent revision.
  traffic {
    percent         = 100
    latest_revision = true
  }
}
# IAM policy that grants roles/run.invoker to allUsers: anyone on the internet
# can call the service without authenticating. Appropriate only for an
# intentionally public API; otherwise bind specific principals instead.
data "google_iam_policy" "noauth" {
  binding {
    role = "roles/run.invoker"
    members = [
      "allUsers",
    ]
  }
}
# Attaches the public-invoker policy to the Cloud Run service. The
# *_iam_policy resource is authoritative: it sets the service's whole IAM
# policy, replacing any bindings made outside this configuration.
resource "google_cloud_run_service_iam_policy" "noauth" {
  project     = google_cloud_run_service.default.project
  location    = google_cloud_run_service.default.location
  service     = google_cloud_run_service.default.name
  policy_data = data.google_iam_policy.noauth.policy_data
}
The Dockerfile (which is in the same directory as my terraform config):
# Base image: R 3.6.3 from the rocker project.
# NOTE(review): the tag is a mutable reference; pinning the image digest makes
# it clear exactly which base image every build uses.
FROM rocker/r-ver:3.6.3

# System libraries required by 'mlr' and its dependencies.
RUN apt-get update -qq && apt-get install -y \
    libgdal-dev \
    libgeos-dev \
    libproj-dev \
    r-cran-udunits2 \
    libgsl-dev \
    libgmp-dev \
    libglu-dev \
    r-cran-rjags \
    libmpfr-dev \
    libopenmpi-dev

# R packages used by the application. Versions are not pinned, so each build
# installs whatever the configured repository currently serves.
RUN R -e "install.packages(c('beakr', 'mlr', 'randomForest', 'caret'))"

# Port the beakr server listens on.
# NOTE(review): the Cloud Run service definition shown sets no container port,
# so confirm the application listens on the port Cloud Run routes to.
EXPOSE 8001

# Load Script with model
# ADD . /app
# set current working directory to the added app directory
# WORKDIR /app
# NOTE(review): with ADD and WORKDIR commented out, nothing in this Dockerfile
# copies backend.R into the image; confirm the CMD path resolves inside the
# container. No USER instruction is present either, so the process runs as the
# base image's default user.

# Start the R script that contains the application.
CMD ["Rscript", "./../src/backend.R"]
And here is the error message I am getting whenever GitHub Actions tries to execute terraform plan:
Error: Got error when attempting to fetch image version <project_id>/deploy-ml-model/model:latest from registry: Got bad response from registry: 403 Forbidden
Does anyone know if I am missing anything, or why I would be getting this error? Please let me know if I need to provide any further information. Thanks