Troubleshooting
This guide provides troubleshooting steps for common issues encountered during GCP organization integration.
Pre-deployment Checklist
Before attempting to troubleshoot deployment issues, verify the following prerequisites:
- If the GCP organization was previously connected via older methods, all relevant resources have been destroyed
- Upwind Cloud Account Credentials have been deleted from the Settings/Credentials page
- Projects have been revoked from the Inventory/Accounts page
- Cloud Scanners have been deleted from the Inventory/Upwind Components/Cloud Scanners page
- Required APIs are enabled for the GCP organization:
- Secret Manager API
- Identity and Access Management (IAM) API
- IAM Service Account Credentials API
- Compute Engine API
- Cloud Run Admin API
- Cloud Scheduler API
- Deployment is being performed using a GCP organization administrator account
- Terraform is being deployed from a clean environment (no other files that may affect configuration)
- Optional Terraform variables (
resource_suffixandgoogle_service_account_display_name) are defined if desired
Common Issues & Solutions
Issue: Permissions errors reported by Terraform
Possible Causes:
-
Terraform is not authenticated by gcloud
Verify that the gcloud CLI is authenticated with the correct GCP organization administrator account. Use the following command to check the current account:
gcloud auth listTo authenticate, use:
gcloud auth login
gcloud auth application-default login -
Google account does not have organization administrator permissions
Ensure that the Google account used to authenticate with gcloud has the necessary permissions to create service accounts and manage IAM roles within the GCP organization.
Issue: Failure to create resources that already exist
Possible Causes:
- Existing resources from previous integration attempts
If the integration has already been attempted, some resources may already exist. In this case, you can either:
- Delete the existing resources manually from the GCP console
- Use the
terraform destroycommand to remove all resources created by Terraform
If you choose to delete resources manually, ensure that you remove all relevant Upwind resources, including:
- Service accounts
- IAM roles and bindings
- Secret Manager secrets
- Cloud Scheduler jobs
- Managed Instance Groups
- VPC Networks, Subnets, Routers, and Firewall rules
-
Terraform state file issues
If the Terraform state file is corrupted or not in sync with the actual resources, you may encounter errors. In this case, you can try:
- Running
terraform refreshto update the state file - Manually removing the problematic resources from the state file using
terraform state rm <resource_name>
- Running
Issue: Google Cloud APIs are not enabled
If the required APIs are not enabled, you may encounter errors during deployment. The error message will typically indicate which API is missing. To enable the required API, simply follow the URL provided in the error message or use the following command:
gcloud services enable <api_name>
To check the status of all APIs in your GCP organization, use the following command:
gcloud services list
The following APIs are required for the integration:
- Secret Manager API
- Identity and Access Management API
- IAM Service Account Credentials API
- Compute Engine API
- Cloud Run Admin API
- Cloud Scheduler API
Issue: Project scopes do not load
If the project scopes do not load in the Upwind Management Console, it signifies that Upwind was unable to authenticate with the GCP organization using the provided credentials. This can occur if:
- The Workload Identity Federation (WIF) configuration was not generated correctly
- The WIF configuration file was not uploaded to the Upwind successfully
To resolve this issue, ensure that you have followed the steps to generate the WIF configuration file correctly and uploaded it to Upwind. If you encounter issues during this process, refer to the Workload Identity Federation documentation for guidance on generating and configuring WIF.