I have created a terraform script to make cloud function named master-processor and want the cloud function to be trigger with REST API, both Iam able make enable. But when I request rest api throgh postman it shows
`<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>403 Forbidden</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Forbidden</h1>
<h2>Your client does not have permission to get URL <code>/master-processor</code> from this server.</h2>
<h2></h2>
</body></html>
`
I am using this terraform script to run
provider "google" {
project = "<project-id>"
region = "us-central1"
}
resource "google_project_iam_member" "user_permissions" {
project = "<project-id>"
role = "roles/editor"
member = "user:<principal/user email>"
}
resource "google_project_iam_member" "service_account_role_assignment" {
project = "<project-id>"
role = "roles/editor"
member = "serviceAccount:<project-id>@appspot.gserviceaccount.com"
}
resource "google_storage_bucket" "bucket" {
name = "sample-bucket1"
location = "US"
}
data "archive_file" "function_code" {
type = "zip"
source_dir = "<path>/master-processor"
output_path = "/tmp/master-processor.zip"
}
resource "google_storage_bucket_object" "master_processor_function_code" {
name = "master-processor.zip"
bucket = google_storage_bucket.bucket.name
source = data.archive_file.function_code.output_path
}
resource "google_cloudfunctions_function" "master_processor_cloud_function" {
name = "master-processor"
description = "My function"
runtime = "python38"
available_memory_mb = 512
entry_point = "master_processor"
min_instances = 1
max_instances = 1
trigger_http = true
source_archive_bucket = google_storage_bucket.bucket.name
source_archive_object = google_storage_bucket_object.master_processor_function_code.name
service_account_email = "<project-id>@appspot.gserviceaccount.com"
environment_variables = {
"REGION" = "us-central1"
"PROJECT_ID" = "<project-id>"
}
ingress_settings = "ALLOW_ALL"
}
resource "google_api_gateway_api" "api_gw" {
project = "<project-id>"
provider = google-beta
api_id = "my-test-api"
}
resource "google_api_gateway_api_config" "api_gw" {
project = "<project-id>"
provider = google-beta
api = google_api_gateway_api.api_gw.api_id
api_config_id = "my-test-config"
openapi_documents {
document {
path = "spec.yaml"
contents = filebase64("<path to>/openapi.yaml")
}
}
lifecycle {
create_before_destroy = true
}
}
resource "google_api_gateway_gateway" "api_gw" {
region = "us-central1"
project = "<project-id>"
provider = google-beta
api_config = google_api_gateway_api_config.api_gw.id
gateway_id = "my-test-gateway"
}
and the openapi.yaml contains
swagger: "2.0"
info:
title: dm-service-api
version: "1.0.0"
schemes:
- "https"
paths:
"/execute":
post:
operationId: "algoPayload"
x-google-backend:
address: "https://us-central1-<project-id>.cloudfunctions.net/master-processor"
deadline: 500
responses:
200:
description: "Success."
schema:
type: string
400:
description: "The IATA code is invalid or missing."
I have tried to run manually on console it runs and sucessfully restapi is giving response. I am finding that manually api config need service account but in terraform unable to pass that service account details
