Skip to main content

Troubleshooting

This guide provides troubleshooting steps for common issues encountered during GCP organization integration.

Pre-deployment Checklist

Before attempting to troubleshoot deployment issues, verify the following prerequisites:

  • If the GCP organization was previously connected via older methods, all relevant resources have been destroyed
    • Upwind Cloud Account Credentials have been deleted from the Settings/Credentials page
    • Projects have been revoked from the Inventory/Accounts page
    • Cloud Scanners have been deleted from the Inventory/Upwind Components/Cloud Scanners page
  • Required APIs are enabled for the GCP organization:
    • Secret Manager API
    • Identity and Access Management (IAM) API
    • IAM Service Account Credentials API
    • Compute Engine API
    • Cloud Run Admin API
    • Cloud Scheduler API
  • Deployment is being performed using a GCP organization administrator account
  • Terraform is being deployed from a clean environment (no other files that may affect configuration)
  • Optional Terraform variables (resource_suffix and google_service_account_display_name) are defined if desired

Common Issues & Solutions

Issue: Permissions errors reported by Terraform

Possible Causes:

  1. Terraform is not authenticated by gcloud

    Verify that the gcloud CLI is authenticated with the correct GCP organization administrator account. Use the following command to check the current account:

    gcloud auth list

    To authenticate, use:

    gcloud auth login
    gcloud auth application-default login
  2. Google account does not have organization administrator permissions

    Ensure that the Google account used to authenticate with gcloud has the necessary permissions to create service accounts and manage IAM roles within the GCP organization.

Issue: Failure to create resources that already exist

Possible Causes:

  1. Existing resources from previous integration attempts

If the integration has already been attempted, some resources may already exist. In this case, you can either:

  • Delete the existing resources manually from the GCP console
  • Use the terraform destroy command to remove all resources created by Terraform

If you choose to delete resources manually, ensure that you remove all relevant Upwind resources, including:

  • Service accounts
  • IAM roles and bindings
  • Secret Manager secrets
  • Cloud Scheduler jobs
  • Managed Instance Groups
  • VPC Networks, Subnets, Routers, and Firewall rules
  1. Terraform state file issues

    If the Terraform state file is corrupted or not in sync with the actual resources, you may encounter errors. In this case, you can try:

    • Running terraform refresh to update the state file
    • Manually removing the problematic resources from the state file using terraform state rm <resource_name>

Issue: Google Cloud APIs are not enabled

If the required APIs are not enabled, you may encounter errors during deployment. The error message will typically indicate which API is missing. To enable the required API, simply follow the URL provided in the error message or use the following command:

gcloud services enable <api_name>

To check the status of all APIs in your GCP organization, use the following command:

gcloud services list

The following APIs are required for the integration:

  • Secret Manager API
  • Identity and Access Management API
  • IAM Service Account Credentials API
  • Compute Engine API
  • Cloud Run Admin API
  • Cloud Scheduler API