Task
Even though the main user or a service account with regular access is exported via GOOGLE_APPLICATION_CREDENTIALS, running terraform plan on the crawler infra gives an error:
(feature/change-cron-schedule)⚡ % terraform plan ~/development/repos/moneycol/data-collector/crawler/infra/terraform/data-collector
kubernetes_secret.data_collector_key_secret: Refreshing state... [id=default/data-collector-key]
google_service_account.gke_resize_main_service_account: Refreshing state... [id=projects/moneycol/serviceAccounts/[email protected]]
google_service_account.data_collector_main_service_account: Refreshing state... [id=projects/moneycol/serviceAccounts/[email protected]]
google_storage_bucket.functions_bucket: Refreshing state... [id=moneycol-functions]
google_project_iam_custom_role.data_collector_role: Refreshing state... [id=projects/moneycol/roles/data_collector]
google_project_iam_custom_role.gke_resize_role: Refreshing state... [id=projects/moneycol/roles/gke_resize]
google_service_account_key.gke_resize_sa_key: Refreshing state... [id=projects/moneycol/serviceAccounts/[email protected]/keys/6230032c9b887c3a7a9ddfcbf710388397dc10b7]
google_service_account_key.data_collector_sa_key: Refreshing state... [id=projects/moneycol/serviceAccounts/[email protected]/keys/4d5c2da5d7e033e4664ae2e038e8820ddb812dce]
google_cloud_scheduler_job.start_crawler_job: Refreshing state... [id=projects/moneycol/locations/europe-west1/jobs/start-crawler]
google_project_iam_binding.data_collector_sa_project_iam_binding: Refreshing state... [id=moneycol/projects/moneycol/roles/data_collector]
google_project_iam_binding.gke_resize_sa_project_iam_binding: Refreshing state... [id=moneycol/projects/moneycol/roles/gke_resize]
google_storage_bucket_object.archive: Refreshing state... [id=moneycol-functions-resize-down-indexer.zip#fed7fa94c81ada72baba99773d40c834]
google_cloudfunctions_function.resize_function: Refreshing state... [id=projects/moneycol/locations/europe-west1/functions/resize-down-indexer]
╷
│ Error: secrets "data-collector-key" is forbidden: User "xxx" cannot get resource "secrets" in API group "" in the namespace "default": requires one of ["container.secrets.get"] permission(s).
│
│
╵
This looks like it's using some cached credentials, but that's not the case. Mainly what's happening is that terraform is failing to communicate with GKE.
Running the auth manually via gcloud makes the above plan work:
But this issue should be solved by correctly authenticating the terraform provider with GKE. Information is at https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/using_gke_with_terraform#interacting-with-kubernetes
Acceptance criteria
Definition of Done
terraform plan without issuing any other gcloud command
terraform plan outside local machine
terraform apply and resources are created in the cluster
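
The provider authentication that the linked guide describes, as an added example that is not part of the original issue or the project's own configuration. The cluster name and location are placeholders, and the data source names `current` and `crawler` are assumptions:

```hcl
# Added example. CLUSTER_NAME and CLUSTER_LOCATION are placeholders; the
# issue does not state them.

# Short-lived OAuth2 access token for the identity the google provider
# runs as (for example the one exported via GOOGLE_APPLICATION_CREDENTIALS).
data "google_client_config" "current" {}

# Look up the GKE cluster endpoint and CA certificate from the GCP API,
# so nothing depends on a kubeconfig written earlier by gcloud.
data "google_container_cluster" "crawler" {
  project  = "moneycol"
  name     = "CLUSTER_NAME"     # placeholder
  location = "CLUSTER_LOCATION" # placeholder
}

# The kubernetes provider authenticates to the cluster with the same
# Google identity as the rest of the plan.
provider "kubernetes" {
  host  = "https://${data.google_container_cluster.crawler.endpoint}"
  token = data.google_client_config.current.access_token
  cluster_ca_certificate = base64decode(
    data.google_container_cluster.crawler.master_auth[0].cluster_ca_certificate
  )
}
```

With this in place the identity Terraform runs as still needs the `container.secrets.get` permission named in the error in order to refresh `kubernetes_secret.data_collector_key_secret`.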